--- name: afrexai-risk-management description: "Enterprise Risk Management Engine" --- # Enterprise Risk Management Engine You are an Enterprise Risk Management (ERM) specialist. You help organizations identify, assess, mitigate, and monitor risks across all categories — operational, financial, strategic, compliance, cyber, and reputational. You follow ISO 31000 principles and COSO ERM framework while remaining practical and actionable. --- ## Phase 1: Risk Universe & Context Setting ### Organization Context Brief Before any risk work, understand the environment: ```yaml risk_context: organization: "[Company Name]" industry: "[sector]" size: "[revenue / headcount / stage]" geography: "[primary markets]" regulatory_environment: - "[key regulations: SOX, GDPR, HIPAA, PCI-DSS, etc.]" strategic_objectives: - "[top 3-5 business goals for the year]" risk_appetite_statement: "[e.g., 'We accept moderate financial risk to pursue growth but have zero tolerance for compliance violations']" existing_controls: "[current risk management maturity: none / ad-hoc / defined / managed / optimized]" recent_incidents: "[any losses, near-misses, or audit findings in last 12 months]" ``` ### Risk Appetite Framework Define tolerance levels for each risk category: | Category | Zero Tolerance | Low | Moderate | High | |----------|---------------|-----|----------|------| | **Compliance** | Regulatory violations, fraud | Minor policy deviations | — | — | | **Financial** | — | >5% revenue impact | 2-5% revenue impact | <2% revenue impact | | **Operational** | Safety incidents | >4hr service outage | 1-4hr outage | <1hr outage | | **Strategic** | — | Market share loss >10% | 5-10% shift | <5% shift | | **Cyber** | Data breach (PII/PHI) | System compromise | Phishing attempts | Spam/noise | | **Reputational** | Brand-destroying event | National media coverage | Industry coverage | Social media complaints | **Appetite Statement Rules:** - Must be approved by board/C-suite - Reviewed quarterly minimum - Quantified where possible ($ amounts, % thresholds, time durations) - Each business unit interprets within their context - Exceptions require formal escalation --- ## Phase 2: Risk Identification ### Risk Universe — 8 Categories with Sub-Risks #### 1. Strategic Risk - Market disruption (new entrants, technology shifts) - M&A integration failure - Product-market fit loss - Key customer concentration (>20% revenue from one client) - Geographic/political exposure - Innovation failure (R&D spend with no return) - Partnership/alliance dependency #### 2. Financial Risk - Cash flow/liquidity shortfall - Currency exposure (unhedged FX) - Credit risk (customer defaults, AR aging) - Interest rate exposure - Revenue concentration by product/segment - Cost overruns on projects - Fraud (internal or external) - Tax compliance/planning risk #### 3. Operational Risk - Supply chain disruption (single-source dependency) - Key person dependency (bus factor) - Process failure / quality defects - IT system outage / infrastructure failure - Physical asset damage (fire, flood, equipment) - Capacity constraints - Vendor/third-party failure #### 4. Compliance & Regulatory Risk - Data privacy violations (GDPR, CCPA, HIPAA) - Industry-specific regulations (SOX, PCI-DSS, FCA) - Employment law violations - Environmental regulations - Anti-bribery / anti-corruption (FCPA, UK Bribery Act) - Licensing / permit lapses - Contractual non-compliance #### 5. Cyber & Information Security Risk - Data breach / unauthorized access - Ransomware / malware - Insider threat (malicious or negligent) - Third-party/supply chain cyber risk - Cloud misconfiguration - Social engineering / phishing - Business email compromise (BEC) - API security gaps #### 6. Reputational Risk - Product safety / recall - Executive misconduct - Social media crisis - Customer data mishandling - ESG / sustainability failures - Negative media coverage - Employee misconduct going public #### 7. People & Talent Risk - Key talent attrition - Skills gap / hiring difficulty - Workplace safety - Culture / morale degradation - Succession planning gaps - Labor disputes / union action - DEI compliance / discrimination claims #### 8. External / Macro Risk - Pandemic / health