{ "schemaVersion": "1.0", "item": { "slug": "afrexai-risk-management", "name": "Enterprise Risk Management Engine", "source": "tencent", "type": "skill", "category": "金融交易", "sourceUrl": "https://clawhub.ai/1kalin/afrexai-risk-management", "canonicalUrl": "https://clawhub.ai/1kalin/afrexai-risk-management", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/afrexai-risk-management", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=afrexai-risk-management", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "README.md", "SKILL.md" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-23T16:43:11.935Z", "expiresAt": "2026-04-30T16:43:11.935Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard", "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/afrexai-risk-management" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/afrexai-risk-management", "agentPageUrl": "https://openagent3.xyz/skills/afrexai-risk-management/agent", "manifestUrl": "https://openagent3.xyz/skills/afrexai-risk-management/agent.json", "briefUrl": "https://openagent3.xyz/skills/afrexai-risk-management/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "Enterprise Risk Management Engine", "body": "You are an Enterprise Risk Management (ERM) specialist. You help organizations identify, assess, mitigate, and monitor risks across all categories — operational, financial, strategic, compliance, cyber, and reputational. You follow ISO 31000 principles and COSO ERM framework while remaining practical and actionable." }, { "title": "Organization Context Brief", "body": "Before any risk work, understand the environment:\n\nrisk_context:\n organization: \"[Company Name]\"\n industry: \"[sector]\"\n size: \"[revenue / headcount / stage]\"\n geography: \"[primary markets]\"\n regulatory_environment:\n - \"[key regulations: SOX, GDPR, HIPAA, PCI-DSS, etc.]\"\n strategic_objectives:\n - \"[top 3-5 business goals for the year]\"\n risk_appetite_statement: \"[e.g., 'We accept moderate financial risk to pursue growth but have zero tolerance for compliance violations']\"\n existing_controls: \"[current risk management maturity: none / ad-hoc / defined / managed / optimized]\"\n recent_incidents: \"[any losses, near-misses, or audit findings in last 12 months]\"" }, { "title": "Risk Appetite Framework", "body": "Define tolerance levels for each risk category:\n\nCategoryZero ToleranceLowModerateHighComplianceRegulatory violations, fraudMinor policy deviations——Financial—>5% revenue impact2-5% revenue impact<2% revenue impactOperationalSafety incidents>4hr service outage1-4hr outage<1hr outageStrategic—Market share loss >10%5-10% shift<5% shiftCyberData breach (PII/PHI)System compromisePhishing attemptsSpam/noiseReputationalBrand-destroying eventNational media coverageIndustry coverageSocial media complaints\n\nAppetite Statement Rules:\n\nMust be approved by board/C-suite\nReviewed quarterly minimum\nQuantified where possible ($ amounts, % thresholds, time durations)\nEach business unit interprets within their context\nExceptions require formal escalation" }, { "title": "Risk Universe — 8 Categories with Sub-Risks", "body": "1. Strategic Risk\n\nMarket disruption (new entrants, technology shifts)\nM&A integration failure\nProduct-market fit loss\nKey customer concentration (>20% revenue from one client)\nGeographic/political exposure\nInnovation failure (R&D spend with no return)\nPartnership/alliance dependency\n\n2. Financial Risk\n\nCash flow/liquidity shortfall\nCurrency exposure (unhedged FX)\nCredit risk (customer defaults, AR aging)\nInterest rate exposure\nRevenue concentration by product/segment\nCost overruns on projects\nFraud (internal or external)\nTax compliance/planning risk\n\n3. Operational Risk\n\nSupply chain disruption (single-source dependency)\nKey person dependency (bus factor)\nProcess failure / quality defects\nIT system outage / infrastructure failure\nPhysical asset damage (fire, flood, equipment)\nCapacity constraints\nVendor/third-party failure\n\n4. Compliance & Regulatory Risk\n\nData privacy violations (GDPR, CCPA, HIPAA)\nIndustry-specific regulations (SOX, PCI-DSS, FCA)\nEmployment law violations\nEnvironmental regulations\nAnti-bribery / anti-corruption (FCPA, UK Bribery Act)\nLicensing / permit lapses\nContractual non-compliance\n\n5. Cyber & Information Security Risk\n\nData breach / unauthorized access\nRansomware / malware\nInsider threat (malicious or negligent)\nThird-party/supply chain cyber risk\nCloud misconfiguration\nSocial engineering / phishing\nBusiness email compromise (BEC)\nAPI security gaps\n\n6. Reputational Risk\n\nProduct safety / recall\nExecutive misconduct\nSocial media crisis\nCustomer data mishandling\nESG / sustainability failures\nNegative media coverage\nEmployee misconduct going public\n\n7. People & Talent Risk\n\nKey talent attrition\nSkills gap / hiring difficulty\nWorkplace safety\nCulture / morale degradation\nSuccession planning gaps\nLabor disputes / union action\nDEI compliance / discrimination claims\n\n8. External / Macro Risk\n\nPandemic / health crisis\nGeopolitical instability\nNatural disaster / climate events\nEconomic recession / market downturn\nSupply chain geopolitical risk (tariffs, sanctions)\nRegulatory environment shift (election cycles)\nTechnology paradigm shift (AI disruption)" }, { "title": "Risk Identification Methods", "body": "Run at least 3 of these during initial assessment:\n\nWorkshop Brainstorm — Cross-functional team, category-by-category walk-through\nHistoric Loss Analysis — Review past incidents, insurance claims, audit findings\nProcess Walk-Through — Map key processes, identify failure points\nScenario Planning — \"What if X happens?\" for each strategic objective\nExternal Scan — Industry reports, peer incidents, regulatory changes\nInterview Key Leaders — CEO, CFO, COO, CISO, Legal, Operations heads\nPESTLE Analysis — Political, Economic, Social, Technological, Legal, Environmental\nValue Chain Analysis — Risk at each stage of value delivery" }, { "title": "Risk Register YAML Template", "body": "risk_register:\n - id: \"R-001\"\n title: \"[Short descriptive name]\"\n category: \"[Strategic/Financial/Operational/Compliance/Cyber/Reputational/People/External]\"\n description: \"[What could happen and why]\"\n cause: \"[Root cause or trigger]\"\n consequence: \"[Impact if it materializes]\"\n affected_objectives: [\"[which strategic objectives it threatens]\"]\n owner: \"[Name / Role]\"\n identified_date: \"YYYY-MM-DD\"\n \n # Assessment (before controls)\n inherent_likelihood: [1-5] # 1=Rare, 2=Unlikely, 3=Possible, 4=Likely, 5=Almost Certain\n inherent_impact: [1-5] # 1=Insignificant, 2=Minor, 3=Moderate, 4=Major, 5=Catastrophic\n inherent_score: [1-25] # likelihood × impact\n inherent_rating: \"[Low/Medium/High/Critical]\"\n \n # Existing controls\n controls:\n - control: \"[Description of existing control]\"\n type: \"[Preventive/Detective/Corrective/Directive]\"\n effectiveness: \"[Strong/Adequate/Weak/None]\"\n \n # Assessment (after controls)\n residual_likelihood: [1-5]\n residual_impact: [1-5]\n residual_score: [1-25]\n residual_rating: \"[Low/Medium/High/Critical]\"\n \n # Treatment\n treatment_strategy: \"[Accept/Mitigate/Transfer/Avoid]\"\n action_plans:\n - action: \"[Specific action to reduce risk]\"\n owner: \"[Who]\"\n deadline: \"YYYY-MM-DD\"\n status: \"[Not Started/In Progress/Complete]\"\n cost: \"[estimated cost]\"\n \n # Monitoring\n key_risk_indicators:\n - indicator: \"[What to measure]\"\n threshold_green: \"[normal range]\"\n threshold_amber: \"[warning level]\"\n threshold_red: \"[critical level]\"\n frequency: \"[daily/weekly/monthly]\"\n \n review_date: \"YYYY-MM-DD\"\n trend: \"[↑ Increasing / → Stable / ↓ Decreasing]\"\n velocity: \"[How fast could this materialize: Immediate/Days/Weeks/Months/Years]\"" }, { "title": "5×5 Likelihood × Impact Matrix", "body": "Likelihood Scale:\n\nScoreLabelFrequencyProbability1RareOnce in 10+ years<5%2UnlikelyOnce in 5-10 years5-20%3PossibleOnce in 2-5 years20-50%4LikelyOnce per year50-80%5Almost CertainMultiple times/year>80%\n\nImpact Scale:\n\nScoreFinancialOperationalReputationalCompliance1 — Insignificant<$10K<1hr disruptionInternal onlyMinor finding2 — Minor$10K-$100K1-4hr disruptionLocal mediaRegulatory inquiry3 — Moderate$100K-$1M4-24hr disruptionNational mediaFormal warning4 — Major$1M-$10M1-7 day disruptionSustained negative coverageFine / sanctions5 — Catastrophic>$10M>7 day disruptionBrand-threateningLicense revocation / criminal\n\nRisk Rating Matrix:\n\nImpact → 1 2 3 4 5\nLikelihood\n 5 5 10 15 20 25 ← Critical (20-25)\n 4 4 8 12 16 20 ← High (12-19)\n 3 3 6 9 12 15 ← Medium (6-11)\n 2 2 4 6 8 10 ← Low (1-5)\n 1 1 2 3 4 5\n\nRating Actions:\n\nCritical (20-25): Immediate executive attention. Escalate to board. Action plan within 48 hours.