Added endpoints for both the features

.gitignore

@@ -1 +1,4 @@
-.env
+.env
+.venv
+__pycache__
+*.pyc

README.md

@@ -1,11 +1,425 @@
+# EY Catalyst - Business Impact Assessment & Risk Management API
+
+An advanced AI-powered FastAPI application for Business Impact Assessment (BIA), threat identification, and risk mitigation analysis. This tool helps organizations identify, assess, and mitigate risks across their business processes using sophisticated AI models.
+
+## 🚀 Features
+
+- **Process Risk Assessment**: Generate comprehensive threat analyses for business processes
+- **Risk Mitigation Planning**: Create actionable mitigation strategies with revised risk ratings
+- **Geographic Threat Assessment**: Analyze location-specific threats and risks
+- **AI-Powered Analysis**: Uses advanced language models (Groq/Llama) for intelligent risk assessment
+- **RESTful API**: Easy integration with existing systems and frontends
+- **Interactive Documentation**: Built-in Swagger UI for API exploration
+
+## 📋 Table of Contents
+
+- [Installation](#installation)
+- [Configuration](#configuration)
+- [API Endpoints](#api-endpoints)
+- [Use Cases](#use-cases)
+- [Request/Response Examples](#requestresponse-examples)
+- [Error Handling](#error-handling)
+- [Contributing](#contributing)
+
+## 🛠️ Installation
+
+### Prerequisites
+
+- Python 3.8+
+- GROQ API Key (for AI model access)
+
+### Setup
+
+1. **Clone the repository**
+   ```bash
+   git clone <repository-url>
+   cd ey-catalyst
+   ```
+
+2. **Install dependencies**
+   ```bash
+   pip install -r requirements.txt
+   ```
+
+3. **Set environment variables**
+   ```bash
+   export GROQ_API_KEY=your_groq_api_key_here
+   ```
+
+4. **Run the application**
+   ```bash
+   uvicorn app:app --reload --port 8000
+   ```
+
+5. **Access the API**
+   - API Documentation: http://localhost:8000/docs
+   - Base URL: http://localhost:8000
+
+## ⚙️ Configuration
+
+### Environment Variables
+
+| Variable | Description | Required |
+|----------|-------------|----------|
+| `GROQ_API_KEY` | API key for Groq language model service | Yes |
+
+### Supported Models
+
+- **llama3-8b-8192**: Primary model for risk analysis and threat assessment
+
+## 🔗 API Endpoints
+
+### 1. Process Threat Generation
+
+**Endpoint**: `POST /api/generate-threats`
+
+Generates comprehensive threat assessments for business processes.
+
+**Use Cases**:
+- Business continuity planning
+- Risk register development
+- Process vulnerability assessment
+- Compliance risk analysis
+
+**Request Body**:
+```json
+{
+  "processName": "Financial Transaction Processing",
+  "department": "Finance",
+  "description": "Handles all daily banking transactions",
+  "owner": "John Doe",
+  "businessContext": "Supports daily liquidity tracking",
+  "rto": "1hour",
+  "mtpd": "24hours",
+  "minTolerableDowntime": "15minutes"
+}
+```
+
+**Response**:
+```json
+{
+  "threats": [
+    {
+      "id": 1,
+      "name": "Cyber Attack",
+      "description": "Malicious attack disrupting core operations",
+      "likelihood": 3,
+      "impact": 4,
+      "category": "Security",
+      "mitigation": "Use firewalls and real-time monitoring"
+    }
+  ]
+}
+```
+
+### 2. Risk Mitigation Analysis
+
+**Endpoint**: `POST /api/risk-mitigation`
+
+Provides mitigation strategies and revised risk assessments for identified threats.