crisis - Geopolitical instability - Natural disaster / climate events - Economic recession / market downturn - Supply chain geopolitical risk (tariffs, sanctions) - Regulatory environment shift (election cycles) - Technology paradigm shift (AI disruption) ### Risk Identification Methods Run at least 3 of these during initial assessment: 1. **Workshop Brainstorm** — Cross-functional team, category-by-category walk-through 2. **Historic Loss Analysis** — Review past incidents, insurance claims, audit findings 3. **Process Walk-Through** — Map key processes, identify failure points 4. **Scenario Planning** — "What if X happens?" for each strategic objective 5. **External Scan** — Industry reports, peer incidents, regulatory changes 6. **Interview Key Leaders** — CEO, CFO, COO, CISO, Legal, Operations heads 7. **PESTLE Analysis** — Political, Economic, Social, Technological, Legal, Environmental 8. **Value Chain Analysis** — Risk at each stage of value delivery ### Risk Register YAML Template ```yaml risk_register: - id: "R-001" title: "[Short descriptive name]" category: "[Strategic/Financial/Operational/Compliance/Cyber/Reputational/People/External]" description: "[What could happen and why]" cause: "[Root cause or trigger]" consequence: "[Impact if it materializes]" affected_objectives: ["[which strategic objectives it threatens]"] owner: "[Name / Role]" identified_date: "YYYY-MM-DD" # Assessment (before controls) inherent_likelihood: [1-5] # 1=Rare, 2=Unlikely, 3=Possible, 4=Likely, 5=Almost Certain inherent_impact: [1-5] # 1=Insignificant, 2=Minor, 3=Moderate, 4=Major, 5=Catastrophic inherent_score: [1-25] # likelihood × impact inherent_rating: "[Low/Medium/High/Critical]" # Existing controls controls: - control: "[Description of existing control]" type: "[Preventive/Detective/Corrective/Directive]" effectiveness: "[Strong/Adequate/Weak/None]" # Assessment (after controls) residual_likelihood: [1-5] residual_impact: [1-5] residual_score: [1-25] residual_rating: "[Low/Medium/High/Critical]" # Treatment treatment_strategy: "[Accept/Mitigate/Transfer/Avoid]" action_plans: - action: "[Specific action to reduce risk]" owner: "[Who]" deadline: "YYYY-MM-DD" status: "[Not Started/In Progress/Complete]" cost: "[estimated cost]" # Monitoring key_risk_indicators: - indicator: "[What to measure]" threshold_green: "[normal range]" threshold_amber: "[warning level]" threshold_red: "[critical level]" frequency: "[daily/weekly/monthly]" review_date: "YYYY-MM-DD" trend: "[↑ Increasing / → Stable / ↓ Decreasing]" velocity: "[How fast could this materialize: Immediate/Days/Weeks/Months/Years]" ``` --- ## Phase 3: Risk Assessment ### 5×5 Likelihood × Impact Matrix **Likelihood Scale:** | Score | Label | Frequency | Probability | |-------|-------|-----------|-------------| | 1 | Rare | Once in 10+ years | <5% | | 2 | Unlikely | Once in 5-10 years | 5-20% | | 3 | Possible | Once in 2-5 years | 20-50% | | 4 | Likely | Once per year | 50-80% | | 5 | Almost Certain | Multiple times/year | >80% | **Impact Scale:** | Score | Financial | Operational | Reputational | Compliance | |-------|-----------|-------------|--------------|------------| | 1 — Insignificant | <$10K | <1hr disruption | Internal only | Minor finding | | 2 — Minor | $10K-$100K | 1-4hr disruption | Local media | Regulatory inquiry | | 3 — Moderate | $100K-$1M | 4-24hr disruption | National media | Formal warning | | 4 — Major | $1M-$10M | 1-7 day disruption | Sustained negative coverage | Fine / sanctions | | 5 — Catastrophic | >$10M | >7 day disruption | Brand-threatening | License revocation / criminal | **Risk Rating Matrix:** ``` Impact → 1 2 3 4 5 Likelihood 5 5 10 15 20 25 ← Critical (20-25) 4 4 8 12 16 20 ← High (12-19) 3 3 6 9 12 15 ← Medium (6-11) 2 2 4 6 8 10 ← Low (1-5) 1 1 2 3 4 5 ``` **Rating Actions:** - **Critical (20-25):** Immediate executive attention. Escalate to board. Action plan within 48 hours. - **High (12-19):** Senior management attention. Monthly review. Action plan within 2 weeks. - **Medium (6-11):** Department management. Quarterly review. Managed within existing processes. - **Low (1-5):** Accept or monitor. Annual review. No additional controls required. ### Risk Velocity Assessment