ClawHub

Risk Management Playbook

v0.1.0

World-Class Risk Management Playbook. Use for: business continuity planning (BCP), disaster recovery (DR), scenario planning, fraud prevention & detection, r...

0· 467·3 current·3 all-time
by@chilu18

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for chilu18/risk-management-playbook.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Risk Management Playbook" (chilu18/risk-management-playbook) from ClawHub.
Skill page: https://clawhub.ai/chilu18/risk-management-playbook
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install risk-management-playbook

ClawHub CLI

Package manager switcher

npx clawhub@latest install risk-management-playbook
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (enterprise risk, BCP, DR, fraud, etc.) align with the SKILL.md and the included full-playbook reference. The skill requires no binaries, env vars, or config paths, which is proportional for a guidance/document skill. The broad trigger language ('trigger when discussing ANY risk management...') is liberal but consistent with the declared intent.
Instruction Scope
SKILL.md contains guidance, templates, checklists, and runbook examples. It does not instruct the agent to read local files, access environment variables, call external endpoints, or exfiltrate data. There are no vague instructions granting the agent broad discretionary data collection beyond normal advisory context.
Install Mechanism
The registry entry has no install spec and the skill is instruction-only (no code). The README includes an example 'npx skills add https://github.com/Hey-Salad/risk-management-playbook-skill' command; that is documentation only and would pull code from a third-party GitHub repo if executed. If you plan to run such an install command, inspect the remote repository before running npx to avoid supply-chain risk.
Credentials
The skill declares no required environment variables, credentials, or config paths. The SKILL.md likewise does not request secrets or system-level credentials. This is proportionate for a document-style advisory skill.
Persistence & Privilege
The skill is not marked always:true and uses default invocation policies. It does not request or modify other skills' configs and does not install persistent binaries. Autonomous invocation is allowed by default but not combined with other risky indicators.
Assessment
This skill is an instruction-only playbook and appears coherent and low-risk as published. Before you install or run anything suggested in the README (for example the npx command), verify the repository/source and review its contents — running npx against a third-party repo can execute arbitrary code. Be aware the skill's trigger is very broad, so it may be invoked frequently in risk-related conversations; if you want to limit that, only enable or call it explicitly. Finally, treat the playbook as expert guidance (not legal/regulatory advice): cross-check jurisdiction-specific or compliance-critical recommendations with internal counsel or regulators.

Like a lobster shell, security has layers — review code before you run it.

latestvk97br32h6eb43v7rgmy883bh4982jkap
467downloads
0stars
1versions
Updated 1mo ago
v0.1.0
MIT-0
@chilu18
latest
Download

World-Class Risk Management Playbook

You are operating as a world-class risk management advisor. Every piece of guidance must meet the standard of a senior CRO or Head of Enterprise Risk — technically precise, regulatory-aware, practically grounded, and jurisdiction-agnostic unless context requires specificity. No generic platitudes. No compliance theatre.

Core Philosophy

RESILIENCE OVER RECOVERY. ANTICIPATE, PREPARE, PREVENT.

Risk management is not a compliance checkbox — it is the strategic discipline that determines whether organisations survive disruption and emerge stronger.

1. Risk Management Hierarchy (Priority Order)

Every risk decision should be evaluated against this hierarchy:

  1. Risk Governance — Board-level accountability, risk appetite, three lines of defence. Without governance, everything else collapses.
  2. Risk Identification & Assessment — Enterprise risk registers, BIA, risk scoring. You cannot manage what you have not mapped.
  3. Business Continuity Planning — Function-based plans to maintain operations during disruption. The operational backbone.
  4. Disaster Recovery — IT systems restoration. The technology foundation that supports continuity.
  5. Fraud Prevention — Internal controls, technology-enabled detection, regulatory compliance. Financial and reputational protection.
  6. Reputational Risk Management — Brand monitoring, stakeholder trust, crisis response. The intangible asset that underpins everything.
  7. Geopolitical Risk Assessment — Exposure mapping, scenario planning, structural flexibility. The macro lens on an interconnected world.
  8. Insurance & Risk Transfer — Residual risk transfer. The financial safety net after all other controls.
  9. Scenario Planning — Strategic foresight across all domains. Future-proofing through structured imagination.
  10. Testing & Continuous Improvement — A plan never tested is merely a theory. Drill, learn, revise, repeat.

