---
name: risk-management
description: Manage enterprise risk including financial risk assessment, operational risk, compliance risk, cyber risk, market risk, credit risk, and business continuity planning. Use when conducting risk assessments, developing risk registers, implementing risk mitigation strategies, managing insurance programs, performing stress testing, or creating business continuity plans. Triggers on phrases like "risk assessment", "risk register", "enterprise risk", "operational risk", "risk mitigation", "business continuity", "disaster recovery", "stress testing", "insurance program", "risk appetite", "risk tolerance", "ERM framework".
---

# Enterprise Risk Management

Identify, assess, mitigate, and monitor risks across the organization to protect value and ensure resilience.

## Risk Assessment & Register

### Enterprise Risk Register

```
ENTERPRISE RISK REGISTER — Q1 2025
═══════════════════════════════════

RISK CATEGORIES:
  Strategic: Market, competition, technology disruption, M&A, regulation
  Financial: Revenue, liquidity, credit, FX, interest rate, tax
  Operational: Processes, systems, supply chain, talent, key person
  Compliance: Regulatory, legal, data privacy, SOX, ethics
  External: Economic, geopolitical, natural disaster, pandemic

RISK ASSESSMENT METHODOLOGY:
  Likelihood: Rare (1) — Unlikely (2) — Possible (3) — Likely (4) — Almost Certain (5)
  Impact: Insignificant (1) — Minor (2) — Moderate (3) — Major (4) — Catastrophic (5)
  Risk Score: Likelihood × Impact (1-25)
  Risk Rating: Low (1-6) — Medium (7-12) — High (13-18) — Critical (19-25)

TOP RISKS:
  ┌────┬───────────────────────┬──────┬──────┬───────┬────────┬──────────────┬────────────────────────┐
  │ #  │ Risk Description      │ Like │ Imp. │ Score │ Rating │ Owner        │ Mitigation             │
  ├────┼───────────────────────┼──────┼──────┼───────┼────────┼──────────────┼────────────────────────┤
  │ R1 │ Customer concentration│ 4    │ 4    │ 16    │ HIGH   │ CRO + CFO    │ Diversification plan;  │
  │    │ (top 5 = 28%)         │      │      │       │        │              │ 12-month target: 22%   │
  ├────┼───────────────────────┼──────┼──────┼───────┼────────┼──────────────┼────────────────────────┤
  │ R2 │ Cybersecurity breach  │ 3    │ 5    │ 15    │ HIGH   │ CISO         │ SOC 2, pentesting,     │
  │    │                       │      │      │       │        │              │ incident response plan │
  ├────┼───────────────────────┼──────┼──────┼───────┼────────┼──────────────┼────────────────────────┤
  │ R3 │ Key talent retention  │ 3    │ 4    │ 12    │ MEDIUM │ CHRO         │ Retention programs,    │
  │    │ (competitive market)  │      │      │       │        │              │ equity refresh plan    │
  ├────┼───────────────────────┼──────┼──────┼───────┼────────┼──────────────┼────────────────────────┤
  │ R4 │ Revenue churn increase│ 3    │ 4    │ 12    │ MEDIUM │ CRO + CS     │ CS program upgrade,    │
  │    │ (2.8% vs. 2.2% Q4)    │      │      │       │        │ VP           │ health monitoring      │
  ├────┼───────────────────────┼──────┼──────┼───────┼────────┼──────────────┼────────────────────────┤
  │ R5 │ Economic downturn     │ 3    │ 4    │ 12    │ MEDIUM │ CEO + CFO    │ 13-month runway,       │
  │    │                       │      │      │       │        │              │ cost reduction levers  │
  ├────┼───────────────────────┼──────┼──────┼───────┼────────┼──────────────┼────────────────────────┤
  │ R6 │ Competitive disruption│ 3    │ 3    │ 9     │ MEDIUM │ CEO + CPO    │ R&D investment,        │
  │    │ (new entrants)        │      │      │       │        │              │ innovation pipeline    │
  ├────┼───────────────────────┼──────┼──────┼───────┼────────┼──────────────┼────────────────────────┤
  │ R7 │ Regulatory change     │ 2    │ 4    │ 8     │ MEDIUM │ General      │ Regulatory monitoring, │
  │    │ (data privacy, AI)    │      │      │       │        │ Counsel      │ compliance framework   │
  ├────┼───────────────────────┼──────┼──────┼───────┼────────┼──────────────┼────────────────────────┤
  │ R8 │ Cloud dependency      │ 2    │ 4    │ 8     │ MEDIUM │ CTO + CISO   │ Multi-cloud strategy,  │
  │    │ (AWS single provider) │      │      │       │        │              │ DR plan                │
  ├────┼───────────────────────┼──────┼──────┼───────┼────────┼──────────────┼────────────────────────┤
  │ R9 │ Interest rate rise    │ 3    │ 2    │ 6     │ LOW    │ CFO          │ Fixed-rate debt        │
  │    │ (floating rate debt)  │      │      │       │        │              │ conversion plan        │
  ├────┼───────────────────────┼──────┼──────┼───────┼────────┼──────────────┼────────────────────────┤
  │ R10│ IP infringement       │ 2    │ 3    │ 6     │ LOW    │ General      │ Patent portfolio,      │
  │    │ claim                 │      │      │       │        │ Counsel      │ freedom-to-operate     │
  └────┴───────────────────────┴──────┴──────┴───────┴────────┴──────────────┴────────────────────────┘

RISK HEAT MAP SUMMARY:
  Critical risks: 0
  High risks: 2 (R1, R2)
  Medium risks: 5 (R3-R7)
  Low risks: 3 (R8-R10)
  
  Trend (vs. Q4 2024):
    ↑ Elevated: R4 (churn uptick)
    ↓ Reduced: R9 (debt refinanced to fixed rate)
    → Stable: All others

RISK APPETITE STATEMENT:
  Financial risk: LOW (preserve capital, maintain 12+ month runway)
  Strategic risk: MEDIUM (invest in growth, accept measured risk for returns)
  Operational risk: LOW (minimize disruption, invest in resilience)
  Compliance risk: NONE (zero tolerance for compliance failures)
  Reputational risk: LOW (protect brand, proactive issue management)
```
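The scoring methodology above is easy to apply by hand and just as easy to get out of sync with the summary block. The following added example (not part of the original skill file) scores each register row with the stated bands and recomputes the heat-map counts and quarter-over-quarter trend from the rows themselves; the register rows are copied from the table, while the Q4 2024 prior scores are constructed sample values.

```python
"""Risk scoring and heat-map summary for the 5x5 register above.

Added example, not part of the original skill file. It applies the stated
methodology (score = likelihood x impact; Low 1-6, Medium 7-12, High 13-18,
Critical 19-25) and derives heat-map counts and trend from the rows themselves.
"""
from dataclasses import dataclass

RATING_BANDS = ((1, 6, "LOW"), (7, 12, "MEDIUM"), (13, 18, "HIGH"), (19, 25, "CRITICAL"))

@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    likelihood: int  # 1 (Rare) .. 5 (Almost Certain)
    impact: int      # 1 (Insignificant) .. 5 (Catastrophic)
    owner: str

    @property
    def score(self) -> int:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.risk_id}: likelihood and impact must be 1-5")
        return self.likelihood * self.impact

def rating(score: int) -> str:
    """Map a 1-25 score to its rating band."""
    for low, high, label in RATING_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} outside 1-25")

def heat_map(risks) -> dict:
    """Count risks per band, in band order, keeping empty bands (e.g. CRITICAL: 0)."""
    return {label: sum(rating(r.score) == label for r in risks) for _, _, label in RATING_BANDS}

def trend(risks, prior_scores) -> dict:
    """Classify each risk as elevated/reduced/stable versus prior-quarter scores."""
    result = {"elevated": [], "reduced": [], "stable": []}
    for r in risks:
        prev = prior_scores.get(r.risk_id, r.score)  # a new risk counts as stable
        key = "elevated" if r.score > prev else "reduced" if r.score < prev else "stable"
        result[key].append(r.risk_id)
    return result

# Register rows copied from the Q1 2025 table above.
REGISTER = [
    Risk("R1", "Customer concentration", 4, 4, "CRO + CFO"),
    Risk("R2", "Cybersecurity breach", 3, 5, "CISO"),
    Risk("R3", "Key talent retention", 3, 4, "CHRO"),
    Risk("R4", "Revenue churn increase", 3, 4, "CRO + CS VP"),
    Risk("R5", "Economic downturn", 3, 4, "CEO + CFO"),
    Risk("R6", "Competitive disruption", 3, 3, "CEO + CPO"),
    Risk("R7", "Regulatory change", 2, 4, "General Counsel"),
    Risk("R8", "Cloud dependency", 2, 4, "CTO + CISO"),
    Risk("R9", "Interest rate rise", 3, 2, "CFO"),
    Risk("R10", "IP infringement claim", 2, 3, "General Counsel"),
]
# Constructed Q4 2024 scores: R4 was 9 before the churn uptick, R9 was 9 before refinancing.
PRIOR_Q4_SCORES = {**{r.risk_id: r.score for r in REGISTER}, "R4": 9, "R9": 9}

if __name__ == "__main__":
    for r in sorted(REGISTER, key=lambda x: x.score, reverse=True):
        print(f"{r.risk_id:<4}{r.description:<24}{r.score:>3}  {rating(r.score):<9}{r.owner}")
    print("Heat map:", heat_map(REGISTER), "Trend:", trend(REGISTER, PRIOR_Q4_SCORES))
```

Generating the heat-map block this way is a cheap consistency check on a hand-maintained register: a row whose rating band does not match its score, or a summary count that drifts from the rows, shows up immediately.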

## Financial Risk Management

### Financial Stress Testing

```
FINANCIAL STRESS TEST SCENARIOS:
════════════════════════════════

SCENARIO 1 — MODERATE RECESSION
  Assumptions:
    Revenue decline: 25% (from baseline)
    Cost reduction: 15% (lagged, 3 months)
    Collection extension: DSO increases 15 days
    Customer churn: +50% (1.4% → 2.1%)
  
  Impact Analysis:
    Revenue impact (annualized): -$100M
    Adjusted EBITDA: $12M (vs. $42M baseline)
    Cash burn (peak): $4.5M/month (vs. $2.7M baseline)
    Runway at peak stress: 9.4 months
    With revolver: 16.2 months
  
  Triggers for action:
    If revenue decline >15%: Activate cost reduction plan
    If runway <9 months: Execute headcount freeze
    If runway <6 months: Emergency cost reduction
  
  Mitigation status:
    Cost reduction plan: Documented, ready (48-hour activation)
    Runway: 13.2 months (adequate buffer)
    Revolver: $25M available (immediate liquidity)

SCENARIO 2 — CUSTOMER CONCENTRATION LOSS
  Assumptions:
    Loss of top 2 customers (12% of revenue)
    Replacement timeline: 6-9 months
    Remaining customers: Stable (no contagion)
  
  Impact Analysis:
    Immediate revenue loss: $50M annually
    EBITDA impact: -$38M (contribution margin of lost customers)
    Cash impact (immediate): 0 (annual contracts, prepaid)
    Runway impact: Minimal (revenue collected in advance)
    Long-term: Revenue gap closes in 6-9 months
  
  Mitigation status:
    Contract review: All top customers on annual+ terms
    Sales pipeline: $60M (covers loss with 20% buffer)
    Customer success: Proactive engagement (health scores tracked)

SCENARIO 3 — CYBER INCIDENT / DATA BREACH
  Assumptions:
    Customer data breach (PII of 10,000+ customers)
    Regulatory fines: Up to $2M (GDPR)
    Remediation cost: $500K-$1M
    Customer attrition: 5% in 90 days post-incident
    Reputation damage: 6-month impact
  
  Impact Analysis:
    Direct cost: $2.5M-$3M (fines + remediation)
    Revenue impact: $2.1M (5% churn, one-time)
    Insurance coverage: $5M cyber policy (deductible $250K)
    Net out-of-pocket: $0.75M-$1.25M
    Reputation recovery: 6-12 months
  
  Mitigation status:
    Cyber insurance: $5M coverage (adequate)
    Incident response plan: Tested (annual drill)
    Security controls: SOC 2 compliant, continuous monitoring
    Data encryption: At rest and in transit

SCENARIO 4 — KEY PERSON DEPARTURE
  Assumptions:
    CEO or CTO voluntary departure
    Transition period: 3-6 months
    No immediate replacement available
  
  Impact Analysis:
    Operational impact: Medium (delegation to interim)
    Strategic impact: High (vision/execution gap)
    Stock price impact: -10% to -20% (market reaction)
    Customer confidence: Moderate risk
    Talent retention: Risk of cascading departures
  
  Mitigation status:
    Key person insurance: CEO $10M, CTO $5M
    Succession plan: Documented (interim + long-term candidates)
    Board authority: Emergency powers defined
    Communication plan: Pre-drafted templates

RISK MONITORING FREQUENCY:
  Financial risks: Monthly (dashboard review)
  Operational risks: Quarterly (assessment update)
  Strategic risks: Semi-annual (board review)
  All risks: Annual comprehensive review + update
```

## Business Continuity & Disaster Recovery

### BCP Framework

```
BUSINESS CONTINUITY PLAN OVERVIEW:
══════════════════════════════════

CRITICAL BUSINESS FUNCTIONS (Ranked):
  1. Product availability (uptime >99.9%)
  2. Customer data integrity and security
  3. Financial operations (payroll, vendor payments)
  4. Customer support and service delivery
  5. Sales and revenue operations
  6. Strategic decision-making (leadership)

RECOVERY OBJECTIVES:
  ┌───────────────────────────┬──────────┬──────────┬──────────────┐
  │ Function                  │ RTO      │ RPO      │ Max Downtime │
  ├───────────────────────────┼──────────┼──────────┼──────────────┤
  │ Cloud infrastructure      │ 1 hour   │ 15 min   │ 4 hours      │
  │ Core application          │ 2 hours  │ 1 hour   │ 8 hours      │
  │ Customer data/database    │ 4 hours  │ 30 min   │ 8 hours      │
  │ Financial systems         │ 8 hours  │ 4 hours  │ 24 hours     │
  │ Email/collaboration       │ 4 hours  │ 24 hours │ 48 hours     │
  │ HR/payroll systems        │ 24 hours │ 24 hours │ 72 hours     │
  │ Office facilities         │ 48 hours │ N/A      │ 1 week       │
  └───────────────────────────┴──────────┴──────────┴──────────────┘

  RTO = Recovery Time Objective (how quickly must we recover)
  RPO = Recovery Point Objective (how much data loss is acceptable)

DISASTER SCENARIOS & RESPONSE:
  ┌─────────────────────┬──────────────┬──────────────────────────────────┐
  │ Scenario            │ Probability  │ Response Plan                    │
  ├─────────────────────┼──────────────┼──────────────────────────────────┤
  │ Data center outage  │ Medium       │ Multi-AZ failover; DR site       │
  │ Cyberattack (ransom)│ Low-Medium   │ Isolate; restore from backup;    │
  │                     │              │ incident response team activation│
  │ Natural disaster    │ Low          │ Remote work activation; alternate│
  │                     │              │ office location                  │
  │ Pandemic/health     │ Medium       │ Remote work; health protocols;   │
  │ crisis              │              │ government compliance            │
  │ Key systems failure │ Low          │ Manual processes; hot standby    │
  │ Power/internet out. │ Medium       │ UPS; backup internet; mobile     │
  │ Supply chain        │ Low          │ Multi-vendor; buffer stock       │
  │ Regulatory shutdown │ Very low     │ Legal response; compliance audit │
  └─────────────────────┴──────────────┴──────────────────────────────────┘

BCP TESTING:
  Tabletop exercise: Semi-annual (last: Q3 2024 — scored 82/100)
  Technical DR test: Annual (last: October 2024 — RTO achieved: 45 min vs. 1 hr target)
  Communication test: Quarterly (mass notification system)
  Next tests:
    Tabletop: Q3 2025 (scenario: ransomware attack)
    DR test: October 2025
    Communication: Q2 2025

CONTINUITY RESOURCES:
  Backup infrastructure: AWS multi-region (primary: US-East, DR: US-West)
  Data backup: Daily full + hourly incremental (30-day retention)
  Offsite storage: Immutable backups (WORM — write once, read many)
  Emergency contacts: Leadership tree (primary + alternate for all roles)
  Communication tools: Mass notification (Everbridge), Slack emergency channels
  Crisis team: 8 members (CEO, CFO, CTO, CISO, CHRO, GC, COO, Comms)
  Emergency fund: $2M reserved for crisis response
```
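The recovery objectives, backup cadence and DR-test results above can be checked against each other mechanically. The following added example (not part of the original skill file) parses the objectives table, checks RTO against max downtime, checks each RPO against the hourly incremental interval (an RPO tighter than the backup interval has to be met by the multi-AZ/multi-region failover rather than by backups), compares DR-test results with RTO targets, and converts the >99.9% uptime target into a downtime budget. The DR-test result dict is a constructed sample input.

```python
"""RTO/RPO feasibility checks for the recovery-objectives table above.

Added example, not part of the original skill file. Rows are copied from the
RECOVERY OBJECTIVES table; the backup interval follows CONTINUITY RESOURCES
(hourly incremental) and the DR-test result is a constructed sample input.
"""
import re

_UNIT_MINUTES = {"min": 1, "hour": 60, "hours": 60, "day": 1440, "days": 1440, "week": 10080}

def to_minutes(text):
    """'15 min' -> 15, '2 hours' -> 120, '1 week' -> 10080, 'N/A' -> None."""
    text = text.strip()
    if text.upper() == "N/A":
        return None
    m = re.fullmatch(r"(\d+)\s*(min|hours?|days?|week)", text)
    if not m:
        raise ValueError(f"unparseable duration: {text!r}")
    return int(m.group(1)) * _UNIT_MINUTES[m.group(2)]

def downtime_budget_minutes(availability_pct, period_days=30):
    """Minutes of downtime allowed per period at a given availability, e.g. 99.9% -> 43.2."""
    return round(period_days * 24 * 60 * (1 - availability_pct / 100), 1)

def evaluate(objectives, backup_interval_min, dr_results):
    """Map each function name to its findings; an empty list means all checks pass."""
    report = {}
    for name, rto, rpo, max_down in objectives:
        rto_m, rpo_m, max_m = to_minutes(rto), to_minutes(rpo), to_minutes(max_down)
        findings = []
        if rto_m is not None and max_m is not None and rto_m > max_m:
            findings.append(f"RTO {rto} exceeds max downtime {max_down}")
        if rpo_m is not None and rpo_m < backup_interval_min:
            # Backups alone cannot meet this RPO; it depends on replication/failover.
            findings.append(f"RPO {rpo} tighter than {backup_interval_min}-min backup interval")
        achieved = dr_results.get(name)  # minutes to recover in the last DR test, if tested
        if achieved is None:
            findings.append("RTO not validated by a DR test")
        elif rto_m is not None and achieved > rto_m:
            findings.append(f"DR test took {achieved} min vs RTO {rto}")
        report[name] = findings
    return report

# Rows copied from the RECOVERY OBJECTIVES table: (function, RTO, RPO, max downtime).
OBJECTIVES = [
    ("Cloud infrastructure", "1 hour", "15 min", "4 hours"),
    ("Core application", "2 hours", "1 hour", "8 hours"),
    ("Customer data/database", "4 hours", "30 min", "8 hours"),
    ("Financial systems", "8 hours", "4 hours", "24 hours"),
    ("Email/collaboration", "4 hours", "24 hours", "48 hours"),
    ("HR/payroll systems", "24 hours", "24 hours", "72 hours"),
    ("Office facilities", "48 hours", "N/A", "1 week"),
]
BACKUP_INTERVAL_MIN = 60  # hourly incremental backups
DR_TEST_RESULTS = {"Cloud infrastructure": 45}  # constructed: October test, 45 min vs 1 hr target

if __name__ == "__main__":
    print(f"99.9% uptime allows {downtime_budget_minutes(99.9)} min/month of downtime")
    for func, findings in evaluate(OBJECTIVES, BACKUP_INTERVAL_MIN, DR_TEST_RESULTS).items():
        print(f"{func}: {'; '.join(findings) or 'OK'}")
```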

## Insurance Program Management

### Insurance Portfolio

```
INSURANCE PROGRAM OVERVIEW:
════════════════════════════

POLICY INVENTORY:
  ┌─────────────────────────┬──────────────┬──────────────┬──────────────┐
  │ Coverage Type           │ Limit        │ Deductible   │ Annual Prem. │
  ├─────────────────────────┼──────────────┼──────────────┼──────────────┤
  │ General Liability       │ $2,000,000   │ $10,000      │ $45,000      │
  │ Professional Liability  │ $5,000,000   │ $25,000      │ $125,000     │
  │ (Errors & Omissions)    │              │              │              │
  │ Cyber Liability         │ $5,000,000   │ $250,000     │ $85,000      │
  │ D&O Liability           │ $10,000,000  │ N/A (SI)     │ $210,000     │
  │ Property                │ $3,000,000   │ $25,000      │ $35,000      │
  │ Workers' Compensation   │ Statutory    │ Varies       │ $42,000      │
  │ Key Person (CEO)        │ $10,000,000  │ N/A          │ $65,000      │
  │ Key Person (CTO)        │ $5,000,000   │ N/A          │ $35,000      │
  │ Directors & Officers    │ Included     │              │              │
  │ Employment Practices    │ $5,000,000   │ $25,000      │ $55,000      │
  │ U&E (Umbrella)          │ $10,000,000  │ $1,000,000   │ $75,000      │
  ├─────────────────────────┼──────────────┼──────────────┼──────────────┤
  │ TOTAL PREMIUM           │              │              │ $772,000     │
  └─────────────────────────┴──────────────┴──────────────┴──────────────┘

COVERAGE ANALYSIS:
  Adequately covered:
    ✓ General business operations (GL + PL + U&E)
    ✓ Cyber risk (dedicated policy, tested annually)
    ✓ Leadership liability (D&O with side A coverage)
    ✓ Key person protection (CEO + CTO)
  
  Areas for review:
    → Cyber deductible ($250K) — high; consider reduction (premium +$25K)
    → Property coverage (leased space) — may be excessive
    → International coverage (EU/Asia ops) — verify territorial scope
    → Intellectual property infringement — assess standalone policy need

INSURANCE PROGRAM REVIEW (Annual):
  Next renewal: July 2025 (170 days)
  Broker: [Insurance Broker Name]
  Review scope:
    - Coverage adequacy assessment
    - Deductible optimization
    - Premium benchmarking
    - New coverage needs (international expansion)
    - Claims history review (past 3 years)
  
  Claims history:
    2024: 2 claims (1 GL — minor injury; 1 cyber — attempted phishing, no loss)
    2023: 1 claim (EPLI — employment dispute, settled within coverage)
    2022: 0 claims
    Loss ratio: 2.1% (excellent — potential premium reduction)

SELF-INSURANCE STRATEGY:
  High-frequency, low-severity risks: Self-insure (deductibles)
  Low-frequency, high-severity risks: Fully insure
  Decision framework: Annual analysis based on:
    - Expected loss frequency and severity
    - Cash flow impact of loss
    - Insurance market conditions
    - Regulatory requirements
```

## Compliance Risk Management

### Regulatory Compliance Framework

```
COMPLIANCE RISK ASSESSMENT:
═══════════════════════════

APPLICABLE REGULATIONS:
  ┌──────────────────────────┬──────────┬──────────┬──────────────┬─────────────────┐
  │ Regulation/Area          │ Juris.   │ Severity │ Compliance   │ Owner           │
  ├──────────────────────────┼──────────┼──────────┼──────────────┼─────────────────┤
  │ SOX (if public)          │ US       │ Critical │ ✓ Compliant  │ CFO + Audit     │
  │ GDPR                     │ EU       │ High     │ ✓ Compliant  │ DPO + GC        │
  │ CCPA/CPRA                │ CA       │ High     │ ✓ Compliant  │ DPO + GC        │
  │ PCI DSS                  │ Global   │ High     │ ✓ Compliant  │ CISO            │
  │ SOC 2                    │ US       │ Medium   │ In progress  │ CISO            │
  │ HIPAA (if handling PHI)  │ US       │ High     │ N/A          │ N/A             │
  │ Export controls          │ US       │ Medium   │ ✓ Compliant  │ GC              │
  │ Labor/employment law     │ Multi    │ Medium   │ ✓ Compliant  │ CHRO            │
  │ Tax compliance           │ Multi    │ High     │ ✓ Compliant  │ Tax Director    │
  │ Anti-bribery (FCPA)      │ Global   │ Critical │ ✓ Compliant  │ GC + Compliance │
  └──────────────────────────┴──────────┴──────────┴──────────────┴─────────────────┘

COMPLIANCE MONITORING:
  Continuous monitoring:
    - Automated controls testing (SOX): Quarterly
    - Data privacy request tracking: Ongoing (avg. 12-day response)
    - Employee training completion: Annual (current rate: 96%)
    - Third-party vendor compliance: Quarterly review
    - Regulatory change monitoring: Monthly
  
  Compliance metrics:
    Training completion: 96% (target: 100% by Feb 28)
    Policy acknowledgment: 98%
    Incident reporting: 3 incidents (Q4 2024) — all resolved
    Audit findings: 0 material, 2 observations (remediated)
    Regulatory inquiries: 0
    Data subject requests: 8 (past 90 days) — all responded within SLA

COMPLIANCE INCIDENT MANAGEMENT:
  Incident response workflow:
    1. Detection (automated or reported)
    2. Assessment (severity, scope, regulatory impact)
    3. Containment (stop the breach/violation)
    4. Investigation (root cause, affected data/parties)
    5. Remediation (corrective action, process fix)
    6. Reporting (regulatory, if required; internal)
    7. Documentation (lessons learned, policy update)
  
  Escalation thresholds:
    Immediate (same day): Data breach, regulatory violation, legal action
    Urgent (24 hours): Training gap >5%, control failure, policy violation
    Routine (weekly): Minor incidents, near-misses, process improvements
```

## Output

### Risk Management Dashboard

```
ENTERPRISE RISK DASHBOARD — Jan 27, 2025
══════════════════════════════════════════

Risk Overview:
  Total risks tracked: 10
  Critical: 0           High: 2           Medium: 5           Low: 3
  Overall risk rating: MEDIUM (manageable)
  Trend: Stable (R4 elevated, R9 reduced)

Top Risks:
  R1: Customer concentration — HIGH (score: 16)
       Mitigation: Diversification plan on track
  R2: Cybersecurity breach — HIGH (score: 15)
       Mitigation: SOC 2, pentesting, IR plan active

Financial Resilience:
  Cash runway: 13.2 months (well above 6-month target)
  Revolver available: $25M
  Stress test (moderate recession): 9.4-month runway (adequate)
  Insurance coverage: $45M+ total limits ($772K premium)

Business Continuity:
  RTO compliance: All functions within target
  Last DR test: Oct 2024 (RTO achieved: 45 min)
  Next tabletop: Q3 2025
  Backup integrity: ✓ Verified (daily)

Compliance Status:
  Overall: ✓ COMPLIANT (0 material issues)
  SOX: 98% controls pass rate
  Data privacy: 96% training complete
  SOC 2: In progress (target: June 2025)
  Audit findings: 0 unresolved

Risk Actions:
  1. Complete training (remaining 4%) by Feb 28
  2. Customer diversification — Q1 target: reduce top-5 to 25%
  3. Cyber pentest — scheduled Feb 10
  4. BCP tabletop planning — initiate Feb 1
  5. Insurance renewal review — start May 2025
```

## Integration Points

- GRC platforms (ServiceNow GRC, MetricStream, AuditBoard): Risk register, compliance tracking
- ERP/GL: Financial data for stress testing, scenario analysis
- Cybersecurity platforms (CrowdStrike, SentinelOne, Palo Alto): Threat detection, incident response
- BI platforms: Risk dashboards, heat maps
- Insurance platforms (Thimble, Hiscox, broker portals): Policy management, claims
- HRIS: Key person risk, talent retention metrics
- CRM: Customer concentration risk, churn indicators
- IT monitoring tools: System uptime, RTO compliance
- Incident management (PagerDuty, ServiceNow): Response coordination
- Communication tools (Everbridge, Slack): Mass notification, crisis communication

## Edge Cases

- **Systemic financial crisis**: Multiple stress factors simultaneously; extended recovery timeline; government intervention
- **Geopolitical events**: Trade sanctions, export restrictions, currency controls, supply chain disruption
- **Pandemic/health crisis**: Extended remote operations; employee health; regulatory changes; economic impact
- **Natural disaster**: Office evacuation; employee safety; business relocation; insurance claims
- **Cyberattack (ransomware)**: System isolation; backup restoration; law enforcement coordination; notification requirements
- **Regulatory investigation**: Legal privilege; document preservation; response strategy; settlement considerations
- **Activist investor/campaign**: Reputational management; stakeholder communication; operational impact
- **Key executive departure (multiple)**: Interim leadership; communication strategy; talent stability
- **Major customer lawsuit**: Legal defense; insurance activation; financial provision; PR management
- **Complete system failure**: Fallback to manual operations; customer communication; SLA penalty management