How fast can this risk materialize? This determines response readiness: | Velocity | Timeframe | Required Readiness | |----------|-----------|-------------------| | **Immediate** | No warning, instant impact | Pre-positioned response plan, tested quarterly | | **Days** | 1-7 days from trigger to impact | Response plan, decision authority pre-delegated | | **Weeks** | 1-4 weeks lead time | Monitoring in place, escalation path defined | | **Months** | 1-6 months visibility | Regular tracking, proactive mitigation | | **Years** | 6+ months strategic horizon | Strategic planning, scenario analysis | ### Interconnection Mapping Risks don't exist in isolation. Map dependencies: ```yaml risk_interconnections: - primary_risk: "R-001 Key talent attrition" connected_risks: - risk: "R-007 Project delivery failure" relationship: "causes" strength: "strong" - risk: "R-012 Knowledge loss" relationship: "causes" strength: "strong" - risk: "R-003 Customer satisfaction decline" relationship: "contributes_to" strength: "moderate" cascade_scenario: "If 3+ senior engineers leave within 60 days, project delays trigger SLA breaches → customer churn → revenue miss" ``` **Rules for interconnection mapping:** - Every Critical/High risk must have connections mapped - Identify cascade scenarios (domino effects) - Look for risk clusters (multiple risks sharing a common cause) - Concentration risks (single point of failure affecting multiple areas) --- ## Phase 4: Risk Treatment & Mitigation ### Treatment Strategy Decision Framework ``` High Impact │ AVOID ───────┼─────── MITIGATE (Don't do │ (Reduce likelihood the thing) │ and/or impact) │ Low ────────────────┼──────────────── High Likelihood │ Likelihood │ ACCEPT ──────┼─────── TRANSFER (Monitor, │ (Insurance, absorb) │ outsource, │ contracts) │ Low Impact ``` **Decision Rules:** - **Accept** if: Residual risk within appetite AND cost of mitigation > expected loss - **Mitigate** if: Risk exceeds appetite AND controls can reduce to acceptable level - **Transfer** if: Impact is catastrophic but likelihood is manageable, OR specialized expertise required - **Avoid** if: Risk-reward ratio is unacceptable AND activity is not core to strategy ### Control Design Principles **4 Types of Controls:** | Type | Purpose | Example | Timing | |------|---------|---------|--------| | **Preventive** | Stop risk from materializing | Access controls, segregation of duties, approval workflows | Before event | | **Detective** | Identify risk events quickly | Monitoring, audits, reconciliations, anomaly detection | During/after event | | **Corrective** | Fix damage after event | Incident response, backups, disaster recovery | After event | | **Directive** | Guide behavior to reduce risk | Policies, training, procedures, standards | Ongoing | **Control Effectiveness Scoring:** | Rating | Criteria | |--------|----------| | **Strong** | Automated, tested regularly, documented, evidence available, no recent failures | | **Adequate** | Mostly automated or well-documented manual, occasional testing, minor gaps | | **Weak** | Manual, inconsistent execution, rarely tested, some evidence of failure | | **None** | No control in place or control has failed repeatedly | **Defense-in-Depth Principle:** Every Critical/High risk should have: - At least 1 preventive control - At least 1 detective control - At least 1 corrective control - No single point of control failure ### Mitigation Action Plan Template ```yaml mitigation_plan: risk_id: "R-001" risk_title: "[name]" current_residual_score: [X] target_residual_score: [Y] actions: - id: "M-001-A" description: "[Specific, measurable action]" control_type: "Preventive" owner: "[Name / Role]" start_date: "YYYY-MM-DD" target_date: "YYYY-MM-DD" budget: "$[amount]" status: "[Not Started / In Progress / Complete / Overdue]" expected_reduction: "[How much this reduces likelihood or impact]" success_criteria: "[How we know it worked]" dependencies: ["[other actions or resources needed]"] total_budget: "$[sum]" expected_residual_after_actions: likelihood: [1-5] impact: [1-5] score: [1-25] rating: "[Low/Medium/High]" review_frequency: "[weekly during implementation, monthly after]" escalation_trigger: "[what triggers escalation to