# Standards

#### Appendix H. Mapping to International Standards (ISO, NIST, Basel, Sendai, IPBES, etc.)

This appendix situates **Nexus Risk Management (NRM)** and the **Nexus Ecosystem** vis-à-vis key international standards and frameworks. The goal is not to replace existing standards, but to:

* Provide a **semantic and operational “rail”** on which they can be integrated and executed.
* Clarify how **NRM Profiles**, **NXSS** (Nexus Standards Stack), and **GRF-IP** implementation profiles align with and extend these frameworks.
* Make NRM evidence and artefacts *re-usable* in regulatory, supervisory, and policy processes that are already anchored in recognised standards.

NRM should be read as a **meta-framework and technical substrate** that:

> (a) embeds the *principles* of existing standards into ontology, rules, and workflows; and\
> (b) provides a **computable, auditable, cross-domain layer** for their implementation in a human–machine–nature risk era.

***

### H.1 Mapping Principles and Strategy

1. **Non-substitution, complementarity**\
   NRM does **not** attempt to displace ISO 31000, NIST CSF, Basel III/IV, Sendai, IPCC/IPBES or other canonical frameworks. Instead, NRM:
   * Treats these as **external normative anchors**.
   * Represents their concepts and requirements in **GRIx ontologies**, **NRM Profiles**, and **GRF-IP profiles**.
   * Provides **evidence and processes** that can be inspected by regulators and auditors for compliance.
2. **Profiles and Implementation Mappings**\
   For each major standard or framework, GRF defines:
   * One or more **NRM Profiles** (e.g., `NRM-Climate-Macro-Sovereign`, `NRM-Cyber-Critical-Infrastructure`).
   * One or more **GRF-IP profiles** (implementation profiles) specifying how a given rail/pack must behave to be “compatible with” or “aligned to” that standard.
3. **Ontological overlays**\
   Each standard is reflected as an **ontology overlay** in GRIx:
   * Key terms, roles, processes, and control objectives become entities and relations.
   * Requirements become **Policy DSL** rules, **Playbook DSL** templates, and **Agent DSL** constraints.
4. **Traceability**\
   Every AEP, index, scenario, and decision log references:
   * The **standards and frameworks** it is aligned with;
   * The **specific clauses or control families** that are addressed;
   * The **evidence trail** that supports assertions of conformance.

***

### H.2 ISO Standards Mapping

#### H.2.1 ISO 31000 (Risk Management — Guidelines)

* **Conceptual alignment**
  * ISO 31000 emphasises **principles**, **framework**, and **process** (communication, context, assessment, treatment, monitoring, review).
  * NRM operationalises this by:
    * Encoding **risk context** and **scope** in `rail.yaml` and NRM Profiles.
    * Representing **risk identification, analysis, and evaluation** through UNOSINT, indices, and AEPs.
    * Embedding **risk treatment, monitoring, and review** as Playbook DSL workflows, scenario engines, and learning loops.
* **NRM extension**
  * ISO 31000 is largely **organisation-centric**; NRM extends it to **multi-institutional, systemic, and planetary risk** via:
    * Federated risk graphs (cross-border, cross-sector).
    * Multi-stakeholder NVM governance.
    * Integration of community and Indigenous knowledge.

#### H.2.2 ISO 22301 (Business Continuity) & ISO 223XX Family

* **Context**
  * These address business continuity management (BCM) and societal security.
* **NRM mapping**
  * Business impact analyses, continuity strategies, and exercises map to:
    * **NXPCK** IRP playbooks and AAPs.
    * Scenario and simulation engines in NXSTUDIO.
    * Rail SLOs and degraded-mode policies (Part IV & VI).
* **GRF-IP**
  * GRF can define profiles such as `GRF-IP.ISO22301-BCM-ALIGNED`, stipulating minimum NRM artefacts (AEPs, playbooks, DR patterns) needed for alignment.

