1// Schema lifecycle: experimental | stable | deprecated
2@status("experimental")
3package gemara
4
5@go(gemara)
6
7// A RiskCatalog is a structured collection of documented risks that may affect an organization,
8// system, or service. It provides a centralized reference for risks that can be mapped to threats
9// and referenced by policies when documenting how those risks are mitigated or accepted.
#RiskCatalog: {
	// Inherit the common catalog shape (#Catalog is defined outside this file).
	#Catalog
	// metadata.type is pinned to a constant so a RiskCatalog document cannot be
	// mistaken for another catalog kind.
	metadata: type: "RiskCatalog"

	// groups narrows the base groups to risk categories with appetite and severity boundaries
	groups?: [#RiskCategory, ...#RiskCategory]

	// risks is a list of risks defined by this catalog
	risks?: [#Risk, ...#Risk] @go(Risks)

	// Constraints that apply only once risks are declared.
	if risks != _|_ {
		// Risk ids must be unique: the comprehension keys on r.id, so two risks that
		// share an id assign conflicting values (their distinct list indices) to the
		// same key and evaluation of the catalog fails. Hidden field; never exported.
		_uniqueRiskIds: {for i, r in risks {(r.id): i}}
		// Unifying the optional groups? above with a regular field makes groups
		// required whenever risks exist, so every risk has a category to belong to.
		groups: [#RiskCategory, ...#RiskCategory]
		// NOTE(review): nothing in this file checks that each risk's group matches
		// the id of a declared group, nor that a risk's severity stays within its
		// category's max-severity; a risk that names an unknown group falls outside
		// every category's appetite boundary without an error. #Group is defined
		// elsewhere — confirm it carries an id before adding such a check.
	}
}
25
26// RiskCategory describes a grouping of risks and defines appetite boundaries
#RiskCategory: {
	// Inherit the base group fields (#Group is defined outside this file).
	#Group

	// appetite defines the acceptable level of risk for this category (required)
	appetite: #RiskAppetite @go(Appetite)

	// max-severity defines the risk tolerance boundary: the highest severity
	// the organization will accept within this category. Optional; omitted from
	// YAML output when unset. It is declarative here — no constraint in this file
	// compares it against the severity of the risks assigned to the category.
	"max-severity"?: #Severity @go(MaxSeverity) @yaml("max-severity,omitempty")
}
37
38// Severity defines the assessed level of a risk based on its potential impact and likelihood
#Severity:
	// Closed disjunction: any value other than the four strings below is rejected.
	// minor consequence if realized; manageable within normal operations
	"Low" |
	// moderate consequence if realized; may impair specific functions or objectives
	"Medium" |
	// severe consequence if realized; likely to disrupt core operations or objectives
	"High" |
	// extreme consequence if realized; threatens organizational viability or mission
	// @go(-) excludes this definition from Go type generation; Go code sees a plain string.
	"Critical" @go(-)
48
49// RiskAppetite defines the acceptable level of exposure for a risk category
#RiskAppetite:
	// Closed disjunction ordered from least to most risk-tolerant; any other
	// value is rejected.
	// organization is willing to accept higher cost to minimize risk
	"Minimal" |
	// organization favors caution but permits limited risk
	"Low" |
	// organization tolerates residual risk when justified by value
	"Moderate" |
	// organization is willing to operate with less restrictive controls
	// @go(-) excludes this definition from Go type generation; Go code sees a plain string.
	"High" @go(-)
59
60// A Risk represents the potential for negative impact resulting from one or more threats.
#Risk: {
	// id allows this risk to be referenced by other elements; uniqueness within a
	// catalog is enforced by #RiskCatalog, not here
	id: string

	// title describes the risk
	title: string

	// description explains the risk scenario
	description: string

	// group references by id a catalog group that this risk belongs to. It is a
	// plain string: this file does not verify that the referenced group exists.
	group: string @go(Group)

	// severity describes the assessed level of this risk (one of #Severity)
	severity: #Severity @go(Severity)

	// owner defines the RACI roles responsible for managing this risk
	// (#RACI is defined outside this file)
	owner?: #RACI @go(Owner)

	// impact describes the business or operational impact
	impact?: string

	// threats link this risk to Layer 2 threats; optional, non-empty when present.
	// The quoted label is equivalent to an unquoted `threats` field.
	// (#MultiEntryMapping is defined outside this file)
	"threats"?: [#MultiEntryMapping, ...#MultiEntryMapping] @go(Threats)
}