Use Case 11: Generate an Executive summary for Risk Assessment
Link to Video: Linkedin
In this case, we would like to generate a Risk Assessment summary that would analyze:
- Processes
- Risks for each of the processes
- Controls mitigating the above risks
- Issues identified for each control
OpenPages Version required: 9.1 (requires the ability to use views as input)
Model Definition
Model input: Here we build a view specifically for AI input, which lets us selectively identify the information to be sent to the model
The View includes:
- A few key fields for the risk assessment
- Grid: Process with a few key fields
- Grid: Risk with a few fields (including Inherent Risk Rating, Residual Risk Rating)
- Grid: Controls with a few key fields (including Design Effectiveness and Operating Effectiveness)
- Grid for Issue with a few key fields
The challenge was to make the model understand which risks are related to which process, which control is related to which risk, and which issue is mapped to which control.
Leveraging the auto-naming that provides the name of the parent, we were able to instruct the model to look at the name.id to infer the dependencies.
AI input View: See attached PDF
Model Used: Llama 3.3 70b
Prompt:
Analyze the risk assessment below which include Process, their respective risk, respective controls, and control issues
Try:
Identify weakness area
Identify inconsistencies
In your analysis provide:
1 Overview
2 Strength
3 Weakness area
4 Potential Inconsistencies (if some inconsistencies appear explain otherwise just write: no inconsistencies identified, review and provide final assessment). If a control is rated high but a number of issues are still open this would probably indicate inconsistencies (be explicit by listing or identifying the title of activities)
5 Recommendations
Risk Assessment information
{objectJson}
In the json above, processes have risks, risks have controls, and controls have issues. the ID fields provides the ID of the parent allowing to reconstruct the relationship between objects types and allows to spot inconsistencies such a control that is rated high with issues still open
as an example to understand dependencies in the data:
in the JSON data If an issue name.id is "ABC Financial Institution_PROC_000550_RIS_0000906_CON_00000596_ISS_002" then it would be related to:
process name.id that contains "PROC_000550"
risk name.id that contains "PROC_000550_RIS_0000906"
control name.id that contains "PROC_000550_RIS_0000906_CON_00000596"
The Analysis should be in HTML only, just the content of the analysis,
and title start at <h5> and we should have 2 line space <br><br> between each section
Bullets use <ul><li> tags
object title are in bold using <b> tags only
End the analysis after the recommendation section with <br><br>"Note: The analysis is based on the provided information and may not be comprehensive or exhaustive. Additional information and context may be necessary to provide a more detailed and accurate analysis." in bold text using <b>
Analysis:
The prompt has a few sections
- Context
- Instruction on how to analyze the content
- JSON variable - when using an input view the variable is hardcoded {ObjectJson}
- The instruction to understand the dependencies
- Instruction for HTML output
- Instruction on how to end
Stop Sequence :
</h3>·
Variable example {objectJson}:
NOTE: In order to get the actual view you will need to go into the Debug Log (for Machine Learning) to get the exact example you would get
{
"Process, Risk, Control information ": {
"Issues": {
"relationshipType": "descendants",
"objectTypeName": "SOXIssue",
"relatedObjects": [
{
"Status": "Open",
"Impact": "Significant",
"Description": "Finance Employee Circumvents Approval Workflow, Leading to $750,000 Fraudulent Vendor Payment\n\nIssue Description:\nA recent internal audit uncovered that an employee in the Accounts Payable department exploited a loophole in the Vendor Payment Approval Workflow, bypassing the required dual-approval process to authorize a fraudulent vendor payment of $750,000.\n\nThe fraudulent payment was made to a shell company that had been fraudulently registered as a legitimate vendor. Since the system lacked proper validation checks to ensure all approvals were completed, the employee was able to override the workflow and process the payment without senior management approval.",
"Priority": "High",
"Probability": "Likely",
"Name": {
"id": "ABC Financial Institution_PROC_00044_RIS_0000106_CON_00000196_ISS_002",
"title": "Bypass of Vendor Payment Approval Process Resulted in Fraudulent Payment"
}
},
{
"Status": "Open",
"Impact": "Significant",
"Description": "Duplicate Payment of Vendor Invoice Due to Inadequate Workflow Execution\n\nIssue Description:\nAn internal review identified a duplicate payment of $75,000 made to a legitimate vendor due to insufficient execution of the Vendor Payment Approval Workflow. The initial payment was properly approved; however, due to a system error, the same invoice was reprocessed and approved again without verification against previous payments. The issue was identified only after the vendor reported receiving duplicate funds.\n\nRoot Cause:\n\nLack of automated invoice reconciliation checks within the approval workflow.\nManual errors and oversight during second payment approval process.",
"Priority": "High",
"Probability": "Likely",
"Name": {
"id": "ABC Financial Institution_PROC_00044_RIS_0000106_CON_00000196_ISS_003",
"title": "Insufficient Approval Caused Duplicate Vendor Payment"
}
},
{
"Status": "Open",
"Impact": "Not Determined",
"Description": "During a recent audit by the regulatory body, it was discovered that the organization failed to implement Automated Compliance Checks as mandated under financial regulations. As a result, several high-value transactions were processed without proper screening, violating Anti-Money Laundering (AML) and Know Your Customer (KYC) regulations.\n\nSpecifically, the audit identified 15 transactions totaling $3.2 million that were conducted by entities flagged on global sanctions lists. The absence of automated compliance screening allowed these transactions to bypass manual reviews, exposing the company to regulatory penalties of up to $500,000 and reputational damage.",
"Priority": "Not Determined",
"Probability": "Not Determined",
"Name": {
"id": "Failure to Implement Automated Compliance Checks Led to Regulatory Violation",
"title": null
}
}
]
},
"Process included in Risk Assessment": {
"relationshipType": "children",
"objectTypeName": "SOXProcess",
"relatedObjects": [
{
"Status": "Awaiting Approval",
"Description": "Manages financial transactions including payments, refunds, and transfers. Ensures accuracy, detects fraudulent activities, and complies with financial regulations to prevent financial loss and operational risks.",
"Name": {
"id": "ABC Financial Institution_PROC_00042",
"title": "Transaction Processing"
}
},
{
"Status": "Awaiting Assessment",
"Description": "Conducts identity verification for new customers by collecting and validating personal data, government-issued IDs, and financial history. Ensures compliance with Anti-Money Laundering (AML) and Know Your Customer (KYC) regulations.",
"Name": {
"id": "ABC Financial Institution_PROC_00043",
"title": "Customer Onboarding & KYC"
}
},
{
"Status": "Awaiting Assessment",
"Description": "Handles vendor registration, invoice verification, and payment processing. Ensures payments are made to legitimate vendors, preventing fraud and payment discrepancies through approval workflows and reconciliation.",
"Name": {
"id": "ABC Financial Institution_PROC_00044",
"title": "Vendor Payments & Account Management"
}
}
]
},
"Risk": {
"relationshipType": "descendants",
"objectTypeName": "SOXRisk",
"relatedObjects": [
{
"Inherent Risk Rating": "High",
"Description": "Fraudulent or unauthorized transactions caused by weak authentication, system loopholes, or insider threats. Can lead to financial loss, reputational damage, and regulatory penalties.",
"Residual Risk Rating": "Low",
"Name": {
"id": "ABC Financial Institution_PROC_00042_RIS_0000101",
"title": "Unauthorized Transactions"
}
},
{
"Inherent Risk Rating": "Medium",
"Description": "Incorrect, incomplete, or tampered financial data due to human error, system failures, or cyberattacks. May impact financial reporting, compliance audits, and operational decision-making.",
"Residual Risk Rating": "Low",
"Name": {
"id": "ABC Financial Institution_PROC_00042_RIS_0000102",
"title": "Data Integrity Failures"
}
},
{
"Inherent Risk Rating": "Medium",
"Description": "Failure to meet financial regulations such as AML, GDPR, and SOX. Can result in heavy fines, operational restrictions, and loss of business licenses.",
"Residual Risk Rating": "Low",
"Name": {
"id": "ABC Financial Institution_PROC_00042_RIS_0000103",
"title": "Regulatory Non-Compliance"
}
},
{
"Inherent Risk Rating": "High",
"Description": "Failure to properly verify customers before allowing financial transactions, increasing the risk of money laundering, fraud, and regulatory violations.",
"Residual Risk Rating": "Low",
"Name": {
"id": "ABC Financial Institution_PROC_00043_RIS_0000104",
"title": "Inadequate Customer Due Diligence"
}
},
{
"Inherent Risk Rating": "Medium",
"Description": "Fraudsters using stolen or fake identities to open accounts and conduct financial crimes. This risk affects customer trust and regulatory compliance efforts.",
"Residual Risk Rating": "Low",
"Name": {
"id": "ABC Financial Institution_PROC_00043_RIS_0000105",
"title": "Identity Fraud"
}
},
{
"Inherent Risk Rating": "Very High",
"Description": "Fraudulent transactions made to fake or compromised vendors, often through insider collusion or lack of proper payment verification controls.",
"Residual Risk Rating": "Low",
"Name": {
"id": "ABC Financial Institution_PROC_00044_RIS_0000106",
"title": "Vendor Fraud"
}
},
{
"Inherent Risk Rating": "Very High",
"Description": "Errors in processing payments such as duplicate payments, incorrect amounts, or misallocated funds. These errors can cause financial losses and disrupt operations.",
"Residual Risk Rating": "Low",
"Name": {
"id": "ABC Financial Institution_PROC_00044_RIS_0000107",
"title": "Payment Processing Errors"
}
},
{
"Inherent Risk Rating": "High",
"Description": "Fraudulent or unauthorized transactions caused by weak authentication, system loopholes, or insider threats. Can lead to financial loss, reputational damage, and regulatory penalties.",
"Residual Risk Rating": "Low",
"Name": {
"id": "ABC Financial Institution_PROC_00044_RIS_0000108",
"title": "Unauthorized Transactions"
}
}
]
},
"Controls": {
"relationshipType": "descendants",
"objectTypeName": "SOXControl",
"relatedObjects": [
{
"Description": "Requires users to verify their identity through multiple authentication methods, such as passwords, biometrics, or one-time passcodes, reducing the risk of unauthorized transactions.",
"Operating Effectiveness": "Effective",
"Design Effectiveness": "Effective",
"Name": {
"id": "ABC Financial Institution_PROC_00042_RIS_0000101_CON_00000181",
"title": "Multi-Factor Authentication (MFA)"
}
},
{
"Description": "Automated system that continuously monitors financial transactions in real-time, flagging suspicious activities for further investigation.",
"Operating Effectiveness": "Effective",
"Design Effectiveness": "Effective",
"Name": {
"id": "ABC Financial Institution_PROC_00042_RIS_0000101_CON_00000182",
"title": "Transaction Monitoring System"
}
},
{
"Description": "Systematically verifies the accuracy and consistency of transaction data, reducing human error and detecting fraudulent entries.",
"Operating Effectiveness": "Effective",
"Design Effectiveness": "Effective",
"Name": {
"id": "ABC Financial Institution_PROC_00042_RIS_0000102_CON_00000183",
"title": "Automated Data Validation"
}
},
{
"Description": "Maintains a detailed log of all financial activities, enabling forensic investigation and regulatory compliance audits.",
"Operating Effectiveness": "Effective",
"Design Effectiveness": "Effective",
"Name": {
"id": "ABC Financial Institution_PROC_00042_RIS_0000102_CON_00000184",
"title": "Audit Logging & Tracking"
}
},
{
"Description": "Ensures financial data integrity by implementing secure backups and data recovery procedures in case of data loss or cyber incidents.",
"Operating Effectiveness": "Effective",
"Design Effectiveness": "Effective",
"Name": {
"id": "ABC Financial Institution_PROC_00042_RIS_0000102_CON_00000185",
"title": "Backup & Recovery Protocols"
}
},
{
"Description": "Utilizes AI-driven technology to automatically verify regulatory compliance for financial transactions and risk management.",
"Operating Effectiveness": "Ineffective",
"Design Effectiveness": "Effective",
"Name": {
"id": "ABC Financial Institution_PROC_00042_RIS_0000103_CON_00000186",
"title": "Regulatory Non-Compliance"
}
},
{
"Description": "Ongoing training programs for employees to enhance awareness of financial regulations, AML/KYC requirements, and fraud prevention techniques.",
"Operating Effectiveness": "Effective",
"Design Effectiveness": "Effective",
"Name": {
"id": "ABC Financial Institution_PROC_00042_RIS_0000103_CON_00000187",
"title": "Regulatory Training"
}
},
{
"Description": "Periodic audits conducted to assess adherence to regulatory requirements, identifying compliance gaps and recommending corrective actions.",
"Operating Effectiveness": "Effective",
"Design Effectiveness": "Effective",
"Name": {
"id": "ABC Financial Institution_PROC_00042_RIS_0000103_CON_00000188",
"title": "Internal Compliance Audits"
}
},
{
"Description": "AI-powered KYC solutions that verify customer identities against global watchlists and fraud databases to detect high-risk individuals.",
"Operating Effectiveness": "Effective",
"Design Effectiveness": "Effective",
"Name": {
"id": "ABC Financial Institution_PROC_00043_RIS_0000104_CON_00000189",
"title": "Automated KYC & Background Screening"
}
},
{
"Description": "Classifies customers based on risk factors such as transaction behavior, location, and financial history to apply appropriate due diligence measures.",
"Operating Effectiveness": "Effective",
"Design Effectiveness": "Effective",
"Name": {
"id": "ABC Financial Institution_PROC_00043_RIS_0000104_CON_00000190",
"title": "Risk-Based Customer Profiling"
}
},
{
"Description": "Stricter verification and monitoring processes for high-risk customers, ensuring thorough risk assessment and compliance with AML regulations.",
"Operating Effectiveness": "Effective",
"Design Effectiveness": "Effective",
"Name": {
"id": "ABC Financial Institution_PROC_00043_RIS_0000104_CON_00000191",
"title": "Enhanced Due Diligence (EDD)"
}
},
{
"Description": "Verification of client's identity and ultimate beneficial ownership structure, by performing client name screening (against internal watchlists), determining nature of business activities (e.g. ACRA data, business license, financial statements), ultimate beneficial ownership structure (e.g. company shareholders)",
"Operating Effectiveness": "Not Determined",
"Design Effectiveness": "Not Determined",
"Name": {
"id": "ABC Financial Institution_PROC_00043_RIS_0000104_CON_00000221",
"title": "Check Customer Credentials"
}
},
{
"Description": "AI-driven document scanning tools that authenticate identity documents and detect tampering or forgeries.",
"Operating Effectiveness": "Effective",
"Design Effectiveness": "Effective",
"Name": {
"id": "ABC Financial Institution_PROC_00043_RIS_0000105_CON_00000192",
"title": "Document Verification Tools"
}
},
{
"Description": "Analyzes customer and employee transaction behavior patterns to identify deviations that indicate potential fraud or security threats.",
"Operating Effectiveness": "Effective",
"Design Effectiveness": "Effective",
"Name": {
"id": "ABC Financial Institution_PROC_00043_RIS_0000105_CON_00000193",
"title": "Behavioral Analytics"
}
},
{
"Description": "Uses facial recognition, fingerprint scanning, or voice authentication to ensure secure and accurate identity verification.",
"Operating Effectiveness": "Effective",
"Design Effectiveness": "Effective",
"Name": {
"id": "ABC Financial Institution_PROC_00043_RIS_0000105_CON_00000194",
"title": "Biometric Authentication"
}
},
{
"Description": "Evaluates potential vendors based on financial stability, past fraud incidents, and compliance history before onboarding.",
"Operating Effectiveness": "Effective",
"Design Effectiveness": "Effective",
"Name": {
"id": "ABC Financial Institution_PROC_00044_RIS_0000106_CON_00000195",
"title": "Vendor Risk Assessment"
}
},
{
"Description": "Requires multiple layers of approval for vendor payments to prevent fraudulent or unauthorized disbursements.",
"Operating Effectiveness": "Effective",
"Design Effectiveness": "Effective",
"Name": {
"id": "ABC Financial Institution_PROC_00044_RIS_0000106_CON_00000196",
"title": "Vendor Payment Approval Workflow"
}
},
{
"Description": "Matches payments with corresponding invoices and purchase orders to detect discrepancies or unauthorized transactions.",
"Operating Effectiveness": "Effective",
"Design Effectiveness": "Effective",
"Name": {
"id": "ABC Financial Institution_PROC_00044_RIS_0000106_CON_00000197",
"title": "Transaction Reconciliation"
}
},
{
"Description": "Utilizes AI to compare financial transactions with accounting records, identifying mismatches in real-time.",
"Operating Effectiveness": "Not Determined",
"Design Effectiveness": "Not Determined",
"Name": {
"id": "ABC Financial Institution_PROC_00044_RIS_0000107_CON_00000198",
"title": "Automated Payment Reconciliation"
}
},
{
"Description": "Defines protocols for identifying and resolving payment processing errors efficiently.",
"Operating Effectiveness": "Not Determined",
"Design Effectiveness": "Not Determined",
"Name": {
"id": "ABC Financial Institution_PROC_00044_RIS_0000107_CON_00000199",
"title": "Exception Handling Procedures"
}
},
{
"Description": "Enforces a rule where high-value transactions require approval from at least two authorized personnel.",
"Operating Effectiveness": "Not Determined",
"Design Effectiveness": "Not Determined",
"Name": {
"id": "ABC Financial Institution_PROC_00044_RIS_0000107_CON_00000200",
"title": "Dual Approval for Payments"
}
},
{
"Description": "Requires users to verify their identity through multiple authentication methods, such as passwords, biometrics, or one-time passcodes, reducing the risk of unauthorized transactions.",
"Operating Effectiveness": "Effective",
"Design Effectiveness": "Not Determined",
"Name": {
"id": "ABC Financial Institution_PROC_00044_RIS_0000108_CON_00000201",
"title": "Multi-Factor Authentication (MFA)"
}
},
{
"Description": "Automated system that continuously monitors financial transactions in real-time, flagging suspicious activities for further investigation.",
"Operating Effectiveness": "Effective",
"Design Effectiveness": "Not Determined",
"Name": {
"id": "ABC Financial Institution_PROC_00044_RIS_0000108_CON_00000202",
"title": "Transaction Monitoring System"
}
},
{
"Description": "Ensures that critical financial functions (e.g., payment approval and fund disbursement) are handled by separate individuals to prevent fraud and errors.",
"Operating Effectiveness": "Effective",
"Design Effectiveness": "Not Determined",
"Name": {
"id": "ABC Financial Institution_PROC_00044_RIS_0000108_CON_00000203",
"title": "Segregation of Duties"
}
}
]
}
},
"guidance": {
"Risk Assessment - Preparation": "Two options available \n\n **Option 1** \n\nManual where Processes, Risks and Controls need to be manually selected, review and update the list of **Processes**, for each Process review the list of **Risks**, for each Risk, review the mitigating **Controls** \n\n\nThen, click on the RCSA Alignment helper, to automatically set the Processes and Risk as Awaiting Assessment \n\n\n **Option 2** \n\nLeverage the **Risk Assessment Helper**, the Risk Assessment Status will automatically updated and each Process will be set as Awaiting Assessment",
"incompletedRequiredItems": [],
"incompleteOptionalItems": [],
"completedItems": [
"Creation Date",
"Description",
"Name"
]
},
"objectTypeLabel": "Risk Assessment",
"name": "Financial Fraud Prevention",
"objectTypeName": "RiskAssessment",
"header": {
"Creation Date": "Feb 22, 2025, 4:19:55 PM EST"
},
"RCSA Dates": {
"group-dates": {
"Start Date": "",
"End Date": ""
}
},
"Overview": {
"Status": "Awaiting Assessment",
"Description": "This risk assessment focuses on financial fraud prevention within an organization's transaction processing system.",
"Name": "Financial Fraud Prevention"
},
"id": "78542"
}
OpenPages Configuration

View configuration
Add the new AI button and plug in the various information

And here is the example output

Happy testing
------------------------------
Christophe Delauré
Principal Product Manager
IBM
Cambridge MA
6503050530
------------------------------
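A deterministic cross-check of the name.id convention described in the post above, added here as an example (it is not part of the original post or of OpenPages): it rebuilds the issue-to-control links from the IDs and flags open issues on controls rated Effective, plus issues whose ID carries no parent chain, so the model's "Potential Inconsistencies" section can be compared against it. The function names, the finding labels, and the reading of "rated high" as an "Effective" rating are assumptions; the sample is a constructed, trimmed copy of the post's {objectJson} example.

```python
import re

# name.id layout described in the post: <entity>_PROC_n[_RIS_n[_CON_n[_ISS_n]]]
ID_RE = re.compile(r"(PROC_\d+)(?:_(RIS_\d+))?(?:_(CON_\d+))?(?:_(ISS_\d+))?$")

def parent_keys(name_id):
    """Return (process, risk, control) key prefixes encoded in a name.id, or None."""
    m = ID_RE.search(name_id or "")
    if not m:
        return None
    proc, ris, con, _ = m.groups()
    risk_key = f"{proc}_{ris}" if ris else None
    ctl_key = f"{risk_key}_{con}" if risk_key and con else None
    return proc, risk_key, ctl_key

def collect(view):
    """Group relatedObjects by objectTypeName, wherever the grids sit in the view."""
    found, stack = {}, [view]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            if "objectTypeName" in node and "relatedObjects" in node:
                found.setdefault(node["objectTypeName"], []).extend(node["relatedObjects"])
            else:
                stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
    return found

def find_inconsistencies(view):
    """Return (kind, issue_label, control_title) tuples for the checks in the prompt."""
    objs = collect(view)
    controls = {}
    for ctl in objs.get("SOXControl", []):
        keys = parent_keys(ctl["Name"]["id"])
        if keys and keys[2]:
            controls[keys[2]] = ctl
    findings = []
    for issue in objs.get("SOXIssue", []):
        name = issue["Name"]
        label = name.get("title") or name["id"]
        keys = parent_keys(name["id"])
        if not keys or not keys[2]:
            # The ID does not follow the auto-naming chain, so no parent can be inferred.
            findings.append(("unlinked_issue", label, None))
            continue
        ctl = controls.get(keys[2])
        if ctl is None:
            findings.append(("missing_control", label, None))
        elif issue.get("Status") == "Open" and "Effective" in (
                ctl.get("Operating Effectiveness"), ctl.get("Design Effectiveness")):
            findings.append(("effective_control_open_issue", label, ctl["Name"]["title"]))
    return findings

# Constructed sample: a trimmed copy of the post's {objectJson} example.
ORG = "ABC Financial Institution"
CTL = ORG + "_PROC_00044_RIS_0000106_CON_00000196"
SAMPLE = {
    "objectTypeName": "RiskAssessment",
    "Process, Risk, Control information ": {
        "Issues": {"objectTypeName": "SOXIssue", "relatedObjects": [
            {"Status": "Open", "Name": {"id": CTL + "_ISS_002",
                "title": "Bypass of Vendor Payment Approval Process Resulted in Fraudulent Payment"}},
            {"Status": "Open", "Name": {"id": CTL + "_ISS_003",
                "title": "Insufficient Approval Caused Duplicate Vendor Payment"}},
            {"Status": "Open", "Name": {"title": None,
                "id": "Failure to Implement Automated Compliance Checks Led to Regulatory Violation"}},
        ]},
        "Controls": {"objectTypeName": "SOXControl", "relatedObjects": [
            {"Operating Effectiveness": "Effective", "Design Effectiveness": "Effective",
             "Name": {"id": CTL, "title": "Vendor Payment Approval Workflow"}},
        ]},
    },
}

if __name__ == "__main__":
    for finding in find_inconsistencies(SAMPLE):
        print(finding)
```

An issue reported as unlinked_issue cannot be attributed to any control by the model either, so it is worth correcting in the source data before the summary is generated.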
Original Message:
Sent: Wed April 16, 2025 02:48 PM
From: Christophe Delauré
Subject: watsonx.ai prompt for OpenPages examples
We have been demonstrating a number of use cases with watsonx.ai
Here are a few short videos posted on LinkedIn
https://www.linkedin.com/in/christophedelaure/recent-activity/videos/
It's now the time to share these prompts
These are starting points, and they can be improved quite a bit and made more robust
| # | Use Case | Benefit & Business Value | Value Impact | watsonx | Cost/Effort profile |
|---|---|---|---|---|---|
| 1 | PII Detection: Detect input of personal identifiable information. | Prevent potential privacy breach and misuse of data. | VERY HIGH | watsonx.ai | ♦ |
| 2 | 5W Control Analysis: Determine quality of documented controls using 5W model (Who, what, when, where and why) | Improved quality of control data and downstream processes for control assurance and testing. | HIGH | watsonx.ai | ♦ |
| 3 | Issue Summarization and Rewrite: Summarize incidents/issues and rewrite for clarity. | Simplify reporting of incidents and issues by removing technical risk jargon. | HIGH | watsonx.ai | ♦ |
| 4 | Auto tagging: Automatically add tags to records within OpenPages. | Aids in creating accurate tags by filter. Creates a system where tags become more used due to auto identification | MEDIUM | watsonx.ai | ♦ |
| 5 | Emerging Risk: General potential emerging risk scenarios. | Proactive, forward looking risk analysis. | MEDIUM | watsonx.ai | ♦ |
| 6 | Semantic Data Similarity: Identify similar instances of data (e.g. incidents, risks, issues) across business units to share learnings and remediations from previous occurrences. | Learn lessons from previous mistakes and share findings across the business. | HIGH | watsonx.ai | ♦♦ |
| 7 | Obligation Generation: Generate obligations on regulatory change. | Reduce time taken to create an obligation. Simplify obligation language for non-compliance staff. | HIGH | watsonx.ai | ♦ (9.1) |
| 8 | Incident response: Generate incident response plans based on incident description. | Proactive incident management. | MEDIUM | watsonx.ai | ♦♦ |
| 9 | Incident Capture: User guided AI assistant to create new incidents. | Simplify incident capture. Improve data quality. Reduce review time. | VERY HIGH | watsonx assistant | ♦♦ |
| 10 | FAQ/Policy: Virtual assistant within & outside of OpenPages to respond to user questions. | Improve usability of OpenPages. 24x7 support for end users. Reduce support costs and time. | HIGH | watsonx assistant | ♦♦ |
| 11 | Executive summary for complex dataset such as Audit, Risk Assessment | In few seconds automatically generate the executive summary for Risk Assessment leveraging information on Processes, Risks, Controls, Issues for Risk Assessment | HIGH | watsonx.ai | ♦ (9.1) |
| 12 | Same above on watsonx.ai, leveraging other LLM (Open AI, Anthropic, etc) | Leveraging the same UI workflows, leverage third party LLM through a Python Notebook | HIGH | WML + Third party solution | ♦ (9.1) |
| 13 | Coverage review / Update Obligation/Control or Policy/Obligation, Risk/Control Coverage | Automatically identify whether 1 activity covers the required related information: Are my controls sufficient for the obligation mapped? Is my Policy sufficient for the Obligation mapped? Is my Risk covered by the controls, is there any gaps? | HIGH | watsonx.ai | ♦ (9.1) |