#### H.2.3 ISO 27001 / 27002 / 27701 / 27005 (Information Security and Privacy)

* **Security controls**
  * Technical and organisational controls map to:
    * **Policy DSL** rules (access, logging, response).
    * NXHAL/NXPAL secure baselines; Zero-Trust Security Fabric.
    * RailOps incident management playbooks.
* **Risk assessment**
  * ISO 27005 risk analysis is instantiated as NRM Profiles for **INFRAINT** and **CYBINT** domains.
* **Privacy**
  * ISO 27701 privacy governance maps directly to:
    * Lawful-basis matrices and SDZ.
    * Privacy & Fairness Fabric policies.

#### H.2.4 Climate-Related ISO Standards (e.g., ISO 14090/14091)

* **Climate adaptation**
  * ISO 14090 (adaptation to climate change) and related standards map to:
    * Climate- and adaptation-focused NRM Profiles and Packs.
    * CLIMATEINT and RESILINT modules with structured impact chains.
  * NRM extends these by linking adaptation planning to **capital structures** (GRA) and **systemic stress metrics**.

***

### H.3 NIST Frameworks Mapping

#### H.3.1 NIST Cybersecurity Framework (CSF) & NIST SP 800-53 / 800-37

* **Core functions (Identify, Protect, Detect, Respond, Recover)**
  * Represented as sequences in Playbook DSL and as NRM Profiles for cyber–critical infrastructure.
  * Control families map to Policy DSL constraints and NXSTUDIO/NXSOS configurations.
* **RMF (Risk Management Framework)**
  * Steps (categorise, select, implement, assess, authorise, monitor) correspond to:
    * GRIx-based system categorisation.
    * NXFOUNDRY-based policy and control selection.
    * AEP-based evidence for authorisation.
    * RailOps continuous monitoring.

#### H.3.2 NIST AI Risk Management Framework (AI RMF)

* **AI-specific risks**
  * Trustworthiness, fairness, and robustness are represented as:
    * Model cards and safety tiers in ML Fabric and AI Safety Fabric.
    * Agent DSL and Policy DSL constraints.
  * NRM extends the AI RMF by:
    * Integrating **AI risk** into broader systemic risk graphs.
    * Treating AI systems as risk-bearing entities in GRIx (AI-INT, MODELINT).

***

### H.4 Financial Standards (Basel, IAIS, IOSCO, IFRS/ISSB)

#### H.4.1 Basel Framework (Basel III/IV, Basel Committee Guidance)

* **Capital & liquidity regulation**
  * Climate and systemic risk guidance (e.g., on climate-related financial risks, scenario analysis) aligns with:
    * NRM Profiles for **banking-book and trading-book climate risk**.
    * NRM scenario engines for macro–financial stress testing.
* **NRM as scenario infrastructure**
  * NRM provides the **data fusion, modelling, and governance rail** used for capital adequacy and ICAAP/ORSA-type processes.

#### H.4.2 IAIS Insurance Core Principles (ICPs) & ORSA

* **Risk-based supervision**
  * NRM supports insurers’ ORSA processes via:
    * Hazard and loss modelling packs (e.g., coastal, drought, health).
    * AEPs and indices that can be relied upon by supervisors.
* **Systemic insurance risk**
  * Parametric and systemic products using NRM triggers become **transparent, traceable risk transfer mechanisms**.

#### H.4.3 IOSCO & Market Infrastructures

* NRM provides cross-asset and cross-market systemic indicators (FININT, MACROINT) that can feed into:
  * Market surveillance.
  * Stress tests of CCPs and trading venues.

#### H.4.4 IFRS/ISSB, TCFD and Sustainability-Related Standards

* **Climate and sustainability reporting**
  * NRM indices and scenarios map to:
    * Exposure metrics (transition/physical risk) required by TCFD-style disclosures.
    * ISSB sustainability metrics and scenario narratives.
* **NRM Profiles**
  * `NRM-Climate-Corporate-ERM` profiles specify how corporate ERM systems call into NRM rails to produce consistent disclosure-ready evidence.

***

### H.5 Sendai Framework, DRR, and Global Climate Regimes

#### H.5.1 Sendai Framework for Disaster Risk Reduction

* **Sendai priorities** (understanding risk, governance, investing, preparedness and “Build Back Better”) align directly with NRM’s:
  * **Sense/Evidence** phases — UNOSINT, indices, AEPs.
  * **Governance** — NXSR, Rail DAOs, NXHIVE.
  * **Invest & Prepare** — GRA capital facilities, playbooks, scenario-driven programmes.
* **Targets and indicators**
  * NRM’s index engines (NXOBS) expose Sendai-aligned indicators (losses, exposure, resilience) in a machine-readable, cross-rail format.

