Skill: Risk Tiering
Purpose
Determine the governance risk tier of the model by assessing its financial impact, operational reliance, usage pattern, implementation complexity, and strength of existing risk mitigations.
This skill establishes the downstream control requirements for all other skills.
Inputs
Required IR fields:
- project metadata
- symbols and public interfaces
- imports and dependencies
- commentary_md
- evidence_index
Skill data inputs:
- rubric.yaml (axis definitions, scoring rules, tier bands)
- controls.yaml (required controls per tier)
Outputs
Return a structured risk classification including:
- axis-level scores with rationale
- aggregate score and tier assignment
- mapping to required governance controls
- explicit justification tied to evidence
- unknowns (if any)
Rules
Evidence & uncertainty (non-negotiable)
- Every materially non-trivial claim must be supported by evidence ids.
- If a claim cannot be supported, write Not evidenced and record it in unknowns as:
  - question
  - why it matters
  - what evidence would resolve it
- Do not infer controls that are not clearly present in the evidence.
Scoring discipline
- Score each axis independently on a 0–4 scale.
- Base scores on actual usage and design, not aspirational intent.
- If mitigation evidence is absent, assume low mitigation strength.
- Do not average away high-risk dimensions; do not "offset" a high-risk axis with low-risk axes.
- Cite evidence for each axis score (including 0 where practical; if no evidence exists, say Not evidenced).
- If information is missing, score conservatively (bias toward the higher tier).
- If two tiers are plausible, choose the higher tier unless evidence supports the lower risk.
Control mapping discipline
- For each required control in controls.yaml, classify it as: present / partial / absent.
- Present/partial requires evidence ids; otherwise mark absent and note it as a gap.
JSON / schema contract
- Return JSON matching the schema exactly: no extra keys, no missing required keys.
- Use explicit null/sentinel values only where allowed by the schema.
System Prompt
You are a senior model risk officer classifying a financial model for governance. Be conservative, explicit, and evidence-driven. Assume this decision will be audited.
User Prompt Template
Given:
- An intermediate representation (IR) of a model
- Evidence snippets from source code and documentation
- A risk tiering rubric and control mapping

Then:
- Score each risk axis (0–4) with a brief justification and evidence ids.
- Compute the total score using the rubric formula. Show the calculation inputs.
- Assign a risk tier based on the defined bands.
- List the required controls implied by this tier and map each to present/partial/absent with evidence ids.
- List unknowns using the required unknowns format.
Return JSON matching the schema exactly.
Post-run Checks
- All axes have a numeric score and rationale.
- Tier matches the rubric bands and the total score calculation.
- evidence_used references valid evidence ids only.
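As an added example (not part of the original skill page and not the project's own code), the following Python models the whole procedure so the scoring, control-mapping and post-run rules can be exercised on sample input: an unevidenced axis is scored conservatively and logged as an unknown, present/partial controls without evidence ids are downgraded to absent gaps, a max-scored axis cannot be offset by low-risk axes, and the post-run checks recompute the tier and validate evidence_used. The axis names, weights, tier bands, control list, the "floor at Tier 2" rule and every evidence id are constructed assumptions standing in for rubric.yaml, controls.yaml and the real evidence_index; the function names are hypothetical.

```python
# Added example, not from the original skill page. Rubric weights, tier bands,
# control list and evidence ids are CONSTRUCTED stand-ins for rubric.yaml,
# controls.yaml and evidence_index.
from typing import Optional

AXES = ("financial_impact", "operational_reliance", "usage_pattern",
        "implementation_complexity", "mitigation_weakness")  # each scored as risk, 0-4
WEIGHTS = {"financial_impact": 2, "operational_reliance": 2, "usage_pattern": 1,
           "implementation_complexity": 1, "mitigation_weakness": 2}  # assumed rubric
MAX_AXIS = 4
TIER_BANDS = ((22, "Tier 1"), (12, "Tier 2"), (0, "Tier 3"))  # assumed; lower bound inclusive
TIER_RANK = {"Tier 1": 1, "Tier 2": 2, "Tier 3": 3}
CONTROLS = {  # assumed controls.yaml: required controls per tier
    "Tier 3": ["model_inventory"],
    "Tier 2": ["model_inventory", "independent_validation"],
    "Tier 1": ["model_inventory", "independent_validation",
               "change_approval", "ongoing_monitoring"],
}


def score_axis(axis: str, score: Optional[int], rationale: str,
               evidence_ids: tuple, evidence_index: dict, unknowns: list) -> dict:
    """Scoring discipline: a score with no valid evidence id is 'Not evidenced',
    logged as an unknown, and replaced by the conservative (highest-risk) value."""
    valid = [e for e in evidence_ids if e in evidence_index]
    if score is None or not valid:
        unknowns.append({
            "question": f"What is the true {axis} of this model?",
            "why_it_matters": f"{axis} carries weight {WEIGHTS[axis]} in the tier total",
            "evidence_needed": f"source or documentation evidence for {axis}",
        })
        return {"score": MAX_AXIS, "rationale": "Not evidenced; scored conservatively",
                "evidence_ids": []}
    return {"score": max(0, min(MAX_AXIS, score)), "rationale": rationale,
            "evidence_ids": valid}


def assign_tier(axes: dict) -> tuple:
    """Weighted total -> band. A max-scored axis floors the tier at Tier 2 so one
    high-risk dimension is never averaged away by low-risk ones (assumed rule)."""
    total = sum(WEIGHTS[a] * axes[a]["score"] for a in AXES)
    tier = next(name for lower, name in TIER_BANDS if total >= lower)
    if any(axes[a]["score"] == MAX_AXIS for a in AXES) and TIER_RANK[tier] > 2:
        tier = "Tier 2"
    return total, tier


def map_controls(tier: str, claimed: dict, evidence_index: dict) -> tuple:
    """claimed = {control: (status, evidence_ids)}. present/partial without a
    valid evidence id is downgraded to absent; every absent control is a gap."""
    mapping, gaps = {}, []
    for control in CONTROLS[tier]:
        status, ids = claimed.get(control, ("absent", ()))
        valid = [e for e in ids if e in evidence_index]
        if status != "absent" and not valid:
            status = "absent"
        if status == "absent":
            gaps.append(control)
        mapping[control] = {"status": status, "evidence_ids": valid}
    return mapping, gaps


def classify(axis_inputs: dict, claimed_controls: dict, evidence_index: dict) -> dict:
    """axis_inputs = {axis: (score or None, rationale, evidence_ids)}."""
    unknowns = []
    axes = {a: score_axis(a, *axis_inputs.get(a, (None, "", ())), evidence_index, unknowns)
            for a in AXES}
    total, tier = assign_tier(axes)
    controls, gaps = map_controls(tier, claimed_controls, evidence_index)
    used = sorted({e for ax in axes.values() for e in ax["evidence_ids"]} |
                  {e for c in controls.values() for e in c["evidence_ids"]})
    return {"axes": axes, "calculation": {"weights": WEIGHTS, "total": total},
            "tier": tier, "controls": controls, "gaps": gaps,
            "unknowns": unknowns, "evidence_used": used}


def post_run_checks(result: dict, evidence_index: dict) -> list:
    """Post-run checks from the skill; returns the failed checks (empty = pass)."""
    failures = []
    for a in AXES:
        ax = result["axes"].get(a)
        if not ax or not isinstance(ax["score"], int) or not ax["rationale"]:
            failures.append(f"axis {a}: missing numeric score or rationale")
    if assign_tier(result["axes"]) != (result["calculation"]["total"], result["tier"]):
        failures.append("tier does not match recomputed total and bands")
    if any(e not in evidence_index for e in result["evidence_used"]):
        failures.append("evidence_used cites an unknown evidence id")
    return failures
```

A typical call passes the per-axis proposals as `classify({"financial_impact": (4, "prices the book daily", ("E1",)), ...}, {"model_inventory": ("present", ("E2",))}, evidence_index)` and then runs `post_run_checks` on the result before the JSON is returned; an axis cited against an id that is not in evidence_index comes back as Not evidenced with score 4, which is what the "bias higher tier" rule asks for.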