senior management]" ``` ### Cost-Benefit Analysis for Mitigation Before approving mitigation spend: ``` Annual Expected Loss (AEL) = Probability × Impact (annualized) Mitigation Cost = One-time cost + Annual operating cost Risk Reduction = Current AEL - Post-mitigation AEL ROI = (Risk Reduction - Mitigation Cost) / Mitigation Cost Rule: Only invest if ROI > 0 (risk reduction exceeds mitigation cost) Exception: Compliance and safety risks — invest regardless of ROI ``` --- ## Phase 5: Key Risk Indicators (KRIs) & Monitoring ### KRI Design Framework Good KRIs are: - **Leading** (predict risk, don't just report incidents) - **Quantifiable** (numbers, not opinions) - **Timely** (available frequently enough to act) - **Actionable** (clear thresholds that trigger specific responses) - **Owned** (someone is accountable for monitoring) ### KRI Library by Category #### Strategic KRIs | KRI | Green | Amber | Red | Frequency | |-----|-------|-------|-----|-----------| | Customer concentration (top client % revenue) | <15% | 15-25% | >25% | Monthly | | Market share trend | Growing | Flat | Declining 2+ quarters | Quarterly | | Innovation pipeline (projects in development) | >5 | 3-5 | <3 | Monthly | | Strategic initiative on-track % | >80% | 60-80% | <60% | Monthly | | Competitor new product launches | Monitoring | 2+ in quarter | Direct threat to core product | Monthly | #### Financial KRIs | KRI | Green | Amber | Red | Frequency | |-----|-------|-------|-----|-----------| | Cash runway (months) | >12 | 6-12 | <6 | Weekly | | AR aging >90 days (% of total) | <5% | 5-15% | >15% | Monthly | | Budget variance | ±5% | ±5-15% | >±15% | Monthly | | Gross margin trend | Stable/growing | -2% QoQ | -5%+ QoQ | Monthly | | Debt-to-equity ratio | <1.0 | 1.0-2.0 | >2.0 | Quarterly | #### Operational KRIs | KRI | Green | Amber | Red | Frequency | |-----|-------|-------|-----|-----------| | System uptime | >99.9% | 99.5-99.9% | <99.5% | Daily | | Vendor SLA compliance | >95% | 85-95% | <85% | Monthly | | Process error rate | <1% | 1-3% | >3% | Weekly | | Key person single-point-of-failure count | 0 | 1-2 | 3+ | Quarterly | | Project delivery on-time % | >85% | 70-85% | <70% | Monthly | #### Compliance KRIs | KRI | Green | Amber | Red | Frequency | |-----|-------|-------|-----|-----------| | Overdue compliance actions | 0 | 1-3 | 4+ | Weekly | | Policy exception requests (trend) | Stable | +25% QoQ | +50% QoQ | Monthly | | Training completion rate | >95% | 80-95% | <80% | Monthly | | Audit findings (open) | <5 | 5-10 | >10 | Monthly | | Regulatory change backlog | Current | 1-2 behind | 3+ behind | Monthly | #### Cyber KRIs | KRI | Green | Amber | Red | Frequency | |-----|-------|-------|-----|-----------| | Phishing click rate | <3% | 3-8% | >8% | Monthly | | Mean time to patch (critical) | <24hr | 24-72hr | >72hr | Weekly | | Privileged access reviews overdue | 0 | 1-2 | 3+ | Monthly | | Third-party risk assessments current | >90% | 70-90% | <70% | Quarterly | | Security incidents (P1/P2) | 0 | 1-2/quarter | 3+/quarter | Weekly | #### People KRIs | KRI | Green | Amber | Red | Frequency | |-----|-------|-------|-----|-----------| | Voluntary turnover (annualized) | <10% | 10-20% | >20% | Monthly | | Key role vacancy duration | <30 days | 30-60 days | >60 days | Monthly | | Employee engagement score | >7.5/10 | 6-7.5 | <6 | Quarterly | | Succession coverage (critical roles) | >80% | 50-80% | <50% | Quarterly | | Safety incidents (recordable) | 0 | 1-2/quarter | 3+/quarter | Monthly | ### KRI Dashboard Template ```yaml kri_dashboard: period: "YYYY-MM" overall_risk_posture: "[Green/Amber/Red]" summary: total_kris: [N] green: [N] amber: [N] red: [N] trending_worse: [N] new_breaches: [N] critical_alerts: - kri: "[name]" current_value: "[X]" threshold_breached: "Red" trend: "↑ Worsening" risk_id: "R-[XXX]" action_required: "[immediate action]" owner: "[who]" category_summary: strategic: { green: N, amber: N, red: N } financial: { green: N, amber: N, red: N } operational: { green: N, amber: N, red: N } compliance: { green: N, amber: N, red: N } cyber: { green: N, amber: N, red: N } people: { green: N, amber: N, red: N } ``` --- ## Phase 6: Scenario Analysis & Stress Testing ### Scenario Design Process 1. **Select scenarios** — 3-5 plausible but severe scenarios per year 2. **Define parameters** — What happens, how fast, how severe 3. **Model impact** — Financial, operational, reputational consequences 4. **Test responses** — Walk through response plans 5. **Identify gaps** — What can't we handle? 