{"categories":{"availability":{"label":"Availability Disruption","icon":"server","color":"red"},"integrity":{"label":"Data Integrity Breach","icon":"database","color":"amber"},"confidentiality":{"label":"Confidentiality Breach","icon":"lock","color":"violet"},"supply_chain":{"label":"Supply Chain Failure","icon":"link","color":"orange"},"compliance":{"label":"Regulatory Compliance","icon":"scale","color":"cyan"}},"risks":[{"id":"RISK-001","category":"availability","title":"Cloud Provider Outage \u2014 Critical Services","description":"Extended outage of primary cloud provider affecting mission-critical hosted services with no automated failover.","likelihood":3,"impact":5,"risk_level":"high","treatment":"Implement multi-region active-active failover. Test quarterly.","owner":"CTO \/ Cloud Architecture","deadline":"2026-09-30","status":"in_progress","framework_mapping":["DORA Art. 11","MaRisk AT 7.2","ISO 27001 A.8.14"]},{"id":"RISK-002","category":"integrity","title":"Unauthorized Data Modification in Core Banking","description":"Privileged user modifies transactional data without detection due to missing integrity monitoring.","likelihood":2,"impact":5,"risk_level":"high","treatment":"Deploy database activity monitoring (DAM) with real-time alerts.","owner":"CISO \/ Security Operations","deadline":"2026-08-15","status":"open","framework_mapping":["DORA Art. 9(4)","MaRisk AT 7.2","ISO 27001 A.8.2"]},{"id":"RISK-003","category":"confidentiality","title":"Third-Party Data Leakage via API","description":"Customer data exposed through insufficiently secured third-party API integrations with excessive data sharing.","likelihood":3,"impact":4,"risk_level":"high","treatment":"API security audit, implement data minimization, deploy API gateway with threat detection.","owner":"API Security Team","deadline":"2026-10-01","status":"open","framework_mapping":["DORA Art. 28","MaRisk AT 9","ISO 27001 A.8.11"]},{"id":"RISK-004","category":"supply_chain","title":"Critical ICT Service Provider Concentration","description":"Single point of failure: more than 60% of critical ICT services\u4f9d\u8d56 on one provider (cloud\/SaaS).","likelihood":3,"impact":4,"risk_level":"high","treatment":"Develop exit strategy per DORA Art. 28. Identify alternative providers.","owner":"Third-Party Risk Management","deadline":"2026-12-31","status":"in_progress","framework_mapping":["DORA Art. 28(3)","MaRisk AT 9","ISO 27001 A.5.19"]},{"id":"RISK-005","category":"compliance","title":"TLPT Non-Compliance (Overdue)","description":"Threat-Led Penetration Testing overdue by 6 months. Regulatory deadline missed.","likelihood":4,"impact":5,"risk_level":"critical","treatment":"Immediate TLPT procurement. Contract with accredited provider within 30 days.","owner":"CISO \/ Procurement","deadline":"2026-07-30","status":"overdue","framework_mapping":["DORA Art. 24-25","MaRisk AT 4.3.5"]},{"id":"RISK-006","category":"availability","title":"Legacy System Single Point of Failure","description":"Core legacy application running on end-of-life hardware with no redundancy or support contract.","likelihood":4,"impact":3,"risk_level":"medium","treatment":"Migration to modern platform. Interim: procured extended support + backup system.","owner":"Infrastructure Team","deadline":"2027-03-31","status":"in_progress","framework_mapping":["DORA Art. 11(4)","MaRisk AT 7.2"]},{"id":"RISK-007","category":"confidentiality","title":"Ransomware Attack on Critical Systems","description":"High-impact ransomware scenario: encrypted backups, business-critical data loss, regulatory reporting required.","likelihood":3,"impact":5,"risk_level":"high","treatment":"Air-gapped backups, ransomware playbook, EDR deployment, employee training.","owner":"Security Operations","deadline":"2026-08-01","status":"in_progress","framework_mapping":["DORA Art. 11","MaRisk BT 3.2","ISO 27001 A.8.7"]},{"id":"RISK-008","category":"supply_chain","title":"Sub-Contractor Non-Compliance Cascade","description":"Critical outsourced service provider uses sub-contractors not covered by DORA compliance obligations.","likelihood":2,"impact":3,"risk_level":"medium","treatment":"Audit all sub-contractor chains. Amend contracts with flow-down clauses.","owner":"Vendor Management","deadline":"2026-09-15","status":"open","framework_mapping":["DORA Art. 30","MaRisk AT 9","ISO 27001 A.5.20"]},{"id":"RISK-009","category":"availability","title":"DDoS Attack on Customer-Facing Platforms","description":"Large-scale DDoS attack could render online banking and customer portal unavailable.","likelihood":4,"impact":3,"risk_level":"medium","treatment":"DDoS protection service (scrubbing center), rate limiting, CDN integration.","owner":"Network Security","deadline":"2026-07-15","status":"completed","framework_mapping":["DORA Art. 11","ISO 27001 