Security Officers Management & Analysis Project

Open Source IT Risk Management

One of the main goals of the Security Officers Management and Analysis Project is to develop and maintain Open Source Information Security Risk Management documents, tools and utilities.

It is our strong belief that risk management processes and best practices need to be developed and published openly and freely. Information Security is not a competitive issue, and only freely available and cooperatively developed risk management utilities and tools can potentially lead to better security management and to further development of the whole IT risk management field.


Our activities concentrate on four sub-projects:

The OGRCM3 project develops and documents a methodology on how to measure and manage risk.

The ORIMOR contains a database model which is used as the basis for our own risk management framework and tool.

The ORICO Framework and Tool are the (reference) implementation of our own maturity management methodology.


The Open Governance, Risk and Compliance Maturity Management Methodology contains an overview of the risk and compliance management process and a description of why and how to manage risk.


The Open Risk Model Repository is actually three things in one:

  • A central repository containing best practice details.
  • A model for how to store risk management data.
  • An architecture to use a meta layer to store common type information.

ORICO Framework & Tool

The Open Risk & Compliance Framework and Tool are two projects in one.

  • The Framework builds the foundation for a risk management tool. It implements all the building blocks, such as data abstraction and RAD tools, that can be used when developing a risk management tool.
  • The Tool is the reference implementation of the OGRCM3. It makes heavy use of the ORICO Framework and is developed as both a desktop and a web application.