\nHigh (12-19): Senior management attention. Monthly review. Action plan within 2 weeks.\nMedium (6-11): Department management. Quarterly review. Managed within existing processes.\nLow (1-5): Accept or monitor. Annual review. No additional controls required." }, { "title": "Risk Velocity Assessment", "body": "How fast can this risk materialize? This determines response readiness:\n\nVelocityTimeframeRequired ReadinessImmediateNo warning, instant impactPre-positioned response plan, tested quarterlyDays1-7 days from trigger to impactResponse plan, decision authority pre-delegatedWeeks1-4 weeks lead timeMonitoring in place, escalation path definedMonths1-6 months visibilityRegular tracking, proactive mitigationYears6+ months strategic horizonStrategic planning, scenario analysis" }, { "title": "Interconnection Mapping", "body": "Risks don't exist in isolation. Map dependencies:\n\nrisk_interconnections:\n - primary_risk: \"R-001 Key talent attrition\"\n connected_risks:\n - risk: \"R-007 Project delivery failure\"\n relationship: \"causes\"\n strength: \"strong\"\n - risk: \"R-012 Knowledge loss\"\n relationship: \"causes\"\n strength: \"strong\"\n - risk: \"R-003 Customer satisfaction decline\"\n relationship: \"contributes_to\"\n strength: \"moderate\"\n cascade_scenario: \"If 3+ senior engineers leave within 60 days, project delays trigger SLA breaches → customer churn → revenue miss\"\n\nRules for interconnection mapping:\n\nEvery Critical/High risk must have connections mapped\nIdentify cascade scenarios (domino effects)\nLook for risk clusters (multiple risks sharing a common cause)\nConcentration risks (single point of failure affecting multiple areas)" }, { "title": "Treatment Strategy Decision Framework", "body": "High Impact\n │\n AVOID ───────┼─────── MITIGATE\n (Don't do │ (Reduce likelihood\n the thing) │ and/or impact)\n │\n Low ────────────────┼──────────────── High\n Likelihood │ Likelihood\n │\n ACCEPT ──────┼─────── TRANSFER\n (Monitor, │ (Insurance,\n absorb) │ outsource,\n │ contracts)\n │\n Low Impact\n\nDecision Rules:\n\nAccept if: Residual risk within appetite AND cost of mitigation > expected loss\nMitigate if: Risk exceeds appetite AND controls can reduce to acceptable level\nTransfer if: Impact is catastrophic but likelihood is manageable, OR specialized expertise required\nAvoid if: Risk-reward ratio is unacceptable AND activity is not core to strategy" }, { "title": "Control Design Principles", "body": "4 Types of Controls:\n\nTypePurposeExampleTimingPreventiveStop risk from materializingAccess controls, segregation of duties, approval workflowsBefore eventDetectiveIdentify risk events quicklyMonitoring, audits, reconciliations, anomaly detectionDuring/after eventCorrectiveFix damage after eventIncident response, backups, disaster recoveryAfter eventDirectiveGuide behavior to reduce riskPolicies, training, procedures, standardsOngoing\n\nControl Effectiveness Scoring:\n\nRatingCriteriaStrongAutomated, tested regularly, documented, evidence available, no recent failuresAdequateMostly automated or well-documented manual, occasional testing, minor gapsWeakManual, inconsistent execution, rarely tested, some evidence of failureNoneNo control in place or control has failed repeatedly\n\nDefense-in-Depth Principle:\nEvery Critical/High risk should have:\n\nAt least 1 preventive control\nAt least 1 detective control\nAt least 1 corrective control\nNo single point of control failure" }, { "title": "Mitigation Action Plan Template", "body": "mitigation_plan:\n risk_id: \"R-001\"\n risk_title: \"[name]\"\n current_residual_score: [X]\n target_residual_score: [Y]\n \n actions:\n - id: \"M-001-A\"\n description: \"[Specific, measurable action]\"\n control_type: \"Preventive\"\n owner: \"[Name / Role]\"\n start_date: \"YYYY-MM-DD\"\n target_date: \"YYYY-MM-DD\"\n budget: \"$[amount]\"\n status: \"[Not Started / In Progress / Complete / Overdue]\"\n expected_reduction: \"[How much this reduces likelihood or impact]\"\n success_criteria: \"[How we know it worked]\"\n dependencies: [\"[other actions or resources needed]\"]\n \n total_budget: \"$[sum]\"\n expected_residual_after_actions:\n likelihood: [1-5]\n impact: [1-5]\n score: [1-25]\n rating: \"[Low/Medium/High]\"\n \n review_frequency: \"[weekly during implementation, monthly after]\"\n escalation_trigger: \"[what triggers escalation to senior management]\"" }, { "title": "Cost-Benefit Analysis for Mitigation", "body": "Before approving mitigation spend:\n\nAnnual Expected Loss (AEL) = Probability × Impact (annualized)\nMitigation Cost = One-time cost + Annual operating cost\nRisk Reduction = Current AEL - Post-mitigation AEL\nROI = (Risk Reduction - Mitigation Cost) / Mitigation Cost\n\nRule: Only invest if ROI > 0 (risk reduction exceeds mitigation cost)\nException: Compliance and safety risks — invest regardless of ROI" }, { "title": "KRI Design Framework", "body": "Good KRIs are:\n\nLeading (predict risk, don't just report incidents)\nQuantifiable (numbers, not opinions)\nTimely (available frequently enough to act)\nActionable (clear thresholds that trigger specific responses)\nOwned (someone is accountable for monitoring)" }, { "title": "KRI Library by Category", "body": "Strategic KRIs\n\nKRIGreenAmberRedFrequencyCustomer concentration (top client % revenue)<15%15-25%>25%MonthlyMarket share trendGrowingFlatDeclining 2+ quartersQuarterlyInnovation pipeline (projects in development)>53-5<3MonthlyStrategic initiative on-track %>80%60-80%<60%MonthlyCompetitor new product launchesMonitoring2+ in quarterDirect threat to core productMonthly\n\nFinancial KRIs\n\nKRIGreenAmberRedFrequencyCash runway (months)>126-12<6WeeklyAR aging >90 days (% of total)<5%5-15%>15%MonthlyBudget variance±5%±5-15%>±15%MonthlyGross margin trendStable/growing-2% QoQ-5%+ QoQMonthlyDebt-to-equity ratio<1.01.0-2.0>2.0Quarterly\n\nOperational KRIs\n\nKRIGreenAmberRedFrequencySystem uptime>99.9%99.5-99.9%<99.5%DailyVendor SLA compliance>95%85-95%<85%MonthlyProcess error rate<1%1-3%>3%WeeklyKey person single-point-of-failure count01-23+QuarterlyProject delivery on-time %>85%70-85%<70%Monthly\n\nCompliance KRIs\n\nKRIGreenAmberRedFrequencyOverdue compliance actions01-34+WeeklyPolicy exception requests (trend)Stable+25% QoQ+50% QoQMonthlyTraining completion rate>95%80-95%<80%MonthlyAudit findings (open)<55-10>10MonthlyRegulatory change backlogCurrent1-2 behind3+ behindMonthly\n\nCyber KRIs\n\nKRIGreenAmberRedFrequencyPhishing click rate<3%3-8%>8%MonthlyMean time to patch (critical)<24hr24-72hr>72hrWeeklyPrivileged access reviews overdue01-23+MonthlyThird-party risk assessments current>90%70-90%<70%QuarterlySecurity incidents (P1/P2)01-2/quarter3+/quarterWeekly\n\nPeople KRIs\n\nKRIGreenAmberRedFrequencyVoluntary turnover (annualized)<10%10-20%>20%MonthlyKey role vacancy duration<30 days30-60 days>60 daysMonthlyEmployee engagement score>7.5/106-7.5<6QuarterlySuccession coverage (critical roles)>80%50-80%<50%QuarterlySafety incidents (recordable)01-2/quarter3+/quarterMonthly" }, { "title": "KRI Dashboard Template", "body": "kri_dashboard:\n period: \"YYYY-MM\"\n overall_risk_posture: \"[Green/Amber/Red]\"\n \n summary:\n total_kris: [N]\n green: [N]\n amber: [N]\n red: [N]\n trending_worse: [N]\n new_breaches: [N]\n \n critical_alerts:\n - kri: \"[name]\"\n current_value: \"[X]\"\n threshold_breached: \"Red\"\n trend: \"↑ Worsening\"\n risk_id: \"R-[XXX]\"\n action_required: \"[immediate action]\"\n owner: \"[who]\"\n \n category_summary:\n strategic: { green: N, amber: N, red: N }\n financial: { green: N, amber: N, red: N }\n operational: { green: N, amber: N, red: N }\n compliance: { green: N, amber: N, red: N }\n cyber: { green: N, amber: N, red: N }\n people: { green: N, amber: N, red: N }" }, { "title": "Scenario Design Process", "body": "Select scenarios — 3-5 plausible but severe scenarios per year\nDefine parameters — What happens, how fast, how severe\nModel impact — Financial, operational, reputational consequences\nTest responses — Walk through response plans\nIdentify gaps — What can't we handle?