+
+**Use Cases**:
+- Risk treatment planning
+- Control effectiveness assessment
+- Residual risk calculation
+- Mitigation cost-benefit analysis
+
+**Request Body**:
+```json
+[
+  {
+    "enablerType": "Technology",
+    "enablerDomain": "Hardware",
+    "majorCategory": "Fire",
+    "mappedThreat": "Fire at HQ",
+    "existingControls": "Data centre equipped with handheld fire extinguishers",
+    "complianceStatus": "Yes, inspected monthly and tagged",
+    "impact": "4",
+    "likelihood": "3",
+    "riskValue": "12"
+  }
+]
+```
+
+**Response**:
+```json
+{
+  "mitigatedRisks": [
+    {
+      "revisedImpact": 2,
+      "revisedLikelihood": 2,
+      "revisedRiskValue": 4,
+      "mitigationPlan": "• Install fire suppression systems • Conduct quarterly training • Implement monitoring alerts",
+      "ownership": "Facilities Management Team"
+    }
+  ]
+}
+```
+
+### 3. Geographic Threat Assessment
+
+**Endpoint**: `POST /bia/threat-assessment`
+
+Analyzes location-specific threats and geopolitical risks.
+
+**Use Cases**:
+- International expansion risk assessment
+- Supply chain geographical risk analysis
+- Office location security evaluation
+- Political stability assessment
+
+**Request Body**:
+```json
+{
+  "message": "Our company is planning to establish operations in Southeast Asia, specifically in Singapore and Bangkok."
+}
+```
+
+**Response**:
+```json
+{
+  "place": "Southeast Asia (Singapore, Bangkok)",
+  "threats": [
+    {
+      "name": "Political Instability",
+      "likelihood": 2,
+      "severity": 4,
+      "impact": "Potential disruption to business operations",
+      "threat_rating": 8
+    }
+  ]
+}
+```
+
+### 4. Impact Analysis (Placeholder)
+
+**Endpoint**: `POST /bia/impact-analysis`
+
+Reserved for future Business Impact Analysis functionality.
+
+## 🎯 Use Cases
+
+### 1. Enterprise Risk Management
+
+**Scenario**: Large corporation conducting annual risk assessment
+
+**Process**:
+1. Use `/api/generate-threats` for each critical business process
+2. Consolidate identified threats into risk register
+3. Use `/api/risk-mitigation` to develop treatment plans
+4. Monitor and update mitigation strategies quarterly
+
+**Benefits**:
+- Comprehensive threat identification
+- Consistent risk assessment methodology
+- Actionable mitigation strategies
+- Regulatory compliance support
+
+### 2. Business Continuity Planning
+
+**Scenario**: Financial services firm developing BCP
+
+**Process**:
+1. Map critical processes and dependencies
+2. Generate threat assessments using AI analysis
+3. Determine recovery objectives (RTO/MTPD)
+4. Develop mitigation and recovery strategies
+
+**Benefits**:
+- Reduced business disruption
+- Faster recovery times
+- Improved stakeholder confidence
+- Regulatory compliance
+
+### 3. Vendor Risk Assessment
+
+**Scenario**: Evaluating third-party service providers
+
+**Process**:
+1. Assess vendor-specific threats and controls
+2. Generate mitigation recommendations
+3. Calculate residual risk post-mitigation
+4. Develop ongoing monitoring strategies
+
+**Benefits**:
+- Informed vendor selection
+- Reduced supply chain risks
+- Clear accountability frameworks
+- Continuous risk monitoring
+
+### 4. Geographic Expansion Planning
+
+**Scenario**: Multinational expanding to new markets
+
+**Process**:
+1. Use geographic threat assessment for target locations
+2. Evaluate political, economic, and security risks
+3. Develop location-specific risk mitigation plans
+4. Establish local risk monitoring capabilities
+
+**Benefits**:
+- Informed market entry decisions
+- Reduced operational risks
+- Better resource allocation
+- Enhanced stakeholder confidence
+
+## 📊 Request/Response Examples
+
+### Complete Process Risk Assessment
+
+**Request**:
+```bash
+curl -X POST "http://localhost:8000/api/generate-threats" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "processName": "Customer Data Processing",
