Risk managers are expected to anticipate what can go wrong, quantify the impact, recommend mitigation strategies, and communicate complex information to leadership—all while keeping pace with an evolving regulatory landscape. AI tools can dramatically speed up the analytical, writing, and communication tasks that are core to the profession. These 35 prompts cover everything from risk identification to board reporting.
1. Risk Identification and Assessment
Prompt 1
Conduct a risk identification brainstorm for a mid-sized financial services company preparing for a core banking platform migration. Generate 20 potential risks across categories including technology, operational, regulatory compliance, third-party vendor, people, and reputational risk. For each risk, briefly describe the potential cause and impact.
Prompt 2
Create a risk register template for an enterprise risk management (ERM) program. Include columns for risk ID, risk description, risk category, likelihood rating (1-5), impact rating (1-5), inherent risk score, current controls, residual risk score, risk owner, and next review date. Provide 5 example rows.
Prompt 3
Write a risk assessment methodology section for an ERM framework document. Describe the qualitative and quantitative approaches used to assess risk likelihood and impact, the risk rating scale definitions, how risks are aggregated at the enterprise level, and how the risk universe is updated annually.
Prompt 4
Generate a bow-tie risk analysis for the risk of a critical vendor going out of business during a major contract period. Include at least 5 threat causes on the left side, the central risk event, at least 5 consequence outcomes on the right, preventive controls (threats to event), and recovery controls (event to consequences).
Prompt 5
List the top 10 emerging risks for a global manufacturing company in 2026. For each risk, explain the driving forces behind it, its potential impact on operations or financials, and one mitigation approach the company should consider. Include risks related to AI, climate transition, geopolitical instability, and supply chain resilience.
2. Risk Frameworks and Policy
Prompt 6
Write an enterprise risk management (ERM) policy statement for a publicly traded company with operations in 10 countries. Include purpose, scope, risk appetite statement, roles and responsibilities (board, audit committee, CRO, business units), risk management cycle description, and policy review schedule.
Prompt 7
Draft a risk appetite statement for a regional bank with a conservative risk culture. Include statements for credit risk, market risk, operational risk, liquidity risk, compliance risk, and reputational risk. Use quantitative thresholds where possible and qualitative descriptors where appropriate.
Prompt 8
Create a comparison of the COSO ERM framework and the ISO 31000 risk management standard. Include their key principles, structure, audience, integration with strategy, and practical differences. Recommend which framework is more appropriate for a healthcare system and explain why.
Prompt 9
Write a third-party risk management policy for a company that relies on 200+ vendors for critical business operations. Include vendor tiering criteria, due diligence requirements by tier, contract risk provisions, ongoing monitoring requirements, and incident notification obligations. Use a formal policy format.
Prompt 10
Draft a risk tolerance escalation matrix that defines when risks must be escalated from business unit level to senior management, from senior management to the CRO, and from the CRO to the board. Include trigger criteria based on risk score thresholds, risk velocity, and regulatory implications.
3. Operational and Business Continuity Risk
Prompt 11
Write a business impact analysis (BIA) template for a financial institution's IT department. Include sections for process inventory, criticality rating, maximum tolerable downtime (MTD), recovery time objective (RTO), recovery point objective (RPO), dependencies, and manual workaround availability. Provide example data for 3 processes.
Prompt 12
Create a tabletop exercise scenario for testing a company's incident response to a ransomware attack that has encrypted 60% of operational servers. Include an incident timeline, inject questions for participants at the 1-hour, 4-hour, and 24-hour marks, and debrief discussion questions for identifying gaps.
Prompt 13
Draft a crisis communication plan outline for a consumer products company facing a product recall affecting 500,000 units. Include stakeholder identification (regulators, customers, retailers, media, employees), communication channel strategy, messaging frameworks for each audience, spokespersons, and escalation triggers.
Prompt 14
Write a lessons learned report template following a major operational incident. Include sections for incident summary, timeline of events, root cause analysis (using the 5 Whys or fishbone method), control failures identified, corrective actions with owners and deadlines, and metrics for tracking remediation.
Prompt 15
Generate a supply chain disruption risk scenario for a pharmaceutical company that sources a key active pharmaceutical ingredient from a single supplier in one country. Describe the scenario, model the financial exposure using a simple impact calculation, and recommend 3 strategic risk mitigation options with trade-offs.
4. Compliance and Regulatory Risk
Prompt 16
Write a regulatory change management process document for a compliance team at a bank. Include steps for monitoring regulatory updates, assessing impact on policies and procedures, assigning remediation owners, tracking implementation, and reporting status to the compliance committee and board.
Prompt 17
Create a compliance risk assessment for a technology company subject to GDPR, CCPA, and SOC 2 requirements. For each regulatory framework, list the top 5 compliance risks, current control effectiveness rating, residual risk level, and recommended remediation actions.
Prompt 18
Draft an anti-money laundering (AML) risk assessment summary for a fintech company offering peer-to-peer payment services. Include customer risk factors, product and service risk factors, geographic risk factors, delivery channel risks, and an overall inherent and residual risk rating with supporting rationale.
Prompt 19
Write a model risk management policy section covering model validation requirements for a bank that uses credit scoring, stress testing, and fraud detection models. Include model inventory requirements, validation frequency standards, independent review requirements, model risk rating definitions, and escalation procedures.
Prompt 20
Generate a regulatory examination preparation checklist for a bank's upcoming examination by a federal banking regulator. Include documentation to prepare, areas likely to be reviewed, key metrics regulators typically focus on, self-assessment steps, and tips for managing examiner requests efficiently.
5. Financial and Quantitative Risk
Prompt 21
Explain Value at Risk (VaR) to a non-technical board member. Include what it measures, its limitations, what a 95% 1-day VaR of $10M means in plain language, and what other metrics should be used alongside VaR to give a complete picture of market risk. Avoid mathematical formulas.
Prompt 22
Write a stress testing scenario narrative for a financial institution testing the impact of a simultaneous 30% equity market decline, 200 basis point interest rate increase, and 15% commercial real estate value decline. Include assumptions, transmission mechanisms to the bank's balance sheet, and a summary impact table.
Prompt 23
Create a Monte Carlo simulation explanation for a risk committee unfamiliar with probabilistic modeling. Include what the technique does, how it applies to financial risk, a simple example using project cost overrun uncertainty, and what the output distribution tells decision-makers about risk.
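The project cost overrun example that this prompt asks for can be run rather than merely described. The following Python script is an added illustration, not part of the original page or its prompt toolkit: it treats each work package of a platform migration as a three-point estimate (minimum, most likely, maximum, in thousands), draws every package from a triangular distribution for thousands of trials, and turns the resulting distribution into the figures a risk committee actually asks about (expected cost, P50, P90, probability of exceeding the budget, contingency needed to cover the P90). The work packages and figures are constructed for the example and do not describe any real project.

```python
import math
import random
import statistics

# Constructed sample input: work packages with (min, most likely, max) cost
# estimates in thousands. Hypothetical figures, not from any real project.
WORK_PACKAGES = {
    "core_banking_build": (800, 1000, 1600),
    "data_migration": (200, 300, 700),
    "testing_and_cutover": (150, 200, 450),
    "vendor_services": (300, 350, 500),
}


def simulate_project_costs(work_packages, n_runs=20000, seed=7):
    """Run n_runs Monte Carlo trials. Each trial draws every work package's
    cost from a triangular distribution and sums them; returns all totals."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    totals = []
    for _ in range(n_runs):
        total = 0.0
        for low, mode, high in work_packages.values():
            # random.triangular takes (low, high, mode), not (low, mode, high)
            total += rng.triangular(low, high, mode)
        totals.append(total)
    return totals


def percentile(values, p):
    """Nearest-rank percentile (p in 0..100) over an unsorted list."""
    ordered = sorted(values)
    rank = math.ceil(p / 100 * len(ordered)) - 1
    return ordered[max(0, min(rank, len(ordered) - 1))]


def summarize(totals, budget):
    """Translate the output distribution into decision-relevant figures:
    where the budget sits on the curve and how much contingency covers P90."""
    p90 = percentile(totals, 90)
    exceed = sum(1 for t in totals if t > budget)
    return {
        "mean": statistics.fmean(totals),
        "p50": percentile(totals, 50),
        "p90": p90,
        "p_exceed_budget": exceed / len(totals),
        "contingency_for_p90": max(0.0, p90 - budget),
    }


if __name__ == "__main__":
    # A budget built from "most likely" values is the usual planning mistake:
    # with right-skewed estimates it is exceeded far more often than half the time.
    most_likely_budget = sum(mode for _, mode, _ in WORK_PACKAGES.values())
    totals = simulate_project_costs(WORK_PACKAGES)
    print(f"budget (sum of most-likely estimates): {most_likely_budget:,.0f}")
    for name, value in summarize(totals, most_likely_budget).items():
        print(f"{name:>20}: {value:,.1f}")
```

The point the output makes for a committee is that the sum of "most likely" estimates is not the expected cost: because each estimate has more room above its mode than below, the mean and the P50 both sit above that budget, and the P90 shows how much contingency is needed to be 90% confident of staying within funding.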
Prompt 24
Draft a credit risk concentration analysis framework for a commercial bank's loan portfolio. Include definitions of concentration risk, types of concentrations to monitor (geographic, industry, borrower, product), proposed concentration limits, early warning indicators, and reporting frequency to senior management.
Prompt 25
Write a risk-adjusted return on capital (RAROC) primer for a business unit leader who must understand why capital allocation decisions are made. Explain the concept, how it is calculated, why it matters for pricing decisions and performance measurement, and how their business unit's RAROC compares to hurdle rates.
6. Risk Reporting and Communication
Prompt 26
Write a quarterly risk dashboard narrative section summarizing the current top 5 enterprise risks for a board of directors. Assume risks include cybersecurity, talent retention, regulatory change, macroeconomic uncertainty, and climate transition. For each risk, include a status indicator (increasing, stable, or decreasing) and a one-paragraph update.
Prompt 27
Create a board risk committee report template for a publicly traded company. Include sections for executive summary, risk appetite utilization summary, top risk heat map discussion, key risk indicator (KRI) dashboard, emerging risks, audit and control findings summary, and management actions for approval.
Prompt 28
Draft a risk culture assessment survey with 15 questions for employees at all levels of an organization. Include questions targeting risk awareness, leadership tone, psychological safety to raise concerns, clarity of risk responsibilities, and use of risk information in decision-making. Include a 5-point Likert scale with anchor descriptions.
Prompt 29
Write an internal communication memo to all business unit leaders announcing the launch of a new enterprise risk management program. Explain the purpose, what will be expected of each business unit, the implementation timeline, how the program supports strategic objectives, and who to contact for questions.
Prompt 30
Generate a set of 15 key risk indicators (KRIs) for a technology company's operational risk profile. For each KRI, specify the risk it monitors, the data source, the measurement frequency, the green/amber/red threshold values, and the escalation action triggered at the red threshold.
7. Cyber, Technology, and AI Risk
Prompt 31
Write a cybersecurity risk assessment framework aligned with the NIST Cybersecurity Framework (CSF) 2.0. Include coverage of the Govern, Identify, Protect, Detect, Respond, and Recover functions. For each function, list 3 priority risk questions and the risk indicators that signal control weakness.
Prompt 32
Create an AI risk taxonomy for a financial services company deploying machine learning models in credit decisioning, customer service, and fraud detection. Include categories for model risk, data risk, algorithmic bias, explainability risk, regulatory compliance risk, and operational dependency risk. Define each category with examples.
Prompt 33
Draft a technology vendor risk due diligence questionnaire covering the top 20 questions a risk team should ask a SaaS provider before signing a contract. Cover categories including data security, business continuity, subcontractor management, data residency, incident notification, and right-to-audit provisions.
Prompt 34
Write a cloud migration risk assessment for a company moving its core HR and finance systems to a multi-cloud environment. Include pre-migration risks, migration execution risks, post-migration risks, regulatory considerations, and a risk mitigation roadmap with owners and timelines.
Prompt 35
Generate a risk management playbook section for responding to a data breach involving personally identifiable information (PII) for 100,000 customers. Include immediate containment steps, regulatory notification obligations (GDPR, CCPA timelines), customer notification strategy, forensic investigation process, and post-incident remediation checklist.
Get All 35 Prompts in One Place
If these prompts were useful, I've compiled all 35 into a ready-to-use toolkit with bonus prompts and usage notes.
Works with ChatGPT, Claude, and DeepSeek.