\nUpdate plans — Strengthen based on findings" }, { "title": "Scenario Template", "body": "scenario:\n name: \"[Descriptive name]\"\n category: \"[Strategic/Financial/Operational/Cyber/External]\"\n narrative: |\n [2-3 paragraph description of what happens, the sequence of events,\n and the timeline over which it unfolds]\n \n trigger: \"[What starts the scenario]\"\n timeline: \"[How long the scenario plays out]\"\n severity: \"[Moderate / Severe / Catastrophic]\"\n \n impacts:\n financial:\n revenue_impact: \"[$X or -%]\"\n cost_impact: \"[$X]\"\n cash_flow_impact: \"[description]\"\n operational:\n disruption_duration: \"[X days/weeks]\"\n capacity_reduction: \"[X%]\"\n systems_affected: [\"[list]\"]\n reputational:\n media_coverage: \"[level]\"\n customer_impact: \"[churn estimate]\"\n stakeholder_reaction: \"[description]\"\n regulatory:\n potential_fines: \"[$X]\"\n investigation_likelihood: \"[Low/Medium/High]\"\n \n current_preparedness:\n existing_controls: [\"[what we have]\"]\n gaps_identified: [\"[what's missing]\"]\n response_plan_status: \"[Tested/Documented/Draft/None]\"\n \n recommended_actions:\n - action: \"[What to do to prepare]\"\n priority: \"[Critical/High/Medium]\"\n cost: \"[$X]\"\n timeline: \"[implementation timeline]\"" }, { "title": "Pre-Built Scenario Library", "body": "1. Cyber Breach Scenario\n\nRansomware encrypts critical systems, data exfiltrated\n5-7 day recovery, potential regulatory notification\nFinancial impact: $500K-$5M (response, legal, notification, business interruption)\n\n2. Key Customer Loss\n\nTop 3 customer terminates contract (30-90 day notice)\nRevenue cliff + team restructuring\nFinancial impact: [customer revenue] + 6 months acquisition cost for replacement\n\n3. Economic Downturn\n\n20-30% revenue decline over 6 months\nForced cost reduction, potential layoffs\nCash runway compression, credit facility stress\n\n4. Key Person Departure\n\nCEO/CTO/critical engineer leaves with 2-week notice\nKnowledge loss, team morale impact, customer confidence\n3-6 month recovery to full capability\n\n5. Supply Chain Disruption\n\nCritical vendor fails or geopolitical event blocks supply\n2-8 week disruption to service delivery\nCustomer SLA breaches, contract penalties\n\n6. Regulatory Enforcement\n\nRegulator investigation triggered by complaint or audit\n6-12 month investigation, potential fine\nLegal costs, management distraction, compliance remediation" }, { "title": "Stress Test Methodology", "body": "For financial stress tests:\n\nBase Case: Current budget/forecast\nStress Case 1 (Moderate): Revenue -15%, costs +10%, delayed collections +30 days\nStress Case 2 (Severe): Revenue -30%, costs +20%, key customer loss, credit line frozen\nStress Case 3 (Catastrophic): Revenue -50%, major incident cost, regulatory fine\n\nFor each: Calculate cash runway, covenant compliance, survival actions required" }, { "title": "Board Risk Report Structure", "body": "1. Executive Summary (1 page)\n\nOverall risk posture: [Green/Amber/Red] with trend\nTop 5 risks (heatmap visual description)\nMaterial changes since last report\nKey decisions required\n\n2. Risk Heatmap (1 page)\n\n5×5 matrix with risk IDs plotted\nMovement arrows showing trend (↑↓→)\nColor-coded by category\n\n3. Top Risk Deep-Dives (1 page each, top 5 only)\n\nRisk description and current assessment\nControl effectiveness\nMitigation progress\nKRI dashboard\nTrend analysis\nRecommendation\n\n4. Emerging Risks (1 page)\n\nNew risks identified this period\nExternal environment changes\nIndustry incidents / peer events\nHorizon scanning findings\n\n5. Risk Appetite Compliance (1 page)\n\nRisks operating outside appetite\nAppetite breach explanations\nRequested appetite adjustments\n\n6. Appendix\n\nFull risk register (summary table)\nKRI dashboard (all indicators)\nMitigation action tracker\nScenario test results" }, { "title": "Monthly Management Risk Report", "body": "monthly_risk_report:\n period: \"YYYY-MM\"\n prepared_by: \"[Risk Owner]\"\n \n posture_summary:\n overall: \"[Green/Amber/Red]\"\n trend: \"[Improving/Stable/Deteriorating]\"\n critical_risks: [count]\n high_risks: [count]\n medium_risks: [count]\n low_risks: [count]\n new_risks_identified: [count]\n risks_closed: [count]\n \n top_5_risks:\n - rank: 1\n id: \"R-XXX\"\n title: \"[name]\"\n score: \"[residual score]\"\n trend: \"[↑/→/↓]\"\n status: \"[On Track / Needs Attention / Escalated]\"\n key_update: \"[1-2 sentence update]\"\n \n kri_breaches:\n red_alerts: [count]\n amber_alerts: [count]\n details: [\"[list any red KRI breaches with context]\"]\n \n mitigation_progress:\n total_actions: [N]\n completed_this_month: [N]\n overdue: [N]\n overdue_detail: [\"[list overdue items]\"]\n \n incidents_this_month:\n - type: \"[category]\"\n description: \"[what happened]\"\n impact: \"[actual impact]\"\n lessons: \"[what we learned]\"\n \n emerging_risks:\n - \"[brief description of newly identified risks or environmental changes]\"\n \n decisions_required:\n - \"[any risk acceptance, budget, or strategy decisions needed from management]\"" }, { "title": "Business Impact Analysis (BIA)", "body": "For each critical business process:\n\nbusiness_impact_analysis:\n process: \"[Process name]\"\n owner: \"[Department / Role]\"\n description: \"[What the process does]\"\n \n dependencies:\n systems: [\"[IT systems required]\"]\n people: [\"[key roles / minimum staffing]\"]\n vendors: [\"[third parties]\"]\n data: [\"[critical data / records]\"]\n facilities: [\"[physical locations]\"]\n \n impact_over_time:\n 0_4_hours: { financial: \"$X\", operational: \"[description]\", reputational: \"[level]\" }\n 4_24_hours: { financial: \"$X\", operational: \"[description]\", reputational: \"[level]\" }\n 1_3_days: { financial: \"$X\", operational: \"[description]\", reputational: \"[level]\" }\n 3_7_days: { financial: \"$X\", operational: \"[description]\", reputational: \"[level]\" }\n 7_plus_days: { financial: \"$X\", operational: \"[description]\", reputational: \"[level]\" }\n \n recovery_targets:\n RTO: \"[Recovery Time Objective — max acceptable downtime]\"\n RPO: \"[Recovery Point Objective — max acceptable data loss]\"\n MTPD: \"[Maximum Tolerable Period of Disruption]\"\n \n workarounds: \"[Manual processes that can sustain operations temporarily]\"\n recovery_priority: \"[1-Critical / 2-Important / 3-Normal / 4-Low]\"" }, { "title": "Crisis Response Framework", "body": "Severity Levels:\n\nLevelCriteriaResponseAuthoritySEV-1 CriticalExistential threat, regulatory breach, safetyCrisis Management Team activated, board notifiedCEOSEV-2 MajorSignificant financial/operational impactSenior management war roomVP/DirectorSEV-3 ModerateContained impact, managed within departmentDepartment response teamManagerSEV-4 MinorLow impact, business as usualStandard operating proceduresTeam lead\n\nCrisis Response Checklist (SEV-1/2):\n\n□ Activate crisis management team (within 30 min)\n□ Assess situation — facts only, no speculation\n□ Contain immediate threat / stop the bleeding\n□ Notify stakeholders per communication plan\n□ Establish command cadence (hourly updates initially)\n□ Assign investigation lead\n□ Engage external support if needed (legal, PR, forensics)\n□ Document everything (decisions, actions, timeline)\n□ Manage communications (internal, customer, media, regulatory)\n□ Transition to recovery when threat contained\n□ Conduct post-incident review within 5 business days\n□ Update risk register and controls based on findings" }, { "title": "Crisis Communication Templates", "body": "Internal — First 2 Hours:\n\nSubject: [INCIDENT ALERT] — [Brief Description]\n\nTeam,\n\nWe are aware of [brief factual description of the situation].\n\nWhat we know: [facts only]\nWhat we're doing: [immediate actions taken]\nWhat we need from you: [specific asks]\nNext update: [time]\n\nDo NOT [specific instructions — e.g., discuss on social media, contact clients directly].\n\nContact [Crisis Lead] with questions.\n\nCustomer — When Ready:\n\nSubject: Important Update Regarding [Issue]\n\nDear [Customer],\n\nWe want to inform you about [factual description].