1 Definition
The matrix defines, for each Risk for which an AIM is not available, the characteristics affecting the Company Business Continuity, i.e., the Financial and Governance Assessment.
2 Functional Requirements
The matrix is composed of one row for each Risk for which an AIM is not available and four columns for the characteristics. Table 1 gives the four characteristics for the Risks considered.
Table 1 – Risk characteristics
| N. | Characteristic | Definition |
| 1 | Occurrence | The likelihood of the risk happening, measured with three possible outcomes: |
| | | Low: the risk may occur only in exceptional circumstances or is unlikely to occur. |
| | | Medium: the risk may occur at some time. |
| | | High: the risk is expected to occur. |
| 2 | Impact | The extent of damage or disruption that would result if the Risk occurred. This is described on a scale: |
| | | Minor: Relatively minor changes in the Company processes, and/or products and services. |
| | | Moderate: Some minor changes in the Company processes and/or products and services. |
| | | Major: Company processes and/or products and services are altered significantly. |
| 3 | Severity | The impact of a Risk on the Company's ability to deliver compliant products to the customer, on its internal efficiency, and in damage to people, the environment, or property, measured in terms of the estimated time needed to restore normal business activities. It can take five values: |
| | | Irrelevant: The risk has no impact on the ability to deliver compliant products to the customer; no loss of internal efficiency; no damage to people, environment, or property. The estimated recovery time is from 1 to 8 hours. |
| | | Not very relevant: The risk has minor impacts on the ability to deliver compliant products to the customer; marginal loss of internal efficiency; no damage to people, environment, or property. The estimated recovery time is from 2 to 5 days. |
| | | Relevant: May result in significant sensitive consequences on product conformity or on-time delivery; may lead to a substantial loss of internal efficiency (massive rework or 100% selections); no damage to people and the environment but possible major damage to property. The estimated recovery time is from 3 to 10 days. |
| | | Very relevant: Can have very important consequences on the conformity of the products or the impossibility of their delivery; no damage to persons, any marginal damage to the environment or major property damage. The estimated recovery time is from 4 to 14 days. |
| | | Serious: The occurrence of the risk has very important consequences on the conformity of products or the impossibility of delivery; involves damage to people, the environment, or important damage to property. The estimated recovery time is greater than 15 days. |
| 4 | Retention | The percentage of the potential effect of the Risk which is retained in the Company, i.e., the percentage which is not transferred to a third party, such as an insurance company. |
3 Syntax
https://schemas.mpai.community/CUI1/V2.0/data/SecondaryRiskMatrix.json
4 Semantics
| Label | Description |
| Header | Space-Time Header |
| – Standard-Object | The characters “CUI-SRM-V” |
| – Version | Major version – 1 or 2 characters |
| – Dot-separator | The character “.” |
| – Subversion | Minor version – 1 or 2 characters |
| MInstance | Identifier of Virtual Space. |
| – RiskIDs[] | The IDs of the Risks for which an AIM is not available. |
| – Occurence | See semantics above |
| – Impact | See semantics above |
| – Severity | See semantics above |
| – Retentions | See semantics above |
| DescrMetadata | Descriptive Metadata |
5 Conformance Testing
A Data instance Conforms with Secondary Risk Matrix (CUI-CPP) V2.0 if:
- The Data validates against the Secondary Risk Matrix’s JSON Schema.
- All Data in the Secondary Risk Matrix’s JSON Schema:
  - Have the specified type.
  - Validate against their JSON Schemas.
  - Conform with their Data Qualifiers if present.
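
The value-level checks implied by Table 1 and the Semantics table can be run before or alongside JSON Schema validation. The following is an added example, not part of the MPAI specification and not a substitute for validating against the published schema. It assumes a flat object with one array entry per Risk, decimal digits for the version characters, and numeric Retentions between 0 and 100; the schema itself is not reproduced on this page.

```python
import re

# Header grammar from the Semantics table: "CUI-SRM-V" + major + "." + minor,
# each 1 or 2 characters. Assumption: those characters are decimal digits.
HEADER_RE = re.compile(r"CUI-SRM-V[0-9]{1,2}\.[0-9]{1,2}")
# Value vocabularies from Table 1; keys are spelled as in the Semantics table.
ALLOWED = {
    "Occurence": {"Low", "Medium", "High"},
    "Impact": {"Minor", "Moderate", "Major"},
    "Severity": {"Irrelevant", "Not very relevant", "Relevant",
                 "Very relevant", "Serious"},
}

def check_matrix(m):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    header = m.get("Header")
    if not isinstance(header, str) or not HEADER_RE.fullmatch(header):
        problems.append("Header: does not match CUI-SRM-V<major>.<minor>")
    risk_ids = m.get("RiskIDs")
    if not isinstance(risk_ids, list) or not risk_ids:
        return problems + ["RiskIDs: must be a non-empty list"]
    for column, vocab in ALLOWED.items():
        values = m.get(column)
        if not isinstance(values, list) or len(values) != len(risk_ids):
            problems.append(f"{column}: need one value per Risk")
            continue
        for rid, v in zip(risk_ids, values):
            if not isinstance(v, str) or v not in vocab:
                problems.append(f"{column}[{rid}]: {v!r} not in Table 1")
    retentions = m.get("Retentions")
    if not isinstance(retentions, list) or len(retentions) != len(risk_ids):
        return problems + ["Retentions: need one value per Risk"]
    for rid, r in zip(risk_ids, retentions):
        # bool is a subclass of int, so reject it explicitly
        ok = isinstance(r, (int, float)) and not isinstance(r, bool)
        if not ok or not 0 <= r <= 100:
            problems.append(f"Retentions[{rid}]: {r!r} is not in 0..100")
    return problems

# Constructed sample instance (not taken from the specification).
SAMPLE = {
    "Header": "CUI-SRM-V2.0",
    "RiskIDs": ["risk-001", "risk-002"],
    "Occurence": ["Low", "High"],
    "Impact": ["Moderate", "Major"],
    "Severity": ["Relevant", "Serious"],
    "Retentions": [100, 40],
}
```
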