#### H.5.2 UNFCCC, NAPs, Adaptation Communications

* **National adaptation plans**
  * NRM rails at the country level become **adaptation analytics backbones**, producing AEPs and scenarios that can be referenced in NAPs and Long-Term Strategies.
* **Loss and Damage, resilience finance**
  * NRM evidence underpins **transparent, agreed metrics** for impacts and resilience, potentially informing Loss & Damage funding allocation and monitoring.

***

### H.6 IPCC, IPBES, WMO and Environmental Knowledge Systems

#### H.6.1 IPCC Risk Framework

* IPCC’s risk = f(hazard, exposure, vulnerability) structure is encoded as:
  * Core risk decomposition in **GRIx**.
  * Model templates in **NXPCK** for climate hazard packs.
  * AEPs that present risk in a manner consistent with the IPCC lexicon.

#### H.6.2 IPBES & Biodiversity/Ecosystem Risk

* **Biodiversity & ecosystem services**
  * IPBES conceptual frameworks map to **CLIMATEINT**, **RESILINT**, and dedicated biodiversity INT modules.
* **NRM extension**
  * NRM links biodiversity and ecosystem degradation risk into:
    * Sovereign and sub-sovereign risk profiles.
    * Infrastructure and supply chain risk via ecologically sensitive dependencies.

#### H.6.3 WMO, GFCS and Meteorological Standards

* Hazard data and early warnings from WMO/GFCS-compliant systems map naturally to:
  * EO/GEOINT streams in NXOBS.
  * Standardised hazard indices for DRR and climate risk packs.

***

### H.7 AI Governance, Data Protection & Human Rights

#### H.7.1 AI Governance (e.g., OECD AI Principles, NIST AI RMF, emerging AI regulations)

* NRM embodies AI governance principles via:
  * **AI & Agent Safety Fabric** (robustness, transparency, oversight).
  * Model cards, audit trails, red-teaming procedures.
  * Multi-stakeholder NVM oversight for high-impact AI usage.

#### H.7.2 Data Protection & Privacy (e.g., GDPR, Convention 108, OECD Privacy Guidelines)

* Core constructs:
  * **Lawful-basis matrices** and SDZ classes reflect GDPR-like categories (public interest, consent, vital interests, etc.).
  * Purpose limitation and data minimisation encoded in Policy DSL and ingestion contracts.
  * Data subject rights implemented through:
    * Erasure/deprecation workflows.
    * Anonymisation and aggregation patterns in packs.

#### H.7.3 Human Rights & Indigenous Rights Instruments

* NRM’s normative foundations and Community & Indigenous Governance Fabric are designed to be consistent with:
  * Indigenous rights and free, prior, informed consent (FPIC) practice.
  * Human rights risk frameworks (e.g., UN Guiding Principles on Business and Human Rights).

These are operationalised as:

* Rights to refusal/opaque knowledge in Policy DSL.
* Community veto hooks and participatory modelling protocols in rails and packs.

***

### H.8 Summary: NRM as a Standards-Convergent Rail

Across ISO, NIST, Basel, Sendai, IPCC/IPBES, and related frameworks, NRM offers:

1. A **semantic layer** (GRIx, NXSS) where the concepts, roles and obligations of each standard can be represented explicitly.
2. A **process & evidence layer** (AEPs, scenarios, episodes) that turns compliance from a static, document-driven activity into an **ongoing, data-driven practice**.
3. A **governance layer** (NVM, Rail DAOs, NXHIVE) that anchors the use of standards in **polycentric, multi-stakeholder decision structures**.
4. A **technical backbone** (NXSOS, NXSTUDIO, NXOBS) that supports **secure, privacy-respecting, and explainable implementation** of those standards at scale.

In other words, the Nexus Ecosystem does not “compete” with existing standards; it **makes them computable, interoperable, and systemic**—so that in a human–machine–nature era, global risk management can be **both standards-compliant and fit-for-purpose**.


