Finance AI Skill
Risk Management
Manage enterprise risk including financial risk assessment, operational risk, compliance risk, cyber risk, market risk, credit risk, and business continuity planning. Use when conducting risk assessments, developing risk registers, implementing risk mitigat...
Enterprise Risk Management
Identify, assess, mitigate, and monitor risks across the organization to protect value and ensure resilience.
Risk Assessment & Register
Enterprise Risk Register
ENTERPRISE RISK REGISTER — Q1 2025
═══════════════════════════════════
RISK CATEGORIES:
Strategic: Market, competition, technology disruption, M&A, regulation
Financial: Revenue, liquidity, credit, FX, interest rate, tax
Operational: Processes, systems, supply chain, talent, key person
Compliance: Regulatory, legal, data privacy, SOX, ethics
External: Economic, geopolitical, natural disaster, pandemic
RISK ASSESSMENT METHODOLOGY:
Likelihood: Rare (1) — Unlikely (2) — Possible (3) — Likely (4) — Almost Certain (5)
Impact: Insignificant (1) — Minor (2) — Moderate (3) — Major (4) — Catastrophic (5)
Risk Score: Likelihood × Impact (1-25)
Risk Rating: Low (1-6) — Medium (7-12) — High (13-18) — Critical (19-25)
TOP RISKS:
┌────┬────────────────────────┬──────┬──────┬───────┬────────┬──────────────┬────────────────────────┐
│ #  │ Risk Description       │ Like │ Imp. │ Score │ Rating │ Owner        │ Mitigation             │
├────┼────────────────────────┼──────┼──────┼───────┼────────┼──────────────┼────────────────────────┤
│ R1 │ Customer concentration │  4   │  4   │  16   │ HIGH   │ CRO + CFO    │ Diversification plan;  │
│    │ (top 5 = 28%)          │      │      │       │        │              │ 12-month target: 22%   │
├────┼────────────────────────┼──────┼──────┼───────┼────────┼──────────────┼────────────────────────┤
│ R2 │ Cybersecurity breach   │  3   │  5   │  15   │ HIGH   │ CISO         │ SOC 2, pentesting,     │
│    │                        │      │      │       │        │              │ incident response plan │
├────┼────────────────────────┼──────┼──────┼───────┼────────┼──────────────┼────────────────────────┤
│ R3 │ Key talent retention   │  3   │  4   │  12   │ MEDIUM │ CHRO         │ Retention programs,    │
│    │ (competitive market)   │      │      │       │        │              │ equity refresh plan    │
├────┼────────────────────────┼──────┼──────┼───────┼────────┼──────────────┼────────────────────────┤
│ R4 │ Revenue churn increase │  3   │  4   │  12   │ MEDIUM │ CRO + CS     │ CS program upgrade,    │
│    │ (2.8% vs. 2.2% Q4)     │      │      │       │        │ VP           │ health monitoring      │
├────┼────────────────────────┼──────┼──────┼───────┼────────┼──────────────┼────────────────────────┤
│ R5 │ Economic downturn      │  3   │  4   │  12   │ MEDIUM │ CEO + CFO    │ 13-month runway,       │
│    │                        │      │      │       │        │              │ cost reduction levers  │
├────┼────────────────────────┼──────┼──────┼───────┼────────┼──────────────┼────────────────────────┤
│ R6 │ Competitive disruption │  3   │  3   │   9   │ MEDIUM │ CEO + CPO    │ R&D investment,        │
│    │ (new entrants)         │      │      │       │        │              │ innovation pipeline    │
├────┼────────────────────────┼──────┼──────┼───────┼────────┼──────────────┼────────────────────────┤
│ R7 │ Regulatory change      │  2   │  4   │   8   │ MEDIUM │ General      │ Regulatory monitoring, │
│    │ (data privacy, AI)     │      │      │       │        │ Counsel      │ compliance framework   │
├────┼────────────────────────┼──────┼──────┼───────┼────────┼──────────────┼────────────────────────┤
│ R8 │ Cloud dependency       │  2   │  4   │   8   │ MEDIUM │ CTO + CISO   │ Multi-cloud strategy,  │
│    │ (AWS single provider)  │      │      │       │        │              │ DR plan                │
├────┼────────────────────────┼──────┼──────┼───────┼────────┼──────────────┼────────────────────────┤
│ R9 │ Interest rate rise     │  3   │  2   │   6   │ LOW    │ CFO          │ Fixed-rate debt        │
│    │ (floating rate debt)   │      │      │       │        │              │ conversion plan        │
├────┼────────────────────────┼──────┼──────┼───────┼────────┼──────────────┼────────────────────────┤
│ R10│ IP infringement        │  2   │  3   │   6   │ LOW    │ General      │ Patent portfolio,      │
│    │ claim                  │      │      │       │        │ Counsel      │ freedom-to-operate     │
└────┴────────────────────────┴──────┴──────┴───────┴────────┴──────────────┴────────────────────────┘
RISK HEAT MAP SUMMARY:
Critical risks: 0
High risks: 2 (R1, R2)
Medium risks: 5 (R3-R7)
Low risks: 3 (R8-R10)
Trend (vs. Q4 2024):
↑ Elevated: R4 (churn uptick)
↓ Reduced: R9 (debt refinanced to fixed rate)
→ Stable: All others
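The scoring methodology and heat-map summary above can be produced mechanically from the register rather than maintained by hand, which removes the usual drift between the table and the summary counts. The following is an added example, not code from the original skill document: it applies the 5x5 Likelihood x Impact scale and the Low/Medium/High/Critical bands exactly as stated above to a constructed five-risk register, validates the inputs, and derives the per-rating counts and the quarter-over-quarter trend. The previous-quarter scores are invented to exercise the trend logic.

```python
"""Risk scoring and heat-map summary for a risk register.

Added example, not part of the original skill document. It applies the
5x5 Likelihood x Impact methodology (score 1-25, rated Low 1-6,
Medium 7-12, High 13-18, Critical 19-25) to a constructed register and
derives the counts per rating and the quarter-over-quarter trend.
"""
from collections import Counter
from dataclasses import dataclass

# Rating bands exactly as defined in the methodology (inclusive ranges).
RATING_BANDS = (
    (1, 6, "LOW"),
    (7, 12, "MEDIUM"),
    (13, 18, "HIGH"),
    (19, 25, "CRITICAL"),
)


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    likelihood: int  # 1 Rare .. 5 Almost Certain
    impact: int      # 1 Insignificant .. 5 Catastrophic
    owner: str


def score(risk: Risk) -> int:
    """Likelihood x Impact, after validating both are on the 1-5 scale."""
    for name, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{risk.risk_id}: {name} must be 1-5, got {value}")
    return risk.likelihood * risk.impact


def rating(risk_score: int) -> str:
    """Map a 1-25 score onto the rating bands."""
    for low, high, name in RATING_BANDS:
        if low <= risk_score <= high:
            return name
    raise ValueError(f"score outside 1-25: {risk_score}")


def heat_map(register) -> dict:
    """Count risks per rating, highest rating first, zeros included."""
    counts = Counter(rating(score(r)) for r in register)
    return {name: counts.get(name, 0) for _, _, name in reversed(RATING_BANDS)}


def trend(current, previous) -> dict:
    """Compare each risk's score with the previous quarter's register:
    elevated / reduced / stable, plus risks that are new this quarter."""
    prior = {r.risk_id: score(r) for r in previous}
    result = {"elevated": [], "reduced": [], "stable": [], "new": []}
    for r in current:
        if r.risk_id not in prior:
            result["new"].append(r.risk_id)
        elif score(r) > prior[r.risk_id]:
            result["elevated"].append(r.risk_id)
        elif score(r) < prior[r.risk_id]:
            result["reduced"].append(r.risk_id)
        else:
            result["stable"].append(r.risk_id)
    return result


# Constructed sample registers (risk names borrowed from the register above;
# the previous-quarter scores are invented to exercise the trend logic).
CURRENT_QUARTER = [
    Risk("R1", "Customer concentration", 4, 4, "CRO + CFO"),
    Risk("R2", "Cybersecurity breach", 3, 5, "CISO"),
    Risk("R3", "Key talent retention", 3, 4, "CHRO"),
    Risk("R8", "Cloud dependency", 2, 4, "CTO + CISO"),
    Risk("R9", "Interest rate rise", 3, 2, "CFO"),
]
PREVIOUS_QUARTER = [
    Risk("R1", "Customer concentration", 4, 4, "CRO + CFO"),
    Risk("R2", "Cybersecurity breach", 3, 5, "CISO"),
    Risk("R3", "Key talent retention", 3, 3, "CHRO"),
    Risk("R8", "Cloud dependency", 2, 4, "CTO + CISO"),
    Risk("R9", "Interest rate rise", 3, 4, "CFO"),
]

if __name__ == "__main__":
    for r in CURRENT_QUARTER:
        print(f"{r.risk_id:4} {r.description:24} {score(r):3}  {rating(score(r))}")
    print(heat_map(CURRENT_QUARTER))
    print(trend(CURRENT_QUARTER, PREVIOUS_QUARTER))
```

Because the rating is always recomputed from the score, the heat-map counts in the summary cannot disagree with the ratings in the table; an out-of-scale likelihood or impact value is rejected instead of producing a score outside 1-25.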
RISK APPETITE STATEMENT:
Financial risk: LOW (preserve capital, maintain 12+ month runway)
Strategic risk: MEDIUM (invest in growth, accept measured risk for returns)
Operational risk: LOW (minimize disruption, invest in resilience)
Compliance risk: NONE (zero tolerance for compliance failures)
Reputational risk: LOW (protect brand, proactive issue management)
Financial Risk Management
Financial Stress Testing
FINANCIAL STRESS TEST SCENARIOS:
════════════════════════════════
SCENARIO 1 — MODERATE RECESSION
Assumptions:
Revenue decline: 25% (from baseline)
Cost reduction: 15% (lagged, 3 months)
Collection extension: DSO increases 15 days
Customer churn: +50% (1.4% → 2.1%)
Impact Analysis:
Revenue impact (annualized): -$100M
Adjusted EBITDA: $12M (vs. $42M baseline)
Cash burn (peak): $4.5M/month (vs. $2.7M baseline)
Runway at peak stress: 9.4 months
With revolver: 16.2 months
Triggers for action:
If revenue decline >15%: Activate cost reduction plan
If runway <9 months: Execute headcount freeze
If runway <6 months: Emergency cost reduction
Mitigation status:
Cost reduction plan: Documented, ready (48-hour activation)
Runway: 13.2 months (adequate buffer)
Revolver: $25M available (immediate liquidity)
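Scenario 1 is a month-by-month cash projection: the revenue decline hits at once, the cost reduction arrives after a lag, and the runway is read off the month in which cash is exhausted, then re-evaluated with the revolver drawn. The following is an added example, not code from the original skill document, that carries that projection through and evaluates the three action triggers listed above. The baseline cash, monthly revenue and monthly cost ($27M, $10M/month, $12M/month, all in $M) are constructed inputs chosen for clean arithmetic, not the document's own figures; the decline, lag, cost-reduction and trigger thresholds are the scenario's.

```python
"""Stress-test runway projection and action triggers.

Added example, not part of the original skill document. It projects cash
month by month under the Scenario 1 assumptions (revenue decline applied
immediately, cost reduction applied after a lag) and evaluates the
action triggers listed above. Baseline cash, revenue and cost figures
are constructed ($M, monthly) and are not the document's own.
"""


def project_runway(cash, revenue, cost, revenue_decline=0.0, cost_reduction=0.0,
                   lag_months=0, max_months=120):
    """Return (runway_months, peak_monthly_burn).

    revenue/cost are monthly baseline figures; revenue_decline and
    cost_reduction are fractions; the cost reduction starts only after
    lag_months of full cost. Runway is the point where cash is exhausted,
    including the fraction of the final month that cash still covers.
    """
    stressed_revenue = revenue * (1.0 - revenue_decline)
    peak_burn = 0.0
    for month in range(1, max_months + 1):
        month_cost = cost * (1.0 - cost_reduction) if month > lag_months else cost
        burn = month_cost - stressed_revenue
        peak_burn = max(peak_burn, burn)
        if burn <= 0:
            return float(max_months), peak_burn   # cash-flow positive: runway not binding
        if cash < burn:
            return (month - 1) + cash / burn, peak_burn
        cash -= burn
    return float(max_months), peak_burn


def actions_triggered(revenue_decline, runway_months):
    """Triggers from the scenario, evaluated in order of severity."""
    actions = []
    if revenue_decline > 0.15:
        actions.append("Activate cost reduction plan")
    if runway_months < 9:
        actions.append("Execute headcount freeze")
    if runway_months < 6:
        actions.append("Emergency cost reduction")
    return actions


def stress_test(cash, revenue, cost, revenue_decline, cost_reduction, lag_months, revolver=0.0):
    """Baseline vs. stressed runway, with and without the revolver drawn."""
    base_runway, base_burn = project_runway(cash, revenue, cost)
    runway, peak = project_runway(cash, revenue, cost, revenue_decline, cost_reduction, lag_months)
    with_revolver, _ = project_runway(cash + revolver, revenue, cost, revenue_decline,
                                      cost_reduction, lag_months)
    return {
        "baseline_runway": round(base_runway, 1),
        "baseline_burn": round(base_burn, 2),
        "stress_runway": round(runway, 1),
        "peak_burn": round(peak, 2),
        "runway_with_revolver": round(with_revolver, 1),
        "actions": actions_triggered(revenue_decline, runway),
    }


# Constructed baseline: $27M cash, $10M/month revenue, $12M/month cost, $25M revolver.
SAMPLE = dict(cash=27.0, revenue=10.0, cost=12.0, revenue_decline=0.25,
              cost_reduction=0.15, lag_months=3, revolver=25.0)

if __name__ == "__main__":
    for key, value in stress_test(**SAMPLE).items():
        print(f"{key:22} {value}")
```

With these inputs the stressed runway falls from 13.5 to 8.0 months, so the first two triggers fire while the emergency tier does not; the lagged cost reduction is what keeps peak burn ($4.5M/month) confined to the first three months.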
SCENARIO 2 — CUSTOMER CONCENTRATION LOSS
Assumptions:
Loss of top 2 customers (12% of revenue)
Replacement timeline: 6-9 months
Remaining customers: Stable (no contagion)
Impact Analysis:
Immediate revenue loss: $50M annually
EBITDA impact: -$38M (contribution margin of lost customers)
Cash impact (immediate): 0 (annual contracts, prepaid)
Runway impact: Minimal (revenue collected in advance)
Long-term: Revenue gap closes in 6-9 months
Mitigation status:
Contract review: All top customers on annual+ terms
Sales pipeline: $60M (covers loss with 20% buffer)
Customer success: Proactive engagement (health scores tracked)
SCENARIO 3 — CYBER INCIDENT / DATA BREACH
Assumptions:
Customer data breach (PII of 10,000+ customers)
Regulatory fines: Up to $2M (GDPR)
Remediation cost: $500K-$1M
Customer attrition: 5% in 90 days post-incident
Reputation damage: 6-month impact
Impact Analysis:
Direct cost: $2.5M-$3M (fines + remediation)
Revenue impact: $2.1M (5% churn, one-time)
Insurance coverage: $5M cyber policy (deductible $250K)
Net out-of-pocket: $0.75M-$1.25M
Reputation recovery: 6-12 months
Mitigation status:
Cyber insurance: $5M coverage (adequate)
Incident response plan: Tested (annual drill)
Security controls: SOC 2 compliant, continuous monitoring
Data encryption: At rest and in transit
SCENARIO 4 — KEY PERSON DEPARTURE
Assumptions:
CEO or CTO voluntary departure
Transition period: 3-6 months
No immediate replacement available
Impact Analysis:
Operational impact: Medium (delegation to interim)
Strategic impact: High (vision/execution gap)
Stock price impact: -10% to -20% (market reaction)
Customer confidence: Moderate risk
Talent retention: Risk of cascading departures
Mitigation status:
Key person insurance: CEO $10M, CTO $5M
Succession plan: Documented (interim + long-term candidates)
Board authority: Emergency powers defined
Communication plan: Pre-drafted templates
RISK MONITORING FREQUENCY:
Financial risks: Monthly (dashboard review)
Operational risks: Quarterly (assessment update)
Strategic risks: Semi-annual (board review)
All risks: Annual comprehensive review + update
Business Continuity & Disaster Recovery
BCP Framework
BUSINESS CONTINUITY PLAN OVERVIEW:
══════════════════════════════════
CRITICAL BUSINESS FUNCTIONS (Ranked):
1. Product availability (uptime >99.9%)
2. Customer data integrity and security
3. Financial operations (payroll, vendor payments)
4. Customer support and service delivery
5. Sales and revenue operations
6. Strategic decision-making (leadership)
RECOVERY OBJECTIVES:
┌───────────────────────────┬──────────┬──────────┬──────────────┐
│ Function                  │ RTO      │ RPO      │ Max Downtime │
├───────────────────────────┼──────────┼──────────┼──────────────┤
│ Cloud infrastructure      │ 1 hour   │ 15 min   │ 4 hours      │
│ Core application          │ 2 hours  │ 1 hour   │ 8 hours      │
│ Customer data/database    │ 4 hours  │ 30 min   │ 8 hours      │
│ Financial systems         │ 8 hours  │ 4 hours  │ 24 hours     │
│ Email/collaboration       │ 4 hours  │ 24 hours │ 48 hours     │
│ HR/payroll systems        │ 24 hours │ 24 hours │ 72 hours     │
│ Office facilities         │ 48 hours │ N/A      │ 1 week       │
└───────────────────────────┴──────────┴──────────┴──────────────┘
RTO = Recovery Time Objective (how quickly must we recover)
RPO = Recovery Point Objective (how much data loss is acceptable)
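RTO and RPO are only meaningful when checked against evidence: the recovery time achieved in the last DR test for the RTO, and the age of the last verified restorable backup (or the backup interval) for the RPO. The following is an added example, not code from the original skill document: it parses the objectives table above, compares each function's objective with supplied evidence, and lists the exceptions for the dashboard. The DR-test results, backup ages and backup intervals fed to the checks are constructed inputs.

```python
"""RTO/RPO checks against DR-test results and backup evidence.

Added example, not part of the original skill document. The objectives
table is the one above; the achieved recovery times, backup ages and
backup intervals fed to the checks are constructed test inputs.
"""
import re

# Recovery objectives from the table above: function -> (RTO, RPO).
OBJECTIVES = {
    "Cloud infrastructure": ("1 hour", "15 min"),
    "Core application": ("2 hours", "1 hour"),
    "Customer data/database": ("4 hours", "30 min"),
    "Financial systems": ("8 hours", "4 hours"),
    "Email/collaboration": ("4 hours", "24 hours"),
    "HR/payroll systems": ("24 hours", "24 hours"),
    "Office facilities": ("48 hours", "N/A"),
}

_UNIT_MINUTES = {
    "min": 1, "mins": 1, "minute": 1, "minutes": 1,
    "hr": 60, "hrs": 60, "hour": 60, "hours": 60,
    "day": 1440, "days": 1440, "week": 10080, "weeks": 10080,
}


def to_minutes(text: str):
    """Parse durations as written in the table ('15 min', '2 hours', '1 week').
    'N/A' means no objective is defined and returns None."""
    text = text.strip()
    if text.upper() == "N/A":
        return None
    match = re.fullmatch(r"(\d+)\s*([A-Za-z]+)", text)
    if not match or match.group(2).lower() not in _UNIT_MINUTES:
        raise ValueError(f"unparseable duration: {text!r}")
    return int(match.group(1)) * _UNIT_MINUTES[match.group(2).lower()]


def check_rto(function: str, achieved: str) -> dict:
    """Compare the recovery time achieved in a DR test with the RTO."""
    target = to_minutes(OBJECTIVES[function][0])
    actual = to_minutes(achieved)
    return {"function": function, "objective": "RTO", "target_min": target,
            "actual_min": actual, "met": actual <= target}


def check_rpo(function: str, minutes_since_last_good_backup: int) -> dict:
    """Compare the age of the last verified restorable backup with the RPO.
    A function with no RPO (N/A) cannot breach it."""
    target = to_minutes(OBJECTIVES[function][1])
    met = True if target is None else minutes_since_last_good_backup <= target
    return {"function": function, "objective": "RPO", "target_min": target,
            "actual_min": minutes_since_last_good_backup, "met": met}


def schedule_meets_rpo(function: str, backup_interval: str):
    """Worst-case data loss from periodic backups is one full interval, so the
    interval must not exceed the RPO. Returns None when no RPO is defined."""
    target = to_minutes(OBJECTIVES[function][1])
    if target is None:
        return None
    return to_minutes(backup_interval) <= target


def exceptions(results) -> list:
    """Names of functions whose objective was not met, for the dashboard."""
    return [r["function"] for r in results if not r["met"]]


if __name__ == "__main__":
    # Constructed evidence: DR-test recovery times and backup ages in minutes.
    dr_test = {"Cloud infrastructure": "45 min", "Core application": "3 hours"}
    results = [check_rto(f, t) for f, t in dr_test.items()]
    results += [check_rpo("Customer data/database", 20),
                check_rpo("Cloud infrastructure", 20)]
    for r in results:
        print(r)
    print("exceptions:", exceptions(results))
```

The schedule check is the one to run before a DR test rather than after it: a backup interval longer than a function's RPO guarantees an RPO breach in the worst case regardless of how fast the restore itself is.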
DISASTER SCENARIOS & RESPONSE:
┌──────────────────────┬──────────────┬───────────────────────────────────┐
│ Scenario             │ Probability  │ Response Plan                     │
├──────────────────────┼──────────────┼───────────────────────────────────┤
│ Data center outage   │ Medium       │ Multi-AZ failover; DR site        │
│ Cyberattack (ransom) │ Low-Medium   │ Isolate; restore from backup;     │
│                      │              │ incident response team activation │
│ Natural disaster     │ Low          │ Remote work activation; alternate │
│                      │              │ office location                   │
│ Pandemic/health      │ Medium       │ Remote work; health protocols;    │
│ crisis               │              │ government compliance             │
│ Key systems failure  │ Low          │ Manual processes; hot standby     │
│ Power/internet out.  │ Medium       │ UPS; backup internet; mobile      │
│ Supply chain         │ Low          │ Multi-vendor; buffer stock        │
│ Regulatory shutdown  │ Very low     │ Legal response; compliance audit  │
└──────────────────────┴──────────────┴───────────────────────────────────┘
BCP TESTING:
Tabletop exercise: Semi-annual (last: Q3 2024 — scored 82/100)
Technical DR test: Annual (last: October 2024 — RTO achieved: 45 min vs. 1 hr target)
Communication test: Quarterly (mass notification system)
Next tests:
Tabletop: Q3 2025 (scenario: ransomware attack)
DR test: October 2025
Communication: Q2 2025
CONTINUITY RESOURCES:
Backup infrastructure: AWS multi-region (primary: US-East, DR: US-West)
Data backup: Daily full + hourly incremental (30-day retention)
Offsite storage: Immutable backups (WORM — write once, read many)
Emergency contacts: Leadership tree (primary + alternate for all roles)
Communication tools: Mass notification (Everbridge), Slack emergency channels
Crisis team: 8 members (CEO, CFO, CTO, CISO, CHRO, GC, COO, Comms)
Emergency fund: $2M reserved for crisis response
Insurance Program Management
Insurance Portfolio
INSURANCE PROGRAM OVERVIEW:
════════════════════════════
POLICY INVENTORY:
┌──────────────────────────┬──────────────┬──────────────┬──────────────┐
│ Coverage Type            │ Limit        │ Deductible   │ Annual Prem. │
├──────────────────────────┼──────────────┼──────────────┼──────────────┤
│ General Liability        │ $2,000,000   │ $10,000      │ $45,000      │
│ Professional Liability   │ $5,000,000   │ $25,000      │ $125,000     │
│ (Errors & Omissions)     │              │              │              │
│ Cyber Liability          │ $5,000,000   │ $250,000     │ $85,000      │
│ D&O Liability            │ $10,000,000  │ N/A (SI)     │ $210,000     │
│ Property                 │ $3,000,000   │ $25,000      │ $35,000      │
│ Workers' Compensation    │ Statutory    │ Varies       │ $42,000      │
│ Key Person (CEO)         │ $10,000,000  │ N/A          │ $65,000      │
│ Key Person (CTO)         │ $5,000,000   │ N/A          │ $35,000      │
│ Directors & Officers     │ Included     │              │              │
│ Employment Practices     │ $5,000,000   │ $25,000      │ $55,000      │
│ U&E (Umbrella)           │ $10,000,000  │ $1,000,000   │ $75,000      │
├──────────────────────────┼──────────────┼──────────────┼──────────────┤
│ TOTAL PREMIUM            │              │              │ $772,000     │
└──────────────────────────┴──────────────┴──────────────┴──────────────┘
COVERAGE ANALYSIS:
Adequately covered:
✓ General business operations (GL + PL + U&E)
✓ Cyber risk (dedicated policy, tested annually)
✓ Leadership liability (D&O with side A coverage)
✓ Key person protection (CEO + CTO)
Areas for review:
→ Cyber deductible ($250K) — high; consider reduction (premium +$25K)
→ Property coverage (leased space) — may be excessive
→ International coverage (EU/Asia ops) — verify territorial scope
→ Intellectual property infringement — assess standalone policy need
INSURANCE PROGRAM REVIEW (Annual):
Next renewal: July 2025 (170 days)
Broker: [Insurance Broker Name]
Review scope:
- Coverage adequacy assessment
- Deductible optimization
- Premium benchmarking
- New coverage needs (international expansion)
- Claims history review (past 3 years)
Claims history:
2024: 2 claims (1 GL — minor injury; 1 cyber — attempted phishing, no loss)
2023: 1 claim (EPLI — employment dispute, settled within coverage)
2022: 0 claims
Loss ratio: 2.1% (excellent — potential premium reduction)
SELF-INSURANCE STRATEGY:
High-frequency, low-severity risks: Self-insure (deductibles)
Low-frequency, high-severity risks: Fully insure
Decision framework: Annual analysis based on:
- Expected loss frequency and severity
- Cash flow impact of loss
- Insurance market conditions
- Regulatory requirements
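Three calculations recur in this section and in the cyber incident scenario (Scenario 3 above): what a policy actually pays after the deductible and limit, whether a lower deductible is worth its premium increase, and the self-insure versus fully-insure screen based on loss frequency and severity. The following is an added example, not code from the original skill document, that works all three. The cyber policy figures ($5M limit, $250K deductible, $85K premium) are the ones listed in the program above; the breach cost components, the proposed $100K deductible with a $25K premium increase, the loss frequencies and the retention capacity are constructed inputs. All amounts are in $M.

```python
"""Insurance recovery, deductible trade-off and self-insure screening.

Added example, not part of the original skill document. Policy figures
(cyber: $5M limit, $250K deductible, $85K premium) are the ones listed in
the program above; the incident cost components, the proposed lower
deductible and the loss frequencies are constructed inputs. All money is
in $M.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    limit: float        # maximum insurer payout per claim, $M
    deductible: float   # retained by the company before the policy pays, $M
    premium: float      # annual premium, $M


CYBER = Policy("Cyber Liability", limit=5.0, deductible=0.25, premium=0.085)


def insurer_payout(covered_loss: float, policy: Policy) -> float:
    """The policy pays the covered loss above the deductible, capped at the limit."""
    return min(max(covered_loss - policy.deductible, 0.0), policy.limit)


def incident_net_cost(components: dict, policy: Policy) -> dict:
    """components: name -> (amount, insurable). Revenue lost to post-incident
    churn is a typical uninsurable component and stays out of pocket."""
    total = sum(amount for amount, _ in components.values())
    covered = sum(amount for amount, insurable in components.values() if insurable)
    payout = insurer_payout(covered, policy)
    return {"total": total, "covered": covered, "payout": payout,
            "out_of_pocket": total - payout}


def deductible_breakeven_frequency(current_deductible, proposed_deductible, premium_increase):
    """Claims per year at which the extra premium equals the deductible saved;
    above that frequency the lower deductible pays for itself."""
    saved = current_deductible - proposed_deductible
    if saved <= 0:
        raise ValueError("proposed deductible must be lower than the current one")
    return premium_increase / saved


def expected_annual_loss(frequency_per_year: float, severity: float) -> float:
    """Expected loss frequency x severity, the first input of the decision framework."""
    return frequency_per_year * severity


def coverage_recommendation(frequency_per_year, severity, retention_capacity):
    """Self-insurance screen from the framework above: losses the company can
    absorb from cash flow (high-frequency, low-severity) are retained through
    deductibles; losses beyond that capacity are transferred to an insurer."""
    eal = expected_annual_loss(frequency_per_year, severity)
    decision = "self-insure" if severity <= retention_capacity else "fully insure"
    return {"decision": decision, "expected_annual_loss": eal}


# Constructed breach cost components ($M): fines and remediation are
# insurable; the revenue lost to churn is not.
BREACH = {
    "regulatory fines": (2.0, True),
    "remediation": (1.0, True),
    "churn revenue loss": (2.1, False),
}

if __name__ == "__main__":
    print(incident_net_cost(BREACH, CYBER))
    print("break-even claims/yr for a $100K deductible:",
          round(deductible_breakeven_frequency(0.25, 0.10, 0.025), 3))
    print(coverage_recommendation(4, 0.02, retention_capacity=0.25))
    print(coverage_recommendation(0.05, 3.0, retention_capacity=0.25))
```

The point the out-of-pocket figure makes is that a $5M limit does not mean a $5M-limited loss: the churn component is never submitted to the insurer, so the company's exposure is the deductible plus every uninsurable line, which is the number the stress test should carry.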
Compliance Risk Management
Regulatory Compliance Framework
COMPLIANCE RISK ASSESSMENT:
═══════════════════════════
APPLICABLE REGULATIONS:
┌───────────────────────────┬──────────┬──────────┬──────────────┬─────────────────┐
│ Regulation/Area           │ Juris.   │ Severity │ Compliance   │ Owner           │
├───────────────────────────┼──────────┼──────────┼──────────────┼─────────────────┤
│ SOX (if public)           │ US       │ Critical │ ✓ Compliant  │ CFO + Audit     │
│ GDPR                      │ EU       │ High     │ ✓ Compliant  │ DPO + GC        │
│ CCPA/CPRA                 │ CA       │ High     │ ✓ Compliant  │ DPO + GC        │
│ PCI DSS                   │ Global   │ High     │ ✓ Compliant  │ CISO            │
│ SOC 2                     │ US       │ Medium   │ In progress  │ CISO            │
│ HIPAA (if handling PHI)   │ US       │ High     │ N/A          │ N/A             │
│ Export controls           │ US       │ Medium   │ ✓ Compliant  │ GC              │
│ Labor/employment law      │ Multi    │ Medium   │ ✓ Compliant  │ CHRO            │
│ Tax compliance            │ Multi    │ High     │ ✓ Compliant  │ Tax Director    │
│ Anti-bribery (FCPA)       │ Global   │ Critical │ ✓ Compliant  │ GC + Compliance │
└───────────────────────────┴──────────┴──────────┴──────────────┴─────────────────┘
COMPLIANCE MONITORING:
Continuous monitoring:
- Automated controls testing (SOX): Quarterly
- Data privacy request tracking: Ongoing (avg. 12-day response)
- Employee training completion: Annual (current rate: 96%)
- Third-party vendor compliance: Quarterly review
- Regulatory change monitoring: Monthly
Compliance metrics:
Training completion: 96% (target: 100% by Feb 28)
Policy acknowledgment: 98%
Incident reporting: 3 incidents (Q4 2024) — all resolved
Audit findings: 0 material, 2 observations (remediated)
Regulatory inquiries: 0
Data subject requests: 8 (past 90 days) — all responded within SLA
COMPLIANCE INCIDENT MANAGEMENT:
Incident response workflow:
1. Detection (automated or reported)
2. Assessment (severity, scope, regulatory impact)
3. Containment (stop the breach/violation)
4. Investigation (root cause, affected data/parties)
5. Remediation (corrective action, process fix)
6. Reporting (regulatory, if required; internal)
7. Documentation (lessons learned, policy update)
Escalation thresholds:
Immediate (same day): Data breach, regulatory violation, legal action
Urgent (24 hours): Training gap >5%, control failure, policy violation
Routine (weekly): Minor incidents, near-misses, process improvements
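The escalation thresholds and the seven-step workflow above are the kind of rules that belong in the incident tracker itself, so that the tier, the response deadline and the permitted next step are derived from the record rather than chosen case by case. The following is an added example, not code from the original skill document, that classifies an incident into Immediate / Urgent / Routine using the incident types and the 5% training-gap threshold listed above, computes the deadline for each tier, and enforces the workflow order (Containment before Investigation, and so on). The weekly review slot (Monday 09:00), the sample timestamp and the incident identifiers are constructed assumptions.

```python
"""Escalation tiers and workflow ordering for compliance incidents.

Added example, not part of the original skill document. The tiers, the
incident types listed under each tier and the 5% training-gap threshold
come from the escalation thresholds above; the weekly review day
(Monday 09:00) and the sample incidents are constructed assumptions.
"""
from datetime import datetime, timedelta

WORKFLOW = ("Detection", "Assessment", "Containment", "Investigation",
            "Remediation", "Reporting", "Documentation")

IMMEDIATE_TYPES = {"data breach", "regulatory violation", "legal action"}
URGENT_TYPES = {"control failure", "policy violation"}
ROUTINE_TYPES = {"minor incident", "near-miss", "process improvement"}
TRAINING_GAP_THRESHOLD = 0.05  # "training gap >5%" is Urgent

# Constructed timestamp used by the demo below (a Monday).
SAMPLE_DETECTED_AT = datetime(2025, 1, 27, 14, 30)


def escalation_tier(incident_type, training_completion=None):
    """Map an incident to Immediate / Urgent / Routine per the thresholds above."""
    kind = incident_type.strip().lower()
    if kind in IMMEDIATE_TYPES:
        return "Immediate"
    if kind == "training gap":
        if training_completion is None:
            raise ValueError("training gap needs the completion rate (0-1)")
        gap = 1.0 - training_completion
        return "Urgent" if gap > TRAINING_GAP_THRESHOLD else "Routine"
    if kind in URGENT_TYPES:
        return "Urgent"
    if kind in ROUTINE_TYPES:
        return "Routine"
    raise ValueError(f"unclassified incident type: {incident_type!r}")


def response_deadline(tier, detected_at):
    """Immediate: same day; Urgent: 24 hours; Routine: next weekly review."""
    if tier == "Immediate":
        return detected_at.replace(hour=23, minute=59, second=0, microsecond=0)
    if tier == "Urgent":
        return detected_at + timedelta(hours=24)
    if tier == "Routine":
        days_ahead = (7 - detected_at.weekday()) % 7 or 7   # next Monday (assumed review day)
        review = detected_at + timedelta(days=days_ahead)
        return review.replace(hour=9, minute=0, second=0, microsecond=0)
    raise ValueError(f"unknown tier: {tier!r}")


class IncidentRecord:
    """Tracks an incident through the seven workflow steps in order, so that
    e.g. Investigation cannot be logged before Containment."""

    def __init__(self, incident_id, incident_type, detected_at, training_completion=None):
        self.incident_id = incident_id
        self.tier = escalation_tier(incident_type, training_completion)
        self.deadline = response_deadline(self.tier, detected_at)
        self.completed = ["Detection"]   # detection is what created the record

    @property
    def next_step(self):
        return WORKFLOW[len(self.completed)] if len(self.completed) < len(WORKFLOW) else None

    def complete_step(self, step):
        """Record a step; returns the step that is now due, or None when done."""
        if step != self.next_step:
            raise ValueError(f"{self.incident_id}: expected {self.next_step!r} next, got {step!r}")
        self.completed.append(step)
        return self.next_step


if __name__ == "__main__":
    for kind in ("Data breach", "control failure", "near-miss"):
        tier = escalation_tier(kind)
        print(f"{kind:16} -> {tier:9} due {response_deadline(tier, SAMPLE_DETECTED_AT)}")
    print("training 93% ->", escalation_tier("training gap", training_completion=0.93))
    rec = IncidentRecord("INC-2025-001", "data breach", SAMPLE_DETECTED_AT)
    rec.complete_step("Assessment")
    print(rec.incident_id, rec.tier, "next:", rec.next_step)
```

Rejecting an out-of-order step is deliberate: a record that shows Reporting completed while Containment is still open is exactly the inconsistency an auditor or regulator will ask about, and it is cheaper to refuse it at entry than to explain it later.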
Output
Risk Management Dashboard
ENTERPRISE RISK DASHBOARD — Jan 27, 2025
══════════════════════════════════════════
Risk Overview:
Total risks tracked: 10
Critical: 0 | High: 2 | Medium: 5 | Low: 3
Overall risk rating: MEDIUM (manageable)
Trend: Stable (R4 elevated, R9 reduced)
Top Risks:
R1: Customer concentration — HIGH (score: 16)
Mitigation: Diversification plan on track
R2: Cybersecurity breach — HIGH (score: 15)
Mitigation: SOC 2, pentesting, IR plan active
Financial Resilience:
Cash runway: 13.2 months (well above 6-month target)
Revolver available: $25M
Stress test (moderate recession): 9.4-month runway (adequate)
Insurance coverage: $45M+ total limits ($772K premium)
Business Continuity:
RTO compliance: All functions within target
Last DR test: Oct 2024 (RTO achieved: 45 min)
Next tabletop: Q3 2025
Backup integrity: ✓ Verified (daily)
Compliance Status:
Overall: ✓ COMPLIANT (0 material issues)
SOX: 98% controls pass rate
Data privacy: 96% training complete
SOC 2: In progress (target: June 2025)
Audit findings: 0 unresolved
Risk Actions:
1. Complete training (remaining 4%) by Feb 28
2. Customer diversification — Q1 target: reduce top-5 to 25%
3. Cyber pentest — scheduled Feb 10
4. BCP tabletop planning — initiate Feb 1
5. Insurance renewal review — start May 2025
Integration Points
- GRC platforms (ServiceNow GRC, MetricStream, AuditBoard): Risk register, compliance tracking
- ERP/GL: Financial data for stress testing, scenario analysis
- Cybersecurity platforms (CrowdStrike, SentinelOne, Palo Alto): Threat detection, incident response
- BI platforms: Risk dashboards, heat maps
- Insurance platforms (Thimble, Hiscox, broker portals): Policy management, claims
- HRIS: Key person risk, talent retention metrics
- CRM: Customer concentration risk, churn indicators
- IT monitoring tools: System uptime, RTO compliance
- Incident management (PagerDuty, ServiceNow): Response coordination
- Communication tools (Everbridge, Slack): Mass notification, crisis communication
Edge Cases
- Systemic financial crisis: Multiple stress factors simultaneously; extended recovery timeline; government intervention
- Geopolitical events: Trade sanctions, export restrictions, currency controls, supply chain disruption
- Pandemic/health crisis: Extended remote operations; employee health; regulatory changes; economic impact
- Natural disaster: Office evacuation; employee safety; business relocation; insurance claims
- Cyberattack (ransomware): System isolation; backup restoration; law enforcement coordination; notification requirements
- Regulatory investigation: Legal privilege; document preservation; response strategy; settlement considerations
- Activist investor/campaign: Reputational management; stakeholder communication; operational impact
- Key executive departure (multiple): Interim leadership; communication strategy; talent stability
- Major customer lawsuit: Legal defense; insurance activation; financial provision; PR management
- Complete system failure: Fallback to manual operations; customer communication; SLA penalty management