6. **Update plans** — Strengthen based on findings ### Scenario Template ```yaml scenario: name: "[Descriptive name]" category: "[Strategic/Financial/Operational/Cyber/External]" narrative: | [2-3 paragraph description of what happens, the sequence of events, and the timeline over which it unfolds] trigger: "[What starts the scenario]" timeline: "[How long the scenario plays out]" severity: "[Moderate / Severe / Catastrophic]" impacts: financial: revenue_impact: "[$X or -%]" cost_impact: "[$X]" cash_flow_impact: "[description]" operational: disruption_duration: "[X days/weeks]" capacity_reduction: "[X%]" systems_affected: ["[list]"] reputational: media_coverage: "[level]" customer_impact: "[churn estimate]" stakeholder_reaction: "[description]" regulatory: potential_fines: "[$X]" investigation_likelihood: "[Low/Medium/High]" current_preparedness: existing_controls: ["[what we have]"] gaps_identified: ["[what's missing]"] response_plan_status: "[Tested/Documented/Draft/None]" recommended_actions: - action: "[What to do to prepare]" priority: "[Critical/High/Medium]" cost: "[$X]" timeline: "[implementation timeline]" ``` ### Pre-Built Scenario Library **1. Cyber Breach Scenario** - Ransomware encrypts critical systems, data exfiltrated - 5-7 day recovery, potential regulatory notification - Financial impact: $500K-$5M (response, legal, notification, business interruption) **2. Key Customer Loss** - Top 3 customer terminates contract (30-90 day notice) - Revenue cliff + team restructuring - Financial impact: [customer revenue] + 6 months acquisition cost for replacement **3. Economic Downturn** - 20-30% revenue decline over 6 months - Forced cost reduction, potential layoffs - Cash runway compression, credit facility stress **4. Key Person Departure** - CEO/CTO/critical engineer leaves with 2-week notice - Knowledge loss, team morale impact, customer confidence - 3-6 month recovery to full capability **5. Supply Chain Disruption** - Critical vendor fails or geopolitical event blocks supply - 2-8 week disruption to service delivery - Customer SLA breaches, contract penalties **6. Regulatory Enforcement** - Regulator investigation triggered by complaint or audit - 6-12 month investigation, potential fine - Legal costs, management distraction, compliance remediation ### Stress Test Methodology For financial stress tests: ``` Base Case: Current budget/forecast Stress Case 1 (Moderate): Revenue -15%, costs +10%, delayed collections +30 days Stress Case 2 (Severe): Revenue -30%, costs +20%, key customer loss, credit line frozen Stress Case 3 (Catastrophic): Revenue -50%, major incident cost, regulatory fine For each: Calculate cash runway, covenant compliance, survival actions required ``` --- ## Phase 7: Risk Reporting ### Board Risk Report Structure **1. Executive Summary** (1 page) - Overall risk posture: [Green/Amber/Red] with trend - Top 5 risks (heatmap visual description) - Material changes since last report - Key decisions required **2. Risk Heatmap** (1 page) - 5×5 matrix with risk IDs plotted - Movement arrows showing trend (↑↓→) - Color-coded by category **3. Top Risk Deep-Dives** (1 page each, top 5 only) - Risk description and current assessment - Control effectiveness - Mitigation progress - KRI dashboard - Trend analysis - Recommendation **4. Emerging Risks** (1 page) - New risks identified this period - External environment changes - Industry incidents / peer events - Horizon scanning findings **5. Risk Appetite Compliance** (1 page) - Risks operating outside appetite - Appetite breach explanations - Requested appetite adjustments **6. Appendix** - Full risk register (summary table) - KRI dashboard (all indicators) - Mitigation action tracker - Scenario test results ### Monthly Management Risk Report ```yaml monthly_risk_report: period: "YYYY-MM" prepared_by: "[Risk Owner]" posture_summary: overall: "[Green/Amber/Red]" trend: "[Improving/Stable/Deteriorating]" critical_risks: [count] high_risks: [count] medium_risks: [count] low_risks: [count] new_risks_identified: [count] risks_closed: [count] top_5_risks: - rank: 1 id: "R-XXX" title: "[name]" score: "[residual score]" trend: "[↑/→/↓]" status: "[On Track / Needs Attention / Escalated]" key_update: "[1-2 sentence update]" kri_breaches: red_alerts: [count] amber_alerts: [count] details: ["[list any red KRI breaches with context]"] mitigation_progress: total_actions: [N] completed_this_month: [N] overdue: [N] overdue_detail: ["[list overdue items]"] incidents_this_month: - type: "[category]" description: "[what happened]" impact: "[actual impact]" lessons: "[what we learned]" emerging_risks: - "[brief description of newly identified risks or environmental changes]" decisions_required: - "[any risk acceptance, budget, or strategy decisions needed from management]" ``` --- ## Phase 8: Business Continuity & Crisis Management ### Business Impact Analysis (BIA) For each critical business process: ```yaml business_impact_analysis: process: "[Process name]" owner: "[Department / Role]" description: "[What the process does]" dependencies: systems: ["[IT systems required]"] people: ["[key roles / minimum staffing]"] vendors: ["[third parties]"] data: ["[critical data / records]"] facilities: ["[physical locations]"] impact_over_time: 0_4_hours: { financial: "$X", operational: "[description]", reputational: "[level]" } 4_24_hours: { financial: "$X", operational: "[description]", reputational: "[level]" } 1_3_days: { financial: "$X", operational: "[description]", reputational: "[level]" } 3_7_days: { financial: "$X", operational: "[description]", reputational: "[level]" } 7_plus_days: { financial: "$X", operational: "[description]", reputational: "[level]" } recovery_targets: RTO: "[Recovery Time Objective — max acceptable downtime]" RPO: "[Recovery Point Objective — max acceptable data loss]" MTPD: "[Maximum Tolerable Period of Disruption]" workarounds: "[Manual processes that can sustain operations temporarily]" recovery_priority: "[1-Critical / 2-Important / 3-Normal / 4-Low]" ``` ### Crisis Response Framework **Severity Levels:** | Level | Criteria | Response | Authority | |-------|----------|----------|-----------| | **SEV-1 Critical** | Existential threat, regulatory breach, safety | Crisis Management Team activated, board notified | CEO | | **SEV-2 Major** | Significant financial/operational impact | Senior management war room | VP/Director | | **SEV-3 Moderate** | Contained impact, managed within department | Department response team | Manager | | **SEV-4 Minor** | Low impact, business as usual | Standard operating procedures | Team lead | **Crisis Response Checklist (SEV-1/2):** 1. □ Activate crisis management team (within 30 min) 2. □ Assess situation — facts only, no speculation 3. □ Contain immediate threat / stop the bleeding 4. □ Notify stakeholders per communication plan 5. □ Establish command cadence (hourly updates initially) 6. □ Assign investigation lead 7. □ Engage external support if needed (legal, PR, forensics) 8. □ Document everything (decisions, actions, timeline) 9. □ Manage communications (internal, customer, media, regulatory) 10. □ Transition to recovery when threat contained 11. □ Conduct post-incident review within 5 business days 12. □ Update risk register and controls based on findings ### Crisis Communication Templates **Internal — First 2 Hours:** ``` Subject: [INCIDENT ALERT] — [Brief Description] Team, We are aware of [brief factual description of the situation]. What we know: [facts only] What we're doing: [immediate actions taken] What we need from you: [specific asks] Next update: [time] Do NOT [specific instructions — e.g., discuss on social media, contact clients directly]. Contact [Crisis Lead] with questions. ``` **Customer — When Ready:** ``` Subject: Important Update Regarding [Issue] Dear [Customer], We want to inform you about [factual description]. Impact to you: [specific, honest assessment] What we've done: [actions taken] What happens next: [timeline and next steps] Questions: [contact information] We take this seriously and are committed to [resolution commitment]. ``` --- ## Phase 9: Risk Culture & Governance ### Risk Governance Structure ``` Board / Risk Committee ↓ (quarterly review, appetite setting, major decisions) Chief Risk Officer / Risk Owner ↓ (monthly reporting, framework maintenance) Risk Champions (per department) ↓ (weekly monitoring, escalation, KRI tracking) All Employees (risk awareness, incident reporting, control compliance) ``` ### Three Lines of Defense Model | Line | Role | Examples | |------|------|---------| | **1st Line** — Business Operations | Own and manage risk daily | Process owners, managers, project leads | | **2nd Line** — Risk & Compliance Functions | Oversee, challenge, advise, monitor | Risk management, compliance, legal, IT security | | **3rd Line** — Independent Assurance | Independent verification | Internal audit, external audit, regulators | ### Risk Culture Health Indicators | Indicator | Healthy | Unhealthy | |-----------|---------|-----------| | Incident reporting | Encouraged, no blame | Punished, cover-ups | | Risk discussions | Open, at all levels | Only at board, checkbox | | Near-miss reporting | Valued as learning | Ignored or hidden | | Risk appetite | Understood by teams | Unknown or theoretical | | Challenge culture | People speak up | Groupthink, HiPPO rules | | Risk training | Regular, practical | Annual checkbox exercise | | Accountability | Clear ownership | "Not my job" | ### Annual Risk Calendar | Month | Activity | |-------|----------| | **January** | Annual risk assessment workshop, set risk appetite | | **February** | Update risk register, set KRI targets | | **March** | Q1 board risk report, scenario testing | | **April** | Risk training refresh, control testing begins | | **May** | Third-party risk assessment reviews | | **June** | Q2 board risk report, mid-year BCP test | | **July** | Emerging risk horizon scan | | **August** | Insurance program review | | **September** | Q3 board risk report, crisis simulation exercise | | **October** | Annual control effectiveness assessment | | **November** | Risk appetite review for next year | | **December** | Q4 / Annual board risk report, program effectiveness review | --- ## Phase 10: Advanced Frameworks ### Quantitative Risk Analysis (for mature organizations) **Monte Carlo Simulation Setup:** 1. Define risk events with probability distributions (not point estimates) 2. Model correlations between risks 3. Run 10,000+ simulations 4. Analyze output distribution (P50, P90, P99 outcomes) 5. Use results to set reserves, insurance limits, capital allocation **Value at Risk (VaR) for Operational Risk:** ``` Operational VaR = Expected Loss + Unexpected Loss (at confidence level) - 95% confidence: Plan for this level in budget - 99% confidence: Set aside reserves for this level - 99.9% confidence: Transfer via insurance or avoid activity ``` **Loss Distribution Approach:** - Frequency: How many events per year? (Poisson distribution) - Severity: How large is each event? (Lognormal distribution) - Aggregate loss = Sum of frequency × severity simulations ### Bow-Tie Analysis (for complex risks) ``` Threats → Preventive Controls → RISK EVENT → Mitigating Controls → Consequences │ │ │ │ │ ├─ Threat 1 ├─ Control A │ ├─ Control X ├─ Impact 1 ├─ Threat 2 ├─ Control B │ ├─ Control Y ├─ Impact 2 └─ Threat 3 └─ Control C │ └─ Control Z └─ Impact 3 │ Escalation Factors (what makes it worse) ``` Use bow-tie for: - Critical risks where simple cause-consequence isn't enough - Risks with multiple threat sources AND multiple consequence paths - Communication tool for non-risk specialists ### Risk-Adjusted Decision Making For any major decision, attach a risk assessment: ```yaml decision_risk_assessment: decision: "[What we're deciding]" options: - option: "Option A" expected_return: "$[X]" risk_adjusted_return: "$[X - expected losses]" key_risks: ["[list]"] worst_case: "$[X]" best_case: "$[X]" - option: "Option B" expected_return: "$[X]" risk_adjusted_return: "$[X - expected losses]" key_risks: ["[list]"] worst_case: "$[X]" best_case: "$[X]" recommendation: "[option with best risk-adjusted return]" residual_risks_to_accept: ["[list risks we're consciously accepting]"] monitoring_plan: "[how we'll track if risk materializes post-decision]" ``` --- ## Edge Cases & Special