enterprise-risk-assessment



By Kaakati. Updated 3/1/2026.

name: enterprise-risk-assessment
description: >
  Enterprise risk assessment with risk register, heat map, mitigation planning, and KRI framework. USE THIS SKILL when the user asks about risk identification, risk register, risk heat map, ERM framework, enterprise risk management, risk appetite, risk tolerance, key risk indicators, risk scoring, risk universe, control effectiveness, residual risk, inherent risk, or "what are our biggest risks." Also trigger when asked to build a risk matrix, assess control effectiveness, design a KRI dashboard, evaluate ERM maturity, or develop a risk mitigation plan for any organization or business unit.

Enterprise Risk Assessment

Required Inputs

  • Organization: Company or business unit name, industry, size (revenue and headcount).
  • Scope: Full enterprise risk assessment or specific category (Strategic, Operational, Financial, Compliance, Reputational).
  • Risk Context: Known incidents, near-misses, regulatory findings, audit observations, or strategic changes driving the assessment.
  • Existing Controls: Current risk management practices, policies, and control frameworks in place (if any).
  • Stakeholder Access: Availability of leadership, functional heads, and frontline staff for workshops and interviews.
  • Reporting Requirements: Board/audit committee reporting expectations; regulatory risk reporting obligations.

Execution Steps

1. Risk Universe Definition

Define the complete risk universe across 5 categories. Each category contains specific risk domains.

| Category | Risk Domains | Example Risks |
|---|---|---|
| Strategic | Market & competitive; M&A & partnerships; Innovation & disruption; Reputation & brand; Geopolitical | New entrant disrupts core market; failed acquisition integration; technology paradigm shift; social media crisis; sanctions regime change |
| Operational | Process failure; Supply chain; Technology & IT; People & talent; Health & safety; Business continuity | Production line shutdown; single-source supplier failure; cyberattack; key person departure; workplace incident; natural disaster |
| Financial | Liquidity & cash flow; Credit & counterparty; Market (FX, rates, commodities); Tax; Financial reporting | Cash flow shortfall; customer insolvency; currency devaluation; aggressive tax position challenged; material misstatement |
| Compliance | Regulatory; Legal & litigation; Data privacy; Anti-bribery & corruption; Sanctions; Environmental | License revocation; class action lawsuit; GDPR breach; FCPA violation; sanctions violation; environmental contamination |
| Reputational | Brand & trust; ESG & sustainability; Social license; Media & public perception; Employee advocacy | Product recall; ESG rating downgrade; community opposition; viral negative press; Glassdoor reputation collapse |

2. Risk Identification Methodology

Use the four complementary methods below (at minimum two of them, as the quality checks require) to ensure comprehensive identification:

Method 1: Leadership Workshops (2-3 hours each)

  • Facilitated session with 6-12 participants per workshop.
  • Use risk universe as a prompt — walk through each category and domain.
  • Employ "pre-mortem" technique: "It is 12 months from now and [bad outcome] has happened. What caused it?"
  • Capture risks on a shared board; cluster and de-duplicate in real time.
  • Minimum: 1 workshop with executive team + 1 per major business unit.

Method 2: One-on-One Interviews (45-60 minutes each)

  • Interview functional heads and subject matter experts who may not speak freely in workshops.
  • Use semi-structured interview guide: "What keeps you up at night? What risk are we not managing well? What incident almost happened?"
  • Minimum: 8-12 interviews across functions.

Method 3: Scenario Analysis

  • Develop 3-5 plausible adverse scenarios relevant to the organization.
  • For each scenario: identify trigger events, transmission mechanisms, and impact pathways.
  • Stress test: "If [scenario] happened tomorrow, what would break first?"

| Scenario | Trigger | Transmission | Primary Impact | Secondary Impact |
|---|---|---|---|---|
| Major cyber breach | Phishing attack succeeds | Data exfiltration; system lockout | Operational shutdown; customer data loss | Regulatory fine; reputation damage; litigation |
| Key customer loss | Competitor underbids by 20% | Revenue decline; utilization drop | Cash flow shortfall; headcount reduction | Talent attrition; supplier renegotiation |
| Regulatory change | New regulation effective in 12 months | Compliance cost increase; product redesign | Margin compression; capex requirement | Competitive disadvantage if slow to adapt |

Method 4: Incident and Near-Miss Review

  • Review all incidents, near-misses, audit findings, and regulatory observations from the last 3 years.
  • Identify patterns and systemic root causes.
  • Determine whether existing controls failed, were absent, or were bypassed.

3. Risk Scoring: Likelihood

Rate likelihood on a 1-5 scale with specific, observable criteria:

| Score | Label | Frequency Basis | Probability Basis | Description |
|---|---|---|---|---|
| 1 | Rare | Less than once in 10 years | <5% in next 12 months | Has never occurred; would require extraordinary circumstances |
| 2 | Unlikely | Once in 5-10 years | 5-20% in next 12 months | Has occurred in the industry but not at this organization; plausible but not expected |
| 3 | Possible | Once in 2-5 years | 20-50% in next 12 months | Has occurred at this organization before or is occurring at peers; could reasonably happen |
| 4 | Likely | Once in 1-2 years | 50-80% in next 12 months | Has occurred recently or conditions make it probable; trending upward |
| 5 | Almost Certain | Multiple times per year | >80% in next 12 months | Is currently occurring or has occurred repeatedly; expected without intervention |

4. Risk Scoring: Impact

Rate impact on a 1-5 scale across multiple dimensions. Use the highest dimension score as the overall impact rating.

| Score | Label | Financial | Operational | Regulatory | Reputational | Safety |
|---|---|---|---|---|---|---|
| 1 | Insignificant | <$100K or <0.1% revenue | <1 day disruption | Minor finding; self-remediated | Internal awareness only; no media | First aid only |
| 2 | Minor | $100K-$1M or 0.1-0.5% revenue | 1-3 day disruption | Regulatory inquiry; remediation ordered | Local media; limited duration | Medical treatment; no lost time |
| 3 | Moderate | $1M-$10M or 0.5-2% revenue | 3-7 day disruption; workarounds needed | Formal enforcement action; fine <$1M | National media; short-term reputation impact | Lost-time injury; hospitalization |
| 4 | Major | $10M-$50M or 2-10% revenue | 1-4 week disruption; partial operations | Major fine ($1M-$10M); license conditions | Sustained negative media; customer attrition | Permanent disability; multiple injuries |
| 5 | Catastrophic | >$50M or >10% revenue | >1 month disruption; business continuity invoked | License revocation; criminal prosecution; fine >$10M | Viral global media; existential brand damage | Fatality; mass casualty |

Note: Adjust financial thresholds proportionally for organization size. The percentages of revenue serve as scale-agnostic anchors.

5. Velocity Assessment

Assess how quickly a risk event materializes from trigger to full impact:

| Velocity | Time from Trigger to Full Impact | Implication for Response | Examples |
|---|---|---|---|
| Immediate | Minutes to hours | Pre-positioned response required; no time to deliberate | Cyberattack; workplace fatality; social media crisis; natural disaster |
| Days | 1-7 days | Rapid response team activation; executive decision within 24 hours | Product recall; key customer termination notice; data breach discovery |
| Weeks | 1-4 weeks | Time to assess, plan, and respond; cross-functional coordination | Regulatory investigation notice; competitive product launch; supply disruption |
| Months | 1-12 months | Strategic response; time to pivot or mitigate | New regulation announced; market shift emerging; talent pipeline depleting |
| Years | >12 months | Monitor and prepare; incorporate into strategic planning | Demographic shifts; technology disruption; climate change physical risks |

High-velocity risks require standing response protocols. Low-velocity risks require monitoring and early-warning indicators.

6. Inherent vs. Residual Risk Scoring

Score each risk twice:

| Concept | Definition | When to Use |
|---|---|---|
| Inherent risk | Risk level assuming NO controls are in place | Shows the "raw" exposure; useful for understanding total risk landscape and control dependency |
| Residual risk | Risk level AFTER existing controls are applied | Shows the "current" exposure; basis for prioritization and mitigation decisions |

Risk Score = Likelihood x Impact (range: 1 to 25)

| Score Range | Risk Rating | Required Action |
|---|---|---|
| 20-25 | Critical | Immediate remediation required; executive escalation; board notification |
| 12-19 | High | Remediation plan within 30 days; senior management ownership |
| 6-11 | Medium | Remediation plan within 90 days; management ownership |
| 1-5 | Low | Accept or monitor; review at next assessment cycle |

The same bands expressed as representative likelihood/impact pairs. The rating is always taken from the score band; these pairs are illustrative, not a lookup table:

| Rating | Likelihood | Impact | Action |
|---|---|---|---|
| Critical | Almost certain | Catastrophic | Immediate remediation required |
| High | Likely | Major | Remediation within 30 days |
| Medium | Possible | Moderate | Remediation within 90 days |
| Low | Unlikely | Minor | Accept or monitor |

Note: the product under-weights low-frequency, high-severity risks. A Rare (1) x Catastrophic (5) risk scores 5 and falls in the Low band; such risks should be reviewed explicitly against velocity (section 5) and risk appetite (section 9) rather than accepted on the score alone.

7. Control Effectiveness Assessment

Rate existing controls for each risk:

| Rating | Label | Criteria | Residual Risk Adjustment |
|---|---|---|---|
| 4 | Effective | Control is well-designed, consistently operating, tested regularly, documented, with clear ownership | Reduces inherent risk score by 60-80% |
| 3 | Partially Effective | Control exists and operates most of the time but has gaps in design, operation, or testing | Reduces inherent risk score by 30-50% |
| 2 | Ineffective | Control exists on paper but is not consistently operating, not tested, or has known design flaws | Reduces inherent risk score by 0-20% |
| 1 | None | No control in place for this risk | No reduction; residual risk = inherent risk |

Note: the percentages are guidance for rescoring residual likelihood and impact on the 1-5 scales; the register records the rescored values and the resulting residual score, not the percentage. Residual risk can never exceed inherent risk.

Control assessment questions:

  • Is the control documented in a policy or procedure?
  • Is there evidence the control operates as designed (test results, logs, approvals)?
  • Is the control automated or manual? (Automated controls operate consistently once configured correctly but fail silently when misconfigured, so they still need evidence of operation; manual controls depend on the person performing them.)
  • Who is responsible for operating the control? Is that person aware?
  • When was the control last tested or audited?
  • Has the control failed in the last 12 months? What happened?

8. Risk Heat Map (5x5 Grid)

Plot risk IDs on a text-based 5x5 matrix:

RISK HEAT MAP — Residual Risk

Impact ->    1-Insignif.  2-Minor     3-Moderate   4-Major     5-Catastrophic
            +------------+------------+------------+------------+------------+
5-Almost    |            |            |            |            |            |
  Certain   |    [   ]   |    [   ]   |    [   ]   |    [   ]   |    [   ]   |
            +------------+------------+------------+------------+------------+
4-Likely    |            |            |            |            |            |
            |    [   ]   |    [   ]   |    [   ]   |    [   ]   |    [   ]   |
            +------------+------------+------------+------------+------------+
3-Possible  |            |            |            |            |            |
            |    [   ]   |    [   ]   |    [   ]   |    [   ]   |    [   ]   |
            +------------+------------+------------+------------+------------+
2-Unlikely  |            |            |            |            |            |
            |    [   ]   |    [   ]   |    [   ]   |    [   ]   |    [   ]   |
            +------------+------------+------------+------------+------------+
1-Rare      |            |            |            |            |            |
            |    [   ]   |    [   ]   |    [   ]   |    [   ]   |    [   ]   |
            +------------+------------+------------+------------+------------+

Zone Legend:
  Critical (Score 20-25): Cells at top-right — immediate action
  High (Score 12-19): Cells in upper-middle band — 30-day action
  Medium (Score 6-11): Cells in middle band — 90-day action
  Low (Score 1-5): Cells at bottom-left — accept or monitor

Place risk IDs (R01, R02, etc.) in the appropriate cell based on their residual likelihood and impact scores.

9. Risk Appetite Framework

Define acceptable risk levels by category. Risk appetite is set by the board; risk tolerance is the operational boundary.

| Risk Category | Risk Appetite | Risk Tolerance (Max Residual Score) | Rationale |
|---|---|---|---|
| Strategic | Moderate-High | 16 | Organization accepts strategic risk to pursue growth; no existential bets |
| Operational | Low-Moderate | 12 | Operational disruptions must be contained; no prolonged outages |
| Financial | Low | 9 | Protect balance sheet; no risk of covenant breach or liquidity crisis |
| Compliance | Very Low | 6 | No tolerance for known regulatory violations or legal non-compliance |
| Reputational | Low | 9 | Protect brand; avoid any sustained negative media exposure |

Appetite breach protocol: Any risk with a residual score exceeding the tolerance threshold requires a documented risk acceptance by the appropriate authority:

| Residual Score vs. Tolerance | Acceptance Authority | Documentation |
|---|---|---|
| Within tolerance | Risk owner (management) | Standard risk register entry |
| 1-4 points above tolerance | Senior leadership / C-suite | Written risk acceptance memo with rationale and timeline |
| 5+ points above tolerance | Board / Audit Committee | Board paper with mitigation plan and progress tracking |
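The scoring bands of section 6, the heat-map placement of section 8 and the appetite breach protocol of section 9 carried through in code. This is an added example, not code from the skill or its repository: the register entries and their scores are constructed for illustration, the tolerance values copy the table above, and the Risk class, rating(), acceptance_authority(), appetite_compliance() and render_heat_map() names are this example's own.

```python
"""Residual-risk scoring, 5x5 heat map and appetite check for an ERM register.

Added example: the register entries below are constructed for illustration
and are not drawn from any real assessment. Tolerances copy section 9.
"""
from dataclasses import dataclass

LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost Certain"}
IMPACT = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}

# Maximum acceptable residual score per category (section 9 tolerance column).
TOLERANCE = {"Strategic": 16, "Operational": 12, "Financial": 9,
             "Compliance": 6, "Reputational": 9}


@dataclass(frozen=True)
class Risk:
    """One register row: inherent and residual likelihood/impact on the 1-5 scales."""
    rid: str
    category: str
    inherent_l: int
    inherent_i: int
    residual_l: int
    residual_i: int

    def score(self, residual=True):
        """Likelihood x Impact (1-25); rejects values outside the 1-5 scales."""
        l, i = (self.residual_l, self.residual_i) if residual else (self.inherent_l, self.inherent_i)
        if not (1 <= l <= 5 and 1 <= i <= 5):
            raise ValueError(f"{self.rid}: likelihood and impact must each be 1-5")
        return l * i


def rating(score):
    """Section 6 bands: 20-25 Critical, 12-19 High, 6-11 Medium, 1-5 Low."""
    if score >= 20:
        return "Critical"
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def acceptance_authority(risk):
    """Section 9 breach protocol: who must document acceptance of the residual score."""
    excess = risk.score() - TOLERANCE[risk.category]
    if excess <= 0:
        return "Risk owner"
    if excess <= 4:
        return "Senior leadership"
    return "Board / Audit Committee"


def appetite_compliance(risks):
    """Highest residual score per category against its tolerance (Risk Appetite Compliance table)."""
    report = {}
    for category, tolerance in TOLERANCE.items():
        scores = [r.score() for r in risks if r.category == category]
        highest = max(scores, default=0)
        report[category] = {"tolerance": tolerance, "highest": highest,
                            "status": "Breach" if highest > tolerance else "Within"}
    return report


def heat_map(risks):
    """grid[likelihood][impact] -> risk IDs plotted on their residual scores."""
    grid = {l: {i: [] for i in range(1, 6)} for l in range(1, 6)}
    for r in risks:
        r.score()  # validates the scales before plotting
        grid[r.residual_l][r.residual_i].append(r.rid)
    return grid


def render_heat_map(risks, width=12):
    """Text grid in the section 8 layout: likelihood 5 at the top, impact 1 at the left."""
    grid = heat_map(risks)
    label = 12
    sep = " " * label + "+" + ("-" * width + "+") * 5
    header = "Impact ->".ljust(label + 1) + "".join(
        f"{i}-{IMPACT[i][:9]}".ljust(width + 1) for i in range(1, 6))
    lines = [header, sep]
    for l in range(5, 0, -1):
        cells = "".join("|" + ",".join(grid[l][i]).center(width) for i in range(1, 6)) + "|"
        lines.append(f"{l}-{LIKELIHOOD[l][:9]}".ljust(label) + cells)
        lines.append(sep)
    return "\n".join(lines)


# Constructed sample register (illustrative scores only).
SAMPLE = [
    Risk("R01", "Operational", 4, 5, 3, 5),   # cyberattack: inherent 20, residual 15
    Risk("R02", "Financial", 3, 4, 2, 4),     # key customer insolvency: residual 8
    Risk("R03", "Compliance", 3, 4, 2, 4),    # data privacy breach: residual 8, tolerance 6
    Risk("R04", "Strategic", 2, 5, 2, 5),     # market disruption: residual 10
    Risk("R05", "Reputational", 5, 1, 4, 1),  # recurring minor local press: residual 4
    Risk("R06", "Strategic", 1, 5, 1, 5),     # Rare x Catastrophic: residual 5, rated Low
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.rid, r.score(residual=False), r.score(), rating(r.score()), acceptance_authority(r))
    print(render_heat_map(SAMPLE))
    print(appetite_compliance(SAMPLE))
```

Running the sample shows the two escalations the protocol produces: R01 (residual 15 against an Operational tolerance of 12) and R03 (residual 8 against a Compliance tolerance of 6) both need a senior leadership acceptance memo. R06 is the caveat case from section 6: a Rare x Catastrophic risk scores 5 and lands in the Low band, so it reaches the register without any escalation unless the velocity and appetite review picks it up.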

10. Mitigation Strategy Selection

For each risk requiring mitigation, select from four strategies:

| Strategy | Definition | When to Use | Example |
|---|---|---|---|
| Accept | Consciously accept the risk without additional mitigation | Risk is within appetite; cost of mitigation exceeds expected loss; risk is inherent to the business model | Accepting competitive risk in a mature market |
| Mitigate | Implement controls to reduce likelihood, impact, or both | Risk exceeds appetite and can be reduced to acceptable level with reasonable investment | Installing backup generators; implementing fraud detection system |
| Transfer | Shift risk to a third party through insurance, contract, or outsourcing | Risk is insurable; contractual risk allocation is possible; outsourcing transfers operational risk | Purchasing cyber insurance; contractual indemnities; outsourcing IT operations |
| Avoid | Eliminate the risk by changing strategy, exiting a market, or stopping an activity | Risk is unacceptable and cannot be mitigated or transferred at reasonable cost | Exiting a market with unmanageable regulatory risk; discontinuing a product line |

Mitigation plan template per risk:

| Element | Detail |
|---|---|
| Risk ID | R-XX |
| Current residual score | XX (Likelihood X x Impact X) |
| Target residual score | XX (Likelihood X x Impact X) |
| Strategy | Accept / Mitigate / Transfer / Avoid |
| Specific actions | [Numbered list of mitigation actions] |
| Owner | [Role, not individual name] |
| Timeline | [Start date to completion date] |
| Cost estimate | $[X] |
| Dependencies | [Other actions, approvals, or resources required] |
| Success measure | [How will we know the mitigation worked?] |

11. Key Risk Indicators (KRIs)

Design KRIs with threshold-based alerting for continuous risk monitoring:

| Risk | KRI | Green (Normal) | Amber (Elevated) | Red (Critical) | Frequency | Owner |
|---|---|---|---|---|---|---|
| Cyber breach | Failed login attempts per day | <100 | 100-500 | >500 | Daily | CISO |
| Cyber breach | Days since last penetration test | <90 | 90-180 | >180 | Monthly | CISO |
| Customer concentration | Revenue from top customer (%) | <15% | 15-25% | >25% | Quarterly | CCO |
| Talent attrition | Voluntary turnover rate (annualized) | <10% | 10-18% | >18% | Monthly | CHRO |
| Liquidity | Days cash on hand | >90 | 60-90 | <60 | Weekly | CFO |
| Regulatory | Open audit findings (past due) | 0 | 1-3 | >3 | Monthly | CCO/GC |
| Operational | System uptime (%) | >99.5% | 99.0-99.5% | <99.0% | Weekly | CTO |
| Supply chain | Supplier on-time delivery rate | >95% | 90-95% | <90% | Monthly | COO |
| Financial reporting | Adjusting journal entries per close | <5 | 5-15 | >15 | Monthly | CFO |
| Reputation | Social media sentiment score | >0.7 | 0.5-0.7 | <0.5 | Weekly | CMO |

KRI design principles:

  • Each KRI must be measurable with available data (do not design KRIs that cannot be collected).
  • Green/Amber/Red thresholds must be calibrated to the organization's risk appetite.
  • Amber = investigate and prepare; Red = escalate and act.
  • State each KRI's direction explicitly: for failed logins, days since last penetration test, and past-due findings a higher value is worse; for days cash on hand and uptime a lower value is worse. Thresholds and trend arrows are misread when the direction is left implicit.
  • Baseline volume-based security KRIs (such as failed login attempts) against the organization's own normal and user-base size before fixing absolute thresholds: a daily count that is routine for a large estate is alarming for a small one, and a distributed, low-and-slow credential attack can stay under a daily total, so pair the count with a per-account or per-source view.
  • Review thresholds semi-annually; recalibrate based on trends and incidents.
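A threshold evaluator for the KRI table above, added here as an example and not code from the skill or its repository. It makes the direction of each indicator explicit, since the table mixes indicators where a high value is bad (failed logins, days since last penetration test, past-due findings) with ones where a low value is bad (days cash on hand, uptime), and derives the status plus a direction-aware trend for the KRI Dashboard of the output template. The KRI class, dashboard() and escalations() names and the observation histories are this example's own constructions; the thresholds are taken from the table.

```python
"""KRI Green/Amber/Red evaluation with explicit direction and trend.

Added example: thresholds follow the KRI table in section 11; the observation
histories are constructed sample data, not measurements from any organization.
"""
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class KRI:
    risk: str
    name: str
    owner: str
    amber: float           # Green/Amber boundary
    red: float             # Amber/Red boundary
    higher_is_worse: bool  # failed logins: True; days cash on hand, uptime: False

    def __post_init__(self):
        # The two boundaries must be ordered consistently with the stated direction.
        ordered = self.amber <= self.red if self.higher_is_worse else self.amber >= self.red
        if not ordered:
            raise ValueError(f"{self.name}: thresholds contradict the stated direction")

    def status(self, value):
        """Bands read exactly as the table states them, e.g. <100 / 100-500 / >500."""
        if self.higher_is_worse:
            if value > self.red:
                return "Red"
            return "Amber" if value >= self.amber else "Green"
        if value < self.red:
            return "Red"
        return "Amber" if value <= self.amber else "Green"


def trend(history: Sequence[float], higher_is_worse: bool, tolerance: float = 0.0):
    """Direction-aware trend over the window: 'Worsening', 'Improving' or 'Stable'."""
    if len(history) < 2:
        return "Stable"
    delta = history[-1] - history[0]
    if abs(delta) <= tolerance:
        return "Stable"
    worsening = delta > 0 if higher_is_worse else delta < 0
    return "Worsening" if worsening else "Improving"


def dashboard(kris, observations):
    """Rows for the KRI Dashboard; observations maps KRI name -> values, oldest first."""
    rows = []
    for k in kris:
        history = observations[k.name]
        rows.append({"risk": k.risk, "kri": k.name, "current": history[-1],
                     "status": k.status(history[-1]),
                     "trend": trend(history, k.higher_is_worse), "owner": k.owner})
    return rows


def escalations(rows):
    """Red = escalate and act (section 11); Amber rows stay with the owner to investigate."""
    return [r for r in rows if r["status"] == "Red"]


# Thresholds from the section 11 table; the direction flag is this example's annotation.
KRIS = [
    KRI("Cyber breach", "Failed login attempts per day", "CISO", 100, 500, True),
    KRI("Cyber breach", "Days since last penetration test", "CISO", 90, 180, True),
    KRI("Liquidity", "Days cash on hand", "CFO", 90, 60, False),
    KRI("Operational", "System uptime (%)", "CTO", 99.5, 99.0, False),
    KRI("Regulatory", "Open audit findings (past due)", "CCO/GC", 1, 3, True),
]

# Constructed observation history per KRI, oldest to newest.
OBSERVATIONS = {
    "Failed login attempts per day": [80, 95, 140, 620],
    "Days since last penetration test": [30, 60, 90],
    "Days cash on hand": [110, 95, 88],
    "System uptime (%)": [99.2, 99.4, 99.7],
    "Open audit findings (past due)": [0, 0, 0],
}

if __name__ == "__main__":
    for row in dashboard(KRIS, OBSERVATIONS):
        print(f"{row['kri']:<34} {row['current']:>7} {row['status']:<6} "
              f"{row['trend']:<10} {row['owner']}")
```

With the constructed history only the failed-login KRI reaches Red and is returned by escalations(); the penetration-test and cash KRIs sit on the Amber boundary and are flagged as worsening, which is the "investigate and prepare" case. Boundary values are treated as the table literally states them (500 failed logins is Amber, 501 is Red; 60 days of cash is Amber, 59 is Red), so the thresholds in the register and in the evaluator cannot drift apart.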

12. Risk Reporting and Governance

| Reporting Level | Audience | Frequency | Content | Format |
|---|---|---|---|---|
| Operational | Risk owners, functional teams | Weekly / Monthly | KRI dashboard; incident reports; control test results | Dashboard with drill-down |
| Management | C-suite, risk committee | Monthly | Top 10 risks; KRI summary; new/emerging risks; mitigation progress | Risk report (3-5 pages) |
| Board / Audit Committee | Board members | Quarterly | Risk heat map; appetite breaches; material incidents; ERM maturity progress | Board paper (5-10 pages) |
| Regulatory | Regulators (if required) | As required | Regulatory risk disclosures; compliance attestations | Regulatory filing format |

Governance structure:

| Role | Responsibility |
|---|---|
| Board / Audit Committee | Approve risk appetite; oversee ERM program; review top risks quarterly |
| Chief Risk Officer (or equivalent) | Own ERM framework; aggregate and report risks; challenge first-line risk assessments |
| Risk Committee (management) | Review risk register monthly; approve mitigation plans; allocate resources |
| Risk Owners (functional heads) | Own assigned risks; implement mitigations; report KRIs; escalate breaches |
| Internal Audit | Independent assurance on control effectiveness; test risk management processes |

13. ERM Maturity Model

Assess organizational ERM maturity on a 5-level scale:

| Level | Label | Description | Key Characteristics |
|---|---|---|---|
| 1 | Ad Hoc | Risk management is reactive and informal | No formal risk register; risks managed in silos; incident-driven only; no common risk language |
| 2 | Emerging | Basic risk identification and reporting started | Risk register exists but incomplete; annual assessment conducted; risk committee forming; basic reporting to board |
| 3 | Defined | Formal ERM framework in place and operating | Comprehensive risk register; defined risk appetite; regular reporting; KRIs tracked; roles and responsibilities clear; training provided |
| 4 | Managed | ERM integrated into decision-making | Risk considerations embedded in strategic planning, capital allocation, and project approvals; quantitative risk analysis used; forward-looking scenario analysis; strong risk culture |
| 5 | Optimized | ERM drives competitive advantage | Real-time risk monitoring; predictive analytics; risk-adjusted performance measurement; continuous improvement; recognized as industry benchmark |

Maturity assessment by capability:

| Capability | Level 1 | Level 2 | Level 3 | Level 4 | Level 5 |
|---|---|---|---|---|---|
| Risk identification | Reactive | Annual exercise | Continuous + emerging risks | Forward-looking scenarios | Predictive analytics |
| Risk assessment | Qualitative only | Basic scoring | Consistent 5x5 matrix | Quantitative modeling (Monte Carlo) | Real-time risk scoring |
| Risk appetite | Not defined | Implicit | Documented and approved | Cascaded to business units | Dynamically adjusted |
| Reporting | Ad hoc | Annual report | Quarterly board report | Monthly management + quarterly board | Real-time dashboards |
| Culture | Risk avoidance | Awareness growing | Training in place | Risk-aware decision making | Risk intelligence embedded |
| Technology | Spreadsheets | Basic GRC tool | Integrated GRC platform | Automated monitoring + alerts | AI-powered risk analytics |

Output Template

## Enterprise Risk Assessment: [Organization Name]

**Date**: [Date] | **Industry**: [Industry] | **Revenue**: $[X]M | **Headcount**: [N]
**Scope**: [Full enterprise / Specific category]

### Executive Summary
[Organization] faces [N] identified risks across [X] categories. [N] risks are rated Critical,
[N] High, [N] Medium, and [N] Low on a residual basis. The top 3 risks are: (1) [Risk],
(2) [Risk], and (3) [Risk]. Current ERM maturity is Level [X] ([Label]). [N] risks exceed
the organization's stated risk appetite and require immediate attention. This report
provides a full risk register, heat map, mitigation plans, and KRI framework.

### Risk Register

| ID | Risk | Category | Inherent L | Inherent I | Inherent Score | Controls | Control Rating | Residual L | Residual I | Residual Score | Rating | Velocity | Owner |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| R01 | [Description] | [Category] | X | X | XX | [Current controls] | [E/PE/IE/N] | X | X | XX | [Critical/High/Med/Low] | [Imm/Days/Wks/Mos/Yrs] | [Role] |
| R02 | [Description] | [Category] | X | X | XX | [Current controls] | [E/PE/IE/N] | X | X | XX | [Rating] | [Velocity] | [Role] |

### Risk Heat Map (Residual)

Impact ->    1-Insignif.  2-Minor     3-Moderate   4-Major     5-Catastrophic
            +------------+------------+------------+------------+------------+
5-Almost    |            |            |            |            |            |
  Certain   |    [   ]   |    [   ]   |  [ Rxx ]   |  [ Rxx ]   |  [ Rxx ]   |
            +------------+------------+------------+------------+------------+
4-Likely    |            |            |            |            |            |
            |    [   ]   |    [   ]   |  [ Rxx ]   |  [ Rxx ]   |  [ Rxx ]   |
            +------------+------------+------------+------------+------------+
3-Possible  |            |            |            |            |            |
            |    [   ]   |  [ Rxx ]   |  [ Rxx ]   |  [ Rxx ]   |    [   ]   |
            +------------+------------+------------+------------+------------+
2-Unlikely  |            |            |            |            |            |
            |  [ Rxx ]   |  [ Rxx ]   |  [ Rxx ]   |    [   ]   |    [   ]   |
            +------------+------------+------------+------------+------------+
1-Rare      |            |            |            |            |            |
            |  [ Rxx ]   |  [ Rxx ]   |    [   ]   |    [   ]   |    [   ]   |
            +------------+------------+------------+------------+------------+


### Risk Appetite Compliance
| Category | Appetite | Tolerance (Max Score) | Highest Residual Score | Status |
|---|---|---|---|---|
| Strategic | [Level] | XX | XX | Within / Breach |
| Operational | [Level] | XX | XX | Within / Breach |
| Financial | [Level] | XX | XX | Within / Breach |
| Compliance | [Level] | XX | XX | Within / Breach |
| Reputational | [Level] | XX | XX | Within / Breach |

### Mitigation Plans (Critical and High Risks)

#### R-[XX]: [Risk Name]
| Element | Detail |
|---|---|
| Current residual score | XX ([Rating]) |
| Target residual score | XX ([Rating]) |
| Strategy | Accept / Mitigate / Transfer / Avoid |
| Actions | 1. [Action] 2. [Action] 3. [Action] |
| Owner | [Role] |
| Timeline | [Start] — [Completion] |
| Cost | $[X] |
| Success measure | [Measure] |

### KRI Dashboard
| Risk | KRI | Current Value | Status | Threshold (G/A/R) | Trend | Owner |
|---|---|---|---|---|---|---|
| [Risk] | [KRI] | [Value] | Green/Amber/Red | [Thresholds] | Up/Stable/Down | [Role] |

### ERM Maturity Assessment
| Capability | Current Level | Target Level | Gap | Priority Actions |
|---|---|---|---|---|
| Risk identification | X | X | X | [Action] |
| Risk assessment | X | X | X | [Action] |
| Risk appetite | X | X | X | [Action] |
| Reporting | X | X | X | [Action] |
| Culture | X | X | X | [Action] |
| Technology | X | X | X | [Action] |
| **Overall** | **X** | **X** | | |

### Governance and Reporting Cadence
| Forum | Frequency | Content | Owner |
|---|---|---|---|
| [Forum] | [Frequency] | [Content] | [Role] |

### Recommendations
1. [Highest-priority recommendation with rationale]
2. [Second priority]
3. [Third priority]
4. [Continue as needed]

Quality Checks

  • All 5 risk categories covered in the risk universe (Strategic, Operational, Financial, Compliance, Reputational).
  • Risk identification used at least 2 of the 4 methods (workshops, interviews, scenario analysis, incident review).
  • Every risk scored on both likelihood (1-5) and impact (1-5) using the defined criteria — no scores assigned without justification.
  • Impact scoring uses the highest relevant dimension (financial, operational, regulatory, reputational, safety).
  • Velocity assessed for every risk (Immediate / Days / Weeks / Months / Years).
  • Both inherent and residual risk scores calculated for every risk in the register.
  • Control effectiveness rated for every risk using the four-level scale (Effective / Partially Effective / Ineffective / None).
  • Risk heat map plotted as a 5x5 grid with risk IDs placed in the correct cells based on residual scores.
  • Risk appetite defined by category with tolerance thresholds; appetite breaches flagged.
  • Mitigation plans documented for all Critical and High risks with strategy, actions, owner, timeline, cost, and success measure.
  • KRIs designed with Green/Amber/Red thresholds, data source, frequency, and owner for at least the top 10 risks.
  • ERM maturity assessed against the 5-level model with current state, target state, and gap actions.
  • Governance structure defined with clear roles (Board, CRO, Risk Committee, Risk Owners, Internal Audit).
  • Reporting cadence specified for each governance level (operational, management, board, regulatory).
  • Risk owners assigned as roles (not individual names) to every risk in the register.
Install via CLI
npx skills add https://github.com/Kaakati/managing-director --skill enterprise-risk-assessment
Repository Details: Stars 3; Forks 0; Branch main; Path SKILL.md