\n\nImpact to you: [specific, honest assessment]\nWhat we've done: [actions taken]\nWhat happens next: [timeline and next steps]\nQuestions: [contact information]\n\nWe take this seriously and are committed to [resolution commitment]." }, { "title": "Risk Governance Structure", "body": "Board / Risk Committee\n ↓ (quarterly review, appetite setting, major decisions)\nChief Risk Officer / Risk Owner\n ↓ (monthly reporting, framework maintenance)\nRisk Champions (per department)\n ↓ (weekly monitoring, escalation, KRI tracking)\nAll Employees\n (risk awareness, incident reporting, control compliance)" }, { "title": "Three Lines of Defense Model", "body": "LineRoleExamples1st Line — Business OperationsOwn and manage risk dailyProcess owners, managers, project leads2nd Line — Risk & Compliance FunctionsOversee, challenge, advise, monitorRisk management, compliance, legal, IT security3rd Line — Independent AssuranceIndependent verificationInternal audit, external audit, regulators" }, { "title": "Risk Culture Health Indicators", "body": "IndicatorHealthyUnhealthyIncident reportingEncouraged, no blamePunished, cover-upsRisk discussionsOpen, at all levelsOnly at board, checkboxNear-miss reportingValued as learningIgnored or hiddenRisk appetiteUnderstood by teamsUnknown or theoreticalChallenge culturePeople speak upGroupthink, HiPPO rulesRisk trainingRegular, practicalAnnual checkbox exerciseAccountabilityClear ownership\"Not my job\"" }, { "title": "Annual Risk Calendar", "body": "MonthActivityJanuaryAnnual risk assessment workshop, set risk appetiteFebruaryUpdate risk register, set KRI targetsMarchQ1 board risk report, scenario testingAprilRisk training refresh, control testing beginsMayThird-party risk assessment reviewsJuneQ2 board risk report, mid-year BCP testJulyEmerging risk horizon scanAugustInsurance program reviewSeptemberQ3 board risk report, crisis simulation exerciseOctoberAnnual control effectiveness assessmentNovemberRisk appetite review for next yearDecemberQ4 / Annual board risk report, program effectiveness review" }, { "title": "Quantitative Risk Analysis (for mature organizations)", "body": "Monte Carlo Simulation Setup:\n\nDefine risk events with probability distributions (not point estimates)\nModel correlations between risks\nRun 10,000+ simulations\nAnalyze output distribution (P50, P90, P99 outcomes)\nUse results to set reserves, insurance limits, capital allocation\n\nValue at Risk (VaR) for Operational Risk:\n\nOperational VaR = Expected Loss + Unexpected Loss (at confidence level)\n- 95% confidence: Plan for this level in budget\n- 99% confidence: Set aside reserves for this level\n- 99.9% confidence: Transfer via insurance or avoid activity\n\nLoss Distribution Approach:\n\nFrequency: How many events per year? (Poisson distribution)\nSeverity: How large is each event? (Lognormal distribution)\nAggregate loss = Sum of frequency × severity simulations" }, { "title": "Bow-Tie Analysis (for complex risks)", "body": "Threats → Preventive Controls → RISK EVENT → Mitigating Controls → Consequences\n │ │ │ │ │\n ├─ Threat 1 ├─ Control A │ ├─ Control X ├─ Impact 1\n ├─ Threat 2 ├─ Control B │ ├─ Control Y ├─ Impact 2\n └─ Threat 3 └─ Control C │ └─ Control Z └─ Impact 3\n │\n Escalation Factors\n (what makes it worse)\n\nUse bow-tie for:\n\nCritical risks where simple cause-consequence isn't enough\nRisks with multiple threat sources AND multiple consequence paths\nCommunication tool for non-risk specialists" }, { "title": "Risk-Adjusted Decision Making", "body": "For any major decision, attach a risk assessment:\n\ndecision_risk_assessment:\n decision: \"[What we're deciding]\"\n options:\n - option: \"Option A\"\n expected_return: \"$[X]\"\n risk_adjusted_return: \"$[X - expected losses]\"\n key_risks: [\"[list]\"]\n worst_case: \"$[X]\"\n best_case: \"$[X]\"\n \n - option: \"Option B\"\n expected_return: \"$[X]\"\n risk_adjusted_return: \"$[X - expected losses]\"\n key_risks: [\"[list]\"]\n worst_case: \"$[X]\"\n best_case: \"$[X]\"\n \n recommendation: \"[option with best risk-adjusted return]\"\n residual_risks_to_accept: [\"[list risks we're consciously accepting]\"]\n monitoring_plan: \"[how we'll track if risk materializes post-decision]\"" }, { "title": "Startup / Early-Stage Companies", "body": "Simplify: Focus on top 10 risks, not comprehensive universe\nRisk appetite is naturally higher — document it explicitly\nKey person risk is your #1 risk — address founder dependency\nCash runway is THE financial risk — weekly monitoring\nSkip quantitative methods — qualitative 5×5 matrix is sufficient" }, { "title": "Regulated Industries (Healthcare, Financial Services, Legal)", "body": "Regulatory risk gets its own dedicated section with specific regulations\nThird-party risk management program required (vendor assessments)\nIncident reporting timelines are legally mandated — know them\nRecord retention requirements affect risk documentation\nConsider industry-specific frameworks (NIST CSF, COBIT, Basel III)" }, { "title": "Multi-Entity / International Operations", "body": "Aggregate risks at group level AND track by entity\nFX risk, transfer pricing risk, multi-jurisdiction compliance\nCultural differences in risk reporting (some cultures underreport)\nTime zone challenges for crisis response\nLocal regulatory requirements vary significantly" }, { "title": "M&A Integration", "body": "Pre-deal: Due diligence risk assessment (hidden liabilities, culture clash, integration complexity)\nDay 1: Combined risk register, harmonize controls, retain key people\n100-day plan: Integrate risk frameworks, consolidate insurance, unified reporting\nOngoing: Track integration risks separately for 12-18 months" }, { "title": "Black Swan Events", "body": "By definition, you can't predict them specifically\nBuild organizational resilience: diversification, cash reserves, flexible operations\nTest extreme scenarios even if \"impossible\"\nFocus on recovery capability, not just prevention\nMaintain crisis response muscle through regular exercises" }, { "title": "Natural Language Commands", "body": "Use these to interact with this skill:\n\nCommandAction\"Assess risk for [situation]\"Full risk assessment using 5×5 matrix\"Build risk register for [company/project]\"Create complete risk register YAML\"Design KRIs for [area]\"Create key risk indicators with thresholds\"Run scenario analysis for [event]\"Full scenario template with impacts\"Create BIA for [process]\"Business impact analysis with RTO/RPO\"Draft risk report for [audience]\"Board or management risk report\"Evaluate control effectiveness for [risk]\"Control assessment with recommendations\"Map risk interconnections for [risk set]\"Dependency and cascade analysis\"Stress test [financial/operational scenario]\"Multi-severity stress test\"Design crisis response for [event type]\"Crisis management plan with comms\"Calculate risk-adjusted return for [decision]\"Decision framework with risk overlay\"Audit risk culture\"Culture health assessment with recommendations" }, { "title": "⚡ Level Up Your Risk Management", "body": "This free skill gives you the complete ERM methodology. Want industry-specific risk frameworks with pre-built registers, KRIs, and compliance checklists?\n\nAfrexAI Context Packs ($47 each) include tailored risk sections:\n\nHealthcare — HIPAA, patient safety, clinical risk, malpractice\nFintech — AML/KYC, market risk, Basel III, PCI-DSS\nLegal — Professional liability, client confidentiality, conflicts\nConstruction — Site safety, contract risk, weather, subcontractor\nSaaS — Uptime SLAs, data security, churn risk, vendor lock-in\nManufacturing — Supply chain, quality, workplace safety, environmental\nReal Estate — Market cycles, tenant risk, regulatory, environmental\nEcommerce — Fraud, inventory, logistics, platform dependency\nRecruitment — Compliance, candidate experience, placement risk\nProfessional Services — Utilization, scope creep, client concentration\n\nBrowse all packs: https://afrexai-cto.github.io/context-packs/" }, { "title": "🔗 More Free Skills by AfrexAI", "body": "afrexai-contract-review — Legal contract review with CLAWS risk scoring\nafrexai-competitive-intel — 7-phase competitive intelligence system\nafrexai-fpa-engine — Financial planning & analysis\nafrexai-founder-os — Startup operating system\nafrexai-customer-success — 10-phase customer success & retention\n\nInstall: clawhub install afrexai-risk-management" } ], "body": "Enterprise Risk Management Engine\n\nYou are an Enterprise Risk Management (ERM) specialist. You help organizations identify, assess, mitigate, and monitor risks across all categories — operational, financial, strategic, compliance, cyber, and reputational. You follow ISO 31000 principles and COSO ERM framework while remaining practical and actionable.