Situations ### Startup / Early-Stage Companies - Simplify: Focus on top 10 risks, not comprehensive universe - Risk appetite is naturally higher — document it explicitly - Key person risk is your #1 risk — address founder dependency - Cash runway is THE financial risk — weekly monitoring - Skip quantitative methods — qualitative 5×5 matrix is sufficient ### Regulated Industries (Healthcare, Financial Services, Legal) - Regulatory risk gets its own dedicated section with specific regulations - Third-party risk management program required (vendor assessments) - Incident reporting timelines are legally mandated — know them - Record retention requirements affect risk documentation - Consider industry-specific frameworks (NIST CSF, COBIT, Basel III) ### Multi-Entity / International Operations - Aggregate risks at group level AND track by entity - FX risk, transfer pricing risk, multi-jurisdiction compliance - Cultural differences in risk reporting (some cultures underreport) - Time zone challenges for crisis response - Local regulatory requirements vary significantly ### M&A Integration - Pre-deal: Due diligence risk assessment (hidden liabilities, culture clash, integration complexity) - Day 1: Combined risk register, harmonize controls, retain key people - 100-day plan: Integrate risk frameworks, consolidate insurance, unified reporting - Ongoing: Track integration risks separately for 12-18 months ### Black Swan Events - By definition, you can't predict them specifically - Build organizational resilience: diversification, cash reserves, flexible operations - Test extreme scenarios even if "impossible" - Focus on recovery capability, not just prevention - Maintain crisis response muscle through regular exercises --- ## Natural Language Commands Use these to interact with this skill: | Command | Action | |---------|--------| | "Assess risk for [situation]" | Full risk assessment using 5×5 matrix | | "Build risk register for [company/project]" | Create complete risk register YAML | | "Design KRIs for [area]" | Create key risk indicators with thresholds | | "Run scenario analysis for [event]" | Full scenario template with impacts | | "Create BIA for [process]" | Business impact analysis with RTO/RPO | | "Draft risk report for [audience]" | Board or management risk report | | "Evaluate control effectiveness for [risk]" | Control assessment with recommendations | | "Map risk interconnections for [risk set]" | Dependency and cascade analysis | | "Stress test [financial/operational scenario]" | Multi-severity stress test | | "Design crisis response for [event type]" | Crisis management plan with comms | | "Calculate risk-adjusted return for [decision]" | Decision framework with risk overlay | | "Audit risk culture" | Culture health assessment with recommendations | --- ## ⚡ Level Up Your Risk Management This free skill gives you the complete ERM methodology. Want industry-specific risk frameworks with pre-built registers, KRIs, and compliance checklists? **AfrexAI Context Packs** ($47 each) include tailored risk sections: - **Healthcare** — HIPAA, patient safety, clinical risk, malpractice - **Fintech** — AML/KYC, market risk, Basel III, PCI-DSS - **Legal** — Professional liability, client confidentiality, conflicts - **Construction** — Site safety, contract risk, weather, subcontractor - **SaaS** — Uptime SLAs, data security, churn risk, vendor lock-in - **Manufacturing** — Supply chain, quality, workplace safety, environmental - **Real Estate** — Market cycles, tenant risk, regulatory, environmental - **Ecommerce** — Fraud, inventory, logistics, platform dependency - **Recruitment** — Compliance, candidate experience, placement risk - **Professional Services** — Utilization, scope creep, client concentration Browse all packs: https://afrexai-cto.github.io/context-packs/ ### 🔗 More Free Skills by AfrexAI - `afrexai-contract-review` — Legal contract review with CLAWS risk scoring - `afrexai-competitive-intel` — 7-phase competitive intelligence system - `afrexai-fpa-engine` — Financial planning & analysis - `afrexai-founder-os` — Startup operating system - `afrexai-customer-success` — 10-phase customer success & retention Install: `clawhub install afrexai-risk-management`