By anotb
Risk and regulatory reporting skills for risk committee packs, BCBS 239 gap assessment, KRI commentary, SEC cyber disclosure readiness, attestations, and management responses.
Drafts the periodic management attestation pack a senior officer takes into the certification meeting: scope statement, source criteria, control inventory, evidence index, exceptions with compensating-control narrative, prior-period remediation status, sub-certification chain, reviewer questions, assertion language, and sign-off block. Output is the named-section pack the attesting officer (CEO, CFO, CRO, CCO, CISO, BSA officer, head of internal audit, fund CCO, function head, process owner) and the named reviewers (legal, internal audit, external assessor, regulator) carry into the sign-off conversation.

Best for:
- Periodic management attestation underpinning a formal certification (SOX 404 process-owner sub-certification; SOC 1 / SOC 2 management assertion package; FFIEC self-assessment; vendor-management annual attestation; BCBS 239 risk-data attestation; fund CCO Rule 38a-1 annual report; BSA officer annual certification; cyber annual certification including NYDFS Form B; privacy annual report under the GLBA Safeguards Rule).
- Refreshing the attestation pack ahead of an external-assessor field visit (SOC auditor, internal audit, regulator-engaged third-party).
- Producing the attestation evidence binder for a regulator response that requires named-control-by-named-control evidence.
- Standing up the first attestation pack for a new process or product where no prior pack exists.

Not the right tool when:
- The artifact is the underlying risk-control matrix (use `risk-compliance-core/skills/control-matrix`; this skill consumes it).
- The artifact is the issue write-up for an exception identified during attestation (use `risk-compliance-core/skills/issue-writeup`).
- The artifact is a single control test workpaper (use `compliance-testing/skills/workpaper-drafter`).
- The artifact is a management response to a regulator finding (use `management-response`).
- The work is the executive certification under the relevant securities-law sections; this skill produces the process-owner and function-head sub-certifications that ladder to the executive certification, which is securities-counsel-led and out of scope.

Drafts a gap assessment of the firm's risk data aggregation and risk reporting posture against the fourteen BCBS 239 principles, organised by the four BCBS groups (overarching governance and infrastructure, aggregation, reporting, supervisory review). Produces a principle-by-principle matrix with rating, direction, evidence summary, gaps, owners, and target dates that the head of risk data, head of regulatory reporting, CRO office, and internal audit can take to the data-management committee after qualified review.

Best for:
- Standing up or refreshing a self-assessment ahead of a regulator-driven review (FRB horizontal review on RDARR, ECB SREP thematic, OCC Heightened Standards thematic).
- Diagnosing why a risk committee pack carries a non-high data-confidence label; the gap assessment is the upstream artifact.
- Refreshing the BCBS 239 posture after a material change (acquisition, system migration, source-of-record consolidation, taxonomy revision).
- Pulling the cross-entity gap view across G-SIBs and D-SIBs where Principle 12 to 14 supervisory expectations apply.

Not the right tool when:
- The artifact is the committee pack itself; use `risk-committee-pack` and surface the BCBS 239 posture there as a data-confidence appendix.
- The artifact is a single KRI commentary; use `kri-commentary`.
- The artifact is a one-off data-quality issue write-up; use `risk-compliance-core/skills/issue-writeup`.
- The work is enterprise data governance generally. BCBS 239 is risk-data anchored. SOX 404 financial-reporting data quality is a different regime.

Drafts the second-line readiness pack for SEC cybersecurity disclosure: 8-K Item 1.05 trigger and materiality workpaper for a live or suspected material incident, the 10-K Item 106 risk-management and governance disclosure for the annual filing cycle, and the disclosure controls and procedures (DCP) readiness map. The pack is what a disclosure committee, securities counsel, the CISO, and the CRO take into the materiality call and into the filing decision.

Best for:
- A material cybersecurity incident has occurred (or is suspected) and the disclosure committee needs the materiality determination, the 4-business-day clock posture, the parallel-regulator clocks, and the Item 1.05 disclosure draft pulled together.
- The 10-K Item 106 cyber risk-management and governance disclosure is being refreshed for the upcoming filing cycle and second line is challenging the prior-year text.
- The firm is standing up or refreshing its cyber disclosure controls and procedures under Exchange Act Rule 13a-15 and needs the second-line readiness view of the trigger flow.
- A disclosure-machinery question that overlaps cyber and climate lands at the disclosure committee (the same DCP and the same 8-K mechanic handle both).

