Define Risk Levels

[JohnASRG]

We need to define the risk levels for this file. For example, you could have low, medium, high risk, only three levels, or you could have very low, low, medium, high, very high with five levels. Each company or organization might have a different way of expressing the risk in different levels. It's important that we have somewhere in the file defined this as the risk methodology. There should be other characteristics in this risk methodology section that define the fields further down in the schema.

[JohnASRG]

@claude

[claude]

Claude finished @JohnASRG's task in 3m 18s —— View job • claude/issue-34-20260310-1615 • Create PR ➔

---

Implementing Risk Level Definitions

Design: Extended the existing methods objects with a riskLevels array, allowing each organization to declare their own named risk tiers within the rating methodology definition. The band field in riskValues, attackFeasibilityRatings, and impactRatings is then interpreted against these formally declared levels.

Each riskLevel entry supports:

Field	Required	Description
id	✅	Unique identifier
label	✅	Human-readable name (e.g., "High")
rank	✅	Ordinal order (1 = lowest severity)
description	optional	Contextual description of this level
color	optional	Hex color code for visualization (e.g., #FF0000)
scoreRange	optional	{min, max} numeric score range mapping to this level
treatmentGuidance	optional	Recommended action for risks at this level

Example — 5-level risk scale in a method:

"riskLevels": [
  { "id": "RISK-LEVEL-VL", "label": "Very Low",  "rank": 1, "color": "#00AA00", "treatmentGuidance": "Accept" },
  { "id": "RISK-LEVEL-L",  "label": "Low",        "rank": 2, "color": "#88CC00", "treatmentGuidance": "Accept or monitor" },
  { "id": "RISK-LEVEL-M",  "label": "Medium",     "rank": 3, "color": "#FFAA00", "treatmentGuidance": "Treat" },
  { "id": "RISK-LEVEL-H",  "label": "High",       "rank": 4, "color": "#FF6600", "treatmentGuidance": "Treat or avoid" },
  { "id": "RISK-LEVEL-VH", "label": "Very High",  "rank": 5, "color": "#FF0000", "treatmentGuidance": "Avoid or treat" }
]

Files changed:

• spec/json/rdx.schema.json — Added riskLevels to methods items + RiskLevel definition in $defs

• spec/xml/rdx.xsd — Added riskLevels, riskLevelType, and scoreRangeType complex types

• examples/rdx-example.json — Added risk levels to all three methods (AFR: 3-level, Impact: 4-level, Risk: 5-level)

• REQUIREMENTS.md — Added RDX-113 requirement for configurable risk level definitions

• Gather context and read schema files

• Understand current schema structure

• Design risk level/methodology definition approach

• Update JSON schema (spec/json/rdx.schema.json)

• Update XML schema (spec/xml/rdx.xsd)

• Update rdx-example.json to demonstrate risk levels

• Update REQUIREMENTS.md

• Commit and push changes