Risk analysis for computer systems, networks, and other devices is an extremely complex subject encompassing risk assessment, risk characterization, risk management, and organizational policies relating to risk. Risk communication is an important aspect of risk management, and OVAL and XCCDF have provided an excellent foundation for determining risk compliance and communicating the results between various applications and to the end user.
IBM’s Data Governance Council has decided to push XBRL (eXtensible Business Reporting Language) — a flavor of XML — to become the new standard for communicating risk exposure. Currently, XBRL is primarily used to communicate financial data.
XBRL, a flavor of XML, uses identifying tags to describe various data elements within a financial document, such as “total revenue,” making them more easily searched, aggregated and analyzed.
The council wants to build a common “taxonomy of risk” using XBRL, a move that would help standardize risk-measurement worldwide, providing more transparency into the global economy and helping avoid widescale fiscal calamity like that gripping the world today.
The council is not attempting to foist a preconceived vision on the industry, said its chairman, Steve Adler. “We’re proposing a standards process. XBRL is just a tool, a blank slate, an empty canvas we seek to paint. In order to paint it, we invite people to contribute,” Adler said. The council hopes to be able to propose a specification within one year, he added.
Will XBRL make it in the world of risk management? Certainly there is a need to go beyond XCCDF and the various SCAP implementations to provide a unified language to standardize the measurement of risks. IBM and the Data Governance Council — an association of 50 large, worldwide financial corporations and major organizations — are certainly powerful enough to push for adoption of XML.
If XBRL can be turned into a valid, usable specification, it is likely that we will begin to see XBRL-compatible applications within the next 18 months.