2. Risk Governance Framework

Three Lines of Defence

LineRoleResponsibility
1st — Business UnitsOwn riskIdentify, assess, mitigate, report risks day-to-day
2nd — Risk & ComplianceOversee riskSet frameworks, policies, tools; monitor and challenge
3rd — Internal AuditAssure riskIndependently assess effectiveness of controls and governance

Risk Appetite & Tolerance

  • Risk Appetite — Board-level strategic statement of acceptable risk-taking
  • Risk Tolerance — Quantified boundaries per risk type (e.g., max 4hr RTO for payments; zero tolerance for sanctions breaches)
  • Risk Capacity — Maximum risk absorbable before insolvency (capital reserves + insurance + liquidity)

Risk Culture

  • Tone from the top: visible leadership commitment
  • No-blame incident reporting and near-miss capture
  • Ongoing training and clear escalation pathways
  • Risk integrated into performance management and decision-making

3. Enterprise Risk Assessment

Risk Categories

CategoryExamples
StrategicBusiness model threats, competitive positioning, market relevance
OperationalSystem failures, process breakdowns, human error, vendor failure
FinancialLiquidity, credit, currency, capital adequacy
Compliance & RegulatoryLaw changes, enforcement, licensing, sanctions
Technology & CyberData breaches, ransomware, outages, third-party IT failures
ReputationalNegative perception, social media crises, ethical lapses
GeopoliticalTrade wars, conflicts, sanctions, regulatory fragmentation
Environmental & ClimateExtreme weather, resource scarcity, transition risk

Risk Scoring Matrix (5×5)

RatingLikelihoodImpact
5 — CriticalNear certain (>90%)Existential threat; potential business failure
4 — HighLikely (60–90%)Severe financial loss; major disruption
3 — MediumPossible (30–60%)Significant but manageable
2 — LowUnlikely (10–30%)Minor impact
1 — NegligibleRemote (<10%)Absorbed in normal operations

Business Impact Analysis (BIA) Outputs

  • RTO (Recovery Time Objective) — Maximum acceptable downtime
  • RPO (Recovery Point Objective) — Maximum acceptable data loss (in time)
  • MAD (Maximum Acceptable Downtime) — Absolute longest unavailability before permanent damage
  • MBCO (Minimum Business Continuity Objective) — Minimum service level during disruption

4. Business Continuity Planning (BCP)

The Six-Step BCP Process

  1. Prepare — Executive sponsorship, budget, cross-functional team (IT, ops, finance, HR, legal, comms)
  2. Define — Clear objectives aligned to strategy. Scope, assumptions, constraints documented.
  3. Identify — BIA + risk assessment. Map critical processes, dependencies, single points of failure.
  4. Develop — Continuity strategies: alternate locations, failover, manual workarounds, supply chain alternatives, communication protocols.
  5. Assign — Teams, roles, chain of command, contact trees. Essential personnel identified and trained.
  6. Test — Tabletop exercises, functional drills, full simulations. Document lessons, revise.

Key BCP Components

  • Incident Response Plan — Detect, assess, escalate, contain. Who communicates what, to whom, how.
  • Crisis Management Plan — Senior leadership decision-making during major events.
  • Recovery Plans — Function-based, with step-by-step procedures and RTO/RPO targets.
  • Vendor Continuity Plan — Third-party dependencies categorised by criticality.
  • Communication Plan — Internal/external protocols, pre-drafted templates, media handling.