A.8.20"]},{"id":"RISK-010","category":"compliance","title":"Information Register Submission Delay","description":"Annual DORA information register submission to competent authority at risk due to data quality issues.","likelihood":3,"impact":3,"risk_level":"medium","treatment":"Automated data quality checks, dedicated register team, monthly review cycles.","owner":"Information Register Team","deadline":"2026-11-30","status":"in_progress","framework_mapping":["DORA Art. 28(3)","ITS 2024\/1777"]},{"id":"RISK-011","category":"compliance","title":"AI Governance Framework Deficiency","description":"No formal AI governance framework in place for machine learning models used in credit scoring and fraud detection.","likelihood":4,"impact":4,"risk_level":"high","treatment":"Develop AI governance policy per EU AI Act. Establish model validation committee and bias testing.","owner":"Chief AI Officer \/ Data Governance","deadline":"2027-06-30","status":"open","framework_mapping":["EU AI Act Art. 6-8","MaRisk AT 7.2","ISO 27001 A.5.36"]},{"id":"RISK-012","category":"supply_chain","title":"Cloud Exit Strategy Gap","description":"No documented and tested exit strategy for primary cloud provider, creating vendor lock-in risk.","likelihood":3,"impact":5,"risk_level":"high","treatment":"Develop and test cloud exit plan per DORA Art. 28(3). Identify alternative providers and run tabletop exercise.","owner":"Cloud Architecture \/ TPRM","deadline":"2026-12-15","status":"open","framework_mapping":["DORA Art. 28(3)","MaRisk AT 9","ISO 27001 A.5.19"]},{"id":"RISK-013","category":"confidentiality","title":"Insider Threat Data Exfiltration","description":"Privileged insider could exfiltrate sensitive customer data via removable media or cloud uploads without detection.","likelihood":2,"impact":5,"risk_level":"high","treatment":"Deploy UEBA solution, implement DLP controls, enforce strict egress filtering, and conduct insider threat training.","owner":"CISO \/ Security Operations","deadline":"2026-11-01","status":"open","framework_mapping":["DORA Art. 9(4)","MaRisk BT 3.2","ISO 27001 A.8.12"]},{"id":"RISK-014","category":"integrity","title":"Legacy Cryptographic Algorithm Risk","description":"Several internal systems still use SHA-1 and TLS 1.1, vulnerable to collision and downgrade attacks.","likelihood":3,"impact":3,"risk_level":"medium","treatment":"Migrate all systems to SHA-256 and TLS 1.3. Decommission SHA-1 certificates by Q2 2027.","owner":"Cryptography Team \/ Platform Security","deadline":"2027-03-31","status":"in_progress","framework_mapping":["BSI TR-02102","ISO 27001 A.8.24","MaRisk AT 7.2"]},{"id":"RISK-015","category":"supply_chain","title":"Supply Chain Audit Right Not Enforceable","description":"Existing contracts with critical ICT sub-contractors lack enforceable audit rights for DORA compliance verification.","likelihood":3,"impact":4,"risk_level":"high","treatment":"Renegotiate contracts to include mandatory audit clauses. Perform initial compliance audit within 90 days.","owner":"Legal \/ Vendor Management","deadline":"2026-10-15","status":"open","framework_mapping":["DORA Art. 30","MaRisk AT 9","ISO 27001 A.5.20"]},{"id":"RISK-016","category":"integrity","title":"Zero-Day Vulnerability in Core Banking Platform","description":"Unpatched critical zero-day vulnerability discovered in the core banking application that could allow remote code execution.","likelihood":4,"impact":5,"risk_level":"critical","treatment":"Immediate vendor hotfix deployment. Compensating WAF rules until patch is applied. Forensic investigation.","owner":"CISO \/ Application Security","deadline":"2026-07-30","status":"open","framework_mapping":["DORA Art. 11(3)","MaRisk AT 7.2","ISO 27001 A.8.8"]},{"id":"RISK-017","category":"availability","title":"Data Center Cooling System Failure","description":"Primary data center cooling system has degraded performance with only N configuration left, risking thermal shutdown in summer months.","likelihood":2,"impact":4,"risk_level":"medium","treatment":"Emergency HVAC maintenance contract. Deploy portable cooling units. Plan for N+1 upgrade.","owner":"Facilities \/ Infrastructure","deadline":"2026-08-15","status":"in_progress","framework_mapping":["ISO 27001 A.7.2","MaRisk AT 7.3"]},{"id":"RISK-018","category":"compliance","title":"GDPR Non-Compliance in Customer Data Processing","description":"Customer data processing workflows lack documented legal basis for three high-risk processing activities identified during internal audit.","likelihood":3,"impact":4,"risk_level":"high","treatment":"Update privacy notices, document legitimate interest assessments, implement consent management platform.","owner":"DPO \/ Privacy Team","deadline":"2026-09-30","status":"open","framework_mapping":["GDPR Art. 6-7","DSGVO Art. 6-7","ISO 27001 A.5.33"]}]}