Risk management is fundamentally a knowledge and analysis discipline — categorizing threats, assessing likelihood and impact, designing controls, and monitoring effectiveness. AI accelerates every phase of this work, particularly the documentation-heavy tasks that consume disproportionate time.

1. Risk Identification and Assessment

Risk Register Development

Prompt: Help me build a comprehensive risk register for this organization.

Organization: Regional commercial bank ($2.5B assets)
Regulatory environment: OCC (national charter), FDIC insured, BSA/AML compliance
Business lines: Commercial lending, retail banking, treasury, wealth management

Risk categories to assess:
1. Credit Risk
2. Market Risk (interest rate, liquidity)
3. Operational Risk
4. Compliance/Regulatory Risk
5. Cybersecurity Risk
6. Strategic Risk
7. Reputational Risk

For each risk category, identify:
- Top 5-7 specific risks within that category
- Inherent risk rating (High/Medium/Low) with rationale
- Current controls in place (typical for this type of institution)
- Residual risk after controls
- Key Risk Indicators (KRIs) to monitor
- Responsible owner (typical functional area)
- Regulatory reference (if applicable)

Format: Risk register table ready for board risk committee presentation

Risk Assessment Facilitation

Prompt: Help me facilitate a risk assessment workshop.

Workshop: Operational risk assessment for our payment processing function
Participants: Payments Operations Manager, IT Director, Compliance Officer, Internal Auditor
Duration: 3 hours
Method: Facilitated identification and rating

Prepare:
1. Pre-workshop questionnaire (5-7 questions to send participants before session)
2. Workshop agenda with time allocations
3. Risk brainstorming prompts (what questions will surface risks in this area)
4. Rating scale definitions (Likelihood 1-5 with clear descriptions, Impact 1-5 with $ thresholds)
5. Heat map template (Likelihood × Impact grid)
6. Top 10 operational risks in payment processing (industry data for calibration)
7. Post-workshop output template (what we'll produce)

Facilitation guidance: How do I prevent groupthink and ensure quieter participants contribute?

Regulatory Compliance Gap Analysis

Prompt: Perform a gap analysis against this regulation.

Regulation: GDPR (General Data Protection Regulation)
Organization type: Mid-size US e-commerce company that sells to EU customers
Current state: No formal GDPR program exists

For each GDPR requirement area, assess:
1. Requirement description (what the regulation requires)
2. Typical compliance activities needed
3. Documentation required
4. Gap assessment (Compliant / Partial / Non-compliant) with common gaps
5. Risk exposure if non-compliant (max fine, reputational risk)
6. Remediation effort estimate (Low/Medium/High)
7. Priority for remediation (Critical/High/Medium/Low)

GDPR areas to cover:
- Lawful basis for processing
- Privacy notices and consent
- Data subject rights (access, deletion, portability)
- Data protection officer requirement
- Data processing agreements
- Data breach notification (72-hour requirement)
- Privacy by design
- Cross-border transfer mechanisms
- Records of processing activities

Output: Gap analysis report suitable for presenting to executive team

2. Control Framework Design

Internal Control Design

Prompt: Design internal controls for this process.

Process: Vendor payment processing
Control objective: Prevent and detect unauthorized payments and payment fraud

Process description:
1. Invoice received from vendor
2. AP clerk matches to purchase order and receiving report
3. Manager approves payment if over $5,000
4. Payment file prepared
5. Finance director approves and releases payment
6. Bank processes payment
7. Reconciliation performed weekly

Risks to control:
- Fictitious vendor invoices (fraud)
- Duplicate payments
- Unauthorized payment approvals
- Payment to wrong vendor (wrong bank details)
- Payment amount manipulation
- Vendor master data tampering

For each risk, design:
1. Preventive control (stops the risk from occurring)
2. Detective control (identifies if it occurred)
3. Control owner (who performs this control)
4. Control frequency (each transaction, daily, weekly, monthly)
5. Documentation required (what evidence proves the control worked)
6. Testing approach (how internal audit would test this control)

Format: Control matrix ready for SOX documentation or audit purposes

SOX Compliance Documentation

Prompt: Help me document this internal control for SOX purposes.

Control: Three-way match for vendor invoices
Account: Accounts Payable
Financial statement assertion: Existence, Completeness, Valuation
Process owner: Accounts Payable Manager

Control description: For all invoices over $1,000, the AP Clerk electronically matches the vendor invoice to the purchase order and receiving report in the ERP system before approving it for payment. Exceptions require AP Manager approval.

Document the following for SOX purposes:
1. Control objective statement
2. Risk addressed
3. Control description (detailed, specific to our process)
4. Control type (Preventive/Detective)
5. Control frequency
6. Control operator and their responsibility
7. Evidence of operation (what document/system record proves it ran)
8. What could cause the control to fail (control gaps/weaknesses)
9. Complementary controls (other controls that support this one)
10. Testing approach (how auditors would test this control)

Format: SOX control documentation template (US public company standard)
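A worked instance of the controls the two prompts above ask for (the preventive three-way match from the SOX control description and the detective duplicate-payment check from the vendor payment control matrix), added here as an example that is not part of the original page. The $1,000 match threshold and $5,000 manager-approval threshold come from the prompt text; the purchase orders, receiving reports, vendor IDs and bank account numbers are constructed stand-ins for ERP data.

```python
from collections import namedtuple
Invoice = namedtuple("Invoice", "invoice_id vendor_id po_number amount bank_account")

# Constructed stand-ins for ERP records (hypothetical values, not from the page).
PURCHASE_ORDERS = {"PO-100": ("V-1", 4800.00), "PO-101": ("V-2", 12000.00)}  # PO -> (vendor, amount)
RECEIVING_REPORTS = {"PO-100": 4800.00, "PO-101": 9000.00}  # PO -> value of goods received
VENDOR_MASTER = {"V-1": "ACC-111", "V-2": "ACC-222"}  # approved remittance account per vendor
MATCH_THRESHOLD = 1000.00  # three-way match applies to invoices above this amount
MANAGER_APPROVAL_THRESHOLD = 5000.00  # manager approval required above this amount
TOLERANCE = 0.01  # rounding tolerance for amount comparisons

def three_way_match(inv, pos=PURCHASE_ORDERS, receipts=RECEIVING_REPORTS, vendors=VENDOR_MASTER):
    """Preventive control: list the exceptions that block automatic approval (empty list = clean)."""
    result = {"match_required": inv.amount > MATCH_THRESHOLD,
              "manager_approval": inv.amount > MANAGER_APPROVAL_THRESHOLD,
              "exceptions": []}
    if not result["match_required"]:
        return result  # below the control threshold; the invoice proceeds on approval alone
    po = pos.get(inv.po_number)
    if po is None:
        result["exceptions"].append("no purchase order on file")  # fictitious-invoice indicator
    else:
        po_vendor, po_amount = po
        if po_vendor != inv.vendor_id:
            result["exceptions"].append("vendor differs from purchase order")
        if inv.amount > po_amount + TOLERANCE:
            result["exceptions"].append("invoice exceeds purchase order amount")
    received = receipts.get(inv.po_number)
    if received is None:
        result["exceptions"].append("no receiving report")
    elif inv.amount > received + TOLERANCE:
        result["exceptions"].append("invoice exceeds value of goods received")
    if vendors.get(inv.vendor_id) != inv.bank_account:
        result["exceptions"].append("bank account differs from vendor master")  # wrong-bank-details risk
    return result

def find_duplicates(invoices):
    """Detective control: (duplicate_id, original_id) pairs sharing an invoice number or PO+amount per vendor."""
    seen_number, seen_po_amount, dups = {}, {}, []
    for inv in invoices:
        number_key = (inv.vendor_id, inv.invoice_id.strip().upper().replace("-", ""))
        po_key = (inv.vendor_id, inv.po_number, round(inv.amount, 2))
        original = seen_number.get(number_key) or seen_po_amount.get(po_key)
        if original:
            dups.append((inv.invoice_id, original))
            continue
        seen_number[number_key] = inv.invoice_id
        seen_po_amount[po_key] = inv.invoice_id
    return dups
```

The list of exception strings is the evidence record the SOX template asks for under "evidence of operation": an empty list documents a clean match, and a non-empty one documents the exception routed to the AP Manager.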

3. Audit Planning and Execution

Audit Program Development

Prompt: Develop an audit program for this audit engagement.

Audit: IT General Controls Audit (ITGC)
Scope: Core financial reporting systems (ERP, data warehouse, reporting tools)
Regulatory context: SOX Section 404 (Management's assessment of internal controls)
Timing: 8-week engagement
Team: 1 senior auditor + 2 staff auditors

Audit objectives:
- Assess adequacy of access controls
- Evaluate change management process
- Review backup and recovery procedures
- Assess computer operations controls

Develop the audit program including:

For each objective:
1. Risks being addressed
2. Audit procedures (specific steps to execute)
3. Evidence to gather (what documents/screenshots/data)
4. Sample sizes (how many transactions/configurations to test)
5. Testing approach (observation, inspection, re-performance)
6. Responsible auditor and time estimate
7. Potential findings if controls are weak

Also: Opening meeting agenda + document request list to send in advance

Audit Finding Documentation

Prompt: Help me document this audit finding.

What we found: During testing of 25 user access reviews, we found 8 instances (32%) where terminated employees retained system access after their termination date. Access was removed on average 18 days post-termination (range: 3-45 days).

Root cause: HR does not have an automated connection to the IT provisioning system. Terminations are communicated via email, which IT acts on manually.

Impact: Former employees with active access could log in and potentially access sensitive financial and customer data.

Risk: High — data breach, unauthorized transactions, regulatory violation

Document this as a formal audit finding:
1. Finding title
2. Criteria (what should be happening)
3. Condition (what we found)
4. Cause (root cause analysis)
5. Effect/Risk (consequences if not remediated)
6. Recommendation (specific, actionable)
7. Management response template (what management should commit to)
8. Target remediation date (reasonable timeframe)
9. Severity rating with rationale

Format: Formal audit finding ready for audit report
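The finding above came from a manual sample of 25 access reviews; the same test can run continuously as a detective control that reconciles the HR termination feed against the identity system and reports the statistics the finding cites (exception rate, average and range of removal lag). This is an added example, not code from the original page; the employee IDs, dates and both extracts are constructed.

```python
from datetime import date

# Constructed sample extracts (hypothetical records, not taken from the page).
HR_TERMINATIONS = {  # employee_id -> termination date recorded by HR
    "E100": date(2025, 10, 1),
    "E101": date(2025, 10, 3),
    "E102": date(2025, 10, 10),
    "E103": date(2025, 10, 15),
}
IAM_ACCOUNTS = {  # employee_id -> (account enabled?, date the account was disabled or None)
    "E100": (False, date(2025, 10, 4)),   # disabled 3 days after termination
    "E101": (False, date(2025, 11, 17)),  # disabled 45 days after termination
    "E102": (True, None),                 # still enabled: the finding's condition
    "E103": (False, date(2025, 10, 15)),  # disabled on the termination date
    "E200": (True, None),                 # current employee, not in the HR list
}
AS_OF = date(2025, 12, 1)  # date the review is run

def review_terminated_access(terminations, accounts, as_of, grace_days=0):
    """Detective control: reconcile HR terminations against IAM state and measure removal lag."""
    late_removals, still_active = [], []
    for emp, term_date in terminations.items():
        # A terminated employee absent from IAM has no account to remove; treat as disabled.
        enabled, disabled_on = accounts.get(emp, (False, None))
        if enabled:
            if (as_of - term_date).days > grace_days:
                still_active.append((emp, (as_of - term_date).days))
        elif disabled_on is not None and (disabled_on - term_date).days > grace_days:
            late_removals.append((emp, (disabled_on - term_date).days))
    lags = [days for _, days in late_removals]
    tested = len(terminations)
    exceptions = len(late_removals) + len(still_active)
    return {
        "tested": tested,
        "exception_count": exceptions,
        "exception_rate": round(exceptions / tested, 4) if tested else 0.0,
        "late_removals": late_removals,
        "still_active": still_active,
        "avg_removal_days": round(sum(lags) / len(lags), 1) if lags else None,
        "removal_range_days": (min(lags), max(lags)) if lags else None,
    }
```

Setting grace_days to the removal deadline management commits to in its response turns the same function into the KRI that evidences remediation.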

Audit Report Executive Summary

Prompt: Write an executive summary for this audit report.

Audit: Third-Party Vendor Risk Assessment
Period: Q4 2025
Scope: 45 critical and high-risk vendors reviewed

Overall rating: Needs Improvement

Key findings:
1. Critical: 3 vendors have no security incident response plan — regulatory requirement
2. High: 12 vendors (27%) have not provided SOC 2 reports in past 12 months
3. High: Data processing agreements missing or expired for 8 vendors
4. Medium: Vendor risk assessments not updated annually for 18 vendors (40%)
5. Medium: No process for monitoring vendor financial health

Positives:
- Strong vendor contract terms with right-to-audit provisions
- Vendor onboarding process well-documented
- Vendor inventory is complete and classified by risk tier

Write an executive summary that:
- States the audit scope and rating clearly
- Highlights critical findings first
- Is factual and specific (no vague language)
- Includes a management call to action
- Is appropriate for board audit committee reading (no jargon)
- Length: 1 page maximum

4. Incident Management

Incident Response Planning

Prompt: Create an incident response plan for this type of incident.

Incident type: Data breach (unauthorized access to customer PII)
Organization: Healthcare provider (HIPAA covered entity)
Patient data types: Name, DOB, SSN, medical records, insurance information

Response plan sections:

1. Incident classification criteria
   - What triggers activation of this plan?
   - Severity levels (Critical/High/Medium/Low) with definitions

2. Response team and contacts
   - Roles needed (Incident Commander, Legal, PR, IT Security, Privacy Officer)
   - Escalation path and authority levels

3. Immediate response steps (first 4 hours)
   - Containment actions
   - Evidence preservation
   - Initial notification decisions

4. Investigation steps
   - What to determine (scope, root cause, impacted records)
   - Forensic evidence collection
   - Chain of custody

5. Regulatory notification requirements
   - HIPAA Breach Notification Rule (60-day deadline)
   - State notification laws
   - What triggers OCR notification
   - Who drafts and approves notifications

6. Customer/patient notification
   - Triggering threshold
   - Required notification content (HIPAA mandated elements)
   - Communication channels

7. Lessons learned and post-incident review
   - Timeline for review
   - What to document

Format: Operational playbook, ready to use in a real incident

Business Impact Assessment

Prompt: Complete a Business Impact Assessment for this system outage.

System down: ERP system (SAP)
Estimated outage duration: 24-48 hours
Business functions affected: Finance (AP/AR), Supply Chain (purchasing/receiving), Manufacturing (production orders)
Current time: Monday 8:00am (start of business week)

Assess:
1. Critical business processes that cannot function (list by priority)
2. Financial impact by hour/day (revenue lost, penalties, interest)
3. Customer impact (orders delayed, SLAs breached)
4. Regulatory/compliance risk (any reporting deadlines this week?)
5. Manual workaround feasibility for each critical process
6. Resources needed to execute manual workarounds
7. Recovery time objective (RTO) recommendation based on impact
8. Communication priorities (who to tell, what to say, when)

Format: BIA report for crisis management team briefing

5. Policy Development

Policy Drafting

Prompt: Draft a policy for this area.

Policy: Acceptable Use Policy for AI Tools
Organization: Law firm (200 attorneys)
Driver: Attorneys are using various AI tools for legal research and drafting without guidelines
Regulatory considerations: Attorney-client privilege, client confidentiality, bar association guidelines

Policy sections needed:
1. Purpose and scope
2. Approved AI tools (vs. prohibited)
3. Permitted uses of AI in legal work
4. Prohibited uses (what AI must NOT do or see)
5. Client data handling (what client information may be input to AI)
6. Work product review requirement (AI output must be reviewed, never used as-is)
7. Billing considerations (can AI time be billed? how?)
8. Confidentiality and privilege protection
9. Incident reporting (what to do if AI tool causes a problem)
10. Training requirements
11. Compliance and consequences

Tone: Authoritative but practical — this will actually be followed
Length: 2-3 pages
Include: A quick-reference summary box at the top (do's and don'ts)

AI tools in risk management are most valuable for accelerating the documentation and analysis work — risk registers, control matrices, audit programs — that consumes weeks of expert time. The judgment work (risk assessment calibration, materiality decisions, audit conclusions) remains human-dependent.