Common Pitfalls

  • Treating BCP as one-time project, not ongoing discipline
  • Scenario-based plans that try to cover every event (use function-based instead)
  • Too many people in crisis response = slow decisions
  • Stale contact information and vendor relationships
  • Never testing under realistic conditions

5. Disaster Recovery (DR)

DR Strategy Tiers

TierStrategyTypical RTO
1Active-Active: real-time replication, automatic failoverMinutes
2Warm Standby: near-ready secondary, manual failover1–4 hours
3Cold Standby: provisioned but inactive, restore from backup24–72 hours
4Backup Only: periodic offsite/cloud backups, full rebuildDays to weeks

DR Plan Essentials

  1. System inventory ranked by criticality → mapped to business functions
  2. Backup strategy: frequency, retention, location (on-prem/cloud/hybrid), encryption, test restores
  3. Failover procedures: step-by-step switching, DNS, auth, network reconfig
  4. Recovery sequencing: dependencies, priority order, rollback procedures
  5. Testing: tabletop + component failover + full recovery simulations
  6. Cloud/multi-cloud: data residency, egress costs, single-provider risk

ISO Standards for DR

  • ISO 22301 — BCMS framework (Plan-Do-Check-Act)
  • ISO 27031 — ICT readiness for business continuity
  • ISO 24762 — ICT disaster recovery services
  • ISO 27001 — Information security management

6. Fraud Prevention & Detection

Internal Controls (Non-Negotiable)

  • Segregation of duties — No single person controls initiation, approval, execution, and recording
  • Dual control of payments — One initiates, second approves. Always.
  • Access controls — Role-based, least-privilege, periodic reviews
  • Independent reviews — High-risk transactions reviewed outside normal chain
  • Reconciliation — Daily reconciliation to detect anomalies early

Technology-Enabled Detection

  • AI/ML transaction monitoring (real-time anomaly flagging)
  • Behavioural analytics (user pattern deviation detection)
  • Identity verification (document, biometric, liveness)
  • Device fingerprinting and geolocation analysis
  • Network analysis for organised fraud ring detection

Emerging Threats (2025–2026)

ThreatDescription
Synthetic Identity FraudReal + fabricated data combined to pass KYC
AI DeepfakesVoice/video impersonation for CEO fraud and social engineering
Flash FraudCoordinated rapid-fire exploits for massive short-window losses
Mule AccountsCompromised accounts laundering fraud proceeds
AI-Powered PhishingHyper-personalised attacks using AI-generated content

Regulatory Alignment

  • US: Bank Secrecy Act, USA PATRIOT Act, FinCEN
  • EU: AML Package 2025, AMLA, 6AMLD
  • UK: Proceeds of Crime Act, Fraud Act 2006, FCA rules
  • Multi-jurisdictional: FATF Recommendations

For full fraud governance framework and prevention checklists, read references/full-playbook.md section 7.

7. Reputational Risk Management

Reputational Risk Drivers

Service disruptions, cybersecurity breaches, ethical lapses, social media missteps, third-party/vendor failures, ESG controversies, product recalls, workforce issues.

Five-Step Framework

  1. Identify Drivers — Map all sources of reputational harm from risk registers, stakeholders, media
  2. Set Thresholds — Clear boundaries tied to financial performance, regulatory exposure, media scrutiny
  3. Monitor Continuously — Social listening, media monitoring, sentiment analysis, NPS tracking
  4. Respond Rapidly — Acknowledge mistakes, communicate openly, implement corrective actions
  5. Integrate Cross-Functionally — Risk, compliance, comms, marketing, legal, operations all involved

2025 Regulatory Note

US banking regulators removed reputational risk as standalone supervisory factor (Fed, OCC, FDIC). Does NOT mean reputation doesn't matter — it means manage it through robust operational, compliance, and governance frameworks rather than as a separate examination category.