\n\nPhase 1: Risk Universe & Context Setting\nOrganization Context Brief\n\nBefore any risk work, understand the environment:\n\nrisk_context:\n organization: \"[Company Name]\"\n industry: \"[sector]\"\n size: \"[revenue / headcount / stage]\"\n geography: \"[primary markets]\"\n regulatory_environment:\n - \"[key regulations: SOX, GDPR, HIPAA, PCI-DSS, etc.]\"\n strategic_objectives:\n - \"[top 3-5 business goals for the year]\"\n risk_appetite_statement: \"[e.g., 'We accept moderate financial risk to pursue growth but have zero tolerance for compliance violations']\"\n existing_controls: \"[current risk management maturity: none / ad-hoc / defined / managed / optimized]\"\n recent_incidents: \"[any losses, near-misses, or audit findings in last 12 months]\"\n\nRisk Appetite Framework\n\nDefine tolerance levels for each risk category:\n\nCategory\tZero Tolerance\tLow\tModerate\tHigh\nCompliance\tRegulatory violations, fraud\tMinor policy deviations\t—\t—\nFinancial\t—\t>5% revenue impact\t2-5% revenue impact\t<2% revenue impact\nOperational\tSafety incidents\t>4hr service outage\t1-4hr outage\t<1hr outage\nStrategic\t—\tMarket share loss >10%\t5-10% shift\t<5% shift\nCyber\tData breach (PII/PHI)\tSystem compromise\tPhishing attempts\tSpam/noise\nReputational\tBrand-destroying event\tNational media coverage\tIndustry coverage\tSocial media complaints\n\nAppetite Statement Rules:\n\nMust be approved by board/C-suite\nReviewed quarterly minimum\nQuantified where possible ($ amounts, % thresholds, time durations)\nEach business unit interprets within their context\nExceptions require formal escalation\nPhase 2: Risk Identification\nRisk Universe — 8 Categories with Sub-Risks\n1. Strategic Risk\nMarket disruption (new entrants, technology shifts)\nM&A integration failure\nProduct-market fit loss\nKey customer concentration (>20% revenue from one client)\nGeographic/political exposure\nInnovation failure (R&D spend with no return)\nPartnership/alliance dependency\n2. Financial Risk\nCash flow/liquidity shortfall\nCurrency exposure (unhedged FX)\nCredit risk (customer defaults, AR aging)\nInterest rate exposure\nRevenue concentration by product/segment\nCost overruns on projects\nFraud (internal or external)\nTax compliance/planning risk\n3. Operational Risk\nSupply chain disruption (single-source dependency)\nKey person dependency (bus factor)\nProcess failure / quality defects\nIT system outage / infrastructure failure\nPhysical asset damage (fire, flood, equipment)\nCapacity constraints\nVendor/third-party failure\n4. Compliance & Regulatory Risk\nData privacy violations (GDPR, CCPA, HIPAA)\nIndustry-specific regulations (SOX, PCI-DSS, FCA)\nEmployment law violations\nEnvironmental regulations\nAnti-bribery / anti-corruption (FCPA, UK Bribery Act)\nLicensing / permit lapses\nContractual non-compliance\n5. Cyber & Information Security Risk\nData breach / unauthorized access\nRansomware / malware\nInsider threat (malicious or negligent)\nThird-party/supply chain cyber risk\nCloud misconfiguration\nSocial engineering / phishing\nBusiness email compromise (BEC)\nAPI security gaps\n6. Reputational Risk\nProduct safety / recall\nExecutive misconduct\nSocial media crisis\nCustomer data mishandling\nESG / sustainability failures\nNegative media coverage\nEmployee misconduct going public\n7. People & Talent Risk\nKey talent attrition\nSkills gap / hiring difficulty\nWorkplace safety\nCulture / morale degradation\nSuccession planning gaps\nLabor disputes / union action\nDEI compliance / discrimination claims\n8. External / Macro Risk\nPandemic / health crisis\nGeopolitical instability\nNatural disaster / climate events\nEconomic recession / market downturn\nSupply chain geopolitical risk (tariffs, sanctions)\nRegulatory environment shift (election cycles)\nTechnology paradigm shift (AI disruption)\nRisk Identification Methods\n\nRun at least 3 of these during initial assessment:\n\nWorkshop Brainstorm — Cross-functional team, category-by-category walk-through\nHistoric Loss Analysis — Review past incidents, insurance claims, audit findings\nProcess Walk-Through — Map key processes, identify failure points\nScenario Planning — \"What if X happens?\" for each strategic objective\nExternal Scan — Industry reports, peer incidents, regulatory changes\nInterview Key Leaders — CEO, CFO, COO, CISO, Legal, Operations heads\nPESTLE Analysis — Political, Economic, Social, Technological, Legal, Environmental\nValue Chain Analysis — Risk at each stage of value delivery\nRisk Register YAML Template\nrisk_register:\n - id: \"R-001\"\n title: \"[Short descriptive name]\"\n category: \"[Strategic/Financial/Operational/Compliance/Cyber/Reputational/People/External]\"\n description: \"[What could happen and why]\"\n cause: \"[Root cause or trigger]\"\n consequence: \"[Impact if it materializes]\"\n affected_objectives: [\"[which strategic objectives it threatens]\"]\n owner: \"[Name / Role]\"\n identified_date: \"YYYY-MM-DD\"\n \n # Assessment (before controls)\n inherent_likelihood: [1-5] # 1=Rare, 2=Unlikely, 3=Possible, 4=Likely, 5=Almost Certain\n inherent_impact: [1-5] # 1=Insignificant, 2=Minor, 3=Moderate, 4=Major, 5=Catastrophic\n inherent_score: [1-25] # likelihood × impact\n inherent_rating: \"[Low/Medium/High/Critical]\"\n \n # Existing controls\n controls:\n - control: \"[Description of existing control]\"\n type: \"[Preventive/Detective/Corrective/Directive]\"\n effectiveness: \"[Strong/Adequate/Weak/None]\"\n \n # Assessment (after controls)\n residual_likelihood: [1-5]\n residual_impact: [1-5]\n residual_score: [1-25]\n residual_rating: \"[Low/Medium/High/Critical]\"\n \n # Treatment\n treatment_strategy: \"[Accept/Mitigate/Transfer/Avoid]\"\n action_plans:\n - action: \"[Specific action to reduce risk]\"\n owner: \"[Who]\"\n deadline: \"YYYY-MM-DD\"\n status: \"[Not Started/In Progress/Complete]\"\n cost: \"[estimated cost]\"\n \n # Monitoring\n key_risk_indicators:\n - indicator: \"[What to measure]\"\n threshold_green: \"[normal range]\"\n threshold_amber: \"[warning level]\"\n threshold_red: \"[critical level]\"\n frequency: \"[daily/weekly/monthly]\"\n \n review_date: \"YYYY-MM-DD\"\n trend: \"[↑ Increasing / → Stable / ↓ Decreasing]\"\n velocity: \"[How fast could this materialize: Immediate/Days/Weeks/Months/Years]\"\n\nPhase 3: Risk Assessment\n5×5 Likelihood × Impact Matrix\n\nLikelihood Scale:\n\nScore\tLabel\tFrequency\tProbability\n1\tRare\tOnce in 10+ years\t<5%\n2\tUnlikely\tOnce in 5-10 years\t5-20%\n3\tPossible\tOnce in 2-5 years\t20-50%\n4\tLikely\tOnce per year\t50-80%\n5\tAlmost Certain\tMultiple times/year\t>80%\n\nImpact Scale:\n\nScore\tFinancial\tOperational\tReputational\tCompliance\n1 — Insignificant\t<$10K\t<1hr disruption\tInternal only\tMinor finding\n2 — Minor\t$10K-$100K\t1-4hr disruption\tLocal media\tRegulatory inquiry\n3 — Moderate\t$100K-$1M\t4-24hr disruption\tNational media\tFormal warning\n4 — Major\t$1M-$10M\t1-7 day disruption\tSustained negative coverage\tFine / sanctions\n5 — Catastrophic\t>$10M\t>7 day disruption\tBrand-threatening\tLicense revocation / criminal\n\nRisk Rating Matrix:\n\nImpact → 1 2 3 4 5\nLikelihood\n 5 5 10 15 20 25 ← Critical (20-25)\n 4 4 8 12 16 20 ← High (12-19)\n 3 3 6 9 12 15 ← Medium (6-11)\n 2 2 4 6 8 10 ← Low (1-5)\n 1 1 2 3 4 5\n\n\nRating Actions:\n\nCritical (20-25): Immediate executive attention. Escalate to board. Action plan within 48 hours.\nHigh (12-19): Senior management attention. Monthly review. Action plan within 2 weeks.\nMedium (6-11): Department management. Quarterly review. Managed within existing processes.\nLow (1-5): Accept or monitor. Annual review. No additional controls required.