AiPro Institute™ Prompt Library
Risk Assessment Matrix
The Logic
This prompt is engineered around 6 core principles that ensure comprehensive, actionable risk assessment:
1. Six-Category Risk Taxonomy (Comprehensive Coverage)
The framework organizes risks into 6 distinct categories (Strategic, Operational, Financial, Compliance/Legal, Reputational, External/Environmental) to ensure comprehensive risk identification. This categorical structure prevents tunnel vision—teams naturally focus on familiar risks (e.g., financial teams see financial risks; tech teams see tech risks) while missing other dimensions. The 6-category mandate forces systematic scanning across all risk domains, typically surfacing 3-5 critical risks that would otherwise be overlooked.
2. Multi-Dimensional Impact Scoring (Beyond Financial)
Traditional risk assessment focuses exclusively on financial impact, missing reputational, operational, and strategic consequences. This framework evaluates impact across 4 dimensions: Financial (revenue/cost impact), Operational (business continuity disruption), Reputational (brand/trust damage), Strategic (objective achievement threat). The Composite Impact Score averages these 4 dimensions, ensuring holistic risk evaluation. Example: A data breach might have moderate financial impact ($500K) but catastrophic reputational impact (brand crisis) → Composite Impact = 4.0, not 3.0.
3. Quantitative Likelihood × Impact Scoring (Objective Prioritization)
The 5×5 Risk Matrix (Likelihood 1-5 × Composite Impact 1-5 = Risk Score 1-25) enables objective, data-driven risk prioritization. This quantitative discipline prevents subjective bias ("everything feels critical") and focuses resources on highest-risk items. Critical Risks (Score 15-25) get immediate executive attention and mitigation resources; Low Risks (Score 1-4) are accepted or monitored passively. The scoring framework also enables trend tracking—are risks increasing or decreasing over time?
4. Tiered Mitigation Response Strategy (Resource Allocation Discipline)
Organizations cannot actively mitigate every risk—resources are finite. This framework implements a tiered response: CRITICAL (15-25) = Immediate action + executive escalation; HIGH (9-14) = Priority mitigation + active monitoring; MEDIUM (5-8) = Planned mitigation + regular check-ins; LOW (1-4) = Accept or passive monitoring. This triage approach focuses 80% of risk management resources on the 20% of risks that pose a genuine threat, while avoiding analysis paralysis on low-probability, low-impact scenarios.
5. Residual Risk Assessment (Post-Mitigation Reality Check)
A common risk management mistake is assuming mitigation eliminates risk. This framework requires Residual Risk Assessment: after implementing mitigation actions, recalculate Likelihood and Impact to determine post-mitigation Risk Score. Example: Cybersecurity risk (Likelihood 4, Impact 5, Score 20) → Implement multi-factor authentication + employee training → Residual Risk (Likelihood 2, Impact 4, Score 8). Residual risk quantifies mitigation effectiveness and identifies when additional controls are needed. Contingency plans address residual risk if it materializes.
6. Dynamic Risk Monitoring Framework (Continuous Reassessment)
Risks are not static—they evolve as circumstances change. This framework establishes review cadence (Critical = Weekly, High = Bi-weekly, Medium = Monthly, Low = Quarterly) to continuously update risk scores, track emerging risks, and measure mitigation effectiveness. Dynamic monitoring prevents the "risk register gathering dust" syndrome where initial assessments become outdated. Risk trend analysis (Are aggregate risk scores increasing or decreasing?) provides early warning of strategic trajectory issues.
Example Output Preview
Example: TechFlow SaaS Platform — New Product Launch Risk Assessment
CONTEXT: B2B SaaS company launching AI-powered workflow automation product; $5M development investment; 12-month launch timeline; enterprise customer segment.
SAMPLE RISKS (5 of 18 identified)
Risk STR-01: Competitive Pre-emption
- Category: Strategic
- Description: Major competitor (e.g., Salesforce, ServiceNow) launches similar AI workflow product before our launch, capturing market first-mover advantage
- Trigger Events: Competitor press releases, patent filings, job postings for AI product managers
- Impact Statement: Loss of differentiation; reduced pricing power; 40-60% lower market share than projected
- Likelihood: 4 (High — 60% probability; we know competitors are investing in AI)
- Composite Impact: 4.5 (Financial: 5, Operational: 3, Reputational: 4, Strategic: 6)
- Risk Score: 4 × 4.5 = 18 (CRITICAL)
Risk OPS-03: AI Model Performance Degradation
- Category: Operational
- Description: AI model accuracy degrades in production due to data drift, adversarial inputs, or edge cases not covered in training data
- Trigger Events: Customer complaints about inaccurate outputs; decline in model confidence scores; new customer data patterns
- Impact Statement: Customer dissatisfaction, churn; support ticket volume spike; negative reviews; need for manual intervention
- Likelihood: 3 (Medium — 40% probability; common issue with ML in production)
- Composite Impact: 3.75 (Financial: 3, Operational: 4, Reputational: 4, Strategic: 4)
- Risk Score: 3 × 3.75 = 11.25 (HIGH)
Risk FIN-02: Customer Acquisition Cost Overrun
- Category: Financial
- Description: CAC exceeds $15K budget (target: $10K) due to longer sales cycles, need for custom demos, or lower conversion rates than projected
- Trigger Events: Demo request → Closed-Won conversion rate <20%; sales cycle >90 days; paid acquisition CPL >$500
- Impact Statement: Unit economics break (LTV:CAC <3:1); need for additional funding; profitability timeline delay 12-18 months
- Likelihood: 3 (Medium — 50% probability; enterprise sales cycles unpredictable)
- Composite Impact: 3.5 (Financial: 4, Operational: 3, Reputational: 3, Strategic: 4)
- Risk Score: 3 × 3.5 = 10.5 (HIGH)
Risk COM-01: Data Privacy Compliance Violation
- Category: Compliance/Legal
- Description: AI model processing customer data violates GDPR, CCPA, or industry-specific regulations (HIPAA, SOC2) due to inadequate data governance
- Trigger Events: Customer audit findings; regulatory inquiry; data subject access request revealing non-compliant processing
- Impact Statement: Fines ($50K-$1M+); enterprise customer contract terminations; sales pipeline freeze pending compliance certification
- Likelihood: 2 (Low — 20% probability; legal team reviewing, but new territory for AI)
- Composite Impact: 4.25 (Financial: 4, Operational: 4, Reputational: 5, Strategic: 4)
- Risk Score: 2 × 4.25 = 8.5 (MEDIUM)
Risk REP-02: AI Bias Scandal
- Category: Reputational
- Description: AI model exhibits demographic bias (gender, race, age) in workflow recommendations, leading to customer complaints or negative press
- Trigger Events: Customer reports of biased outputs; social media backlash; journalist investigation; academic research critique
- Impact Statement: Brand crisis; customer churn; negative national press; executive testimony; product recall/redesign
- Likelihood: 2 (Low-Medium — 25% probability; bias testing conducted but not exhaustive)
- Composite Impact: 4.75 (Financial: 4, Operational: 4, Reputational: 6, Strategic: 5)
- Risk Score: 2 × 4.75 = 9.5 (HIGH)
RISK PRIORITIZATION MATRIX (Partial)
- 🟥 CRITICAL (4 risks): STR-01 (Competitive Pre-emption, Score 18), STR-02 (Product-Market Fit Failure, Score 16), FIN-01 (Funding Gap, Score 15), OPS-01 (Launch Delay, Score 15)
- 🟧 HIGH (6 risks): OPS-03 (AI Model Degradation, Score 11.25), FIN-02 (CAC Overrun, Score 10.5), REP-02 (AI Bias Scandal, Score 9.5), ...
- 🟨 MEDIUM (5 risks): COM-01 (Data Privacy Violation, Score 8.5), ...
- 🟩 LOW (3 risks): ...
MITIGATION STRATEGY (Example: STR-01 Competitive Pre-emption)
- Current Risk Score: 18 (Likelihood 4 × Impact 4.5)
- Strategy Type: Reduce (lower likelihood via speed) + Accept (acknowledge some competitive risk unavoidable)
- Specific Actions:
  - Accelerate Launch Timeline: Compress 12-month timeline to 9 months via agile sprints, scope prioritization (MVP vs. full feature set), parallel workstreams
  - Competitive Intelligence Monitoring: Weekly competitor tracking (product updates, job postings, patents, press); set up Google Alerts; subscribe to industry newsletters
  - Differentiation Moat Building: File 3 provisional patents on unique AI workflow techniques; secure 5 early customer testimonials; develop proprietary dataset advantage
  - Pre-Launch Waitlist & Beta Program: Build 500-person waitlist; launch closed beta with 20 design partners to generate early traction and case studies
- Responsible Owner: VP of Product + CTO
- Timeline: Actions 1-2 immediate (Week 1); Actions 3-4 by Month 3
- Budget: $200K (legal for patents, marketing for waitlist, beta support)
- Residual Risk Assessment:
  - Post-Mitigation Likelihood: 3 (reduced from 4 via faster launch)
  - Post-Mitigation Impact: 4.0 (reduced from 4.5 via differentiation moat)
  - Residual Risk Score: 3 × 4.0 = 12 (HIGH)
  - Risk Reduction: 18 → 12 = 33% reduction
- Contingency Plan (If Competitor Launches First):
  - Early Warning: Competitor product launch announcement, pricing revealed, beta program opened
  - Response Actions: (1) Rapid competitive analysis (feature comparison, pricing positioning); (2) Accelerate differentiation messaging (emphasize our unique capabilities); (3) Offer early adopter discounts (30% off Year 1) to capture customers before competitor establishes dominance; (4) Pivot positioning from "first-to-market" to "best-in-class"
  - Recovery Timeline: 4-6 weeks to stabilize messaging and pipeline
  - Escalation: Immediate CEO/Board notification; weekly executive risk reviews until stabilized
Prompt Chain Strategy
For maximum impact, use this 3-step prompt sequence:
Step 1: Comprehensive Risk Identification
Prompt: "Using the Risk Assessment Matrix framework, identify 20-25 risks across all 6 categories (Strategic, Operational, Financial, Compliance/Legal, Reputational, External/Environmental) for [PROJECT/INITIATIVE]. For each risk, provide: Risk ID, Name, Description, Trigger Events, and Impact Statement. Aim for 3-5 risks per category to ensure comprehensive coverage."
Output: 20-25 identified risks with detailed descriptions and trigger analysis; organized by category.
Step 2: Risk Scoring & Prioritization
Prompt: "For the 20-25 risks identified in Step 1, conduct detailed risk evaluation: (1) Assess Likelihood (1-5 scale) with justification; (2) Score Impact across 4 dimensions (Financial, Operational, Reputational, Strategic) using 1-5 scale; (3) Calculate Composite Impact (average of 4 dimensions); (4) Calculate Risk Score (Likelihood × Composite Impact); (5) Plot risks on 5×5 Risk Matrix and assign tier (Critical/High/Medium/Low). Identify top 10 risks (Critical + High tiers) for mitigation planning."
Output: Scored and prioritized risk matrix; visual heat map; top 10 risks flagged for mitigation.
Step 3: Mitigation Strategies & Contingency Plans
Prompt: "For the top 10 risks (Critical + High) from Step 2, develop comprehensive mitigation strategies: (1) Select strategy type (Avoid/Reduce/Transfer/Accept); (2) Define 3-5 specific mitigation actions with owners, timelines, and budgets; (3) Estimate Residual Risk (post-mitigation Likelihood and Impact); (4) Calculate risk reduction percentage; (5) Create contingency plans including early warning indicators, response actions, recovery timeline, and escalation protocol. Present as actionable risk mitigation roadmap."
Output: Detailed mitigation plans for top 10 risks; residual risk assessment; contingency playbooks; risk mitigation roadmap with timelines.
Human-in-the-Loop Refinements
Enhance AI output with these 6 strategic refinements:
1. Pre-Mortem Analysis (Assume Failure, Work Backward)
Conduct a "pre-mortem" workshop: Assume the project failed catastrophically 12 months from now. Ask team members: "What went wrong?" This reverse-engineering exercise surfaces risks people are reluctant to voice in traditional forward-looking risk assessment (political sensitivity, fear of negativity). A pre-mortem typically identifies 3-5 critical risks that standard brainstorming misses, particularly organizational/cultural risks (leadership conflict, resource battles, strategic misalignment).
2. Historical Failure Case Studies (Learn from Others' Mistakes)
Research 5-10 similar projects, product launches, or initiatives in your industry that failed. Analyze: (a) What risks materialized? (b) Which were anticipated vs. blindsides? (c) What mitigation strategies failed? (d) What would have prevented failure? Map these historical risks to your current risk inventory. Example: If launching an AI product, study the IBM Watson Health failure, the Google Health shutdown, and the Zillow iBuying disaster—what risks can you learn from their failures?
3. Second-Order Risk Analysis (Risk Cascades)
For each Critical risk, identify "second-order effects"—what other risks are triggered if this risk materializes? Example: Primary Risk = "Key engineer quits" → Second-Order Risks = (1) Knowledge loss delays product; (2) Team morale drops, triggering more departures; (3) Customer confidence erodes if engineer was client-facing. Create risk cascade maps showing domino effects. This systems thinking reveals concentration risk—single events that trigger multiple failures—and guides prioritization toward preventing cascade triggers.
4. Red Team Challenge (Adversarial Stress-Testing)
Assign a "Red Team" (3-4 skeptical, critical thinkers) to challenge the risk assessment: (a) Are likelihood scores too optimistic? (b) Are impact scores underestimating worst-case scenarios? (c) Are mitigation strategies realistic or wishful thinking? (d) What risks are missing from the inventory? The Red Team's job is constructive antagonism: poking holes in the analysis. This adversarial review typically increases aggregate risk scores by 15-20% and surfaces 3-5 overlooked risks, producing more realistic, defensible risk assessments.
5. Risk Budget Allocation (Forced Trade-offs)
Assume you have a fixed "risk mitigation budget" (e.g., $500K, 3 FTEs, 6 months of leadership attention). Force prioritization decisions: Which risks get active mitigation resources? Which are accepted? Which are transferred (insurance, outsourcing)? This constraint-based exercise prevents the "mitigate everything" trap and focuses resources on highest-ROI risk reduction. Calculate "risk reduction per dollar" for each mitigation strategy to optimize allocation: Mitigation A reduces Risk Score from 18→8 (10-point reduction) for $100K = 0.1 point per $1K; Mitigation B reduces 12→6 (6-point reduction) for $30K = 0.2 point per $1K → prioritize B.
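The scoring, tiering, residual-risk and reduction-per-dollar arithmetic from Principles 2-5 and Refinement 5, as an added Python example that is not part of the prompt library. The function names, the register layout and the `SAMPLE` entries are my own, with the entries built from three of the page's sample risks; the range check enforces the 1-5 scale the framework states.

```python
"""Risk Assessment Matrix scoring (added example, not the prompt library's code):
Composite Impact = mean of four 1-5 dimensions; Risk Score = Likelihood x Impact."""

DIMENSIONS = ("financial", "operational", "reputational", "strategic")

def _check_scale(name, value):
    """Inputs must sit on the page's 1-5 scale; a stray 6 silently inflates scores."""
    if not 1 <= value <= 5:
        raise ValueError(f"{name}={value} is outside the 1-5 scale")

def composite_impact(financial, operational, reputational, strategic):
    """Principle 2: average of the four impact dimensions."""
    dims = (financial, operational, reputational, strategic)
    for name, value in zip(DIMENSIONS, dims):
        _check_scale(name, value)
    return sum(dims) / len(dims)

def risk_score(likelihood, impact):
    """Principle 3: Likelihood (1-5) x Composite Impact (1-5) = Risk Score (1-25)."""
    _check_scale("likelihood", likelihood)
    _check_scale("impact", impact)
    return likelihood * impact

def tier(score):
    """Principle 4: CRITICAL 15-25, HIGH 9-14, MEDIUM 5-8, LOW 1-4 (8.5 -> MEDIUM)."""
    floors = ((15, "CRITICAL"), (9, "HIGH"), (5, "MEDIUM"), (0, "LOW"))
    return next(name for floor, name in floors if score >= floor)

def reduction_percent(before, after):
    """Principle 5: share of the original Risk Score removed by mitigation."""
    return round((before - after) / before * 100)

def reduction_per_1k_usd(before, after, cost_usd):
    """Refinement 5: Risk Score points removed per $1K of mitigation spend."""
    return (before - after) / (cost_usd / 1000)

def prioritize(register):
    """register: {risk_id: (likelihood, {dimension: score})} -> rows sorted by score."""
    rows = []
    for risk_id, (likelihood, dims) in register.items():
        score = risk_score(likelihood, composite_impact(**dims))
        rows.append((risk_id, score, tier(score)))
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed register built from three of the page's sample risks.
SAMPLE = {
    "OPS-03": (3, dict(financial=3, operational=4, reputational=4, strategic=4)),
    "FIN-02": (3, dict(financial=4, operational=3, reputational=3, strategic=4)),
    "COM-01": (2, dict(financial=4, operational=4, reputational=5, strategic=4)),
}
```

Two of the page's sample risks (STR-01 and REP-02) list a dimension score of 6 on the 1-5 scale; `_check_scale` rejects those, which is precisely the kind of inconsistency the check exists to catch before a score is reported.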
6. Risk Appetite Calibration Workshops (Define "Acceptable Risk")
Risk appetite is often vague ("we're moderate risk-takers"). Make it concrete via calibration workshops: Present 5-7 real or hypothetical risk scenarios with quantified likelihood and impact. Ask leadership: "Would you proceed given this risk profile?" Example: "Risk of 30% probability of $2M loss vs. 70% probability of $8M gain—proceed or not?" Map responses to establish quantitative risk thresholds (e.g., "We accept risks up to Score 12; anything 15+ requires Board approval"). This calibrated risk appetite guides consistent decision-making and prevents ad-hoc, emotion-driven risk responses.