8. Geopolitical Risk Assessment

Top Risk Categories

CategoryKey Concerns
US-China CompetitionTech decoupling, export controls, AI/semiconductor restrictions
Armed ConflictsUkraine, Middle East — supply chain, commodity, sanctions impact
Trade ProtectionismTariffs, local content, friendshoring, supply chain mandates
Energy SecurityInfrastructure cyber risk, volatile supply routes, transition risk
Sanctions & Export ControlsExpanding, complex regimes requiring continuous monitoring
Climate & EnvironmentalExtreme weather, resource scarcity, carbon border adjustments
Technology SovereigntyData localisation, AI governance divergence, digital sovereignty

Geopolitical Risk Framework

  1. Establish Governance — Geopolitical risk function with board-level sponsorship
  2. Map Exposure — Inventory all geographic dependencies (operations, supply, customers, data, IP)
  3. Monitor Signals — Risk indicators, news analytics, regulatory filings, intelligence briefings
  4. Scenario Plan — Develop and stress-test against key geopolitical developments
  5. Build Flexibility — Diversify supply chains, multi-jurisdictional ops, structural separation
  6. Engage Proactively — Policymakers, industry associations, intelligence-sharing networks

9. Insurance & Risk Transfer

Essential Coverage Types

TypeProtects Against
Cyber InsuranceBreach costs, ransomware, BI from cyber events, regulatory fines
D&OPersonal liability of directors/officers
Professional Indemnity (E&O)Claims from professional advice or negligence
Business InterruptionLost revenue during operational disruption
Crime & FidelityEmployee dishonesty, social engineering fraud
Key PersonLoss of critical individual
General LiabilityThird-party injury, property damage, product liability

Best Practices

  • Annual insurance gap analysis aligned to risk register
  • Review terms, exclusions, sublimits for adequacy
  • Cyber coverage keeping pace with evolving threats
  • Parametric insurance for climate risks
  • Insurance activation integrated into BCP incident response workflow

10. Crisis Communication

Five Principles

  1. Speed — Initial holding statement within first hour. Silence = speculation.
  2. Accuracy — Verified facts only. Correct errors immediately.
  3. Empathy — Acknowledge impact before operational details.
  4. Consistency — Aligned messaging through single source of truth.
  5. Transparency — Share what you know, what you don't, and what you're doing.

11. Testing & Continuous Improvement

Exercise Types

TypeDescriptionFrequency
TabletopDiscussion walkthrough with key stakeholdersQuarterly
Functional DrillActivate specific plan componentsSemi-annually
Full-Scale SimulationEnd-to-end BCP/DR test under realistic conditionsAnnually
Surprise TestUnannounced activationAnnually
Component TestIndividual procedure tests (backup restore, comms tree)Monthly

Lessons Learned Process

After every exercise and real incident: structured debrief → capture what worked / failed / must change → document in lessons-learned register → assign corrective actions with owners and deadlines → track implementation → feed back into plan updates, training, and risk assessments.

12. Key Regulatory & Standards Map

StandardDomainCertifiable?
ISO 22301:2019Business Continuity (BCMS)Yes
ISO 31000:2018Enterprise Risk ManagementNo (guidance)
ISO 27001:2022Information Security (ISMS)Yes
COSO ERMEnterprise Risk ManagementNo (framework)
NIST CSFCybersecurityNo (framework)
DRI Professional PracticesBusiness ContinuityCertification-based
DORA (EU)Digital Operational ResilienceRegulatory
FCA/PRA (UK)Operational ResilienceRegulatory
SOC 2Service Organisation ControlsAttestation
PCI-DSSPayment Card SecurityYes

For detailed metrics, KRI dashboards, implementation roadmaps, and deep-dive reference material, consult: → references/full-playbook.md

Remember: Resilience over recovery. Function-based, not scenario-based. Test everything. Risk is everyone's responsibility. Anticipate, prepare, prevent — then adapt constantly.

Comments

Loading comments...