The AI-Enabled Risk Manager

Examples of how AI is an opportunity, not just a risk, for Risk Managers.

Mark Scales

Professional woman in business suit standing on modern bridge overlooking office buildings

Most risk managers are spending too much time maintaining the machinery of risk management and not enough time influencing decisions.

This is a problem I keep seeing with my clients. But it’s also a problem I was experiencing myself.

Recently I facilitated a risk workshop and reflected on how I had run these session in the past. I would take photos of butcher’s paper. A team member would type up the notes. The framework changes get drafted. The risk register was manually updated. Then feedback comes back from executives, directors and committee members. The documents gets revised again. Then, three months later, the outcomes of the workshop finally get approved. There was a lot of activity, but very little practical improvement in risk management.

And here is the uncomfortable bit: a lot of that work is not where risk managers create the most value.

The value of risk management is not the register. It is not the framework. It is not the beautifully formatted heat map.

The value is better decisions.

Earlier insight. Clearer trade-offs. Stronger challenge. Better conversations about what the organisation is trying to achieve and what might stop it getting there.

That is why I pay very close attention to AI.

Not because AI replaces the risk manager (It doesn’t) but because AI can take a lot of the admin activity out of risk work and give good risk managers more capacity to do the work that actually matters.

Where AI helps in real risk work

I have been using AI in risk work in very practical ways.

  • Preparing slides for executive and director-level risk workshops.
  • Analysing butcher’s paper notes and audio recordings.
  • Drafting risk category definitions, appetite statements and consequence criteria.
  • Reflecting stakeholder feedback into updated documents.
  • Building maturity assessment criteria.
  • Developing surveys.
  • Capturing and analysing meeting notes.
  • Reviewing survey results and drafting findings.
  • Identifying risks raised in governance forums even where no one has formally said, “this is a risk”.

And the impact is not just speed, although speed matters. The bigger shift is quality of attention.

If AI can help turn three hours of workshop notes into a structured summary in ten minutes, the risk manager can spend their time asking better questions:

  • Does this risk actually belong at enterprise level?
  • Is this a control, or just an intention?
  • Does the rating make sense given what we know?
  • Is this risk outside appetite?
  • What decision does the executive team need to make?

That is the work.

AI helps clear the table so the risk manager can get to it.

A practical example

Now let’s come back to my earlier example of facilitating an annual risk workshop. In the table below I highlight the key steps in the process and how AI was used to save everybody time while producing a great outcome:

Activity Use of AI
Preparation for the workshop - I compared the existing risk framework to ISO31000 to identify gaps and areas for improvement
- I analysed their prior Board papers looking for trends and changes in reporting
- I researched their environmental factors to understand the impacts on the risk profile
I started prior the to workshop by holding 1-on-1 meetings with half a dozen representatives from the business from Directors and Managers. - I prepared a standard agenda for each interview
- I recorded transcripts of each interview
- I created a summary of key observations from the meetings based on the interview transcripts
Preparation of Pre-reading materials and workshop slides - I consolidated research notes and interview observations into some pre-reading materials
- I drafted workshop slides and speaking notes
- I asked for best practice examples to ensure my approach remained contemporary
Facilitation of the workshop - I took transcripts and images from the workshop and produced draft outputs during a lunch break that we then workshopped after the lunch break
Preparation of deliverables - I was able to draft the change to the risk framework (risk category definitions, risk appetite statements, consequence criteria changes) as well as document identified strategic risks for review on the same day as the workshop

What AI changed

The biggest benefits from the use of AI were:

  • It saved time on research.
  • It helped summarise interviews.
  • It helped draft pre-reading material, slides, speaking notes and workshop outputs.
  • It helped turn messy notes into something structured.
  • It helped me get from raw input to useful draft much faster than I could have manually.

But that was not the main benefit. The main benefit was that it changed the timing of the conversation.

In the past, I would run the workshop, capture the outputs, go away and draft the changes. Then the material would come back weeks or months later. By then, the energy of the conversation had moved on along with peoples focus. So people were reviewing words on a page, not continuing the discussion they had just been part of.

This time, we were able to test draft outputs while people were still in the room and still focussed on risk management.

Directors and executives could immediately say:

  • “No, that is not quite what we meant.”
  • “That wording is too broad.”
  • “That would not work in practice.”
  • “That threshold feels too low.”
  • “That is the conversation we need to have at Board level.”

That is very different from sending a paper to a committee meeting three months later and hoping people still remember the context. It made the workshop more useful.

The Directors were not just giving input. They were shaping the output. The executives were not just being consulted. They were testing whether the framework would actually work for the organisation.

