The Decision Layer · DiamondSoul · Risk work that produces decisions and proof
DiamondSoul · The Decision Layer · 2026

Most organisations don't have a risk problem. They have a decision problem disguised as risk.

DiamondSoul installs the integrated model — Risk Taxonomy, Decision Architecture, Decision Infrastructure — for boards, CROs, CISOs, and Audit Chairs at £1B+ regulated organisations whose risk functions produce more output than ever and are still being asked what to actually decide.

Published in / contributed to
Writing on risk governance and decision infrastructure has appeared in Forbes Technology Council, ISACA, CSO Online, CIO.com, MSN, and Senior Executive. Contributions to the WEF Cyber Resilience Compass, CSA CCM v4.0, and OWASP Agentic AI Security Risks.

The constraint

If these patterns keep returning in your organisation, the problem is design — not reporting.

Boards receive updates but not decisions. Risks get noted but not funded. Evidence gets assembled late, under pressure, from memory. Ownership drifts between committees. The issue is rarely personal; it is almost always structural.

Symptom 01

Board friction

The board asks sharper questions than current reporting can answer. Confidence drops even when slide volume rises. Directors sense the gap before the function does.

Symptom 02

Execution drift

Important issues recycle through committees. Decisions appear to exist, but closure remains weak and accountability blurs. A year later, the same risks are being discussed with different language.

Symptom 03

Evidence scramble

Audit and regulator packs take too long to produce. Proof exists somewhere, but not in a form leadership can trust quickly — and not in a form a new director could reconstruct without interviewing the people who were in the room.

The model

Three layers. One operating model.

The integrated model is built on a single principle: risk activity only produces decisions when three layers are present and load-bearing in sequence. Taxonomy is the language. Architecture is the routing. Infrastructure is the proof. Each layer depends on the others.

01
Risk Taxonomy

The shared language of exposure.

One taxonomy across the organisation so risks become comparable, aggregatable, and fundable. A three-level structure — domain, family, type — built on a nine-domain event backbone that stays stable as technologies change. Without it, every downstream decision inherits ambiguity, and the board cannot tell whether the top-10 risk list has changed because exposure has changed, or because people have reclassified the same events.

02
Decision Architecture

Routing, rights, and standards of proof.

The routing that moves a classified risk to the right decision-maker at the right authority level, without requiring the CRO in the room. Five sequential moves and eight decision attributes — a decision carrying all eight is durable under scrutiny; one missing any has a predictable failure mode. Named decision rights, named evidentiary standards, named escalation thresholds.

03
Decision Infrastructure

The system that turns architecture into practice.

A system of record, a cadence that closes loops, and evidence generated in the course of decisions rather than reconstructed after them. The layer most organisations have never installed, regardless of how mature their framework looks on paper. The function stops depending on the presence of any one individual.

The outputs

Four things that matter in senior rooms.

Fundable decisions

Decisions with named trade-offs, named owners, and named evidentiary standards. Decisions a CFO can fund and a board can defend.

Explicit risk appetite

Appetite that forces real trade-offs — with owners, thresholds, and expiry dates — rather than appetite that rubber-stamps every decision the business has already taken.

Audit-ready evidence

Evidence produced structurally as decisions are made, not reconstructed under regulatory or committee pressure from partial sources and imperfect memory.

A governance rhythm that holds

Weekly, monthly, and quarterly routines that keep the model operational after the installation work is done — so the function stops depending on any one individual.

The audience

Designed for organisations mature enough to have built risk activity, and mature enough to notice that activity is not the same as decision.

Audience 01

Board Chairs and Board Members

For directors who need sharper board decisions, clearer ownership, and confidence they can defend under external scrutiny.

Audience 02

CIOs · CTOs · CISOs

For technology leaders who need decisions, funding, and evidence that survive outside the function — and who are tired of carrying structural load that should sit elsewhere.

Audience 03

CROs and Senior Risk Leaders

For risk functions producing more output than ever and still being asked by the board what to actually do. For leaders whose operational, supply-chain, third-party, or people risk work is fragmented across parallel taxonomies.

Audience 04

Audit and Assurance Leaders

For functions that want findings converted into named decisions, traceable evidence, and a governance standard that holds before the next regulatory review, not during it.

The engagements

Four ways into the integrated model.

The right one depends on where pressure is arriving in your organisation, and how quickly it needs to be answered.

01

Decision Layer Diagnostic

A structured executive review for organisations that know something is off but need to find the real constraint. The front door to the model. Most engagements begin here.

02

Decision Layer Installation

A focused installation engagement for organisations ready to build the missing layer — taxonomy, architecture, or infrastructure — identified by the Diagnostic. Best commissioned once the binding constraint is named and leadership is ready to act.

03

Decision Layer Advisory

Retained monthly advisory for board preparation, executive decisions, evidence freshness, and governance under pressure. For leaders who want ongoing strategic counsel rather than a one-off engagement.

04

Decision Layer Programme

The full enterprise installation — taxonomy, architecture, infrastructure — sequenced across a twelve-to-eighteen-month programme. For organisations committing to install the model as the durable operating layer of the risk function.

The front-door engagement

A system where risk work reliably produces decisions, delivery, and proof.

A 2–3 week structured executive review of the three load-bearing layers, naming the binding constraint in your function, what it is costing in board confidence today, and the highest-value move available in the next 90 days. Availability is limited by calendar, not by marketing.