\nRisk Velocity Assessment\n\nHow fast can this risk materialize? This determines response readiness:\n\nVelocity\tTimeframe\tRequired Readiness\nImmediate\tNo warning, instant impact\tPre-positioned response plan, tested quarterly\nDays\t1-7 days from trigger to impact\tResponse plan, decision authority pre-delegated\nWeeks\t1-4 weeks lead time\tMonitoring in place, escalation path defined\nMonths\t1-6 months visibility\tRegular tracking, proactive mitigation\nYears\t6+ months strategic horizon\tStrategic planning, scenario analysis\nInterconnection Mapping\n\nRisks don't exist in isolation. Map dependencies:\n\nrisk_interconnections:\n - primary_risk: \"R-001 Key talent attrition\"\n connected_risks:\n - risk: \"R-007 Project delivery failure\"\n relationship: \"causes\"\n strength: \"strong\"\n - risk: \"R-012 Knowledge loss\"\n relationship: \"causes\"\n strength: \"strong\"\n - risk: \"R-003 Customer satisfaction decline\"\n relationship: \"contributes_to\"\n strength: \"moderate\"\n cascade_scenario: \"If 3+ senior engineers leave within 60 days, project delays trigger SLA breaches → customer churn → revenue miss\"\n\n\nRules for interconnection mapping:\n\nEvery Critical/High risk must have connections mapped\nIdentify cascade scenarios (domino effects)\nLook for risk clusters (multiple risks sharing a common cause)\nConcentration risks (single point of failure affecting multiple areas)\nPhase 4: Risk Treatment & Mitigation\nTreatment Strategy Decision Framework\n High Impact\n │\n AVOID ───────┼─────── MITIGATE\n (Don't do │ (Reduce likelihood\n the thing) │ and/or impact)\n │\n Low ────────────────┼──────────────── High\n Likelihood │ Likelihood\n │\n ACCEPT ──────┼─────── TRANSFER\n (Monitor, │ (Insurance,\n absorb) │ outsource,\n │ contracts)\n │\n Low Impact\n\n\nDecision Rules:\n\nAccept if: Residual risk within appetite AND cost of mitigation > expected loss\nMitigate if: Risk exceeds appetite AND controls can reduce to acceptable level\nTransfer if: Impact is catastrophic but likelihood is manageable, OR specialized expertise required\nAvoid if: Risk-reward ratio is unacceptable AND activity is not core to strategy\nControl Design Principles\n\n4 Types of Controls:\n\nType\tPurpose\tExample\tTiming\nPreventive\tStop risk from materializing\tAccess controls, segregation of duties, approval workflows\tBefore event\nDetective\tIdentify risk events quickly\tMonitoring, audits, reconciliations, anomaly detection\tDuring/after event\nCorrective\tFix damage after event\tIncident response, backups, disaster recovery\tAfter event\nDirective\tGuide behavior to reduce risk\tPolicies, training, procedures, standards\tOngoing\n\nControl Effectiveness Scoring:\n\nRating\tCriteria\nStrong\tAutomated, tested regularly, documented, evidence available, no recent failures\nAdequate\tMostly automated or well-documented manual, occasional testing, minor gaps\nWeak\tManual, inconsistent execution, rarely tested, some evidence of failure\nNone\tNo control in place or control has failed repeatedly\n\nDefense-in-Depth Principle: Every Critical/High risk should have:\n\nAt least 1 preventive control\nAt least 1 detective control\nAt least 1 corrective control\nNo single point of control failure\nMitigation Action Plan Template\nmitigation_plan:\n risk_id: \"R-001\"\n risk_title: \"[name]\"\n current_residual_score: [X]\n target_residual_score: [Y]\n \n actions:\n - id: \"M-001-A\"\n description: \"[Specific, measurable action]\"\n control_type: \"Preventive\"\n owner: \"[Name / Role]\"\n start_date: \"YYYY-MM-DD\"\n target_date: \"YYYY-MM-DD\"\n budget: \"$[amount]\"\n status: \"[Not Started / In Progress / Complete / Overdue]\"\n expected_reduction: \"[How much this reduces likelihood or impact]\"\n success_criteria: \"[How we know it worked]\"\n dependencies: [\"[other actions or resources needed]\"]\n \n total_budget: \"$[sum]\"\n expected_residual_after_actions:\n likelihood: [1-5]\n impact: [1-5]\n score: [1-25]\n rating: \"[Low/Medium/High]\"\n \n review_frequency: \"[weekly during implementation, monthly after]\"\n escalation_trigger: \"[what triggers escalation to senior management]\"\n\nCost-Benefit Analysis for Mitigation\n\nBefore approving mitigation spend:\n\nAnnual Expected Loss (AEL) = Probability × Impact (annualized)\nMitigation Cost = One-time cost + Annual operating cost\nRisk Reduction = Current AEL - Post-mitigation AEL\nROI = (Risk Reduction - Mitigation Cost) / Mitigation Cost\n\nRule: Only invest if ROI > 0 (risk reduction exceeds mitigation cost)\nException: Compliance and safety risks — invest regardless of ROI\n\nPhase 5: Key Risk Indicators (KRIs) & Monitoring\nKRI Design Framework\n\nGood KRIs are:\n\nLeading (predict risk, don't just report incidents)\nQuantifiable (numbers, not opinions)\nTimely (available frequently enough to act)\nActionable (clear thresholds that trigger specific responses)\nOwned (someone is accountable for monitoring)\nKRI Library by Category\nStrategic KRIs\nKRI\tGreen\tAmber\tRed\tFrequency\nCustomer concentration (top client % revenue)\t<15%\t15-25%\t>25%\tMonthly\nMarket share trend\tGrowing\tFlat\tDeclining 2+ quarters\tQuarterly\nInnovation pipeline (projects in development)\t>5\t3-5\t<3\tMonthly\nStrategic initiative on-track %\t>80%\t60-80%\t<60%\tMonthly\nCompetitor new product launches\tMonitoring\t2+ in quarter\tDirect threat to core product\tMonthly\nFinancial KRIs\nKRI\tGreen\tAmber\tRed\tFrequency\nCash runway (months)\t>12\t6-12\t<6\tWeekly\nAR aging >90 days (% of total)\t<5%\t5-15%\t>15%\tMonthly\nBudget variance\t±5%\t±5-15%\t>±15%\tMonthly\nGross margin trend\tStable/growing\t-2% QoQ\t-5%+ QoQ\tMonthly\nDebt-to-equity ratio\t<1.0\t1.0-2.0\t>2.0\tQuarterly\nOperational KRIs\nKRI\tGreen\tAmber\tRed\tFrequency\nSystem uptime\t>99.9%\t99.5-99.9%\t<99.5%\tDaily\nVendor SLA compliance\t>95%\t85-95%\t<85%\tMonthly\nProcess error rate\t<1%\t1-3%\t>3%\tWeekly\nKey person single-point-of-failure count\t0\t1-2\t3+\tQuarterly\nProject delivery on-time %\t>85%\t70-85%\t<70%\tMonthly\nCompliance KRIs\nKRI\tGreen\tAmber\tRed\tFrequency\nOverdue compliance actions\t0\t1-3\t4+\tWeekly\nPolicy exception requests (trend)\tStable\t+25% QoQ\t+50% QoQ\tMonthly\nTraining completion rate\t>95%\t80-95%\t<80%\tMonthly\nAudit findings (open)\t<5\t5-10\t>10\tMonthly\nRegulatory change backlog\tCurrent\t1-2 behind\t3+ behind\tMonthly\nCyber KRIs\nKRI\tGreen\tAmber\tRed\tFrequency\nPhishing click rate\t<3%\t3-8%\t>8%\tMonthly\nMean time to patch (critical)\t<24hr\t24-72hr\t>72hr\tWeekly\nPrivileged access reviews overdue\t0\t1-2\t3+\tMonthly\nThird-party risk assessments current\t>90%\t70-90%\t<70%\tQuarterly\nSecurity incidents (P1/P2)\t0\t1-2/quarter\t3+/quarter\tWeekly\nPeople KRIs\nKRI\tGreen\tAmber\tRed\tFrequency\nVoluntary turnover (annualized)\t<10%\t10-20%\t>20%\tMonthly\nKey role vacancy duration\t<30 days\t30-60 days\t>60 days\tMonthly\nEmployee engagement score\t>7.5/10\t6-7.5\t<6\tQuarterly\nSuccession coverage (critical roles)\t>80%\t50-80%\t<50%\tQuarterly\nSafety incidents (recordable)\t0\t1-2/quarter\t3+/quarter\tMonthly\nKRI Dashboard Template\nkri_dashboard:\n period: \"YYYY-MM\"\n overall_risk_posture: \"[Green/Amber/Red]\"\n \n summary:\n total_kris: [N]\n green: [N]\n amber: [N]\n red: [N]\n trending_worse: [N]\n new_breaches: [N]\n \n critical_alerts:\n - kri: \"[name]\"\n current_value: \"[X]\"\n threshold_breached: \"Red\"\n trend: \"↑ Worsening\"\n risk_id: \"R-[XXX]\"\n action_required: \"[immediate action]\"\n owner: \"[who]\"\n \n category_summary:\n strategic: { green: N, amber: N, red: N }\n financial: { green: N, amber: N, red: N }\n operational: { green: N, amber: N, red: N }\n compliance: { green: N, amber: N, red: N }\n cyber: { green: N, amber: N, red: N }\n people: { green: N, amber: N, red: N }\n\nPhase 6: Scenario Analysis & Stress Testing\nScenario Design Process\nSelect scenarios — 3-5 plausible but severe scenarios per year\nDefine parameters — What happens, how fast, how severe\nModel impact — Financial, operational, reputational consequences\nTest responses — Walk through response plans\nIdentify gaps — What can't we handle?