Monitoring tells you what broke. Catalogs tell you what exists. Neither tells you what is unsafe right now — or what regulators expect you to have already identified.
OHA operationalizes STPA (System-Theoretic Process Analysis) into a workflow engineers actually use — AI-assisted, audit-ready, and continuously refreshed from your incident record.
Before 2024, applying STPA to a 200-app portfolio required a team of safety engineers and 6–12 months. Mithris compresses that into a workflow an SRE can run on an app in 15 minutes — and the AI improves with every incident PIR it ingests.
Every score in OHA is computed from explicit, auditable inputs. No black boxes. Every number traces back to a hazard, a control, and an effectiveness rating you can review.
A continuous loop, not a one-time exercise. Hazards are surfaced before incidents, controls are rated, and every incident report feeds back into the register.
A 4-step wizard captures hazards, unsafe control actions, and business losses per application.
Live HazardRisk updates as constraints are added. A 5×5 heatmap surfaces residual risk for every application.
Missing safety constraints auto-create gaps. Effective constraints auto-close them. Bi-directional link to PRR evidence.
Incident records (ServiceNow + free-form PIR) feed CAST-style AI extraction. Every incident strengthens the register.
Every AI suggestion ships with token-Jaccard duplicate detection — flagging similar existing hazards before the operator accepts a suggestion, so the LLM call is never wasted on a duplicate. Runs against any OpenAI-compatible endpoint, including self-hosted Ollama for air-gapped deployments.
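As an added illustration (not OHA's or Mithris's own code), this is how a token-Jaccard duplicate check over a hazard register can be implemented so that a near-duplicate suggestion is flagged before an operator accepts it; the 0.5 threshold, the stopword list, the `Hazard` record and the sample register entries are assumptions for the example.

```python
"""Token-Jaccard duplicate detection for AI-suggested hazards (added example)."""
import re
from dataclasses import dataclass

# Function words inflate overlap between unrelated hazards, so drop them.
STOPWORDS = {"the", "a", "an", "of", "to", "in", "on", "is", "and", "or", "for", "with", "by"}
DUPLICATE_THRESHOLD = 0.5  # assumed cutoff; the page does not state OHA's actual value


def tokenize(text: str) -> frozenset:
    """Lower-case, split on non-alphanumerics, drop stopwords and one-char tokens."""
    tokens = re.findall(r"[a-z0-9]+", text.lower())
    return frozenset(t for t in tokens if t not in STOPWORDS and len(t) > 1)


def jaccard(a: frozenset, b: frozenset) -> float:
    """|A ∩ B| / |A ∪ B|; two empty sets are treated as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


@dataclass(frozen=True)
class Hazard:          # hypothetical register record
    hazard_id: str
    text: str


def find_similar(suggestion: str, register: list, threshold: float = DUPLICATE_THRESHOLD):
    """Return (hazard_id, score) for register entries at or above threshold, best match first."""
    s = tokenize(suggestion)
    scored = [(h.hazard_id, round(jaccard(s, tokenize(h.text)), 3)) for h in register]
    return sorted((hit for hit in scored if hit[1] >= threshold), key=lambda hit: -hit[1])


# Constructed sample register; not real OHA data.
REGISTER = [
    Hazard("H-1", "Payment service accepts requests while the database is unavailable"),
    Hazard("H-2", "Stale cache serves expired pricing data to checkout"),
    Hazard("H-3", "Deployment proceeds without a healthy canary signal"),
]

if __name__ == "__main__":
    for suggestion in ["Payment service accepts requests when the database is down",
                       "Certificate expires without alerting on-call"]:
        print(suggestion, "->", find_similar(suggestion, REGISTER) or "no similar hazard")
```

The first suggestion shares five of nine distinct tokens with H-1 (score 0.556) and is flagged; the second overlaps only on "without" and passes through as new.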
OHA implements a simplified CAST workflow. The AI reads the incident record and applies CAST principles — identify the system hazard (the unsafe state, not merely the sequence of what went wrong), name the contributing factors, propose a safety constraint and an observability control.
Each catalogue entry is a best-practice template — clone it into your application, tune it to your system, and you have a hazard record in seconds. Or skip the catalogue and let the AI suggest hazards from scratch.
When the CISO asks "show me your hazard register," Mithris answers in one click — and the artifact is the document regulators are actually asking for.
EU Digital Operational Resilience Act. Article 6 requires a documented ICT risk-management framework. Article 8 requires hazard identification and classification — the exact output of OHA.
In application since 17 Jan 2025 · ~22,000 EU financial entities in scope
Risk-management measures for essential and important entities. Member states are transposing through 2025–26. Hazard analysis and operational-risk treatment are central requirements.
Telcos · energy · transport · healthcare · digital infrastructure
The Identify function (ID.RA — Risk Assessment) is foundational. OHA produces the per-asset risk identification, classification, and treatment evidence the framework expects.
Adopted by US banking regulators (FFIEC), CISA, and most critical-infrastructure operators
Information security risk management. OHA's risk-treatment workflow (identify → score → mitigate) maps directly to ISO 27005's recommended process — with audit-ready evidence at every step.
Foundation for ISO 27001 risk programs · referenced by HITRUST, SOC 2, and most enterprise audit regimes
We'll run the hazard wizard on a real service from your portfolio, surface its current residual risk, and show you the Board Pack PDF an auditor would actually accept.