+    "department": "IT Operations",
+    "description": "Manages customer personal and financial data",
+    "owner": "Data Protection Officer",
+    "businessContext": "Critical for customer service and compliance",
+    "rto": "2hours",
+    "mtpd": "8hours",
+    "minTolerableDowntime": "30minutes"
+  }'
+```
+
+**Response**:
+```json
+{
+  "threats": [
+    {
+      "id": 1,
+      "name": "Data Breach",
+      "description": "Unauthorized access to customer personal and financial data could result in regulatory fines, legal action, and reputational damage",
+      "likelihood": 3,
+      "impact": 5,
+      "category": "Security",
+      "mitigation": "Implement encryption, access controls, and regular security audits"
+    },
+    {
+      "id": 2,
+      "name": "System Outage",
+      "description": "Hardware or software failure could disrupt customer service operations beyond acceptable RTO",
+      "likelihood": 4,
+      "impact": 4,
+      "category": "Operational",
+      "mitigation": "Deploy redundant systems and automated failover mechanisms"
+    }
+  ]
+}
+```
+
+### Risk Mitigation Planning
+
+**Request**:
+```bash
+curl -X POST "http://localhost:8000/api/risk-mitigation" \
+  -H "Content-Type: application/json" \
+  -d '[
+    {
+      "enablerType": "Process",
+      "enablerDomain": "Information Security",
+      "majorCategory": "Cyber Security",
+      "mappedThreat": "Ransomware Attack",
+      "existingControls": "Antivirus software and email filtering",
+      "complianceStatus": "Partially compliant - needs updates",
+      "impact": "5",
+      "likelihood": "4",
+      "riskValue": "20"
+    }
+  ]'
+```
+
+**Response**:
+```json
+{
+  "mitigatedRisks": [
+    {
+      "revisedImpact": 3,
+      "revisedLikelihood": 2,
+      "revisedRiskValue": 6,
+      "mitigationPlan": "• Deploy endpoint detection response systems • Implement network segmentation controls • Conduct regular penetration testing",
+      "ownership": "Information Security Team"
+    }
+  ]
+}
+```
+
+## 🚨 Error Handling
+
+### Common Error Responses
+
+**400 Bad Request**:
+```json
+{
+  "detail": "Invalid request format or missing required fields"
+}
+```
+
+**422 Validation Error**:
+```json
+{
+  "detail": [
+    {
+      "loc": ["body", "processName"],
+      "msg": "field required",
+      "type": "value_error.missing"
+    }
+  ]
+}
+```
+
+**500 Internal Server Error**:
+```json
+{
+  "detail": "AI service temporarily unavailable. Fallback response provided."
+}
+```
+
+### Fallback Mechanisms
+
+The API includes intelligent fallback responses when AI services are unavailable:
+
+- **Threat Generation**: Returns common business process threats
+- **Risk Mitigation**: Provides category-based mitigation strategies
+- **Geographic Assessment**: Returns general location risk factors
+
+## 🔧 Technical Architecture
+
+### Components
+
+1. **FastAPI Framework**: RESTful API with automatic documentation
+2. **Pydantic Models**: Request/response validation and serialization
+3. **Groq Integration**: AI-powered analysis using Llama models
+4. **Fallback Logic**: Intelligent responses when AI is unavailable
+5. **JSON Processing**: Robust parsing of AI-generated responses
+
+### Security Considerations
+
+- **API Key Management**: Secure handling of external service credentials
+- **Input Validation**: Comprehensive request validation using Pydantic
+- **Error Handling**: Graceful degradation with meaningful error messages
+- **Rate Limiting**: Consider implementing for production deployments
+
+## 🤝 Contributing
+
+1. Fork the repository
+2. Create a feature branch (`git checkout -b feature/amazing-feature`)
+3. Commit your changes (`git commit -m 'Add some amazing feature'`)
+4. Push to the branch (`git push origin feature/amazing-feature`)
+5. Open a Pull Request
+
+## 📄 License
+
+This project is licensed under the MIT License - see the LICENSE file for details.