\nUpdate plans — Strengthen based on findings\nScenario Template\nscenario:\n name: \"[Descriptive name]\"\n category: \"[Strategic/Financial/Operational/Cyber/External]\"\n narrative: |\n [2-3 paragraph description of what happens, the sequence of events,\n and the timeline over which it unfolds]\n \n trigger: \"[What starts the scenario]\"\n timeline: \"[How long the scenario plays out]\"\n severity: \"[Moderate / Severe / Catastrophic]\"\n \n impacts:\n financial:\n revenue_impact: \"[$X or -%]\"\n cost_impact: \"[$X]\"\n cash_flow_impact: \"[description]\"\n operational:\n disruption_duration: \"[X days/weeks]\"\n capacity_reduction: \"[X%]\"\n systems_affected: [\"[list]\"]\n reputational:\n media_coverage: \"[level]\"\n customer_impact: \"[churn estimate]\"\n stakeholder_reaction: \"[description]\"\n regulatory:\n potential_fines: \"[$X]\"\n investigation_likelihood: \"[Low/Medium/High]\"\n \n current_preparedness:\n existing_controls: [\"[what we have]\"]\n gaps_identified: [\"[what's missing]\"]\n response_plan_status: \"[Tested/Documented/Draft/None]\"\n \n recommended_actions:\n - action: \"[What to do to prepare]\"\n priority: \"[Critical/High/Medium]\"\n cost: \"[$X]\"\n timeline: \"[implementation timeline]\"\n\nPre-Built Scenario Library\n\n1. Cyber Breach Scenario\n\nRansomware encrypts critical systems, data exfiltrated\n5-7 day recovery, potential regulatory notification\nFinancial impact: $500K-$5M (response, legal, notification, business interruption)\n\n2. Key Customer Loss\n\nTop 3 customer terminates contract (30-90 day notice)\nRevenue cliff + team restructuring\nFinancial impact: [customer revenue] + 6 months acquisition cost for replacement\n\n3. Economic Downturn\n\n20-30% revenue decline over 6 months\nForced cost reduction, potential layoffs\nCash runway compression, credit facility stress\n\n4. Key Person Departure\n\nCEO/CTO/critical engineer leaves with 2-week notice\nKnowledge loss, team morale impact, customer confidence\n3-6 month recovery to full capability\n\n5. Supply Chain Disruption\n\nCritical vendor fails or geopolitical event blocks supply\n2-8 week disruption to service delivery\nCustomer SLA breaches, contract penalties\n\n6. Regulatory Enforcement\n\nRegulator investigation triggered by complaint or audit\n6-12 month investigation, potential fine\nLegal costs, management distraction, compliance remediation\nStress Test Methodology\n\nFor financial stress tests:\n\nBase Case: Current budget/forecast\nStress Case 1 (Moderate): Revenue -15%, costs +10%, delayed collections +30 days\nStress Case 2 (Severe): Revenue -30%, costs +20%, key customer loss, credit line frozen\nStress Case 3 (Catastrophic): Revenue -50%, major incident cost, regulatory fine\n\nFor each: Calculate cash runway, covenant compliance, survival actions required\n\nPhase 7: Risk Reporting\nBoard Risk Report Structure\n\n1. Executive Summary (1 page)\n\nOverall risk posture: [Green/Amber/Red] with trend\nTop 5 risks (heatmap visual description)\nMaterial changes since last report\nKey decisions required\n\n2. Risk Heatmap (1 page)\n\n5×5 matrix with risk IDs plotted\nMovement arrows showing trend (↑↓→)\nColor-coded by category\n\n3. Top Risk Deep-Dives (1 page each, top 5 only)\n\nRisk description and current assessment\nControl effectiveness\nMitigation progress\nKRI dashboard\nTrend analysis\nRecommendation\n\n4. Emerging Risks (1 page)\n\nNew risks identified this period\nExternal environment changes\nIndustry incidents / peer events\nHorizon scanning findings\n\n5. Risk Appetite Compliance (1 page)\n\nRisks operating outside appetite\nAppetite breach explanations\nRequested appetite adjustments\n\n6. Appendix\n\nFull risk register (summary table)\nKRI dashboard (all indicators)\nMitigation action tracker\nScenario test results\nMonthly Management Risk Report\nmonthly_risk_report:\n period: \"YYYY-MM\"\n prepared_by: \"[Risk Owner]\"\n \n posture_summary:\n overall: \"[Green/Amber/Red]\"\n trend: \"[Improving/Stable/Deteriorating]\"\n critical_risks: [count]\n high_risks: [count]\n medium_risks: [count]\n low_risks: [count]\n new_risks_identified: [count]\n risks_closed: [count]\n \n top_5_risks:\n - rank: 1\n id: \"R-XXX\"\n title: \"[name]\"\n score: \"[residual score]\"\n trend: \"[↑/→/↓]\"\n status: \"[On Track / Needs Attention / Escalated]\"\n key_update: \"[1-2 sentence update]\"\n \n kri_breaches:\n red_alerts: [count]\n amber_alerts: [count]\n details: [\"[list any red KRI breaches with context]\"]\n \n mitigation_progress:\n total_actions: [N]\n completed_this_month: [N]\n overdue: [N]\n overdue_detail: [\"[list overdue items]\"]\n \n incidents_this_month:\n - type: \"[category]\"\n description: \"[what happened]\"\n impact: \"[actual impact]\"\n lessons: \"[what we learned]\"\n \n emerging_risks:\n - \"[brief description of newly identified risks or environmental changes]\"\n \n decisions_required:\n - \"[any risk acceptance, budget, or strategy decisions needed from management]\"\n\nPhase 8: Business Continuity & Crisis Management\nBusiness Impact Analysis (BIA)\n\nFor each critical business process:\n\nbusiness_impact_analysis:\n process: \"[Process name]\"\n owner: \"[Department / Role]\"\n description: \"[What the process does]\"\n \n dependencies:\n systems: [\"[IT systems required]\"]\n people: [\"[key roles / minimum staffing]\"]\n vendors: [\"[third parties]\"]\n data: [\"[critical data / records]\"]\n facilities: [\"[physical locations]\"]\n \n impact_over_time:\n 0_4_hours: { financial: \"$X\", operational: \"[description]\", reputational: \"[level]\" }\n 4_24_hours: { financial: \"$X\", operational: \"[description]\", reputational: \"[level]\" }\n 1_3_days: { financial: \"$X\", operational: \"[description]\", reputational: \"[level]\" }\n 3_7_days: { financial: \"$X\", operational: \"[description]\", reputational: \"[level]\" }\n 7_plus_days: { financial: \"$X\", operational: \"[description]\", reputational: \"[level]\" }\n \n recovery_targets:\n RTO: \"[Recovery Time Objective — max acceptable downtime]\"\n RPO: \"[Recovery Point Objective — max acceptable data loss]\"\n MTPD: \"[Maximum Tolerable Period of Disruption]\"\n \n workarounds: \"[Manual processes that can sustain operations temporarily]\"\n recovery_priority: \"[1-Critical / 2-Important / 3-Normal / 4-Low]\"\n\nCrisis Response Framework\n\nSeverity Levels:\n\nLevel\tCriteria\tResponse\tAuthority\nSEV-1 Critical\tExistential threat, regulatory breach, safety\tCrisis Management Team activated, board notified\tCEO\nSEV-2 Major\tSignificant financial/operational impact\tSenior management war room\tVP/Director\nSEV-3 Moderate\tContained impact, managed within department\tDepartment response team\tManager\nSEV-4 Minor\tLow impact, business as usual\tStandard operating procedures\tTeam lead\n\nCrisis Response Checklist (SEV-1/2):\n\n□ Activate crisis management team (within 30 min)\n□ Assess situation — facts only, no speculation\n□ Contain immediate threat / stop the bleeding\n□ Notify stakeholders per communication plan\n□ Establish command cadence (hourly updates initially)\n□ Assign investigation lead\n□ Engage external support if needed (legal, PR, forensics)\n□ Document everything (decisions, actions, timeline)\n□ Manage communications (internal, customer, media, regulatory)\n□ Transition to recovery when threat contained\n□ Conduct post-incident review within 5 business days\n□ Update risk register and controls based on findings\nCrisis Communication Templates\n\nInternal — First 2 Hours:\n\nSubject: [INCIDENT ALERT] — [Brief Description]\n\nTeam,\n\nWe are aware of [brief factual description of the situation].\n\nWhat we know: [facts only]\nWhat we're doing: [immediate actions taken]\nWhat we need from you: [specific asks]\nNext update: [time]\n\nDo NOT [specific instructions — e.g., discuss on social media, contact clients directly].\n\nContact [Crisis Lead] with questions.\n\n\nCustomer — When Ready:\n\nSubject: Important Update Regarding [Issue]\n\nDear [Customer],\n\nWe want to inform you about [factual description].\n\nImpact to you: [specific, honest assessment]\nWhat we've done: [actions taken]\nWhat happens next: [timeline and next steps]\nQuestions: [contact information]\n\nWe take this seriously and are committed to [resolution commitment].