Value-Risk Prioritizer
Overview
Prioritize AI capabilities using quantified value, assessed risk, and explicit mitigation requirements. The goal is a defensible prioritization that stakeholders understand and governance can approve.
Core principle: Don't compare "high value" to "medium risk" - quantify both to common scales, then score.
Priority Tiers
Every capability MUST be assigned to a tier with justification:
| Tier | Criteria | Action |
|---|---|---|
| DO_FIRST | Value justifies effort, risk manageable with standard controls | Include in next planning cycle |
| DO_WITH_CAUTION | High value but requires significant guardrails | Plan with explicit risk mitigation |
| DEFER | Value uncertain or risk requires validation | Prototype/pilot before committing |
| DONT_DO | Risk exceeds value even with mitigation | Remove from consideration (document why) |
Output Format
```yaml
prioritization:
  capability_name:
    value_assessment:
      annual_value: "$X.XM"
      calculation: "[Show the math]"
      value_type: "[Cost reduction | Revenue enablement | Risk avoidance | Strategic]"
      confidence: "[HIGH | MEDIUM | LOW]"
      confidence_rationale: "[Why this confidence level]"
    risk_assessment:
      primary_category: "[Regulatory | Operational | Reputational | Financial]"
      secondary_categories: ["[Other applicable]"]
      impact_range:
        best_case: "$X"
        worst_case: "$Y"
        basis: "[How estimated - precedent, benchmarks, calculation]"
      likelihood_without_mitigation: "[HIGH | MEDIUM | LOW]"
      worst_case_scenario: "[Specific narrative]"
    mitigation_requirements:
      required_controls:
        - control: "[Specific guardrail]"
          purpose: "[What risk it addresses]"
          cost: "[FTE, $, or effort estimate]"
      residual_risk_after_mitigation: "[HIGH | MEDIUM | LOW]"
      mitigation_confidence: "[HIGH | MEDIUM | LOW - will these actually work?]"
    scoring:
      value_score: [1-10]
      risk_score: [1-10]  # After mitigation
      feasibility_score: [1-10]
      weighted_total: [Calculated]
      tier: "[DO_FIRST | DO_WITH_CAUTION | DEFER | DONT_DO]"
      tier_justification: "[Why this tier]"
sequencing:
  dependencies:
    - capability: "[Name]"
      enables: ["[Capabilities this unlocks]"]
      requires: ["[Prerequisites]"]
  recommended_order:
    Q1: "[Capability] - [Rationale]"
    Q2: "[Capability] - [Rationale]"
    # etc.
  build_logic: "[Why this sequence]"
summary:
  do_first: ["[List]"]
  do_with_caution: ["[List]"]
  defer: ["[List]"]
  dont_do: ["[List]"]
```
Value Quantification
Translation Formula
Convert vague claims to annual $ value:
| Claim Type | Formula | Example |
|---|---|---|
| Time savings | Hours × Rate × Days × Discount | 1,250 hrs × $50 × 250 days × 0.8 = $12.5M |
| Error reduction | Error rate × Volume × Cost per error | 5% × 10,000 × $500 = $250K |
| Capacity increase | Additional volume × Margin | 1,000 more × $100 = $100K |
| Risk avoidance | Probability × Impact | 2% × $10M = $200K expected |
Discount Factors
Apply discount for uncertainty:
- HIGH confidence: 1.0 (verified data)
- MEDIUM confidence: 0.8 (reasonable estimates)
- LOW confidence: 0.5 (aspirational claims)
Value Type Classification
- Cost reduction: Direct savings, headcount, efficiency
- Revenue enablement: New capabilities, faster time-to-market
- Risk avoidance: Prevented losses, compliance
- Strategic: Market position, competitive advantage (hardest to quantify)
Risk Assessment
Impact Estimation
Always provide a range with basis:
```yaml
impact_range:
  best_case: "$50K"   # Minor incident, quick resolution
  worst_case: "$5M"   # Major failure, regulatory involvement
  basis: "Industry benchmarks for settlement failures"
```
Precedent Reference
For financial services, reference known enforcement actions:
| Risk Type | Precedent Range |
|---|---|
| AML violations | $10M - $1B+ (OCC consent orders) |
| SEC filing errors | $1M - $100M (depending on materiality) |
| Settlement failures | $100K - $10M (per incident) |
| Customer harm | $500K - $50M (class action potential) |
Likelihood Assessment
- HIGH: Has happened before, weak controls
- MEDIUM: Plausible scenario, some controls exist
- LOW: Rare occurrence, strong controls
Mitigation Requirements
Required Questions
Before ranking, ask for each capability:
- What controls reduce likelihood?
- What controls reduce impact?
- What's the cost of these controls?
- What risk remains after controls?
Mitigation Template
```yaml
mitigation_requirements:
  required_controls:
    - control: "Human review for confidence < 0.95"
      purpose: "Catch AI errors before action"
      cost: "2 FTE ongoing"
    - control: "Daily reconciliation audit"
      purpose: "Detect errors within 24 hours"
      cost: "0.5 FTE + tooling"
  residual_risk_after_mitigation: "LOW"
  mitigation_confidence: "HIGH - standard industry practice"
```
Scoring Model
Default Weights
Weighted Total = (Value × 0.4) + (Risk × 0.3) + (Feasibility × 0.3)
Adjust weights based on organizational priorities:
- Risk-averse org: Risk × 0.5
- Growth-focused org: Value × 0.5
- Resource-constrained: Feasibility × 0.4
Score Guidelines
Value Score (1-10):
- 10: >$10M annual value, HIGH confidence
- 7-9: $1-10M annual value
- 4-6: $100K-$1M annual value
- 1-3: <$100K or LOW confidence
Risk Score (1-10, AFTER mitigation):
- 10: Negligible risk, strong controls
- 7-9: Low risk, proven mitigations
- 4-6: Medium risk, requires oversight
- 1-3: High residual risk even with controls
Feasibility Score (1-10):
- 10: FEASIBLE, data ready, skills exist
- 7-9: FEASIBLE_WITH_CONSTRAINTS
- 4-6: PROTOTYPE_FIRST needed
- 1-3: NOT_FEASIBLE or major unknowns
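The scoring model above, worked end to end as an added example (not part of the original page): it applies the time-savings formula with the confidence discount, computes the weighted total, and shows how raising the risk weight to 0.5 reorders two capabilities. The capability names, the single point chosen per value band, and the proportional rescaling of the remaining weights are assumptions; the page does not specify them.

```python
DISCOUNT = {"HIGH": 1.0, "MEDIUM": 0.8, "LOW": 0.5}                 # page: Discount Factors
DEFAULT_WEIGHTS = {"value": 0.4, "risk": 0.3, "feasibility": 0.3}   # page: Default Weights

def time_savings_value(hours, rate, days, confidence):
    """Time-savings row of the translation table: Hours x Rate x Days x Discount."""
    return hours * rate * days * DISCOUNT[confidence]

def value_score(annual_value, confidence):
    """Map annual $ value onto the page's bands.
    ASSUMPTION: the page gives ranges, so each band is collapsed to one
    point here (9, 8, 5, 2); choose your own points and document them."""
    if confidence == "LOW" or annual_value < 100_000:
        return 2
    if annual_value > 10_000_000:
        return 10 if confidence == "HIGH" else 9   # 10 requires HIGH confidence
    return 8 if annual_value >= 1_000_000 else 5

def reweight(dimension, new_weight, base=DEFAULT_WEIGHTS):
    """Raise one weight and shrink the others proportionally so the sum stays 1.0.
    ASSUMPTION: the page names only the raised weight, not how the rest change."""
    rest = sum(w for k, w in base.items() if k != dimension)
    return {k: new_weight if k == dimension else w * (1 - new_weight) / rest
            for k, w in base.items()}

def weighted_total(scores, weights=DEFAULT_WEIGHTS):
    """Weighted Total; risk is the post-mitigation score, where higher means safer."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1.0 or totals are not comparable")
    if any(not 1 <= scores[k] <= 10 for k in weights):
        raise ValueError("every score must be on the 1-10 scale")
    return round(sum(scores[k] * weights[k] for k in weights), 2)

def rank(capabilities, weights=DEFAULT_WEIGHTS):
    """Capability names ordered by weighted total, highest first."""
    return sorted(capabilities,
                  key=lambda name: weighted_total(capabilities[name], weights),
                  reverse=True)

# Constructed sample capabilities (hypothetical names and scores, not from the page).
SAMPLE = {
    "doc_summarizer": {"value": 10, "risk": 4, "feasibility": 8},
    "recon_matcher": {"value": 6, "risk": 9, "feasibility": 7},
}

if __name__ == "__main__":
    print(rank(SAMPLE))                          # default weights
    print(rank(SAMPLE, reweight("risk", 0.5)))   # risk-averse weights
```

The order flips under the risk-averse weights, which is why the weight set used should be recorded alongside every weighted_total.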
Sequencing Logic
Dependency Analysis
Identify three types of dependencies:
- Technical: Capability A's infrastructure enables B
- Skill: Building A teaches team skills for B
- Governance: A establishes patterns B can follow
Build Order Principles
- Start with lowest risk - Build competency before stakes rise
- Unlock dependencies early - Don't block downstream capabilities
- Cluster similar work - Document processing skills transfer
- Space high-risk items - Don't overload governance review
Common Mistakes
| Mistake | Why It's Wrong | Do This Instead |
|---|---|---|
| "High value" without $ | Not comparable | Calculate annual $ value |
| "High risk" without range | No basis for decision | Provide $ impact range |
| Risk treated as fixed | Ignores mitigation | Assess residual risk after controls |
| Rank by single dimension | Oversimplified | Use weighted multi-factor score |
| Independent prioritization | Misses dependencies | Analyze sequencing |
| Defer = never | Loses potential value | Defer = validate then decide |
Red Flags in Your Output
If your prioritization has these, it's not ready:
- Value claims without calculation
- Risk assessment without impact range
- No mitigation analysis
- Single-dimension ranking
- No sequencing recommendation
- DONT_DO without alternative framing
- Scores without rationale
Financial Services Context
Financial services prioritization requires:
Regulatory Risk Weighting
- Compliance failures can be existential
- Weight regulatory risk higher than operational
- Reference actual enforcement precedent
Model Risk Governance
- Some capabilities require MRM approval
- Factor approval timeline into sequencing
- Higher MRM burden = longer lead time
Audit Trail Requirements
- Customer-facing AI needs more documentation
- Factor documentation overhead into feasibility
Stakeholder Communication
- CFO cares about $ value
- CRO cares about risk ranges
- COO cares about feasibility
- Board cares about strategic alignment
Prioritization Checklist
Before finalizing:
- All value claims have $ calculation with methodology
- All risks have impact range with basis
- Mitigation requirements specified for medium+ risk
- Weighted scores calculated consistently
- Tier assignment justified
- Dependencies identified
- Sequencing recommendation provided
- DONT_DO items have clear rationale