Introduction
This prompt pack provides 10 ready‑to‑use prompts for conducting AI‑assisted risk assessment activities. Designed for risk managers, auditors, compliance officers, and business leaders, these prompts help leverage large language models to streamline risk identification interviews, control gap analysis, risk prioritization workshops, risk register maintenance, and board‑level risk narrative generation. Each prompt is crafted to elicit structured, actionable outputs while maintaining the flexibility to adapt to organizational context, industry specifics, and regulatory requirements. Use these as starting points, customizing the bracketed placeholders with your specific details to get the most relevant results.
Prompt 1: Risk Identification Interview Guide
Role: You are a senior risk facilitator conducting interviews with business unit leaders to identify emerging risks.
When to use: Before risk workshops or when updating the risk register with frontline insights.
Prompt:
Conduct a semi‑structured interview to identify risks in [BUSINESS UNIT/FUNCTION]. Focus on: strategic objectives, operational processes, regulatory changes, technology dependencies, and external factors. For each risk discovered, capture: risk description, potential causes, affected objectives, likelihood (1‑5), impact (1‑5), velocity (speed of onset), and any existing mitigations. Ask open‑ended questions to uncover hidden risks and encourage concrete examples. Structure output as a table with columns: Risk ID, Risk Description, Category, Causes, Affected Objectives, Likelihood, Impact, Velocity, Current Mitigations, Owner.
Tips:
- Replace [BUSINESS UNIT/FUNCTION] with specific areas like “Supply Chain” or “Digital Marketing.”
- Adjust the scoring scale (1‑5) to match your organization’s risk matrix.
- Add industry‑specific risk categories relevant to your sector (e.g., cyber, climate, geopolitical).
Expected output: A structured table of identified risks with preliminary assessment scores and metadata for further analysis.
Prompt 2: Control Gap Analysis Prompt
Role: You are an internal control specialist evaluating control effectiveness against identified risks.
When to use: After risk identification to assess whether existing controls adequately mitigate risks.
Prompt:
Analyze the following risks: [LIST OF RISKS FROM PREVIOUS STEP]. For each risk, identify: control objectives, key controls currently in place, control type (preventive/detective/corrective), control owner, testing frequency, and any noted control deficiencies. Then, identify gaps where: (a) no controls exist, (b) controls are poorly designed, or (c) controls are not operating effectively. For each gap, recommend: control improvements, implementation priority (high/medium/low), estimated effort, and potential residual risk after improvement. Present findings in a gap analysis matrix.
Tips:
- Use actual risk descriptions from your risk register or workshop output.
- Specify control frameworks you follow (e.g., COSO, ISO 27001, NIST CSF) for more targeted analysis.
- Include regulatory requirements relevant to each risk (e.g., GDPR for data‑privacy risks).
Expected output: A control gap analysis matrix highlighting missing, inadequate, or ineffective controls with prioritized remediation recommendations.
Prompt 3: Risk Prioritization Workshop Facilitator
Role: You are a facilitator guiding a cross‑functional team through a risk prioritization exercise using a 5×5 risk matrix.
When to use: During risk assessment workshops to determine which risks require immediate attention versus monitoring.
Prompt:
Facilitate a risk prioritization session for the following risks: [LIST OF RISKS]. Guide the team to assess each risk on two dimensions: likelihood (Rare, Unlikely, Possible, Likely, Almost Certain) and impact (Insignificant, Minor, Moderate, Major, Catastrophic). Use group discussion to reach consensus scores, noting any significant disagreements. Plot each risk on a 5×5 matrix and categorize into: Low (green), Medium (yellow), High (orange), Extreme (red) risk levels. For High and Extreme risks, capture: justification for the rating, urgency of treatment, and resource implications. Output the final prioritized risk list with matrix positions and risk ratings.
Tips:
- Provide clear definitions for each likelihood and impact level to ensure consistent scoring.
- Use anonymous voting tools first to avoid groupthink, then discuss outliers.
- Consider velocity (speed of impact) as a tie‑breaker for risks with similar scores.
Expected output: A prioritized risk list with likelihood/impact scores, matrix positions, risk ratings, and rationale for high‑priority risks.
Prompt 4: Risk Register Review and Update
Role: You are a risk analyst reviewing the existing risk register for completeness, accuracy, and relevance.
When to use: Quarterly or semi‑annually to ensure the risk register reflects current realities.