+
+## 🆘 Support
+
+For support and questions:
+- Create an issue in the repository
+- Contact the development team
+- Check the API documentation at `/docs`
+
 ---
-title: Ey Catalyst
-emoji: 📊
-colorFrom: yellow
-colorTo: purple
-sdk: docker
-pinned: false
-license: mit
----
-See if push works
-Check out the configuration reference at https://huggingface.co/docs/hub/spaces-config-reference
+
+**Built with ❤️ for enterprise risk management and business continuity**

app.py

@@ -1,8 +1,10 @@
 # app.py
 from fastapi import FastAPI
 from pydantic import BaseModel
+from typing import List, Optional
 import os
 import openai
+import json
 
 app = FastAPI()
 
@@ -13,7 +15,7 @@ GROQ_API_KEY = os.environ.get("GROQ_API_KEY")
 def generate_response(system_prompt: str, user_message: str):
     client = openai.OpenAI(api_key=GROQ_API_KEY, base_url="https://api.groq.com/openai/v1")
     response = client.chat.completions.create(
-        model="mixtral-8x7b-32768",
+        model="llama3-8b-8192",  # Try this supported model
         messages=[
             {"role": "system", "content": system_prompt},
             {"role": "user", "content": user_message}
@@ -22,10 +24,149 @@ def generate_response(system_prompt: str, user_message: str):
     )
     return response.choices[0].message.content
 
-# Request model
+# Request models
 class Message(BaseModel):
     message: str
 
+class ProcessData(BaseModel):
+    processName: str
+    department: str
+    description: str
+    owner: str
+    businessContext: str
+    rto: str
+    mtpd: str
+    minTolerableDowntime: str
+
+# Response models
+class Threat(BaseModel):
+    id: int
+    name: str
+    description: str
+    likelihood: int
+    impact: int
+    category: str
+    mitigation: str
+
+class ThreatsResponse(BaseModel):
+    threats: List[Threat]
+
+@app.post("/api/generate-threats", response_model=ThreatsResponse)
+def generate_threats(process_data: ProcessData):
+    """
+    Generate threats for a given business process based on its characteristics
+    """
+    system_prompt = """
+You are an expert cybersecurity and business continuity risk analyst. Your task is to analyze business processes and identify potential threats that could disrupt operations.
+
+Given the process information, generate a comprehensive list of threats that could affect this specific business process. Consider:
+- Cybersecurity threats (malware, ransomware, phishing, insider threats)
+- Operational threats (system failures, human error, supply chain disruption)
+- Natural disasters and environmental threats
+- Regulatory and compliance risks
+- Third-party and vendor risks
+- Physical security threats
+
+For each threat, provide:
+- A unique sequential ID
+- A clear, specific name
+- A detailed description of how it could impact this process
+- Likelihood rating (1-5, where 1=very unlikely, 5=very likely)
+- Impact rating (1-5, where 1=minimal impact, 5=catastrophic impact)
+- A relevant category
+- Practical mitigation strategies
+
+Consider the process's RTO, MTPD, and minimum tolerable downtime when assessing impact.
+
+Respond strictly in this JSON format:
+{
+  "threats": [
+    {
+      "id": 1,
+      "name": "Threat Name",
+      "description": "Detailed description of the threat and its potential impact",
+      "likelihood": 3,
+      "impact": 4,
+      "category": "Security/Operational/Environmental/Regulatory",
+      "mitigation": "Specific mitigation strategies"
+    }
+  ]
+}
+"""
+
+    user_message = f"""
+Process Details:
+- Process Name: {process_data.processName}
+- Department: {process_data.department}
+- Description: {process_data.description}
+- Process Owner: {process_data.owner}
+- Business Context: {process_data.businessContext}
+- Recovery Time Objective (RTO): {process_data.rto}
+- Maximum Tolerable Period of Disruption (MTPD): {process_data.mtpd}
+- Minimum Tolerable Downtime: {process_data.minTolerableDowntime}
+
+Please analyze this process and generate 8-12 relevant threats with their risk assessments and mitigation strategies.