Not the right tool when:
- The artifact is the enterprise risk committee pack (use `risk-committee-pack`; cyber appears there as an overlay and pulls a brief from this skill).
- The artifact is an internal incident response runbook or a forensic timeline (out of scope; this skill is the disclosure decision, not incident handling).
- The artifact is a vendor cyber due-diligence pack (use `third-party-operational-resilience/skills/vendor-diligence`).
- The trigger is a non-public regulator-only notification (NYDFS Part 500 §500.17, federal banking agencies' 36-hour rule, state breach-notification). Those clocks surface in the parallel-clocks table here, but the regulator-specific notification artifact lives elsewhere.

Drafts second-line commentary on KRI / KCI movement and breaches for a periodic risk report. Each per-KRI block carries trend, breach status against the firm's risk appetite statement, named root cause and contributing factors, action taken and action planned with role-level owners and dates, residual-risk view, linked issues and material events, and an explicit second-line challenge note where the second-line view diverges from first-line. Output is a per-KRI commentary block ready to drop into the risk committee pack, the divisional risk pack, the regulator response, or the board memo after qualified review.

Best for:
- Standing commentary block for each KRI / KCI flagged AMBER or RED in the period, with named root cause and remediation status.
- Refreshing commentary on a watch-list KRI that has been at trigger or limit for multiple consecutive periods.
- Rewriting first-line draft commentary to second-line standard (challenge, source-anchored, owner-named, evidence-pointed).
- Producing the commentary appendix for a regulator response or a board memo when a specific KRI is the subject of supervisory interest.
- KRI commentary across credit, market, liquidity, operational, compliance, financial-crime, model, third-party, cyber, climate, and conduct populations.

Not the right tool when:
- The artifact is the full committee pack (use `risk-committee-pack`; this skill produces the per-KRI blocks consumed there).
- The artifact is a one-off issue write-up where the KRI breach is the symptom (use `risk-compliance-core/skills/issue-writeup` for the issue; use this skill for the commentary on the KRI itself).
- The artifact is the data-quality root cause for the KRI (use `bcbs239-gap-assessment` if the breach is driven by upstream data lineage).
- The work is defining the KRI itself (KRI design and threshold setting is risk-appetite work, out of scope here).

Drafts the enterprise risk committee pack a CRO carries into the meeting: heat map by risk type, top risks, material risk events, KRI movement and breaches against the risk appetite statement, issues and remediation, forward-looking commentary including scenario results, and decision items. The pack is the load-bearing governance instrument the risk committee of the board (or the enterprise risk committee) uses to discharge its oversight under the firm's risk governance framework.

Best for:
- Standing quarterly or monthly enterprise risk committee pack from upstream KRI feeds, the issue log, the loss-event register, and CRO commentary.
- Board-level risk pack ahead of a regulator-attended meeting (FRB horizontal review, OCC Heightened Standards readiness, FRB CCAR cycle review).
- A single committee view across credit, market, liquidity, operational, compliance, financial-crime, model, third-party, cyber, climate where in scope, strategic, and reputational risk.
- An adviser-firm or insurer enterprise risk committee pack where the underlying taxonomy and regulators differ from the bank case.

Not the right tool when:
- The pack is the AI-committee-specific view (use `ai-governance-model-risk/skills/board-ai-risk-pack`; the ERM pack pulls a brief from there rather than re-anchoring the AI sources).
- The work is a single KRI commentary block (use `kri-commentary`; this skill consumes its output).
- The work is an SEC cyber Item 1.05 trigger analysis or 8-K disclosure decision (use `cyber-disclosure-readiness`).
- The work is a management response to an MRA, MRIA, or audit finding (use `management-response`; this skill consumes its status into the issues section).
- The data lineage feeding the pack is not yet fit for purpose (run `bcbs239-gap-assessment` first; this skill assumes BCBS 239 data quality is established and surfaces the residual limitations in the appendix).