Prompt:
Review the current risk register entries: [PASTE EXISTING RISK REGISTER CONTENT OR KEY FIELDS]. For each risk, evaluate: (1) Is the risk description still accurate and specific? (2) Have likelihood/impact ratings changed due to new information or environmental shifts? (3) Are existing controls still appropriate and effective? (4) Are risk owners and action owners still correct? (5) Are treatment plans and deadlines still valid? Identify risks that require: re‑assessment, new controls, ownership changes, archiving (if mitigated/obsolete), or escalation. Provide specific update recommendations for each risk requiring changes.
Tips:
- Format your risk register as a table with consistent columns for easier AI processing.
- Include the date of the last review and the next scheduled review for each risk.
- Reference recent events, audit findings, or regulatory changes that might affect risk ratings.
Expected output: A marked‑up risk register with specific update recommendations, re‑assessment flags, and archiving candidates identified.
Prompt 5: Risk Treatment Plan Developer
Role: You are a risk officer developing treatment plans for high‑priority risks requiring active management.
When to use: After risk prioritization to define specific actions for unacceptable risks.
Prompt:
For each High and Extreme risk from the prioritization exercise: [LIST OF HIGH/EXTREME RISKS], develop a comprehensive treatment plan. Specify: treatment option (avoid, transfer, mitigate, accept), specific actions required, responsible owner, required resources (budget, personnel, technology), implementation timeline with milestones, key performance indicators to track effectiveness, and residual risk after treatment. Consider dependencies between risks and potential secondary effects of treatments. For risk transfer options, specify appropriate insurance or contractual mechanisms. Output as an actionable treatment plan table.
Tips:
- Distinguish between preventive actions (reduce likelihood) and mitigative actions (reduce impact).
- Include contingency planning for risks with high velocity or low predictability.
- Align treatment timelines with budget cycles and strategic planning periods.
Expected output: A detailed risk treatment plan table with owners, timelines, resources, and success metrics for each high‑priority risk.
Prompt 6: Risk Scenario Analysis Generator
Role: You are a risk strategist exploring potential future risk scenarios to stress‑test organizational resilience.
When to use: During annual risk planning or when preparing for board strategy sessions.
Prompt:
Generate three plausible risk scenarios for [ORGANIZATION/INDUSTRY] over the next 12‑24 months. Each scenario should combine multiple risk factors (e.g., regulatory change + technology failure + supply‑chain disruption) into a coherent narrative. For each scenario, describe: triggering events, progression timeline, affected business areas, potential financial and operational impacts, effectiveness of existing controls, and gaps in preparedness. Include one baseline scenario (expected conditions), one moderate stress scenario, and one severe stress scenario. Suggest specific preparedness actions for each scenario.
Tips:
- Base scenarios on current emerging risks identified in industry reports or regulatory warnings.
- Use historical analogues (past crises) to increase scenario plausibility.
- Quantify potential impacts where possible (revenue‑loss %, downtime hours, regulatory fines).
Expected output: Three detailed risk scenarios with narratives, impact assessments, and preparedness recommendations.
Prompt 7: Key Risk Indicator (KRI) Designer
Role: You are a risk analytics specialist designing leading indicators to monitor risk exposure.
When to use: When setting up or refining a risk monitoring dashboard for ongoing risk surveillance.
Prompt:
For each of the following risks: [LIST OF PRIORITIZED RISKS], develop 1‑3 Key Risk Indicators (KRIs) that provide early warning of increasing risk exposure. For each KRI, specify: what it measures, data source, calculation methodology, target threshold or trend direction, reporting frequency, and responsible owner. Distinguish between leading indicators (predictive) and lagging indicators (confirmatory). Ensure KRIs are quantifiable, regularly measurable, and directly linked to risk drivers. Output as a KRI dictionary table.
Tips:
- Focus on indicators that change before the risk materializes (leading) rather than after (lagging).
- Consider both quantitative metrics (e.g., % of overdue vendor assessments) and qualitative indicators (e.g., emerging regulatory comments).
- Align KRI thresholds with risk appetite statements and tolerance levels.
Expected output: A KRI dictionary table with measurable indicators, data sources, thresholds, and owners for ongoing risk monitoring.
Prompt 8: Board Risk Narrative Composer
Role: You are a risk executive preparing risk reporting materials for the board of directors or risk committee.
When to use: Before board meetings or when preparing quarterly risk reports for executive leadership.