+"""
+
+    try:
+        result = generate_response(system_prompt, user_message)
+        
+        # Extract JSON from the response (AI sometimes adds explanatory text)
+        json_start = result.find('{')
+        json_end = result.rfind('}') + 1
+        
+        if json_start != -1 and json_end > json_start:
+            json_str = result[json_start:json_end]
+            threats_data = json.loads(json_str)
+            return ThreatsResponse(**threats_data)
+        else:
+            raise ValueError("No valid JSON found in response")
+            
+    except (json.JSONDecodeError, ValueError) as e:
+        # Fallback response if JSON parsing fails
+        return ThreatsResponse(threats=[
+            Threat(
+                id=1,
+                name="System Unavailability",
+                description="Critical system failure affecting process execution",
+                likelihood=3,
+                impact=4,
+                category="Operational",
+                mitigation="Implement redundant systems and regular backups"
+            ),
+            Threat(
+                id=2,
+                name="Cyber Attack",
+                description="Malicious attack disrupting core operations",
+                likelihood=3,
+                impact=4,
+                category="Security",
+                mitigation="Use firewalls and real-time monitoring"
+            ),
+            Threat(
+                id=3,
+                name="Data Breach",
+                description="Unauthorized access to sensitive process data",
+                likelihood=2,
+                impact=5,
+                category="Security",
+                mitigation="Implement encryption and access controls"
+            )
+        ])
+    except Exception as e:
+        # Fallback response for any other errors
+        return ThreatsResponse(threats=[
+            Threat(
+                id=1,
+                name="Process Disruption",
+                description="General process disruption due to unforeseen circumstances",
+                likelihood=3,
+                impact=3,
+                category="Operational",
+                mitigation="Develop comprehensive business continuity plans"
+            )
+        ])
+
 @app.post("/bia/threat-assessment")
 def bia_threat_assessment(req: Message):
     prompt = """
@@ -63,3 +204,183 @@ def bia_impact_analysis(req: Message):
         "status": "placeholder",
         "note": "This endpoint is reserved for BIA impact analysis logic."
     }
+
+class RiskItem(BaseModel):
+    enablerType: str
+    enablerDomain: str
+    majorCategory: str
+    mappedThreat: str
+    existingControls: str
+    complianceStatus: str
+    impact: str
+    likelihood: str
+    riskValue: str
+
+class MitigationResponse(BaseModel):
+    revisedImpact: int
+    revisedLikelihood: int
+    revisedRiskValue: int
+    mitigationPlan: str
+    ownership: str
+
+class RiskMitigationResponse(BaseModel):
+    mitigatedRisks: List[MitigationResponse]
+
+@app.post("/api/risk-mitigation", response_model=RiskMitigationResponse)
+def generate_risk_mitigation(risk_items: List[RiskItem]):
+    """
+    Generate mitigation plans and revised risk assessments for identified threats
+    """
+    system_prompt = """
+You are an expert risk management and business continuity analyst. Your task is to analyze existing risk items and provide comprehensive mitigation strategies that will reduce the overall risk.
+
+For each risk item provided, you need to:
+1. Analyze the current risk assessment (impact, likelihood, risk value)
+2. Evaluate existing controls and compliance status
+3. Recommend additional mitigation measures
+4. Provide revised risk ratings after implementing the mitigation plan
+5. Assign appropriate ownership for the mitigation activities
+
+Consider:
+- Current controls effectiveness and compliance status
+- Industry best practices for the specific threat type
+- Cost-effective mitigation strategies
+- Realistic timeline for implementation
+- Appropriate ownership based on enabler type and domain
+
+For revised ratings:
+- Impact (1-5): Consider how mitigation reduces potential damage
+- Likelihood (1-5): Consider how mitigation reduces probability of occurrence
+- Risk Value: Calculate as revised impact × revised likelihood
+
+For mitigation plans:
+- Maximum 3 bullet points
+- Each point maximum 10 words
+- Be concise and actionable
+
+Respond strictly in this JSON format (no newlines within strings):
+{
+  "mitigatedRisks": [
+    {
+      "revisedImpact": 2,
+      "revisedLikelihood": 2,
+      "revisedRiskValue": 4,
+      "mitigationPlan": "• Install fire suppression systems • Conduct quarterly training • Implement monitoring alerts",
+      "ownership": "Responsible party/department"
+    }
+  ]
+}
+"""
+
+    # Format the risk items for the AI
+    risk_data = []
+    for i, item in enumerate(risk_items, 1):
+        risk_data.append(f"""
+Risk Item {i}:
+- Enabler Type: {item.enablerType}
+- Enabler Domain: {item.enablerDomain}
+- Major Category: {item.majorCategory}
+- Mapped Threat: {item.mappedThreat}
+- Existing Controls: {item.existingControls}
+- Compliance Status: {item.complianceStatus}
+- Current Impact: {item.impact}
+- Current Likelihood: {item.likelihood}
+- Current Risk Value: {item.riskValue}
+""")
+
+    user_message = f"""
+Please analyze the following risk items and provide mitigation strategies:
+
+{''.join(risk_data)}
+
+For each risk item, provide:
+1. Revised impact rating (1-5) after implementing mitigation
+2. Revised likelihood rating (1-5) after implementing mitigation
+3. Revised risk value (impact × likelihood)
+4. Concise mitigation plan (max 3 points, 10 words each)
+5. Appropriate ownership assignment (department/role responsible)
+
+Consider the existing controls and compliance status when developing mitigation plans.
