Risk Management School

AI & Prompting for Risk Management

Written by Risk Management School | 31 March 2026

 

In this session, Isabella Campo dives into AI & Prompting for Risk Management. The question is not “Should we use AI?” but “Are we using it safely, strategically, and effectively?” Learn how, in risk management, the quality of AI insights depends on the quality of the prompt. Discover how a well-designed prompt—setting context, role, objective, and output format—can turn generic responses into actionable intelligence for smarter, more informed decisions.

The question is not “Should we use AI?”

The question is: Are we using it safely, strategically, and effectively?

In risk management, the quality of the answer depends on the quality of the brief. A well-designed prompt sets context, role, objective, and output format, transforming generic responses into actionable intelligence.

AI dictionary for dummies  

  • AI: A type of advanced software that doesn't just follow instructions; it learns from patterns and mimics human intelligence.
  • Prompt: Your instructions to the AI. Better instructions = better results.
  • Generative AI: AI that creates stuff (text, images, or code) instead of just sorting it.
  • Hallucination: When AI makes things up confidently. This is why it needs you to fact-check it. 

The issue usually isn’t AI. It’s how we prompt it. 

AI can think clearly — if we guide it clearly.

Vague prompts create generic output.
Missing context leads to weak analysis.
Misaligned framing creates compliance risk.
Well-structured prompts generate decision-ready insight. 

5 keys to create powerful prompts

Good prompting isn’t luck. It’s structure. 

Context Is Everything 

AI doesn’t guess.
It works with what you give it.

Include:
• Industry
• Country & regulation
• Process or risk area
• Available data

Assign a Role 

Tell AI who it should be.

“Act as a Senior Operational Risk Officer.”
“Act as an AML Compliance Specialist.”

A defined role:
• Reduces generic answers
• Improves technical depth
• Aligns tone and perspective

Be Specific About the Task 

Avoid: “Help me with this.”

Use action verbs:
• Build
• Analyze
• Prioritize
• Summarize
• Evaluate

Clarity multiplies quality.

Align With Standards 

Anchor the analysis.

Reference:
• ISO 31000
• COSO ERM
• NIST
• Basel

Frameworks guide the thinking and reduce interpretation errors.

Define the Output Format

Without format, AI improvises.
With format, AI delivers value.

Specify:
• Table
• Risk matrix
• Executive summary
• Checklist
• Bullet points

Format turns insight into action.

Anatomy of a Strong Risk Prompt

“Act as a Cybersecurity Risk Analyst (focus on assessing technological threats, system vulnerabilities, and compliance with information security frameworks, e.g., NIST, ISO 27001; oriented towards data protection and IT resilience). Your task is to: Define Metrics and Indicators in the Cybersecurity Risk area (risks associated with the confidentiality, integrity, and availability of information systems and data, including threats like ransomware, DDoS attacks, phishing, and personal data breaches). Task details: Cybersecurity Risk Mitigation Plan for Server Outage. Business Context: This risk applies to the Mining sector and a company with 101-1000 employees. Additional Context: We are a mining company in the US with servers on AWS for information storage. Constraints: You must comply with the following: Do not include specific company details. Output Format: Present the result using the Checklist Format (present the risks or controls as an easy-to-verify checklist; each element must be a binary question (Yes/No/N/A) about the existence or effectiveness of the control or risk).”

ROLE + TASK + RISK AREA + SECTOR / INDUSTRY + COMPANY SIZE + CONTEXT + CONSTRAINTS + FORMAT
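As an added example (not part of the original session), the formula above can be enforced in code: the prompt is only assembled when all eight components are present and none of them contains details that the "Do not include specific company details" constraint is meant to keep out. The field names, the function names and the detection patterns are assumptions made for this sketch, and the patterns are illustrative rather than exhaustive.

```python
import re

# The eight components of the formula above, in order (field names are assumed).
COMPONENTS = ["role", "task", "risk_area", "sector", "company_size",
              "context", "constraints", "output_format"]

# Assumed patterns for details that should not be sent to an external AI service.
SENSITIVE = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "aws_arn": re.compile(r"\barn:aws:[\w-]*:[\w-]*:\d{12}:\S+"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

def find_sensitive(fields):
    """Return sorted (field, kind) pairs for values matching a sensitive pattern."""
    return sorted((name, kind) for name, value in fields.items()
                  for kind, pat in SENSITIVE.items() if pat.search(value))

def build_prompt(fields):
    """Assemble the prompt, refusing incomplete or leaky input."""
    missing = [c for c in COMPONENTS if not fields.get(c, "").strip()]
    if missing:
        raise ValueError("missing components: " + ", ".join(missing))
    hits = find_sensitive(fields)
    if hits:
        raise ValueError(f"sensitive details found: {hits}")
    return (f"Act as a {fields['role']}. "
            f"Your task is to: {fields['task']} in the {fields['risk_area']} area. "
            f"Business Context: This risk applies to the {fields['sector']} sector "
            f"and a company with {fields['company_size']} employees. "
            f"Additional Context: {fields['context']} "
            f"Constraints: {fields['constraints']} "
            f"Output Format: {fields['output_format']}")

# Constructed sample input, modelled on the example prompt above.
SAMPLE = {
    "role": "Cybersecurity Risk Analyst",
    "task": "Define Metrics and Indicators",
    "risk_area": "Cybersecurity Risk",
    "sector": "Mining",
    "company_size": "101-1000",
    "context": "We are a mining company in the US with servers on AWS.",
    "constraints": "Do not include specific company details.",
    "output_format": "Checklist of binary (Yes/No/N/A) questions.",
}

if __name__ == "__main__":
    print(build_prompt(SAMPLE))
```

A check like this catches only the patterns it knows about; a human review of the context field is still needed before the prompt leaves the organisation.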

 

 

The Risks of Using AI in Risk Management 

  1. Data confidentiality issues

  2. Over-reliance

  3. Regulatory concerns

  4. Bias

Important:
AI outputs are hypotheses — not validated conclusions.