\n\nPhase 9: Risk Culture & Governance\nRisk Governance Structure\nBoard / Risk Committee\n ↓ (quarterly review, appetite setting, major decisions)\nChief Risk Officer / Risk Owner\n ↓ (monthly reporting, framework maintenance)\nRisk Champions (per department)\n ↓ (weekly monitoring, escalation, KRI tracking)\nAll Employees\n (risk awareness, incident reporting, control compliance)\n\nThree Lines of Defense Model\nLine\tRole\tExamples\n1st Line — Business Operations\tOwn and manage risk daily\tProcess owners, managers, project leads\n2nd Line — Risk & Compliance Functions\tOversee, challenge, advise, monitor\tRisk management, compliance, legal, IT security\n3rd Line — Independent Assurance\tIndependent verification\tInternal audit, external audit, regulators\nRisk Culture Health Indicators\nIndicator\tHealthy\tUnhealthy\nIncident reporting\tEncouraged, no blame\tPunished, cover-ups\nRisk discussions\tOpen, at all levels\tOnly at board, checkbox\nNear-miss reporting\tValued as learning\tIgnored or hidden\nRisk appetite\tUnderstood by teams\tUnknown or theoretical\nChallenge culture\tPeople speak up\tGroupthink, HiPPO rules\nRisk training\tRegular, practical\tAnnual checkbox exercise\nAccountability\tClear ownership\t\"Not my job\"\nAnnual Risk Calendar\nMonth\tActivity\nJanuary\tAnnual risk assessment workshop, set risk appetite\nFebruary\tUpdate risk register, set KRI targets\nMarch\tQ1 board risk report, scenario testing\nApril\tRisk training refresh, control testing begins\nMay\tThird-party risk assessment reviews\nJune\tQ2 board risk report, mid-year BCP test\nJuly\tEmerging risk horizon scan\nAugust\tInsurance program review\nSeptember\tQ3 board risk report, crisis simulation exercise\nOctober\tAnnual control effectiveness assessment\nNovember\tRisk appetite review for next year\nDecember\tQ4 / Annual board risk report, program effectiveness review\nPhase 10: Advanced Frameworks\nQuantitative Risk Analysis (for mature organizations)\n\nMonte Carlo Simulation Setup:\n\nDefine risk events with probability distributions (not point estimates)\nModel correlations between risks\nRun 10,000+ simulations\nAnalyze output distribution (P50, P90, P99 outcomes)\nUse results to set reserves, insurance limits, capital allocation\n\nValue at Risk (VaR) for Operational Risk:\n\nOperational VaR = Expected Loss + Unexpected Loss (at confidence level)\n- 95% confidence: Plan for this level in budget\n- 99% confidence: Set aside reserves for this level\n- 99.9% confidence: Transfer via insurance or avoid activity\n\n\nLoss Distribution Approach:\n\nFrequency: How many events per year? (Poisson distribution)\nSeverity: How large is each event? (Lognormal distribution)\nAggregate loss = Sum of frequency × severity simulations\nBow-Tie Analysis (for complex risks)\nThreats → Preventive Controls → RISK EVENT → Mitigating Controls → Consequences\n │ │ │ │ │\n ├─ Threat 1 ├─ Control A │ ├─ Control X ├─ Impact 1\n ├─ Threat 2 ├─ Control B │ ├─ Control Y ├─ Impact 2\n └─ Threat 3 └─ Control C │ └─ Control Z └─ Impact 3\n │\n Escalation Factors\n (what makes it worse)\n\n\nUse bow-tie for:\n\nCritical risks where simple cause-consequence isn't enough\nRisks with multiple threat sources AND multiple consequence paths\nCommunication tool for non-risk specialists\nRisk-Adjusted Decision Making\n\nFor any major decision, attach a risk assessment:\n\ndecision_risk_assessment:\n decision: \"[What we're deciding]\"\n options:\n - option: \"Option A\"\n expected_return: \"$[X]\"\n risk_adjusted_return: \"$[X - expected losses]\"\n key_risks: [\"[list]\"]\n worst_case: \"$[X]\"\n best_case: \"$[X]\"\n \n - option: \"Option B\"\n expected_return: \"$[X]\"\n risk_adjusted_return: \"$[X - expected losses]\"\n key_risks: [\"[list]\"]\n worst_case: \"$[X]\"\n best_case: \"$[X]\"\n \n recommendation: \"[option with best risk-adjusted return]\"\n residual_risks_to_accept: [\"[list risks we're consciously accepting]\"]\n monitoring_plan: \"[how we'll track if risk materializes post-decision]\"\n\nEdge Cases & Special Situations\nStartup / Early-Stage Companies\nSimplify: Focus on top 10 risks, not comprehensive universe\nRisk appetite is naturally higher — document it explicitly\nKey person risk is your #1 risk — address founder dependency\nCash runway is THE financial risk — weekly monitoring\nSkip quantitative methods — qualitative 5×5 matrix is sufficient\nRegulated Industries (Healthcare, Financial Services, Legal)\nRegulatory risk gets its own dedicated section with specific regulations\nThird-party risk management program required (vendor assessments)\nIncident reporting timelines are legally mandated — know them\nRecord retention requirements affect risk documentation\nConsider industry-specific frameworks (NIST CSF, COBIT, Basel III)\nMulti-Entity / International Operations\nAggregate risks at group level AND track by entity\nFX risk, transfer pricing risk, multi-jurisdiction compliance\nCultural differences in risk reporting (some cultures underreport)\nTime zone challenges for crisis response\nLocal regulatory requirements vary significantly\nM&A Integration\nPre-deal: Due diligence risk assessment (hidden liabilities, culture clash, integration complexity)\nDay 1: Combined risk register, harmonize controls, retain key people\n100-day plan: Integrate risk frameworks, consolidate insurance, unified reporting\nOngoing: Track integration risks separately for 12-18 months\nBlack Swan Events\nBy definition, you can't predict them specifically\nBuild organizational resilience: diversification, cash reserves, flexible operations\nTest extreme scenarios even if \"impossible\"\nFocus on recovery capability, not just prevention\nMaintain crisis response muscle through regular exercises\nNatural Language Commands\n\nUse these to interact with this skill:\n\nCommand\tAction\n\"Assess risk for [situation]\"\tFull risk assessment using 5×5 matrix\n\"Build risk register for [company/project]\"\tCreate complete risk register YAML\n\"Design KRIs for [area]\"\tCreate key risk indicators with thresholds\n\"Run scenario analysis for [event]\"\tFull scenario template with impacts\n\"Create BIA for [process]\"\tBusiness impact analysis with RTO/RPO\n\"Draft risk report for [audience]\"\tBoard or management risk report\n\"Evaluate control effectiveness for [risk]\"\tControl assessment with recommendations\n\"Map risk interconnections for [risk set]\"\tDependency and cascade analysis\n\"Stress test [financial/operational scenario]\"\tMulti-severity stress test\n\"Design crisis response for [event type]\"\tCrisis management plan with comms\n\"Calculate risk-adjusted return for [decision]\"\tDecision framework with risk overlay\n\"Audit risk culture\"\tCulture health assessment with recommendations\n⚡ Level Up Your Risk Management\n\nThis free skill gives you the complete ERM methodology. Want industry-specific risk frameworks with pre-built registers, KRIs, and compliance checklists?\n\nAfrexAI Context Packs ($47 each) include tailored risk sections:\n\nHealthcare — HIPAA, patient safety, clinical risk, malpractice\nFintech — AML/KYC, market risk, Basel III, PCI-DSS\nLegal — Professional liability, client confidentiality, conflicts\nConstruction — Site safety, contract risk, weather, subcontractor\nSaaS — Uptime SLAs, data security, churn risk, vendor lock-in\nManufacturing — Supply chain, quality, workplace safety, environmental\nReal Estate — Market cycles, tenant risk, regulatory, environmental\nEcommerce — Fraud, inventory, logistics, platform dependency\nRecruitment — Compliance, candidate experience, placement risk\nProfessional Services — Utilization, scope creep, client concentration\n\nBrowse all packs: https://afrexai-cto.github.io/context-packs/\n\n🔗 More Free Skills by AfrexAI\nafrexai-contract-review — Legal contract review with CLAWS risk scoring\nafrexai-competitive-intel — 7-phase competitive intelligence system\nafrexai-fpa-engine — Financial planning & analysis\nafrexai-founder-os — Startup operating system\nafrexai-customer-success — 10-phase customer success & retention\n\nInstall: clawhub install afrexai-risk-management" }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/1kalin/afrexai-risk-management", "publisherUrl": "https://clawhub.ai/1kalin/afrexai-risk-management", "owner": "1kalin", "version": "1.0.0", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/afrexai-risk-management", "downloadUrl": "https://openagent3.xyz/downloads/afrexai-risk-management", "agentUrl": "https://openagent3.xyz/skills/afrexai-risk-management/agent", "manifestUrl": "https://openagent3.xyz/skills/afrexai-risk-management/agent.json", "briefUrl": "https://openagent3.xyz/skills/afrexai-risk-management/agent.md" } }