Plugins for second-line and 1.5-line financial-services work. Skills cover what risk and compliance teams (and the advisory practitioners who support them) actually produce: scoping a review, mapping obligations, building a control matrix, drafting a model card, writing up an issue, building a vendor-diligence pack, packaging a risk-committee read, working a SAR / no-SAR file, prepping for a supervisory cycle, and so on. Skills are grounded in regulatory and standards material, with sector context (banking, capital markets, insurance, payments / fintech) loaded conditionally from the scoping record.
Built primarily for Claude (and Claude Code), but the skill files follow the open SKILL.md format and can be loaded into other agentic systems that support it: GPT, Gemini, in-house open-weights deployments, or anything else that reads agent skills. The skills are markdown plus optional schemas; the format is the standard, the work product is what travels.
The repo extends Anthropic's published financial-services plugin family. Where Anthropic's plugins cover the cross-industry first-line baseline (financial analysis, banking deal work, equity research, PE, wealth, fund admin, ops), these go deeper into US second-line and 1.5-line work and US supervisory expectations.
Second-line and 1.5-line practitioners inside regulated firms: model-risk leads (MRMO), AI governance leads, third-party risk managers (TPRM), BSA / AML officers, sanctions officers, compliance heads (CCO), fair-lending and UDAAP review teams, controls testing and internal audit teams, risk reporting and CRO-office teams, regulatory-affairs and regulatory-change teams, operational-resilience leads, fund-board secretaries, disclosure committees.
And the advisory and consulting teams running the same work for those firms.
If you work in 1.5L, 2L, or adjacent functions, the skills let Claude (or other agentic systems supporting the SKILL.md format) draft alongside you, like a colleague who knows the work and defers to your judgement on the call.
- `references/sector-overlays/<sector>.md` inside the relevant capability skill, loaded conditionally from the scoping record.
- `references/source-anchors.md` with the regulatory and standards citations they lean on. US-deep, with EU as overlay and UK as see-also.

The skill set is public-source-derived and anonymous, with no firm-specific policy baked in.
Standalone agent plugins (one-shot reviewers that orchestrate related skills end-to-end) are not in this release. The next iteration adds a maker / checker loop with genuine context-isolated subagent forking, primary-plus-critic two-agent shape, and plugin dependencies in place of bundled-skill copies. See ROADMAP.md for the target shape.
| Plugin | What it covers |
|---|---|
| risk-compliance-core | Scoping, obligation mapping, control matrices, evidence binders, issue write-ups, human-review gates, policy-gap reviews. |
| regulatory-change-management | Regulatory impact assessment, rule-to-obligation extraction, policy diffs, implementation plans, exam briefs. |
| ai-governance-model-risk | AI use-case intake, AI risk tiering, EU AI Act triage, model cards, validation plans, agentic-AI controls, board AI-risk pack, GenAI deep-dive (prompt injection, RAG eval, pre-prod review, LLM vendor evidence). |
| third-party-operational-resilience | Vendor diligence, criticality, contract-gap review, exit plans, concentration, DORA register, severe-but-plausible resilience testing. |
| compliance-testing | Test plans, control sampling, evidence requests, exception analysis, workpapers, QA review. |
| risk-reporting | Risk committee packs, BCBS 239 self-assessment, KRI commentary, SEC cyber-disclosure readiness, attestation packs, management responses to MRA / MRIA / audit findings. |
| financial-crime-governance | CDD review, EDD escalation packs, SAR-decision QA, AML model monitoring, sanctions-screening QA, negative-news triage. |
| consumer-compliance-fair-lending | Adverse-action review, fair-lending test plans, UDAAP risk review, Section 1071 readiness, complaint-theme analysis, marketing-claim review. |
Analyze RFPs, develop proposals, apply strategic frameworks, and build implementation plans. Create executive deliverables for strategy, operations, and transformation engagements.
Regulatory change management skills for impact assessment, obligation extraction, policy diffing, implementation planning, and exam brief preparation.
AI governance and model risk skills for AI intake, risk tiering, model cards, validation planning, agentic controls, EU AI Act triage, AI vendor review, and board risk packs.
Third-party risk and operational resilience skills for vendor diligence, criticality assessment, DORA registers, contract gaps, exit plans, resilience testing, and concentration risk.
Core GRC workflow skills for obligation mapping, control matrices, evidence binders, issue write-ups, human-review gates, and policy gap reviews.
npx claudepluginhub anotb/second-line-financial-services --plugin risk-reporting