Identify, qualify and prioritize organization or process risks in 2-4 hours with exhaustive coverage.
Risk analysis is at the heart of the auditor's added value: identify what can go wrong, qualify its severity, propose mitigation measures. Traditionally it requires hours of document review, interviews and mapping. AI lets you broaden coverage and accelerate the production of structured matrices (probability × impact), while the auditor's expertise is retained for the final judgement. This guide presents a rigorous workflow for exhaustive, defensible and actionable risk analyses.
Step-by-step Workflow
1. Frame the scope
Organization type, sector, size, process to analyze, applicable framework (COSO, ISO 31000, sector standards). Without clear framing, the analysis stays superficial.
2. Identify risk families
Have the AI produce the risk families relevant to the context: operational, financial, compliance, IT/cyber, reputational, strategic, ESG. Adapted to the sector.
3. Detail risks by family
For each family: 5-10 concrete typical risks. AI is good at breadth and rarely omits a standard sector risk; human validation adds what is specific to the client.
4. Qualify probability × impact
For each risk: probability (1-5) and impact (1-5). The AI proposes estimates based on the sector; the auditor validates or adjusts them using client knowledge.
5. Propose mitigation measures
For major risks (red zone of the matrix): preventive, detective and corrective measures, prioritized by effort versus effectiveness. Output: an action plan for management.
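Steps 4 and 5 produce numbers (probability, impact, P × I, residual score after mitigation) that the auditor must not take on trust: language models regularly get the arithmetic wrong, score outside the 1-5 scale, or propose a residual score higher than the inherent one. The following Python is an added example, not code from the original page or from any tool it recommends. It assumes the model was asked to return its register as JSON with the fields shown (the page's prompts ask for a markdown table, so adapt the parsing), and the red-zone threshold (P × I ≥ 15) and effort-to-cost mapping are assumptions to replace with the client's own matrix. The sample register is constructed and deliberately contains the defects described.

```python
import json

# Constructed sample of a model's answer to the sector-mapping prompt, in an
# assumed JSON shape. Deliberate defects: R3 claims 15 for 4 x 4 (arithmetic
# slip) and R5 scores probability 6 on a 1-5 scale.
SAMPLE_REGISTER = """
[
 {"id": "R1", "family": "IT/cyber", "description": "Ransomware on ERP",
  "probability": 4, "impact": 5, "score": 20, "to_refine": false},
 {"id": "R2", "family": "compliance", "description": "GDPR notification deadline missed",
  "probability": 3, "impact": 4, "score": 12, "to_refine": true},
 {"id": "R3", "family": "operational", "description": "Single supplier for key component",
  "probability": 4, "impact": 4, "score": 15, "to_refine": false},
 {"id": "R4", "family": "financial", "description": "Unhedged FX exposure",
  "probability": 2, "impact": 3, "score": 6, "to_refine": false},
 {"id": "R5", "family": "reputational", "description": "Deepfake of the CEO",
  "probability": 6, "impact": 4, "score": 24, "to_refine": false}
]
"""

SCALE = range(1, 6)        # probability and impact are scored 1-5
RED_ZONE_MIN_SCORE = 15    # assumption: P x I >= 15 is the red zone
AMBER_MIN_SCORE = 8        # assumption: 8-14 amber, below 8 green
EFFORT_COST = {"low": 1, "medium": 3, "high": 9}  # assumption: relative cost units


def load_register(text):
    """Parse the model's register; return (accepted risks, findings).

    Scores are recomputed locally; the model's own 'score' field is only
    compared against the recomputation, never used. Out-of-range entries are
    rejected rather than clamped, so the auditor sees them explicitly.
    """
    accepted, findings = [], []
    for raw in json.loads(text):
        rid = raw.get("id", "?")
        p, i = raw.get("probability"), raw.get("impact")
        if p not in SCALE or i not in SCALE:
            findings.append(f"{rid}: probability/impact outside 1-5 ({p}, {i}); rejected")
            continue
        score = p * i
        if raw.get("score") != score:
            findings.append(f"{rid}: model claimed score {raw.get('score')}, recomputed {score}")
        if raw.get("to_refine"):
            findings.append(f"{rid}: marked [TO REFINE], needs client validation")
        accepted.append({**raw, "score": score})
    return accepted, findings


def zone(risk):
    """Map a recomputed score to the matrix colour (thresholds are assumptions)."""
    s = risk["score"]
    return "red" if s >= RED_ZONE_MIN_SCORE else "amber" if s >= AMBER_MIN_SCORE else "green"


def top_risks(risks, n=15):
    """Summary matrix: highest criticality first, impact breaks ties."""
    return sorted(risks, key=lambda r: (r["score"], r["impact"]), reverse=True)[:n]


def prioritize_mitigations(risk, measures):
    """Rank measures by ROI = criticality reduction / cost.

    'residual_score' is the model's estimate after the measure. A residual
    above the inherent score (a common model slip) is flagged and skipped
    instead of yielding a negative reduction.
    """
    ranked, findings = [], []
    for m in measures:
        residual = m["residual_score"]
        if not 0 < residual <= risk["score"]:
            findings.append(f"{risk['id']}/{m['name']}: residual {residual} not within 1..{risk['score']}")
            continue
        ranked.append((m["name"], (risk["score"] - residual) / EFFORT_COST[m["effort"]]))
    ranked.sort(key=lambda t: t[1], reverse=True)
    return ranked, findings


if __name__ == "__main__":
    risks, findings = load_register(SAMPLE_REGISTER)
    for f in findings:
        print("FINDING:", f)
    for r in top_risks(risks):
        print(r["id"], r["score"], zone(r), r["description"])
```

Run on the sample, the checker rejects R5, reports R3's arithmetic error (recomputed 16, which moves it into the red zone the model's own figure kept it out of) and lists R2 as needing client validation; only then are the remaining risks ranked. The same pattern applies to the mitigation prompt: feed each proposed measure's residual score and effort through `prioritize_mitigations` and let the ROI ordering, not the model's narrative, drive the action plan.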
Copyable Prompts
Sector risk mapping
You are a senior risk-management auditor. For this organization:

**Sector**: [PRECISE SECTOR]
**Size**: [HEADCOUNT, REVENUE]
**Activity**: [5-LINE DESCRIPTION]
**Analysis scope**: [PROCESSES / FUNCTIONS]
**Applicable framework**: [COSO / ISO 31000 / SECTOR-SPECIFIC]

Produce an exhaustive risk mapping:

1. **Risk families** relevant for this context (5-8 families)

2. **For each family**, list 5-10 concrete risks with:
 - Precise description
 - Estimated probability (1-5) with justification
 - Estimated impact (1-5) on dimensions: financial / operational / reputational / compliance
 - Criticality score (P × I)
 - Materialization indicators (weak signals to watch)

3. **Summary matrix**: top 15 risks by criticality

4. **Red zones**: risks requiring immediate mitigation

Mark [TO REFINE] anything that requires local validation (client-specific probability, impact depending on insurance coverage, etc.).
Mitigation plan for major risks
For these risks identified in the red zone:

[LIST RISKS + SCORES]

Produce a structured mitigation plan for each risk:

1. **Preventive measures**: what reduces probability
2. **Detective measures**: what allows rapid detection of materialization
3. **Corrective measures**: what allows effective response if the risk materializes
4. **KRIs (Key Risk Indicators)**: 2-3 indicators to monitor continuously
5. **Suggested owner** in the organization
6. **Implementation effort**: low / medium / high
7. **Estimated cost** (order of magnitude)
8. **Expected criticality reduction** after mitigation

Format: summary table + detail by risk. Prioritize by ROI (risk reduction / cost).
Audit of existing risk matrix
Audit this risk matrix:

[PROVIDED MATRIX]

Client context:
[CONTEXT]

Produce:
1. **Consistency summary**: is the matrix exhaustive and well-calibrated?
2. **Missing risks**: families or risks not identified
3. **Over-estimated / under-estimated risks**: with justification
4. **Lack of granularity**: risks too generic that deserve splitting
5. **Recommendations** to improve the matrix:
 - Risks to add (3-5)
 - Probability/impact recalibrations
 - Follow-up indicators to introduce
6. **Format**: is the matrix usable by management? Or too technical / not actionable enough?
Emerging risks 2026
For sector [SECTOR] and organization [SIZE / CONTEXT], identify emerging risks for 2026-2027:

1. **AI-related risks**: internal use (GDPR, AI Act), supplier dependency, hallucinations in critical processes
2. **Cyber risks**: ransomware, supply chain attacks, AI model compromise
3. **Climate and ESG risks**: physical exposure, transition, CSRD compliance
4. **Regulatory risks**: foreseeable legislative changes in the sector
5. **Geopolitical risks**: impact on supply chain, data, talent
6. **Disinformation risks**: deepfakes, reputational harm

For each emerging risk: (a) description, (b) probability of impact at 12-24 months, (c) materialization indicators, (d) first measures to consider.
Recommended tools
Claude Opus 4.5
★ 4.9 (92) · 20 USD/month
Claude Opus 4.5: Anthropic's premium model for code, agents and complex enterprise tasks.
Why: The strongest option for complex risk analyses that require multi-level reasoning and the ability to propose nuance.
For common risks in a sector: yes, its estimates are reasonable, based on sector patterns it knows. For client-specific risks (governance, culture, incident history): no; those nuances require auditor expertise. AI proposes, the auditor adjusts.
How to integrate AI into ERM (Enterprise Risk Management)?
Three key uses: (1) initial mapping and annual update, (2) continuous watch on emerging risks (what external auditors often can't do continuously), (3) audit committee reporting. AI doesn't replace the risk manager, it augments them.
Bias risk in AI analysis?
Real. AI can overestimate media-hyped risks and underestimate less visible ones. Audit its analyses: (a) are the results consistent with your sector intuition? (b) are there obvious risks it forgot? (c) does the probability/impact calibration truly reflect your context, or the sector average?
Can AI detect potential fraud?
For pre-screening (statistical anomaly analysis, unusual ratios, suspicious patterns in entries): yes, one of its best use cases. For fraud qualification (intent, scheme): human judgement. The combination: AI for mass screening, the auditor for targeted investigation.