A big part of a CRO's job is to take a flood of risk signals, like KRI data, control results, model outputs and incident reports, and turn them into decisions the board can rely on.
More and more of that is becoming something tools can help with. What they can't do is tell you how hard to push back when the CEO wants to tolerate a limit breach, which register entry will really detonate versus which is box-ticking, or what to write versus leave off the board paper.
This page sorts the two: what to hand your tools, and what only your team can answer. Built from the public record, every claim checked against the original.
Click a cell to open its story. Filter to read one zone at a time.
mostly a tool’spartlyonly in a head
AI is absorbing thisValue concentrates here →
System
What anyone qualified could do
AI is absorbing this
What your industry knows
AI is absorbing this
What's written down inside
your asset, worth codifying
What only your team knows
judgement, no system holds it
Risk register & appetite statement
register updates, KRI data entry
standard risk taxonomy, appetite frameworks
the register, appetite statement & thresholds
+
the register entry that will really detonate
+
Model, VaR & capital framework
model-run admin, output formatting
VaR methods, Basel rules, stress testing
model documentation & capital methodology
+
which model gives comfort rather than insight
+
GRC & controls-testing platform
control testing, compliance calendar
three lines of defence, CPS 220/230
controls register & testing results (scattered)
+
reading the risk culture before a loss event
+
Board risk committee pack
pack assembly, formatting, distribution
board reporting conventions, governance standards
the board risk papers & aggregate exposure metrics
The two left columns hold the fullest part of the job — the generic skills and your sector’s published rules. They’re also what AI absorbs fastest, because nothing org-specific anchors them. Your value concentrates to the right.