feature-risk-assessment

# Feature Risk Assessment
## Matter context

Check `## Matter workspaces` in the practice-level CLAUDE.md. If `Enabled` is `✗` (the default for in-house users), skip the rest of this paragraph — skills use practice-level context and the matter machinery is invisible. If enabled and there is no active matter, ask: "Which matter is this for? Run `/product-legal:matter-workspace switch <slug>` or say `practice-level`." Load the active matter's `matter.md` for matter-specific context and overrides. Write outputs to the matter folder at `~/.claude/plugins/config/claude-for-legal/product-legal/matters/<matter-slug>/`. Never read another matter's files unless `Cross-matter context` is `on`.

## Purpose
The launch review is broad. This is deep. When a single issue needs more than a table row — a novel AI feature, a children's product, something a regulator is actively looking at — this skill produces a standalone assessment.
Not every launch needs one. Most don't. This is for the 10% where "PIA done, shipped" isn't the right level of scrutiny.
## When to run this
- Launch review found a pattern that's not in the calibration table (novel)
- Launch review found something in the "usually blocks" category
- GC or leadership asked "what's the risk here" and wants more than a one-liner
- The feature is in an area with active regulatory attention (AI, children, biometric, health)
- Someone outside legal is worried and a structured answer would help
If none of the above, the launch review is enough. Don't generate paperwork for its own sake.
## Structure
### 1. What we're assessing
One paragraph. What the feature does, what's new about it, why it got escalated to a full assessment.
### 2. The risks
For each distinct risk (aim for 2-5, not 15):
```markdown
Risk [N]: [Short name]

Scenario: [What would have to happen for this to go wrong. Be specific —
not "data breach" but "the recommendation algo surfaces a user's sensitive
category interest to someone who shouldn't see it because X."]
Who gets hurt: [Users? The company? A third party? Specific.]
How likely: [Low / Medium / High — with a reason. "Low — would require
both X and Y to fail simultaneously." Not just a vibes rating.]
How bad if it happens: [Low / Medium / High — with a reason. "High —
regulatory fine + class action exposure + press" vs. "Low — one angry
tweet, no actual harm."]
Existing mitigations: [What already reduces the likelihood or impact]
Gap: [What's missing, if anything]
Residual risk: [After existing mitigations — is this acceptable or does
it need more?]
```

### 3. Regulatory landscape (if relevant)
Only include if a regulator is actively interested in this space. If so:
- Which regulator, what they've said/done recently
- How this feature would look to them
- Whether we'd rather they hear about it from us or from a headline
### 4. Precedent (if any)
Has another company done something similar? What happened?
- If nothing bad happened → useful, not dispositive
- If something bad happened → what was different about their situation, does it apply here
Don't overweight precedent. Regulators change priorities; one company getting away with something doesn't mean the next one will.
### 5. Options
Present 2-3 realistic paths:
```markdown
| Option | Description | Risk reduction | Cost |
|---|---|---|---|
| A: Ship as designed | [current plan] | None | None |
| B: Ship with [mitigation] | [change] | [how much] | [eng effort, timeline, UX] |
| C: Don't ship [component] | [scope cut] | [how much] | [product impact] |
```

### 6. Recommendation
Pick one. Explain why. Acknowledge what you're trading off.
```markdown
**Recommended: Option [X]**

[Why. What risk remains. Why that's acceptable. Who accepts it.]

**If the answer is "not my call":** [Who decides, what they need to know]
```

## Calibration check
Before finalizing, check against `~/.claude/plugins/config/claude-for-legal/product-legal/CLAUDE.md` → Risk calibration:

- Is this risk assessment calibrated to this company, or is it generic?
- A risk that's "High" at a company under a consent decree might be "Medium" at one that isn't
- The assessment should reflect the actual regulatory posture, litigation history, and risk appetite captured in the practice profile
## Handoffs

- To AI governance: If the deep-dive was triggered by an AI feature — which it often is — run `/ai-governance-legal:aia-generation [feature]` in parallel or immediately after. The feature risk assessment frames the decision; the AIA documents the AI system specifically in the format AI governance needs. They're not duplicates: the FRA is a product-legal decision doc; the AIA is the governance record.
- To privacy: If the feature involves new data collection or processing, run `/privacy-legal:pia-generation [feature]`. The FRA's risk section will likely overlap with the PIA's — flag that overlap so work isn't duplicated, but both docs need to exist.
- To AI governance vendor review: If the feature uses a new AI vendor, run `/ai-governance-legal:vendor-ai-review [vendor agreement]` if not already done during the launch review.
## Output format

Standalone doc, 2-4 pages. Prepend the work-product header from `~/.claude/plugins/config/claude-for-legal/product-legal/CLAUDE.md` `## Outputs` (it differs by user role — see `## Who's using this`). Not a slide deck, not a memo to file — a decision document someone reads and then decides.

Save where `~/.claude/plugins/config/claude-for-legal/product-legal/CLAUDE.md` → Launch review process says review docs go. If the doc is going to be shared with anyone outside the privileged loop (e.g., posted to a broadly-shared ticket), drop the work-product header only for that externally-facing copy and keep the privileged original in the matter file.

## Citation check
If the assessment cites cases, statutes, regulations, or enforcement actions — in the Regulatory landscape or Precedent sections especially — those citations were generated by an AI model and have not been verified against a primary source. Before the decision document goes to a decisionmaker, verify each citation against a legal research tool (Westlaw, CourtListener, or your firm's research platform) for accuracy, good law status, and current enforcement posture. A risk assessment built on a fabricated enforcement action is worse than no assessment.
No silent supplement. If a research query to the configured legal research tool returns few or no results for the regime or precedent the assessment needs, report what was found and stop. Do NOT fill the gap from web search or model knowledge without asking. Say: "The search returned [N] results from [tool]. Coverage appears thin for [regime / precedent]. Options: (1) broaden the search query, (2) try a different research tool, (3) search the web — results will be tagged `[web search — verify]` and should be checked against the issuing authority before relying, or (4) flag as unverified and stop. Which would you like?" A lawyer decides whether to accept lower-confidence sources.

Source attribution. Tag every citation in the Regulatory landscape and Precedent sections with where it came from: `[Westlaw]`, `[CourtListener]`, or the MCP tool name for citations retrieved from a legal research connector; `[regulator site]` or `[web search — verify]` for web-search citations; `[model knowledge — verify]` for citations recalled from training data; `[user provided]` for citations from the feature team. Citations tagged `[model knowledge — verify]` carry higher fabrication risk and should be checked first. Never strip or collapse the tags — the decisionmaker needs to see which citations to verify first.
## Close with the next-steps decision tree

End with the next-steps decision tree per CLAUDE.md `## Outputs`. Customize the options to what this skill just produced — the five default branches (draft the X, escalate, get more facts, watch and wait, something else) are a starting point, not a lock-in. The tree is the output; the lawyer picks.

## What this skill does not do
- It doesn't assess every feature. Most features get a launch review and that's it.
- It doesn't make the decision. It frames the decision. Someone with authority picks an option.
- It doesn't do quantitative risk modeling. If the company has a formal risk framework with numbers, use that — this is qualitative.