DPVCG Meeting Call

20 JUL 2022


georg, harsh, julian, paul

Meeting minutes

Risk concepts in DPV

In previous meetings, we discussed concepts related to Risks, DPIA/PIA, and how to specify the (often complex) requirements without imploding the structure of DPV.

The current proposal includes adding the concepts `RiskLevel`, `Severity`, and `Likelihood`, and the associated properties `hasRiskLevel`, `hasSeverity`, and `hasLikelihood`.

Severity and likelihood can also be used on Consequences and Impacts, not only on Risks.

Risk and Risk mitigation measure concepts and relations are already present in DPV, and the new concepts will augment them.

The level, severity, and likelihood are what is applicable *after* all measures have been considered, i.e. they are the resulting characteristics of the risk (or impact).

To indicate the changes between two instances of a risk, e.g. R1 indicating a resulting level of High, and R2 with a level of Low after applying additional measures, the concept of `ResidualRisk` was considered.

Discussions converged on agreement that such notation of residual risks and the incremental or iterative expression of risks, mitigations, and levels is useful in documentation.

However, there was reflection on whether it is necessary to provide specific concepts related to Residual or Mitigated risk. Instead, the group agreed to provide only relations related to these.

For Residual Risks, `hasResidualRisk` and `isResidualRiskOf` are for expressing the connection between risks; the associative properties for mitigation measures (for Mitigated Measures) already exist in DPV.

For more complex or additional information, such as specific taxonomies of risk levels (e.g. Risk level = High), and the provision of concepts such as MitigatedRisk, RiskAssessmentFrameworks, etc. - a separate extension (`dpv-risk`) is to be created.

Harsh has some work on this at https://github.com/coolharsh55/riskonto, based on analysing the ISO 31073:2022 risk management vocabulary standard (https://www.iso.org/standard/79637.html).

Interested participants should email the group or Harsh directly.

Next Meeting

The group will meet again next week WED 27 JUL 13:00 WEST / 14:00 CEST.

Harsh will not be attending the meeting; another attendee will chair it.

Minutes manually created (not a transcript), formatted by scribe.perl version 192 (Tue Jun 28 16:55:30 2022 UTC).