+"""
+
+    try:
+        result = generate_response(system_prompt, user_message)
+        
+        # Extract JSON from the response
+        json_start = result.find('{')
+        json_end = result.rfind('}') + 1
+        
+        if json_start != -1 and json_end > json_start:
+            json_str = result[json_start:json_end]
+            # The AI returns properly formatted JSON with newlines, just parse it directly
+            try:
+                mitigation_data = json.loads(json_str)
+                return RiskMitigationResponse(**mitigation_data)
+            except json.JSONDecodeError as e:
+                # If direct parsing fails, try cleaning the JSON
+                import re
+                json_str = re.sub(r'\n\s*', ' ', json_str)
+                json_str = re.sub(r'\r\s*', ' ', json_str) 
+                json_str = re.sub(r'\t+', ' ', json_str)
+                json_str = re.sub(r'\s+', ' ', json_str)
+                mitigation_data = json.loads(json_str)
+                return RiskMitigationResponse(**mitigation_data)
+        else:
+            raise ValueError("No valid JSON found in response")
+            
+    except (json.JSONDecodeError, ValueError) as e:
+        # Fallback response if JSON parsing fails - provide intelligent mitigation
+        fallback_risks = []
+        for i, item in enumerate(risk_items):
+            # Intelligent fallback logic based on threat category and existing controls
+            current_impact = int(item.impact)
+            current_likelihood = int(item.likelihood)
+            
+            # Risk reduction logic based on category
+            impact_reduction = 1
+            likelihood_reduction = 1
+            
+            if item.majorCategory.lower() in ['fire', 'natural disaster']:
+                impact_reduction = 2
+                likelihood_reduction = 2
+            elif item.majorCategory.lower() in ['cyber security', 'security']:
+                impact_reduction = 1
+                likelihood_reduction = 2
+            
+            revised_impact = max(1, current_impact - impact_reduction)
+            revised_likelihood = max(1, current_likelihood - likelihood_reduction)
+            
+            # Generate category-specific mitigation plans
+            if item.majorCategory.lower() == 'fire':
+                mitigation_plan = "• Install automatic fire suppression systems • Conduct quarterly safety training • Implement 24/7 monitoring alerts"
+                ownership = "Facilities Management Team"
+            elif item.majorCategory.lower() in ['cyber security', 'security']:
+                mitigation_plan = "• Deploy endpoint detection response systems • Implement network segmentation controls • Conduct regular penetration testing"
+                ownership = "Information Security Team"
+            else:
+                mitigation_plan = f"• Enhance existing {item.majorCategory.lower()} controls • Implement continuous monitoring systems • Establish incident response procedures"
+                ownership = f"{item.enablerDomain} Team"
+            
+            fallback_risks.append(MitigationResponse(
+                revisedImpact=revised_impact,
+                revisedLikelihood=revised_likelihood,
+                revisedRiskValue=revised_impact * revised_likelihood,
+                mitigationPlan=mitigation_plan,
+                ownership=ownership
+            ))
+        
+        return RiskMitigationResponse(mitigatedRisks=fallback_risks)
+    
+    except Exception as e:
+        # General fallback for any other errors
+        fallback_risks = []
+        for i, item in enumerate(risk_items):
+            fallback_risks.append(MitigationResponse(
+                revisedImpact=2,
+                revisedLikelihood=2,
+                revisedRiskValue=4,
+                mitigationPlan="• Implement enhanced risk controls • Establish monitoring procedures • Conduct regular assessments",
+                ownership="Risk Management Team"
+            ))
+        
+        return RiskMitigationResponse(mitigatedRisks=fallback_risks)