Prompt:
Compose a concise risk narrative for the board covering the period [TIMEFRAME]. Structure the narrative as: (1) Changes in the risk landscape since last report (new risks, rating changes, emerging trends), (2) Status of high‑priority risks and treatment plan progress, (3) Effectiveness of key controls and any significant control failures, (4) Key Risk Indicator trends and what they signal, (5) Resource allocation for risk management activities, and (6) Emerging risks to watch. Use clear, non‑technical language appropriate for non‑risk‑expert directors. Include one visual recommendation (e.g., heat map, trend chart) to support the narrative.
Tips:
- Focus on material risks that could significantly impact strategy, reputation, or financial performance.
- Connect risk updates to strategic objectives and business initiatives mentioned in board packs.
- Be transparent about uncertainties and limitations in risk assessments.
Expected output: A board‑ready risk narrative in plain language with suggested visual aids for presentation.
Prompt 9: Risk Culture Assessment Survey
Role: You are an organizational development consultant assessing risk‑culture maturity.
When to use: Periodically to evaluate how well risk‑aware behaviors are embedded across the organization.
Prompt:
Design a survey to assess organizational risk culture across these dimensions: tone from the top, accountability, risk communication, learning from mistakes, and risk‑informed decision‑making. For each dimension, create 3‑5 Likert‑scale questions (1‑5: Strongly Disagree to Strongly Agree) that gauge perceptions and behaviors. Include a few open‑ended items for comments and suggestions. Provide guidance on sample size, distribution method, and how to analyze results to produce a culture maturity score and an actionable improvement roadmap.
Tips:
- Keep the survey short enough to achieve a high response rate (15‑20 questions total).
- Pilot the questionnaire with a small group to refine wording.
- Align questions with your organization’s risk appetite and governance framework.
Expected output: A ready‑to‑deploy risk‑culture survey template together with analysis instructions.
Prompt 10: Continuous Improvement Log
Role: You are a risk manager tracking the effectiveness of risk‑management initiatives over time.
When to use: After each risk‑management cycle (e.g., quarterly, after major incidents).
Prompt:
Create a log that captures: (1) Initiative description, (2) Objective, (3) Implementation date, (4) Owner, (5) Success metrics, (6) Actual results, (7) Lessons learned, and (8) Next‑step actions. Populate the log with the most recent three initiatives from your department. Highlight any gaps between planned and actual outcomes and suggest adjustments for future cycles.
Tips:
- Use a simple spreadsheet or a project‑management tool that all stakeholders can access.
- Review the log during risk committee meetings to keep improvement top‑of‑mind.
- Link each initiative back to a specific risk or control gap it was meant to address.
Expected output: A populated continuous‑improvement log that visualizes performance trends and informs future risk‑management planning.
Key Takeaways
- Start with structured interviews – Use Prompt 1 to capture rich, consistent risk data directly from business owners.
- Validate controls early – Prompt 2 helps you spot missing or weak controls before you waste time on low‑impact risks.
- Prioritize visually – Prompt 3’s matrix makes it easy to see which risks need immediate action versus monitoring.
- Keep the register fresh – Prompt 4 ensures your risk register stays accurate and aligned with the latest business reality.
- Turn priorities into plans – Prompt 5 translates high‑risk items into concrete treatment actions, owners, and timelines.
- Stress‑test the future – Prompt 6’s scenario building prepares you for “what‑if” events that could catch the organization off guard.
- Monitor with KRIs – Prompt 7 gives you early‑warning metrics so you can act before a risk materializes.
- Speak the board’s language – Prompt 8 crafts a concise, non‑technical narrative that senior leaders can quickly digest.
- Measure risk culture – Prompt 9 provides a survey framework to gauge how risk‑aware your people really are.
- Learn and adapt – Prompt 10 creates a living log of what worked, what didn’t, and how to improve next time.
Conclusion
These ten prompts give you a complete, end‑to‑end toolkit for AI‑assisted risk assessment. By customizing the placeholders to your organization’s terminology and feeding real‑world data into each step, you’ll generate outputs that are both actionable and aligned with governance standards. Treat the pack as a living framework: run the prompts, review the results, tweak the language, and iterate. Over time the process becomes faster, more consistent, and better integrated into your overall risk‑management program. Start with the interview guide, work through the analysis and prioritization stages, and finish with board‑ready reporting and continuous‑improvement tracking. Your risk function will be more proactive, data‑driven, and ready to support strategic decisions in an increasingly uncertain world.