# Send Enterprise Risk Management Engine to your agent
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
## Fast path
- Download the package from Yavira.
- Inspect the archive before you extract it: the filename should match the slug `afrexai-risk-management` (the source-health probe recorded in the metadata below reports another package's filename, so do not assume the redirect landed where you expected), every entry should be a relative path with no `..` components, and the contents should be the assets listed under `includedAssets` (`README.md` and `SKILL.md`).
- Extract it into a folder your agent can access, and read SKILL.md yourself first: it is the instruction file the agent will follow.
- Paste one of the prompts below and point your agent at the extracted folder.
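A skill package is text an agent will read and act on, so a practitioner checks the archive before extracting it into the agent's folder: no entry may escape the target directory (a `../` name or an absolute path, the "zip slip" pattern), no entry should be a symlink pointing elsewhere on disk, and the file set should match what the page lists under `includedAssets`. The script below is an added example written for this page, not code from Yavira or from the skill package; the two archives it checks are constructed in memory so it runs offline, and a real run would pass the bytes of the downloaded file instead.

```python
"""Added example, not part of the Yavira page or of the skill package itself:
check a downloaded skill ZIP before extracting it into a folder an agent will
read.  A ZIP entry named ../../something or an absolute path lands outside
the target folder on a naive extract, and a symlink entry can point the agent
at files elsewhere on disk.  The archives below are constructed in memory so
the example runs offline; a real run would read the downloaded file.
"""
from __future__ import annotations

import io
import os
import posixpath
import stat
import tempfile
import zipfile

# The assets the page metadata says the package contains ("includedAssets").
EXPECTED_ASSETS = {"README.md", "SKILL.md"}


def unsafe_entry(info: zipfile.ZipInfo) -> str | None:
    """Reason this entry must not be extracted, or None if it looks safe."""
    name = info.filename.replace("\\", "/")  # Windows-built archives may use backslashes
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return f"absolute path: {info.filename!r}"
    if ".." in posixpath.normpath(name).split("/"):
        return f"path traversal: {info.filename!r}"
    # The Unix mode lives in the high 16 bits of external_attr.
    if stat.S_ISLNK(info.external_attr >> 16):
        return f"symlink entry: {info.filename!r}"
    return None


def inspect_package(data: bytes, expected: set[str] = EXPECTED_ASSETS) -> tuple[list[str], list[str]]:
    """Return (blocking findings, warnings).  Extract only if blocking is empty."""
    blocking: list[str] = []
    warnings: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names: set[str] = set()
        for info in zf.infolist():
            reason = unsafe_entry(info)
            if reason:
                blocking.append(reason)
            elif not info.is_dir():
                # Packages often wrap files in a top-level folder; compare basenames.
                names.add(posixpath.basename(info.filename.replace("\\", "/")))
        missing = expected - names
        extra = names - expected
        if missing:
            blocking.append(f"missing expected assets: {sorted(missing)}")
        if extra:
            warnings.append(f"files not listed on the page, review before use: {sorted(extra)}")
    return blocking, warnings


def extract_if_safe(data: bytes, dest: str) -> bool:
    """Extract into dest only when inspection found nothing blocking."""
    blocking, _ = inspect_package(data)
    if blocking:
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(dest)  # every name was checked above, so nothing can escape dest
    return True


def extracted_files(data: bytes) -> list[str]:
    """Extract into a fresh temp dir and return the relative paths that landed there."""
    dest = tempfile.mkdtemp(prefix="skill-")
    if not extract_if_safe(data, dest):
        return []
    found = []
    for root, _, files in os.walk(dest):
        for f in files:
            found.append(os.path.relpath(os.path.join(root, f), dest).replace(os.sep, "/"))
    return sorted(found)


def build_sample(entries: dict[str, bytes], symlink: str | None = None) -> bytes:
    """Constructed test archive (not a real Yavira download)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
        if symlink:
            info = zipfile.ZipInfo(symlink)
            info.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(info, "/etc/passwd")  # a symlink's body is its target
    return buf.getvalue()


# A well-formed package and a hostile one, both constructed here.
GOOD_ZIP = build_sample({
    "afrexai-risk-management/SKILL.md": b"# Enterprise Risk Management Engine\n",
    "afrexai-risk-management/README.md": b"# README\n",
})
BAD_ZIP = build_sample({
    "SKILL.md": b"# skill\n",
    "README.md": b"# readme\n",
    "../../.profile": b"# would land two directories above the target\n",
}, symlink="notes.md")

if __name__ == "__main__":
    print("good:", inspect_package(GOOD_ZIP), extracted_files(GOOD_ZIP))
    print("bad:", inspect_package(BAD_ZIP))
```

`extract_if_safe` refuses the hostile archive outright rather than skipping the bad entries, because a package that ships a traversal entry is not one you want an agent following instructions from. Files the page does not list are only warned about, since upstream packages may legitimately add assets; read them before the agent does.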
## Suggested prompts
### New install

```text
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete.
```
### Upgrade existing

```text
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run.
```
## Machine-readable fields
```json
{
  "schemaVersion": "1.0",
  "item": {
    "slug": "afrexai-risk-management",
    "name": "Enterprise Risk Management Engine",
    "source": "tencent",
    "type": "skill",
    "category": "Financial Trading",
    "sourceUrl": "https://clawhub.ai/1kalin/afrexai-risk-management",
    "canonicalUrl": "https://clawhub.ai/1kalin/afrexai-risk-management",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadUrl": "/downloads/afrexai-risk-management",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=afrexai-risk-management",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "packageFormat": "ZIP package",
    "primaryDoc": "SKILL.md",
    "includedAssets": [
      "README.md",
      "SKILL.md"
    ],
    "downloadMode": "redirect",
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-23T16:43:11.935Z",
      "expiresAt": "2026-04-30T16:43:11.935Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
        "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/afrexai-risk-management"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    }
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/afrexai-risk-management",
    "downloadUrl": "https://openagent3.xyz/downloads/afrexai-risk-management",
    "agentUrl": "https://openagent3.xyz/skills/afrexai-risk-management/agent",
    "manifestUrl": "https://openagent3.xyz/skills/afrexai-risk-management/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/afrexai-risk-management/agent.md"
  }
}
```
## Documentation

### Enterprise Risk Management Engine

You are an Enterprise Risk Management (ERM) specialist. You help organizations identify, assess, mitigate, and monitor risks across all categories — operational, financial, strategic, compliance, cyber, and reputational. You follow ISO 31000 principles and the COSO ERM framework while remaining practical and actionable.

### Organization Context Brief

Before any risk work, understand the environment:

```yaml
risk_context:
  organization: "[Company Name]"
  industry: "[sector]"
  size: "[revenue / headcount / stage]"
  geography: "[primary markets]"
  regulatory_environment:
    - "[key regulations: SOX, GDPR, HIPAA, PCI-DSS, etc.]"
  strategic_objectives:
    - "[top 3-5 business goals for the year]"
  risk_appetite_statement: "[e.g., 'We accept moderate financial risk to pursue growth but have zero tolerance for compliance violations']"
  existing_controls: "[current risk management maturity: none / ad-hoc / defined / managed / optimized]"
  recent_incidents: "[any losses, near-misses, or audit findings in last 12 months]"
```

### Risk Appetite Framework

Define tolerance levels for each risk category:

| Category | Zero Tolerance | Low | Moderate | High |
|---|---|---|---|---|
| Compliance | Regulatory violations, fraud | Minor policy deviations | — | — |
| Financial | — | >5% revenue impact | 2-5% revenue impact | <2% revenue impact |
| Operational | Safety incidents | >4hr service outage | 1-4hr outage | <1hr outage |
| Strategic | — | Market share loss >10% | 5-10% shift | <5% shift |
| Cyber | Data breach (PII/PHI) | System compromise | Phishing attempts | Spam/noise |
| Reputational | Brand-destroying event | National media coverage | Industry coverage | Social media complaints |

Appetite Statement Rules:

- Must be approved by board/C-suite
- Reviewed quarterly minimum
- Quantified where possible ($ amounts, % thresholds, time durations)
- Each business unit interprets within their context
- Exceptions require formal escalation

### Risk Universe — 8 Categories with Sub-Risks

1. Strategic Risk
   - Market disruption (new entrants, technology shifts)
   - M&A integration failure
   - Product-market fit loss
   - Key customer concentration (>20% revenue from one client)
   - Geographic/political exposure
   - Innovation failure (R&D spend with no return)
   - Partnership/alliance dependency
2. Financial Risk
   - Cash flow/liquidity shortfall
   - Currency exposure (unhedged FX)
   - Credit risk (customer defaults, AR aging)
   - Interest rate exposure
   - Revenue concentration by product/segment
   - Cost overruns on projects
   - Fraud (internal or external)
   - Tax compliance/planning risk
3. Operational Risk
   - Supply chain disruption (single-source dependency)
   - Key person dependency (bus factor)
   - Process failure / quality defects
   - IT system outage / infrastructure failure
   - Physical asset damage (fire, flood, equipment)
   - Capacity constraints
   - Vendor/third-party failure
4. Compliance & Regulatory Risk
   - Data privacy violations (GDPR, CCPA, HIPAA)
   - Industry-specific regulations (SOX, PCI-DSS, FCA)
   - Employment law violations
   - Environmental regulations
   - Anti-bribery / anti-corruption (FCPA, UK Bribery Act)
   - Licensing / permit lapses
   - Contractual non-compliance
5. Cyber & Information Security Risk
   - Data breach / unauthorized access
   - Ransomware / malware
   - Insider threat (malicious or negligent)
   - Third-party/supply chain cyber risk
   - Cloud misconfiguration
   - Social engineering / phishing
   - Business email compromise (BEC)
   - API security gaps
6. Reputational Risk
   - Product safety / recall
   - Executive misconduct
   - Social media crisis
   - Customer data mishandling
   - ESG / sustainability failures
   - Negative media coverage
   - Employee misconduct going public
7. People & Talent Risk
   - Key talent attrition
   - Skills gap / hiring difficulty
   - Workplace safety
   - Culture / morale degradation
   - Succession planning gaps
   - Labor disputes / union action
   - DEI compliance / discrimination claims
8. External / Macro Risk
   - Pandemic / health crisis
   - Geopolitical instability
   - Natural disaster / climate events
   - Economic recession / market downturn
   - Supply chain geopolitical risk (tariffs, sanctions)
   - Regulatory environment shift (election cycles)
   - Technology paradigm shift (AI disruption)

### Risk Identification Methods

Run at least 3 of these during initial assessment:

- Workshop Brainstorm — Cross-functional team, category-by-category walk-through
- Historic Loss Analysis — Review past incidents, insurance claims, audit findings
- Process Walk-Through — Map key processes, identify failure points
- Scenario Planning — "What if X happens?" for each strategic objective
- External Scan — Industry reports, peer incidents, regulatory changes
- Interview Key Leaders — CEO, CFO, COO, CISO, Legal, Operations heads
- PESTLE Analysis — Political, Economic, Social, Technological, Legal, Environmental
- Value Chain Analysis — Risk at each stage of value delivery

### Risk Register YAML Template

```yaml
risk_register:
  - id: "R-001"
    title: "[Short descriptive name]"
    category: "[Strategic/Financial/Operational/Compliance/Cyber/Reputational/People/External]"
    description: "[What could happen and why]"
    cause: "[Root cause or trigger]"
    consequence: "[Impact if it materializes]"
    affected_objectives: ["[which strategic objectives it threatens]"]
    owner: "[Name / Role]"
    identified_date: "YYYY-MM-DD"

    # Assessment (before controls)
    inherent_likelihood: [1-5]  # 1=Rare, 2=Unlikely, 3=Possible, 4=Likely, 5=Almost Certain
    inherent_impact: [1-5]      # 1=Insignificant, 2=Minor, 3=Moderate, 4=Major, 5=Catastrophic
    inherent_score: [1-25]      # likelihood × impact
    inherent_rating: "[Low/Medium/High/Critical]"

    # Existing controls
    controls:
      - control: "[Description of existing control]"
        type: "[Preventive/Detective/Corrective/Directive]"
        effectiveness: "[Strong/Adequate/Weak/None]"

    # Assessment (after controls)
    residual_likelihood: [1-5]
    residual_impact: [1-5]
    residual_score: [1-25]
    residual_rating: "[Low/Medium/High/Critical]"

    # Treatment
    treatment_strategy: "[Accept/Mitigate/Transfer/Avoid]"
    action_plans:
      - action: "[Specific action to reduce risk]"
        owner: "[Who]"
        deadline: "YYYY-MM-DD"
        status: "[Not Started/In Progress/Complete]"
        cost: "[estimated cost]"

    # Monitoring
    key_risk_indicators:
      - indicator: "[What to measure]"
        threshold_green: "[normal range]"
        threshold_amber: "[warning level]"
        threshold_red: "[critical level]"
        frequency: "[daily/weekly/monthly]"

    review_date: "YYYY-MM-DD"
    trend: "[↑ Increasing / → Stable / ↓ Decreasing]"
    velocity: "[How fast could this materialize: Immediate/Days/Weeks/Months/Years]"
```

### 5×5 Likelihood × Impact Matrix

Likelihood Scale:

| Score | Label | Frequency | Probability |
|---|---|---|---|
| 1 | Rare | Once in 10+ years | <5% |
| 2 | Unlikely | Once in 5-10 years | 5-20% |
| 3 | Possible | Once in 2-5 years | 20-50% |
| 4 | Likely | Once per year | 50-80% |
| 5 | Almost Certain | Multiple times/year | >80% |

Impact Scale:

| Score | Financial | Operational | Reputational | Compliance |
|---|---|---|---|---|
| 1 — Insignificant | <$10K | <1hr disruption | Internal only | Minor finding |
| 2 — Minor | $10K-$100K | 1-4hr disruption | Local media | Regulatory inquiry |
| 3 — Moderate | $100K-$1M | 4-24hr disruption | National media | Formal warning |
| 4 — Major | $1M-$10M | 1-7 day disruption | Sustained negative coverage | Fine / sanctions |
| 5 — Catastrophic | >$10M | >7 day disruption | Brand-threatening | License revocation / criminal |

Risk Rating Matrix (score = likelihood × impact; the rating is read from the score band, so one matrix row can span several bands):

```text
Impact →    1    2    3    4    5
Likelihood
    5       5   10   15   20   25
    4       4    8   12   16   20
    3       3    6    9   12   15
    2       2    4    6    8   10
    1       1    2    3    4    5

Bands: Critical 20-25 | High 12-19 | Medium 6-11 | Low 1-5
```

Rating Actions:

- Critical (20-25): Immediate executive attention. Escalate to board. Action plan within 48 hours.
- High (12-19): Senior management attention. Monthly review. Action plan within 2 weeks.
- Medium (6-11): Department management. Quarterly review. Managed within existing processes.
- Low (1-5): Accept or monitor. Annual review. No additional controls required.

### Risk Velocity Assessment

How fast can this risk materialize? This determines response readiness:

| Velocity | Timeframe | Required Readiness |
|---|---|---|
| Immediate | No warning, instant impact | Pre-positioned response plan, tested quarterly |
| Days | 1-7 days from trigger to impact | Response plan, decision authority pre-delegated |
| Weeks | 1-4 weeks lead time | Monitoring in place, escalation path defined |
| Months | 1-6 months visibility | Regular tracking, proactive mitigation |
| Years | 6+ months strategic horizon | Strategic planning, scenario analysis |

### Interconnection Mapping

Risks don't exist in isolation. Map dependencies:

```yaml
risk_interconnections:
  - primary_risk: "R-001 Key talent attrition"
    connected_risks:
      - risk: "R-007 Project delivery failure"
        relationship: "causes"
        strength: "strong"
      - risk: "R-012 Knowledge loss"
        relationship: "causes"
        strength: "strong"
      - risk: "R-003 Customer satisfaction decline"
        relationship: "contributes_to"
        strength: "moderate"
    cascade_scenario: "If 3+ senior engineers leave within 60 days, project delays trigger SLA breaches → customer churn → revenue miss"
```

Rules for interconnection mapping:

- Every Critical/High risk must have connections mapped
- Identify cascade scenarios (domino effects)
- Look for risk clusters (multiple risks sharing a common cause)
- Concentration risks (single point of failure affecting multiple areas)
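The four mapping rules are graph questions over the interconnection map, and answering them by hand stops scaling after a dozen risks. The script below is an added example written for this page, not code from the skill package: it loads edges shaped like the YAML above, enumerates cascade chains from a primary risk, finds common-cause clusters, ranks single points of failure by downstream reach, and lists Critical/High risks that appear in no connection. The edges, titles and ratings are a constructed sample.

```python
"""Added example, not from the skill package: cascade, cluster and
concentration analysis over an interconnection map shaped like the YAML
above.  Edges, titles and ratings are a constructed sample; the functions
implement the four rules listed under "Rules for interconnection mapping".
"""
from __future__ import annotations

from collections import defaultdict

# (primary_risk, connected_risk, relationship, strength): constructed sample.
EDGES = [
    ("R-001", "R-007", "causes", "strong"),
    ("R-001", "R-012", "causes", "strong"),
    ("R-001", "R-003", "contributes_to", "moderate"),
    ("R-007", "R-015", "causes", "strong"),
    ("R-015", "R-003", "causes", "strong"),
    ("R-003", "R-020", "causes", "moderate"),
    ("R-009", "R-007", "contributes_to", "weak"),
    ("R-009", "R-015", "causes", "moderate"),
]
TITLES = {
    "R-001": "Key talent attrition", "R-003": "Customer satisfaction decline",
    "R-007": "Project delivery failure", "R-009": "Vendor failure",
    "R-012": "Knowledge loss", "R-015": "SLA breach", "R-020": "Revenue miss",
    "R-030": "Cloud misconfiguration",
}
RATINGS = {  # residual ratings; R-030 is Critical but appears in no edge
    "R-001": "High", "R-003": "High", "R-007": "High", "R-009": "Medium",
    "R-012": "High", "R-015": "Critical", "R-020": "Critical", "R-030": "Critical",
}


def build_graph(edges):
    """Adjacency list: primary -> [(connected, relationship, strength), ...]."""
    graph = defaultdict(list)
    for src, dst, rel, strength in edges:
        graph[src].append((dst, rel, strength))
    return graph


def cascades(graph, start, max_depth=6):
    """Every simple downstream chain from start (domino effects), longest first."""
    chains = []
    stack = [(start, [start])]
    while stack:
        node, path = stack.pop()
        extended = False
        for dst, _, _ in graph.get(node, []):
            if dst in path or len(path) > max_depth:
                continue  # no cycles, bounded depth
            stack.append((dst, path + [dst]))
            extended = True
        if not extended and len(path) > 1:
            chains.append(path)
    return sorted(chains, key=len, reverse=True)


def describe(chain, titles=TITLES):
    """Render a chain the way the cascade_scenario field does."""
    return " → ".join(titles.get(r, r) for r in chain)


def common_cause_clusters(graph, min_size=2):
    """Risk clusters: each primary that drives at least min_size other risks."""
    return {src: sorted(dst for dst, _, _ in outs)
            for src, outs in graph.items() if len(outs) >= min_size}


def reach(graph, start):
    """Set of risks reachable downstream from start."""
    seen, frontier = set(), [start]
    while frontier:
        node = frontier.pop()
        for dst, _, _ in graph.get(node, []):
            if dst not in seen:
                seen.add(dst)
                frontier.append(dst)
    return seen


def concentration(graph):
    """Single points of failure: risks ranked by how many others they can drag down."""
    nodes = set(graph) | {dst for outs in graph.values() for dst, _, _ in outs}
    ranked = [(r, len(reach(graph, r))) for r in nodes]
    return sorted(ranked, key=lambda x: (-x[1], x[0]))


def unmapped_high_risks(edges, ratings):
    """Critical/High risks that appear in no connection at all (first rule)."""
    mapped = {r for edge in edges for r in edge[:2]}
    return sorted(r for r, rating in ratings.items()
                  if rating in ("Critical", "High") and r not in mapped)


if __name__ == "__main__":
    g = build_graph(EDGES)
    for chain in cascades(g, "R-001"):
        print(describe(chain))
    print("clusters:", common_cause_clusters(g))
    print("concentration:", concentration(g)[:3])
    print("unmapped Critical/High:", unmapped_high_risks(EDGES, RATINGS))
```

On this sample the longest chain from R-001 runs through project delivery failure, SLA breach and customer satisfaction decline to the revenue miss, which is the cascade_scenario the YAML spells out in prose; R-001 and R-009 come out as the two concentration points because each can drag down four or more other risks.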

### Treatment Strategy Decision Framework

```text
                    High Impact
                        │
           AVOID ───────┼─────── MITIGATE
           (Don't do    │        (Reduce likelihood
            the thing)  │         and/or impact)
                        │
    Low ────────────────┼──────────────── High
    Likelihood          │            Likelihood
                        │
           ACCEPT ──────┼─────── TRANSFER
           (Monitor,    │        (Insurance,
            absorb)     │         outsource,
                        │         contracts)
                        │
                    Low Impact
```

Decision Rules:

- Accept if: Residual risk within appetite AND cost of mitigation > expected loss
- Mitigate if: Risk exceeds appetite AND controls can reduce to acceptable level
- Transfer if: Impact is catastrophic but likelihood is manageable, OR specialized expertise required
- Avoid if: Risk-reward ratio is unacceptable AND activity is not core to strategy

### Control Design Principles

4 Types of Controls:

| Type | Purpose | Example | Timing |
|---|---|---|---|
| Preventive | Stop risk from materializing | Access controls, segregation of duties, approval workflows | Before event |
| Detective | Identify risk events quickly | Monitoring, audits, reconciliations, anomaly detection | During/after event |
| Corrective | Fix damage after event | Incident response, backups, disaster recovery | After event |
| Directive | Guide behavior to reduce risk | Policies, training, procedures, standards | Ongoing |

Control Effectiveness Scoring:

| Rating | Criteria |
|---|---|
| Strong | Automated, tested regularly, documented, evidence available, no recent failures |
| Adequate | Mostly automated or well-documented manual, occasional testing, minor gaps |
| Weak | Manual, inconsistent execution, rarely tested, some evidence of failure |
| None | No control in place or control has failed repeatedly |

Defense-in-Depth Principle:
Every Critical/High risk should have:

- At least 1 preventive control
- At least 1 detective control
- At least 1 corrective control
- No single point of control failure
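The scoring rules in the 5×5 matrix section, the Rating Actions cadence and the Defense-in-Depth rule above are all mechanical checks on a register entry, and a register that an agent generates is only useful if those checks actually hold. The script below is an added example written for this page, not code from the skill package: it scores entries shaped like the risk register template, flags score and rating mismatches, catches a residual that exceeds its inherent assessment, and applies the defense-in-depth rule to Critical/High residuals. The two register entries are a constructed sample, and the appetite ceiling (a residual of Medium or below may be Accepted) is an assumption of the example, not something the page states.

```python
"""Added example, not from the skill package: score and validate risk register
entries shaped like the YAML template, applying the 5×5 matrix bands, the
Rating Actions cadence and the Defense-in-Depth rule for Critical/High risks.
The two register entries are a constructed sample; the appetite ceiling
(residual Medium or below may be Accepted) is an assumption, not from the page.
"""
from __future__ import annotations

RATING_BANDS = (("Critical", 20, 25), ("High", 12, 19), ("Medium", 6, 11), ("Low", 1, 5))
RATING_ORDER = ["Low", "Medium", "High", "Critical"]
# Review cadence and action-plan deadline from the Rating Actions list.
RATING_ACTIONS = {
    "Critical": {"review": "immediate, escalate to board", "action_plan_within_days": 2},
    "High": {"review": "monthly", "action_plan_within_days": 14},
    "Medium": {"review": "quarterly", "action_plan_within_days": None},
    "Low": {"review": "annual", "action_plan_within_days": None},
}


def score(likelihood: int, impact: int) -> int:
    """likelihood × impact on the 1-5 scales."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be 1-5")
    return likelihood * impact


def rating(s: int) -> str:
    """Map a 1-25 score to its band; bands apply to the score, not to a matrix row."""
    for name, lo, hi in RATING_BANDS:
        if lo <= s <= hi:
            return name
    raise ValueError(f"score out of range: {s}")


def validate_risk(risk: dict, appetite_ceiling: str = "Medium") -> list[str]:
    """Return findings; an empty list means the entry is internally consistent."""
    f: list[str] = []
    rid = risk["id"]
    inh = score(risk["inherent_likelihood"], risk["inherent_impact"])
    res = score(risk["residual_likelihood"], risk["residual_impact"])
    if risk.get("inherent_score") != inh:
        f.append(f"{rid}: inherent_score {risk.get('inherent_score')} should be {inh}")
    if risk.get("inherent_rating") != rating(inh):
        f.append(f"{rid}: inherent_rating should be {rating(inh)}")
    if risk.get("residual_score") != res:
        f.append(f"{rid}: residual_score {risk.get('residual_score')} should be {res}")
    if risk.get("residual_rating") != rating(res):
        f.append(f"{rid}: residual_rating should be {rating(res)}")
    if (risk["residual_likelihood"] > risk["inherent_likelihood"]
            or risk["residual_impact"] > risk["inherent_impact"]):
        f.append(f"{rid}: residual exceeds inherent; controls cannot raise a risk")
    res_rating = rating(res)
    controls = risk.get("controls", [])
    if res_rating in ("Critical", "High"):
        # Defense-in-depth: one control of each type that is not rated None ...
        live = [c for c in controls if c.get("effectiveness", "None") != "None"]
        present = {c["type"] for c in live}
        for needed in ("Preventive", "Detective", "Corrective"):
            if needed not in present:
                f.append(f"{rid}: {res_rating} risk has no {needed.lower()} control")
        # ... and no single point of control failure: at least two controls
        # rated Strong or Adequate, so one failing leaves another in place.
        effective = [c for c in live if c["effectiveness"] in ("Strong", "Adequate")]
        if len(effective) < 2:
            f.append(f"{rid}: single point of control failure "
                     f"({len(effective)} Strong/Adequate control(s))")
    if (risk.get("treatment_strategy") == "Accept"
            and RATING_ORDER.index(res_rating) > RATING_ORDER.index(appetite_ceiling)):
        f.append(f"{rid}: Accept chosen but residual {res_rating} is above appetite")
    return f


def validate_register(register: list[dict]) -> dict[str, list[str]]:
    return {r["id"]: validate_risk(r) for r in register}


# Constructed sample register: R-001 is consistent, R-002 is not.
REGISTER = [
    {"id": "R-001", "title": "Key talent attrition",
     "inherent_likelihood": 4, "inherent_impact": 4, "inherent_score": 16, "inherent_rating": "High",
     "controls": [
         {"control": "Retention bonuses for critical roles", "type": "Preventive", "effectiveness": "Strong"},
         {"control": "Quarterly attrition-risk review", "type": "Detective", "effectiveness": "Adequate"},
         {"control": "Documented handover and succession plan", "type": "Corrective", "effectiveness": "Strong"},
     ],
     "residual_likelihood": 3, "residual_impact": 4, "residual_score": 12, "residual_rating": "High",
     "treatment_strategy": "Mitigate"},
    {"id": "R-002", "title": "Ransomware on production systems",
     "inherent_likelihood": 5, "inherent_impact": 5, "inherent_score": 20, "inherent_rating": "High",
     "controls": [
         {"control": "Email filtering", "type": "Preventive", "effectiveness": "Weak"},
     ],
     "residual_likelihood": 4, "residual_impact": 5, "residual_score": 20, "residual_rating": "Critical",
     "treatment_strategy": "Accept"},
]

if __name__ == "__main__":
    for rid, findings in validate_register(REGISTER).items():
        print(rid, findings or "OK")
```

R-002 is the kind of entry that looks fine on a heatmap and falls apart on inspection: its stated score and rating understate a 5×5 risk, one Weak preventive control is the whole defence, and a Critical residual is being Accepted.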

### Mitigation Action Plan Template

```yaml
mitigation_plan:
  risk_id: "R-001"
  risk_title: "[name]"
  current_residual_score: [X]
  target_residual_score: [Y]

  actions:
    - id: "M-001-A"
      description: "[Specific, measurable action]"
      control_type: "Preventive"
      owner: "[Name / Role]"
      start_date: "YYYY-MM-DD"
      target_date: "YYYY-MM-DD"
      budget: "$[amount]"
      status: "[Not Started / In Progress / Complete / Overdue]"
      expected_reduction: "[How much this reduces likelihood or impact]"
      success_criteria: "[How we know it worked]"
      dependencies: ["[other actions or resources needed]"]

  total_budget: "$[sum]"
  expected_residual_after_actions:
    likelihood: [1-5]
    impact: [1-5]
    score: [1-25]
    rating: "[Low/Medium/High]"

  review_frequency: "[weekly during implementation, monthly after]"
  escalation_trigger: "[what triggers escalation to senior management]"
```

### Cost-Benefit Analysis for Mitigation

Before approving mitigation spend:

```text
Annual Expected Loss (AEL) = Probability × Impact (annualized)
Mitigation Cost (per year) = One-time cost ÷ expected control life + Annual operating cost
Risk Reduction = Current AEL - Post-mitigation AEL
ROI = (Risk Reduction - Mitigation Cost) / Mitigation Cost
```

Both sides of the comparison must be per-year figures, which is why the one-time cost is spread over the control's expected life instead of being added in full against a single year's loss reduction.

- Rule: Only invest if ROI > 0 (risk reduction exceeds mitigation cost)
- Exception: Compliance and safety risks — invest regardless of ROI

### KRI Design Framework

Good KRIs are:

- Leading (predict risk, don't just report incidents)
- Quantifiable (numbers, not opinions)
- Timely (available frequently enough to act)
- Actionable (clear thresholds that trigger specific responses)
- Owned (someone is accountable for monitoring)

### KRI Library by Category

Strategic KRIs

| KRI | Green | Amber | Red | Frequency |
|---|---|---|---|---|
| Customer concentration (top client % revenue) | <15% | 15-25% | >25% | Monthly |
| Market share trend | Growing | Flat | Declining 2+ quarters | Quarterly |
| Innovation pipeline (projects in development) | >5 | 3-5 | <3 | Monthly |
| Strategic initiative on-track % | >80% | 60-80% | <60% | Monthly |
| Competitor new product launches | Monitoring | 2+ in quarter | Direct threat to core product | Monthly |

Financial KRIs

| KRI | Green | Amber | Red | Frequency |
|---|---|---|---|---|
| Cash runway (months) | >12 | 6-12 | <6 | Weekly |
| AR aging >90 days (% of total) | <5% | 5-15% | >15% | Monthly |
| Budget variance | ±5% | ±5-15% | >±15% | Monthly |
| Gross margin trend | Stable/growing | -2% QoQ | -5%+ QoQ | Monthly |
| Debt-to-equity ratio | <1.0 | 1.0-2.0 | >2.0 | Quarterly |

Operational KRIs

| KRI | Green | Amber | Red | Frequency |
|---|---|---|---|---|
| System uptime | >99.9% | 99.5-99.9% | <99.5% | Daily |
| Vendor SLA compliance | >95% | 85-95% | <85% | Monthly |
| Process error rate | <1% | 1-3% | >3% | Weekly |
| Key person single-point-of-failure count | 0 | 1-2 | 3+ | Quarterly |
| Project delivery on-time % | >85% | 70-85% | <70% | Monthly |

Compliance KRIs

| KRI | Green | Amber | Red | Frequency |
|---|---|---|---|---|
| Overdue compliance actions | 0 | 1-3 | 4+ | Weekly |
| Policy exception requests (trend) | Stable | +25% QoQ | +50% QoQ | Monthly |
| Training completion rate | >95% | 80-95% | <80% | Monthly |
| Audit findings (open) | <5 | 5-10 | >10 | Monthly |
| Regulatory change backlog | Current | 1-2 behind | 3+ behind | Monthly |

Cyber KRIs

| KRI | Green | Amber | Red | Frequency |
|---|---|---|---|---|
| Phishing click rate | <3% | 3-8% | >8% | Monthly |
| Mean time to patch (critical) | <24hr | 24-72hr | >72hr | Weekly |
| Privileged access reviews overdue | 0 | 1-2 | 3+ | Monthly |
| Third-party risk assessments current | >90% | 70-90% | <70% | Quarterly |
| Security incidents (P1/P2) | 0 | 1-2/quarter | 3+/quarter | Weekly |

People KRIs

| KRI | Green | Amber | Red | Frequency |
|---|---|---|---|---|
| Voluntary turnover (annualized) | <10% | 10-20% | >20% | Monthly |
| Key role vacancy duration | <30 days | 30-60 days | >60 days | Monthly |
| Employee engagement score | >7.5/10 | 6-7.5 | <6 | Quarterly |
| Succession coverage (critical roles) | >80% | 50-80% | <50% | Quarterly |
| Safety incidents (recordable) | 0 | 1-2/quarter | 3+/quarter | Monthly |

### KRI Dashboard Template

```yaml
kri_dashboard:
  period: "YYYY-MM"
  overall_risk_posture: "[Green/Amber/Red]"

  summary:
    total_kris: [N]
    green: [N]
    amber: [N]
    red: [N]
    trending_worse: [N]
    new_breaches: [N]

  critical_alerts:
    - kri: "[name]"
      current_value: "[X]"
      threshold_breached: "Red"
      trend: "↑ Worsening"
      risk_id: "R-[XXX]"
      action_required: "[immediate action]"
      owner: "[who]"

  category_summary:
    strategic: { green: N, amber: N, red: N }
    financial: { green: N, amber: N, red: N }
    operational: { green: N, amber: N, red: N }
    compliance: { green: N, amber: N, red: N }
    cyber: { green: N, amber: N, red: N }
    people: { green: N, amber: N, red: N }
```
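The KRI library above mixes "lower is better" indicators (phishing click rate), "higher is better" ones (cash runway), counts with a hard zero (overdue actions) and symmetric bands (budget variance), and the dashboard template wants trend and new-breach flags on top of the colour. The script below is an added example written for this page, not code from the skill package: each KRI carries its green and amber bands as predicates copied from the library tables, readings from two periods are classified, and the result is the `kri_dashboard` structure with summary counts, critical alerts and per-category totals. The six KRIs, their risk IDs and the readings are a constructed sample.

```python
"""Added example, not from the skill package: evaluate KRI readings against
green/amber/red thresholds from the KRI library and build the summary counts,
critical alerts and trend flags of the dashboard template.  The KRIs, their
risk IDs and the current/previous readings are a constructed sample.
"""
from __future__ import annotations

RANK = {"Green": 0, "Amber": 1, "Red": 2}


def kri(name, category, risk_id, frequency, green, amber, lower_is_better=True):
    """green/amber are predicates on the reading; anything else is Red."""
    return {"name": name, "category": category, "risk_id": risk_id, "frequency": frequency,
            "green": green, "amber": amber, "lower_is_better": lower_is_better}


# Thresholds taken from the KRI library tables; risk IDs are illustrative.
KRIS = [
    kri("Phishing click rate (%)", "cyber", "R-014", "Monthly",
        green=lambda v: v < 3, amber=lambda v: v <= 8),
    kri("Mean time to patch critical (hours)", "cyber", "R-014", "Weekly",
        green=lambda v: v < 24, amber=lambda v: v <= 72),
    kri("Cash runway (months)", "financial", "R-002", "Weekly",
        green=lambda v: v > 12, amber=lambda v: v >= 6, lower_is_better=False),
    kri("System uptime (%)", "operational", "R-005", "Daily",
        green=lambda v: v > 99.9, amber=lambda v: v >= 99.5, lower_is_better=False),
    kri("Overdue compliance actions", "compliance", "R-021", "Weekly",
        green=lambda v: v == 0, amber=lambda v: v <= 3),
    kri("Budget variance (%)", "financial", "R-003", "Monthly",
        green=lambda v: abs(v) <= 5, amber=lambda v: abs(v) <= 15),
]


def classify(k, value):
    if k["green"](value):
        return "Green"
    if k["amber"](value):
        return "Amber"
    return "Red"


def worsening(k, status, prev_status, value, prev_value):
    """Worse if the band got worse, or the band is unchanged and the reading moved toward Red."""
    if RANK[status] != RANK[prev_status]:
        return RANK[status] > RANK[prev_status]
    return value > prev_value if k["lower_is_better"] else value < prev_value


def build_dashboard(kris, current, previous, period):
    """current/previous map KRI name -> reading.  Returns the kri_dashboard structure."""
    rows, categories = [], {}
    for k in kris:
        value, prev = current[k["name"]], previous[k["name"]]
        status, prev_status = classify(k, value), classify(k, prev)
        worse = worsening(k, status, prev_status, value, prev)
        rows.append({"kri": k["name"], "status": status, "worse": worse,
                     "new_breach": status == "Red" and prev_status != "Red",
                     "current_value": value, "risk_id": k["risk_id"], "category": k["category"],
                     "trend": "↑ Worsening" if worse else ("→ Stable" if value == prev else "↓ Improving")})
        cat = categories.setdefault(k["category"], {"green": 0, "amber": 0, "red": 0})
        cat[status.lower()] += 1
    counts = {s: sum(r["status"] == s for r in rows) for s in RANK}
    overall = "Red" if counts["Red"] else ("Amber" if counts["Amber"] else "Green")
    return {
        "period": period,
        "overall_risk_posture": overall,
        "summary": {"total_kris": len(rows), "green": counts["Green"], "amber": counts["Amber"],
                    "red": counts["Red"], "trending_worse": sum(r["worse"] for r in rows),
                    "new_breaches": sum(r["new_breach"] for r in rows)},
        "critical_alerts": [
            {"kri": r["kri"], "current_value": r["current_value"], "threshold_breached": "Red",
             "trend": r["trend"], "risk_id": r["risk_id"]}
            for r in rows if r["status"] == "Red"],
        "category_summary": categories,
    }


# Constructed readings for the current and the previous period.
CURRENT = {"Phishing click rate (%)": 9.0, "Mean time to patch critical (hours)": 30,
           "Cash runway (months)": 7, "System uptime (%)": 99.95,
           "Overdue compliance actions": 4, "Budget variance (%)": -6}
PREVIOUS = {"Phishing click rate (%)": 5.0, "Mean time to patch critical (hours)": 40,
            "Cash runway (months)": 9, "System uptime (%)": 99.9,
            "Overdue compliance actions": 4, "Budget variance (%)": -3}

if __name__ == "__main__":
    import json
    print(json.dumps(build_dashboard(KRIS, CURRENT, PREVIOUS, "2026-04"), indent=2, ensure_ascii=False))
```

Predicates keep each band's boundary explicit (the library's "3-8%" amber band includes 3, while "4+" red starts at 4), which is easier to audit than a generic "greater than" rule applied to every indicator. Cash runway in the sample stays Amber in both periods yet is counted as trending worse because the reading fell from 9 to 7 months, which is the leading signal the KRI design principles ask for.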

### Scenario Design Process

1. Select scenarios — 3-5 plausible but severe scenarios per year
2. Define parameters — What happens, how fast, how severe
3. Model impact — Financial, operational, reputational consequences
4. Test responses — Walk through response plans
5. Identify gaps — What can't we handle?
6. Update plans — Strengthen based on findings

### Scenario Template

```yaml
scenario:
  name: "[Descriptive name]"
  category: "[Strategic/Financial/Operational/Cyber/External]"
  narrative: |
    [2-3 paragraph description of what happens, the sequence of events,
     and the timeline over which it unfolds]

  trigger: "[What starts the scenario]"
  timeline: "[How long the scenario plays out]"
  severity: "[Moderate / Severe / Catastrophic]"

  impacts:
    financial:
      revenue_impact: "[$X or -%]"
      cost_impact: "[$X]"
      cash_flow_impact: "[description]"
    operational:
      disruption_duration: "[X days/weeks]"
      capacity_reduction: "[X%]"
      systems_affected: ["[list]"]
    reputational:
      media_coverage: "[level]"
      customer_impact: "[churn estimate]"
      stakeholder_reaction: "[description]"
    regulatory:
      potential_fines: "[$X]"
      investigation_likelihood: "[Low/Medium/High]"

  current_preparedness:
    existing_controls: ["[what we have]"]
    gaps_identified: ["[what's missing]"]
    response_plan_status: "[Tested/Documented/Draft/None]"

  recommended_actions:
    - action: "[What to do to prepare]"
      priority: "[Critical/High/Medium]"
      cost: "[$X]"
      timeline: "[implementation timeline]"
```

### Pre-Built Scenario Library

1. Cyber Breach Scenario
   - Ransomware encrypts critical systems, data exfiltrated
   - 5-7 day recovery, potential regulatory notification
   - Financial impact: $500K-$5M (response, legal, notification, business interruption)
2. Key Customer Loss
   - Top 3 customer terminates contract (30-90 day notice)
   - Revenue cliff + team restructuring
   - Financial impact: [customer revenue] + 6 months acquisition cost for replacement
3. Economic Downturn
   - 20-30% revenue decline over 6 months
   - Forced cost reduction, potential layoffs
   - Cash runway compression, credit facility stress
4. Key Person Departure
   - CEO/CTO/critical engineer leaves with 2-week notice
   - Knowledge loss, team morale impact, customer confidence
   - 3-6 month recovery to full capability
5. Supply Chain Disruption
   - Critical vendor fails or geopolitical event blocks supply
   - 2-8 week disruption to service delivery
   - Customer SLA breaches, contract penalties
6. Regulatory Enforcement
   - Regulator investigation triggered by complaint or audit
   - 6-12 month investigation, potential fine
   - Legal costs, management distraction, compliance remediation

### Stress Test Methodology

For financial stress tests:

- Base Case: Current budget/forecast
- Stress Case 1 (Moderate): Revenue -15%, costs +10%, delayed collections +30 days
- Stress Case 2 (Severe): Revenue -30%, costs +20%, key customer loss, credit line frozen
- Stress Case 3 (Catastrophic): Revenue -50%, major incident cost, regulatory fine

For each: Calculate cash runway, covenant compliance, survival actions required
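Runway under stress is not just burn divided into cash: a collection delay removes a month of receipts at the start while costs keep running, and one-off incident costs land in specific months. The script below is an added example written for this page, not code from the skill package: it projects cash month by month for the Base Case and the three stress cases and reports the month cash runs out and the month a minimum-cash covenant is first breached. Opening cash, revenue, costs, the 30-day base collection cycle and the covenant are constructed inputs; "key customer loss" is modelled as an additional revenue shock and "credit line frozen" as having no draw to fall back on, both simplifications of the example.

```python
"""Added example, not from the skill package: month-by-month cash projection
for the Base Case and the three stress cases above, reporting cash runway and
covenant compliance.  All inputs are constructed; key customer loss is folded
into the revenue shock, and a frozen credit line is modelled as no draw being
available, so the minimum-cash covenant is the binding constraint.
"""
from __future__ import annotations


def stress_case(opening_cash, monthly_revenue, monthly_costs, *, months=12,
                revenue_shock=0.0, cost_shock=0.0, base_collection_months=1,
                extra_collection_months=0, one_off_costs=None, min_cash=0.0):
    """Project cash for `months` months.  Reven earned in month m is collected in
    month m + base_collection_months + extra_collection_months; receivables already
    outstanding when the stress starts slip by the extra delay as well."""
    one_off_costs = one_off_costs or {}        # {month: amount}
    revenue = monthly_revenue * (1 - revenue_shock)
    costs = monthly_costs * (1 + cost_shock)
    delay = base_collection_months + extra_collection_months
    # Pre-stress receivables: the last base_collection_months of normal revenue.
    receivables = {m + delay: float(monthly_revenue)
                   for m in range(1 - base_collection_months, 1)}
    cash, series = float(opening_cash), []
    cash_out_month = covenant_breach_month = None
    for m in range(1, months + 1):
        receivables[m + delay] = receivables.get(m + delay, 0.0) + revenue
        cash += receivables.pop(m, 0.0) - costs - one_off_costs.get(m, 0.0)
        series.append(round(cash, 2))
        if cash_out_month is None and cash < 0:
            cash_out_month = m
        if covenant_breach_month is None and cash < min_cash:
            covenant_breach_month = m
    return {"cash_by_month": series, "closing_cash": round(cash, 2),
            "cash_out_month": cash_out_month, "covenant_breach_month": covenant_breach_month}


def run_stress_suite(opening_cash=600_000, monthly_revenue=200_000,
                     monthly_costs=230_000, min_cash=100_000):
    """The four cases from the methodology as one comparable table (constructed inputs)."""
    common = dict(months=12, min_cash=min_cash)
    return {
        "Base Case": stress_case(opening_cash, monthly_revenue, monthly_costs, **common),
        "Stress Case 1 (Moderate)": stress_case(
            opening_cash, monthly_revenue, monthly_costs,
            revenue_shock=0.15, cost_shock=0.10, extra_collection_months=1, **common),
        "Stress Case 2 (Severe)": stress_case(
            opening_cash, monthly_revenue, monthly_costs,
            revenue_shock=0.40,  # -30% plus a key customer worth 10% of revenue
            cost_shock=0.20, extra_collection_months=1, **common),
        "Stress Case 3 (Catastrophic)": stress_case(
            opening_cash, monthly_revenue, monthly_costs,
            revenue_shock=0.50, cost_shock=0.20, extra_collection_months=1,
            one_off_costs={2: 250_000, 4: 150_000},  # incident response, then a fine
            **common),
    }


if __name__ == "__main__":
    for name, result in run_stress_suite().items():
        print(f"{name:30} runs out: month {result['cash_out_month']}  "
              f"covenant breach: month {result['covenant_breach_month']}  "
              f"closing: {result['closing_cash']:,.0f}")
```

With these inputs the moderate case, which cuts revenue by only 15%, still exhausts cash in month 6 and breaks a $100K minimum-cash covenant in month 5, because the extra 30 days of collections removes a full month of receipts in month 1 while costs are already 10% higher; that is the "survival actions required" conversation the methodology asks for.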

### Board Risk Report Structure

1. Executive Summary (1 page)
   - Overall risk posture: [Green/Amber/Red] with trend
   - Top 5 risks (heatmap visual description)
   - Material changes since last report
   - Key decisions required
2. Risk Heatmap (1 page)
   - 5×5 matrix with risk IDs plotted
   - Movement arrows showing trend (↑↓→)
   - Color-coded by category
3. Top Risk Deep-Dives (1 page each, top 5 only)
   - Risk description and current assessment
   - Control effectiveness
   - Mitigation progress
   - KRI dashboard
   - Trend analysis
   - Recommendation
4. Emerging Risks (1 page)
   - New risks identified this period
   - External environment changes
   - Industry incidents / peer events
   - Horizon scanning findings
5. Risk Appetite Compliance (1 page)
   - Risks operating outside appetite
   - Appetite breach explanations
   - Requested appetite adjustments
6. Appendix
   - Full risk register (summary table)
   - KRI dashboard (all indicators)
   - Mitigation action tracker
   - Scenario test results

### Monthly Management Risk Report

```yaml
monthly_risk_report:
  period: "YYYY-MM"
  prepared_by: "[Risk Owner]"

  posture_summary:
    overall: "[Green/Amber/Red]"
    trend: "[Improving/Stable/Deteriorating]"
    critical_risks: [count]
    high_risks: [count]
    medium_risks: [count]
    low_risks: [count]
    new_risks_identified: [count]
    risks_closed: [count]

  top_5_risks:
    - rank: 1
      id: "R-XXX"
      title: "[name]"
      score: "[residual score]"
      trend: "[↑/→/↓]"
      status: "[On Track / Needs Attention / Escalated]"
      key_update: "[1-2 sentence update]"

  kri_breaches:
    red_alerts: [count]
    amber_alerts: [count]
    details: ["[list any red KRI breaches with context]"]

  mitigation_progress:
    total_actions: [N]
    completed_this_month: [N]
    overdue: [N]
    overdue_detail: ["[list overdue items]"]

  incidents_this_month:
    - type: "[category]"
      description: "[what happened]"
      impact: "[actual impact]"
      lessons: "[what we learned]"

  emerging_risks:
    - "[brief description of newly identified risks or environmental changes]"

  decisions_required:
    - "[any risk acceptance, budget, or strategy decisions needed from management]"
```

### Business Impact Analysis (BIA)

For each critical business process:

```yaml
business_impact_analysis:
  process: "[Process name]"
  owner: "[Department / Role]"
  description: "[What the process does]"

  dependencies:
    systems: ["[IT systems required]"]
    people: ["[key roles / minimum staffing]"]
    vendors: ["[third parties]"]
    data: ["[critical data / records]"]
    facilities: ["[physical locations]"]

  impact_over_time:
    0_4_hours: { financial: "$X", operational: "[description]", reputational: "[level]" }
    4_24_hours: { financial: "$X", operational: "[description]", reputational: "[level]" }
    1_3_days: { financial: "$X", operational: "[description]", reputational: "[level]" }
    3_7_days: { financial: "$X", operational: "[description]", reputational: "[level]" }
    7_plus_days: { financial: "$X", operational: "[description]", reputational: "[level]" }

  recovery_targets:
    RTO: "[Recovery Time Objective — max acceptable downtime]"
    RPO: "[Recovery Point Objective — max acceptable data loss]"
    MTPD: "[Maximum Tolerable Period of Disruption]"

  workarounds: "[Manual processes that can sustain operations temporarily]"
  recovery_priority: "[1-Critical / 2-Important / 3-Normal / 4-Low]"
```

### Crisis Response Framework

Severity Levels:

| Level | Criteria | Response | Authority |
|---|---|---|---|
| SEV-1 Critical | Existential threat, regulatory breach, safety | Crisis Management Team activated, board notified | CEO |
| SEV-2 Major | Significant financial/operational impact | Senior management war room | VP/Director |
| SEV-3 Moderate | Contained impact, managed within department | Department response team | Manager |
| SEV-4 Minor | Low impact, business as usual | Standard operating procedures | Team lead |

Crisis Response Checklist (SEV-1/2):

- □ Activate crisis management team (within 30 min)
- □ Assess situation — facts only, no speculation
- □ Contain immediate threat / stop the bleeding
- □ Notify stakeholders per communication plan
- □ Establish command cadence (hourly updates initially)
- □ Assign investigation lead
- □ Engage external support if needed (legal, PR, forensics)
- □ Document everything (decisions, actions, timeline)
- □ Manage communications (internal, customer, media, regulatory)
- □ Transition to recovery when threat contained
- □ Conduct post-incident review within 5 business days
- □ Update risk register and controls based on findings

### Crisis Communication Templates

Internal — First 2 Hours:

```text
Subject: [INCIDENT ALERT] — [Brief Description]

Team,

We are aware of [brief factual description of the situation].

What we know: [facts only]
What we're doing: [immediate actions taken]
What we need from you: [specific asks]
Next update: [time]

Do NOT [specific instructions — e.g., discuss on social media, contact clients directly].

Contact [Crisis Lead] with questions.
```

Customer — When Ready:

```text
Subject: Important Update Regarding [Issue]

Dear [Customer],

We want to inform you about [factual description].

Impact to you: [specific, honest assessment]
What we've done: [actions taken]
What happens next: [timeline and next steps]
Questions: [contact information]

We take this seriously and are committed to [resolution commitment].
```

### Risk Governance Structure

```text
Board / Risk Committee
    ↓ (quarterly review, appetite setting, major decisions)
Chief Risk Officer / Risk Owner
    ↓ (monthly reporting, framework maintenance)
Risk Champions (per department)
    ↓ (weekly monitoring, escalation, KRI tracking)
All Employees
    (risk awareness, incident reporting, control compliance)
```

### Three Lines of Defense Model

| Line | Role | Examples |
|---|---|---|
| 1st Line — Business Operations | Own and manage risk daily | Process owners, managers, project leads |
| 2nd Line — Risk & Compliance Functions | Oversee, challenge, advise, monitor | Risk management, compliance, legal, IT security |
| 3rd Line — Independent Assurance | Independent verification | Internal audit, external audit, regulators |

### Risk Culture Health Indicators

| Indicator | Healthy | Unhealthy |
|---|---|---|
| Incident reporting | Encouraged, no blame | Punished, cover-ups |
| Risk discussions | Open, at all levels | Only at board, checkbox |
| Near-miss reporting | Valued as learning | Ignored or hidden |
| Risk appetite | Understood by teams | Unknown or theoretical |
| Challenge culture | People speak up | Groupthink, HiPPO rules |
| Risk training | Regular, practical | Annual checkbox exercise |
| Accountability | Clear ownership | "Not my job" |

### Annual Risk Calendar

| Month | Activity |
|---|---|
| January | Annual risk assessment workshop, set risk appetite |
| February | Update risk register, set KRI targets |
| March | Q1 board risk report, scenario testing |
| April | Risk training refresh, control testing begins |
| May | Third-party risk assessment reviews |
| June | Q2 board risk report, mid-year BCP test |
| July | Emerging risk horizon scan |
| August | Insurance program review |
| September | Q3 board risk report, crisis simulation exercise |
| October | Annual control effectiveness assessment |
| November | Risk appetite review for next year |
| December | Q4 / Annual board risk report, program effectiveness review |

### Quantitative Risk Analysis (for mature organizations)

Monte Carlo Simulation Setup:

- Define risk events with probability distributions (not point estimates)
- Model correlations between risks
- Run 10,000+ simulations
- Analyze output distribution (P50, P90, P99 outcomes)
- Use results to set reserves, insurance limits, capital allocation

Value at Risk (VaR) for Operational Risk:

```text
Operational VaR = Expected Loss + Unexpected Loss (at confidence level)
- 95% confidence: Plan for this level in budget
- 99% confidence: Set aside reserves for this level
- 99.9% confidence: Transfer via insurance or avoid activity
```

Loss Distribution Approach:

- Frequency: How many events per year? (Poisson distribution)
- Severity: How large is each event? (Lognormal distribution)
- Aggregate loss: for each simulated year, draw the number of events N from the frequency distribution, draw N severities, and sum them; the distribution of those yearly totals across all simulations gives the P50/P90/P99 figures and the VaR levels above
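The Loss Distribution Approach is short to state and easy to get subtly wrong (summing a fixed number of severities, or reading VaR off the severity distribution instead of the yearly aggregate), and it is also what puts numbers into the Cost-Benefit Analysis formulas earlier on the page. The script below is an added example written for this page, not code from the skill package, using only the standard library: Poisson frequency, lognormal severity, one aggregate loss per simulated year, the VaR ladder as Expected Loss plus Unexpected Loss, and the AEL / Risk Reduction / ROI comparison for a control that is assumed to halve event frequency. Every parameter is a constructed assumption, risks are simulated independently (the "model correlations" step is not implemented), and the control's effect on frequency is a stated assumption rather than a measured one.

```python
"""Added example, not from the skill package: the Loss Distribution Approach
as a Monte Carlo simulation with only the standard library, feeding the VaR
ladder and the Cost-Benefit Analysis formulas (AEL, Risk Reduction, ROI).
Frequency is Poisson, severity lognormal, risks are independent (correlation
modelling is not implemented), and every parameter is a constructed assumption.
"""
from __future__ import annotations

import math
import random


def poisson(lam: float, rng: random.Random) -> int:
    """Number of events in one year (Knuth's method; fine for small lambda)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_annual_losses(freq_lambda, sev_median, sev_sigma, years=20_000, seed=7):
    """One aggregate loss per simulated year: the sum of N lognormal severities, N ~ Poisson."""
    rng = random.Random(seed)
    mu = math.log(sev_median)  # a lognormal's median is exp(mu)
    return sorted(
        sum(rng.lognormvariate(mu, sev_sigma) for _ in range(poisson(freq_lambda, rng)))
        for _ in range(years))


def percentile(sorted_losses, p):
    """Nearest-rank percentile, p in (0, 1]."""
    idx = min(len(sorted_losses) - 1, max(0, math.ceil(p * len(sorted_losses)) - 1))
    return sorted_losses[idx]


def expected_loss(sorted_losses):
    return sum(sorted_losses) / len(sorted_losses)


def var_ladder(sorted_losses):
    """Operational VaR = Expected Loss + Unexpected Loss at each confidence level."""
    el = expected_loss(sorted_losses)
    return {conf: {"var": percentile(sorted_losses, conf),
                   "unexpected_loss": percentile(sorted_losses, conf) - el}
            for conf in (0.95, 0.99, 0.999)}


def mitigation_roi(baseline, mitigated, one_time_cost, annual_cost, life_years):
    """The CBA formulas, with the one-time cost annualized over the control's life."""
    ael_before, ael_after = expected_loss(baseline), expected_loss(mitigated)
    reduction = ael_before - ael_after
    annual_mitigation_cost = one_time_cost / life_years + annual_cost
    return {"ael_before": ael_before, "ael_after": ael_after, "risk_reduction": reduction,
            "annual_mitigation_cost": annual_mitigation_cost,
            "roi": (reduction - annual_mitigation_cost) / annual_mitigation_cost}


# Constructed scenario: about two phishing-driven incidents a year, median cost
# $50K with a heavy right tail (sigma = 1); an email-security control is
# assumed to halve the frequency and leave severity unchanged.
BASELINE = simulate_annual_losses(freq_lambda=2.0, sev_median=50_000, sev_sigma=1.0)
MITIGATED = simulate_annual_losses(freq_lambda=1.0, sev_median=50_000, sev_sigma=1.0, seed=11)

if __name__ == "__main__":
    print(f"AEL baseline: {expected_loss(BASELINE):,.0f}")
    for conf, row in var_ladder(BASELINE).items():
        print(f"VaR {conf:.1%}: {row['var']:,.0f}  (unexpected loss {row['unexpected_loss']:,.0f})")
    cheap = mitigation_roi(BASELINE, MITIGATED, one_time_cost=60_000, annual_cost=10_000, life_years=3)
    dear = mitigation_roi(BASELINE, MITIGATED, one_time_cost=300_000, annual_cost=50_000, life_years=3)
    print(f"ROI cheap control: {cheap['roi']:.2f}   ROI expensive control: {dear['roi']:.2f}")
```

The analytic check for the baseline is λ × median × e^(σ²/2) ≈ 2 × 50,000 × 1.65 ≈ $165K a year, which the simulation reproduces to within sampling error; the 99.9% VaR lands several multiples above that, which is the gap between "plan for it in budget" and "transfer via insurance" that the ladder is meant to expose. Halving frequency halves the AEL, so a control costing about $30K a year clears the ROI > 0 rule comfortably while one costing $150K a year does not.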

### Bow-Tie Analysis (for complex risks)

```text
Threats → Preventive Controls → RISK EVENT → Mitigating Controls → Consequences
   │              │                  │               │                │
   ├─ Threat 1    ├─ Control A       │               ├─ Control X     ├─ Impact 1
   ├─ Threat 2    ├─ Control B       │               ├─ Control Y     ├─ Impact 2
   └─ Threat 3    └─ Control C       │               └─ Control Z     └─ Impact 3
                                     │
                              Escalation Factors
                              (what makes it worse)
```

Use bow-tie for:

- Critical risks where simple cause-consequence isn't enough
- Risks with multiple threat sources AND multiple consequence paths
- Communication tool for non-risk specialists

### Risk-Adjusted Decision Making

For any major decision, attach a risk assessment:

```yaml
decision_risk_assessment:
  decision: "[What we're deciding]"
  options:
    - option: "Option A"
      expected_return: "$[X]"
      risk_adjusted_return: "$[X - expected losses]"
      key_risks: ["[list]"]
      worst_case: "$[X]"
      best_case: "$[X]"

    - option: "Option B"
      expected_return: "$[X]"
      risk_adjusted_return: "$[X - expected losses]"
      key_risks: ["[list]"]
      worst_case: "$[X]"
      best_case: "$[X]"

  recommendation: "[option with best risk-adjusted return]"
  residual_risks_to_accept: ["[list risks we're consciously accepting]"]
  monitoring_plan: "[how we'll track if risk materializes post-decision]"
```

### Startup / Early-Stage Companies

- Simplify: focus on the top 10 risks, not a comprehensive universe
- Risk appetite is naturally higher — document it explicitly
- Key person risk is your #1 risk — address founder dependency
- Cash runway is THE financial risk — monitor it weekly
- Skip quantitative methods — a qualitative 5×5 matrix is sufficient

### Regulated Industries (Healthcare, Financial Services, Legal)

- Regulatory risk gets its own dedicated section naming the specific regulations
- A third-party risk management program is required (vendor assessments)
- Incident reporting timelines are legally mandated — know them
- Record retention requirements affect risk documentation
- Consider industry-specific frameworks (NIST CSF, COBIT, Basel III)

### Multi-Entity / International Operations

- Aggregate risks at group level AND track them by entity
- FX risk, transfer pricing risk, multi-jurisdiction compliance
- Cultural differences in risk reporting (some cultures underreport)
- Time zone challenges for crisis response
- Local regulatory requirements vary significantly

### M&A Integration

- Pre-deal: due diligence risk assessment (hidden liabilities, culture clash, integration complexity)
- Day 1: combined risk register, harmonize controls, retain key people
- 100-day plan: integrate risk frameworks, consolidate insurance, unified reporting
- Ongoing: track integration risks separately for 12-18 months

### Black Swan Events

- By definition, you can't predict them specifically
- Build organizational resilience: diversification, cash reserves, flexible operations
- Test extreme scenarios even if they seem "impossible"
- Focus on recovery capability, not just prevention
- Maintain crisis response muscle through regular exercises

### Natural Language Commands

Use these to interact with this skill:

| Command | Action |
|---|---|
| "Assess risk for [situation]" | Full risk assessment using 5×5 matrix |
| "Build risk register for [company/project]" | Create complete risk register YAML |
| "Design KRIs for [area]" | Create key risk indicators with thresholds |
| "Run scenario analysis for [event]" | Full scenario template with impacts |
| "Create BIA for [process]" | Business impact analysis with RTO/RPO |
| "Draft risk report for [audience]" | Board or management risk report |
| "Evaluate control effectiveness for [risk]" | Control assessment with recommendations |
| "Map risk interconnections for [risk set]" | Dependency and cascade analysis |
| "Stress test [financial/operational scenario]" | Multi-severity stress test |
| "Design crisis response for [event type]" | Crisis management plan with comms |
| "Calculate risk-adjusted return for [decision]" | Decision framework with risk overlay |
| "Audit risk culture" | Culture health assessment with recommendations |

### ⚡ Level Up Your Risk Management

This free skill gives you the complete ERM methodology. Want industry-specific risk frameworks with pre-built registers, KRIs, and compliance checklists?

AfrexAI Context Packs ($47 each) include tailored risk sections:

- Healthcare — HIPAA, patient safety, clinical risk, malpractice
- Fintech — AML/KYC, market risk, Basel III, PCI-DSS
- Legal — Professional liability, client confidentiality, conflicts
- Construction — Site safety, contract risk, weather, subcontractor
- SaaS — Uptime SLAs, data security, churn risk, vendor lock-in
- Manufacturing — Supply chain, quality, workplace safety, environmental
- Real Estate — Market cycles, tenant risk, regulatory, environmental
- Ecommerce — Fraud, inventory, logistics, platform dependency
- Recruitment — Compliance, candidate experience, placement risk
- Professional Services — Utilization, scope creep, client concentration

Browse all packs: https://afrexai-cto.github.io/context-packs/

### 🔗 More Free Skills by AfrexAI

- afrexai-contract-review — Legal contract review with CLAWS risk scoring
- afrexai-competitive-intel — 7-phase competitive intelligence system
- afrexai-fpa-engine — Financial planning & analysis
- afrexai-founder-os — Startup operating system
- afrexai-customer-success — 10-phase customer success & retention

Install: `clawhub install afrexai-risk-management`

## Trust
- Source: tencent
- Verification: Indexed source record
- Publisher: 1kalin
- Version: 1.0.0
## Source health
- Status: healthy
- Source download looks usable.
- Yavira can redirect you to the upstream package for this source.
- Health scope: source
- Reason: direct_download_ok
- Checked at: 2026-04-23T16:43:11.935Z
- Expires at: 2026-04-30T16:43:11.935Z
- Recommended action: Download for OpenClaw
## Links
- [Detail page](https://openagent3.xyz/skills/afrexai-risk-management)
- [Send to Agent page](https://openagent3.xyz/skills/afrexai-risk-management/agent)
- [JSON manifest](https://openagent3.xyz/skills/afrexai-risk-management/agent.json)
- [Markdown brief](https://openagent3.xyz/skills/afrexai-risk-management/agent.md)
- [Download page](https://openagent3.xyz/downloads/afrexai-risk-management)