Abstract Organisations rarely fail because no signals were available. They fail because signals were missed, fragmented, misread, downgraded, or interpreted too late. Existing frameworks classify risk, quantify losses, define governance requirements, and specify control obligations, but they do not provide a structured methodology for interpreting the observable signal environment that surrounds a risk event. They do not explain what it means when expected signals are absent, when a system appears implausibly clean, or when a signal environment has been deliberately constructed to resist classification. This paper introduces PRISM (Propagation Risk Intelligence and Signal Mapping), a domain-agnostic methodology for signal-based risk assessment and decision intelligence. PRISM treats signals rather than events as the primary unit of assessment. It formalises a four-category signal taxonomy comprising negative signals, absent signals, anomalously positive signals, and strategic signal ambiguity. It further derives five system properties, Autonomy, Opacity, Coupling, Integrity, and Containment, that together determine how risk propagates through a system. PRISM operates through four layers: signal detection, signal-to-intelligence transformation, temporal continuity, and evidence preservation. A single assessment produces 21 structured outputs serving different organisational consumers simultaneously, including a propagation velocity estimate, an assessment confidence band, a designed-state drift analysis, and an organisational signal culture indicator. The methodology is auditable, calibratable, transferable, and repeatable. Domain transferability has been tested across ICT and cyber risk, financial crime and KYC signal assessment, and relationship dynamics. PRISM is intended to complement rather than replace the risk, security, and regulatory frameworks organisations already use by providing the signal interpretation layer they assume but do not define.
Hannimari Karola Savola (Thu,) studied this question.