That reduces re-work later. It also improves ownership. Because when people help shape the language, they are much more likely to use it.

There were other benefits too.

AI helped connect the dots between the interviews, the workshop discussion, the existing framework and the final deliverables. It helped identify repeated themes. It helped separate risks from issues, controls and general concerns. It helped create a clearer record of why certain changes were proposed.

But the most important thing was this:

It gave me more time to do the work I was actually there to do.

Not typing up notes. Not wrestling with formatting. Not trying to remember what someone said on butcher’s paper two weeks earlier.

The real work was listening carefully, challenging assumptions, testing the language, helping the group make trade-offs and getting the risk framework closer to how the organisation actually makes decisions.

That is where the risk manager adds value. AI did not replace that judgement. It created more room for it.

A prompt you can try

If you’re consider using AI as a Risk Manager, here is a practical prompt you could adapt to start with.

Role: You are acting as an experienced enterprise risk manager. Your role is to help analyse source material and prepare draft risk management outputs for human review. You do not make final risk decisions.

Task: Analyse the source material below and identify risk-related themes, possible changes to the current risk register, emerging risks, control gaps, and matters that require further human judgement.

Source material:

  • Meeting notes: [insert meeting notes]
  • Workshop transcript: [insert workshop transcript]
  • Current risk register: [insert current risk register]
  • Organisation strategy: [insert organisation strategy]
  • Risk appetite framework: [insert risk appetite framework]
  • Board paper: [insert board paper]
  • Survey results: [insert survey results]
  • Risk category to focus on: [insert risk category]

Output required:

  1. A plain-English summary of the main risk themes.
  2. A table of risks clearly supported by the source material, including the evidence for each risk.
  3. A table of possible risks that are based on interpretation or inference, clearly labelled as such.
  4. Suggested updates to existing risk statements, controls or treatment actions.
  5. Possible gaps in controls or assurance.
  6. Questions the risk manager should ask stakeholders before making any updates.
  7. Assumptions and limitations in your analysis.
  8. A short executive summary suitable for a CEO or board paper.

Rules:

  • Distinguish evidence from interpretation.
  • Do not invent facts that are not in the source material.
  • Use plain English.
  • Flag uncertainty clearly.
  • Treat all outputs as draft only.
  • State that a qualified human risk professional must validate, challenge and approve any changes before they are used.

That prompt will not give you a finished answer. What it gives you is a better starting point.

What still needs human judgement

The risk manager still owns the work.

AI does not understand organisational politics the way a person does. It does not know which executive is quietly worried about a project. It does not know which control works on paper but fails every second Friday because the only person who knows the process is on leave. It does not know what the board is really trying to get comfortable with.

AI can help identify patterns. It can draft language. It can challenge consistency. It can translate messy inputs into structured outputs.

But the human risk professional must decide what matters.

That means validating the evidence, checking context, testing ratings, challenging assumptions, considering ethics, applying judgement and deciding what should be escalated.

So while AI is a great support to the model. The risk manager is still critical to the model.

The guardrails matter

There is a right way and a wrong way to use AI in risk work.

Do not paste confidential information, personal information, sensitive board papers or commercially sensitive material into public AI tools unless you have permission and the platform is approved for that use.

If you organisation doesn’t have a defined AI Governance Policy in place yet - check out the article AI Governance for Small and Medium Businesses and Not-for-Profits. There is a link to download the actual AI Governance Policy template we use with our clients.

Most importantly, make sure there is a human review point before anything becomes part of a formal risk register, report or board paper.

Good AI use requires good inputs.

A vague prompt and poor source material will produce a vague answer. Clear context, quality documents, a structured prompt and disciplined review will produce something much more useful. In the case of the StartRisk platform, we build your specific risk framework and ley organisational context into the AI recommendations as essential context. This significantly improves the quality and relevance of recommendations.

The opportunity

There is already a lot of commentary about the risks of AI. Fair enough. Risk people should be part of that conversation.

But we should not stop there.

Risk managers should not sit on the sidelines of AI adoption, warning everyone else about the dangers while ignoring the opportunity in their own work.

The future risk manager is not less human. The future risk manager is more judgement-driven.

Less time formatting registers. More time advising leaders.

Less time chasing updates. More time identifying what has changed.

Less time translating risk language after the fact. More time helping decision-makers understand trade-offs before they commit.

You probably will not lose your job to AI.

But you may lose it to someone who knows how to use AI better than you.

Does adopting AI into your risk workflows sound interesting?
Book a free 30-minute discussion with me and I’d be happy to share my experiences with you.

Book now

More articles