Risk Management Expert

Comprehensive risk frameworks for enterprise risk assessment, business continuity, and risk mitigation.

Detailed References:

ERM Framework & Risk Appetite - COSO framework, risk appetite, quantitative analysis
Business Continuity Management - BCM lifecycle, recovery objectives, crisis management
Insurance & Risk Transfer - Insurance programs, risk financing strategies

Risk Categories

Category	Description	Examples
Strategic	Risks to business model/strategy	Competitive disruption, M&A failure
Operational	Risks in day-to-day operations	Process failures, supply chain
Financial	Financial loss risks	Credit, market, liquidity
Compliance	Regulatory/legal risks	Regulatory changes, lawsuits
Reputational	Brand and stakeholder risks	Negative publicity, social media
Technology	IT and cyber risks	Cyber attacks, system failures
Human Capital	People-related risks	Key person, talent shortage
External	Environmental/external risks	Natural disasters, geopolitical

Risk Assessment Process

RISK ASSESSMENT STEPS:

1. RISK IDENTIFICATION
   - Environmental scanning
   - Stakeholder interviews
   - Workshop facilitation
   - Historical analysis
   - Scenario analysis

2. RISK ANALYSIS
   - Probability assessment
   - Impact assessment
   - Velocity consideration
   - Control effectiveness

3. RISK EVALUATION
   - Risk prioritization
   - Comparison to appetite
   - Aggregation analysis
   - Interdependency mapping

4. RISK RESPONSE
   - Accept (within appetite)
   - Mitigate (reduce likelihood/impact)
   - Transfer (insurance, contracts)
   - Avoid (eliminate activity)

5. MONITORING & REPORTING
   - Key Risk Indicators (KRIs)
   - Risk dashboards
   - Escalation triggers
   - Periodic reassessment

Risk Heat Map

RISK MATRIX:

         IMPACT
         Low    Medium    High    Critical
LIKELIHOOD
Very High   3      6        9        12
High        2      4        6         9
Medium      1      2        4         6
Low         1      1        2         3

SCORING:
1-2: Accept/Monitor
3-4: Active Management
6: Senior Management Attention
9-12: Executive/Board Attention

Third-Party Risk Management

Vendor Risk Framework

TPRM LIFECYCLE:

1. PLANNING
   - Vendor inventory
   - Risk categorization
   - Assessment requirements

2. DUE DILIGENCE
   - Questionnaires
   - Documentation review
   - On-site assessments
   - Reference checks

3. CONTRACTING
   - Security requirements
   - SLAs
   - Audit rights
   - Termination provisions

4. ONGOING MONITORING
   - Performance tracking
   - Risk reassessment
   - Issue management

5. TERMINATION
   - Data return/destruction
   - Access revocation
   - Transition planning

Vendor Risk Tiers

Tier	Criteria	Assessment
Critical	Core business, high data access	Full assessment, annual
High	Significant operations impact	Comprehensive, annual
Medium	Moderate business impact	Standard, biennial
Low	Limited impact	Self-assessment

Vendor Assessment Areas

ASSESSMENT DOMAINS:

INFORMATION SECURITY:
- Security controls
- Data protection
- Incident response
- Access management

OPERATIONAL:
- Business continuity
- Change management
- Performance history

FINANCIAL:
- Financial stability
- Insurance coverage
- Pricing sustainability

COMPLIANCE:
- Regulatory compliance
- Certifications
- Audit history

REPUTATIONAL:
- Market reputation
- Legal history
- References

Operational Risk Management

Operational Risk Framework

OPERATIONAL RISK CATEGORIES:

PEOPLE:
- Human error
- Inadequate training
- Fraud
- Key person dependency

PROCESS:
- Control failures
- Procedure gaps
- Documentation issues
- Capacity constraints

SYSTEMS:
- IT failures
- Data integrity
- System integration
- Technology obsolescence

EXTERNAL:
- Vendor failures
- Regulatory changes
- Natural disasters
- Market disruptions

Key Risk Indicators (KRIs)

Risk Area	KRI	Threshold
Operational	Process exceptions	>5%
Technology	System downtime	>99.9% uptime
People	Staff turnover	<15%
Vendor	SLA breaches	<5%
Compliance	Policy violations	0 critical

Control Assessment

CONTROL EVALUATION:

DESIGN EFFECTIVENESS:
- Is the control properly designed?
- Does it address the risk?
- Is it documented?

OPERATING EFFECTIVENESS:
- Is it consistently applied?
- Is it working as intended?
- Is evidence maintained?

CONTROL RATINGS:
Effective: Control works as designed
Needs Improvement: Minor gaps
Inadequate: Significant gaps
Absent: No control in place

Reputational Risk

Reputation Risk Framework

REPUTATION DRIVERS:

PRODUCTS & SERVICES:
- Quality
- Safety
- Value

CORPORATE BEHAVIOR:
- Ethics
- Governance
- Environmental impact

WORKPLACE:
- Culture
- Diversity
- Employee treatment

LEADERSHIP:
- Integrity
- Competence
- Communication

FINANCIAL:
- Performance
- Transparency
- Investor relations

Reputation Monitoring

MONITORING SOURCES:

MEDIA:
- Traditional news
- Online publications
- Broadcast

SOCIAL:
- Twitter/X
- LinkedIn
- Reddit
- Industry forums

STAKEHOLDER:
- Customer feedback
- Employee surveys
- Investor calls
- Analyst reports

METRICS:
- Sentiment score
- Share of voice
- Message pull-through
- Crisis response time

Risk Reporting

Board Risk Reporting

BOARD REPORT ELEMENTS:

EXECUTIVE SUMMARY:
- Top risks
- Emerging risks
- Risk appetite status

RISK DASHBOARD:
- Heat map
- Trend analysis
- KRI status

DEEP DIVES:
- Focus areas
- Incident summary
- Response effectiveness

FORWARD LOOK:
- Emerging risks
- Strategic risks
- Mitigation plans

Risk Metrics Dashboard

Category	Metric	Target
Risk Appetite	Risks within tolerance	100%
Incidents	Material losses	0
Controls	Effective controls	>90%
Issues	Overdue remediation	<5%
Training	Completion rate	>95%

risk-management

NPX Install

Tags

SKILL.md Content

Risk Management Expert

Risk Categories

Risk Assessment Process

Risk Heat Map

Third-Party Risk Management

Vendor Risk Framework

Vendor Risk Tiers

Vendor Assessment Areas

Operational Risk Management

Operational Risk Framework

Key Risk Indicators (KRIs)

Control Assessment

Reputational Risk

Reputation Risk Framework

Reputation Monitoring

Risk Reporting

Board Risk Reporting

Risk Metrics Dashboard

See Also