Identifies threats and vulnerabilities, evaluates likelihood and impact on a 3x3 risk matrix, maps findings to a compliance framework (NIST CSF 2.0 by default, or one you specify), and recommends risk treatment options with prioritization guidance.

From document to output

Describe your environment

Provide a system description, asset inventory, questionnaire answers, or policy documents

Assets are classified

Data and systems are classified by sensitivity (regulated, business-critical, internal, public)

Threats are identified

The skill identifies reasonable threats and the vulnerabilities they could exploit

Risks are scored

Each finding is rated on a 3x3 likelihood/impact matrix and mapped to your target framework

Treatment is recommended

Remediate, accept, transfer, or avoid, with specific prioritized mitigation steps for each finding

What you get back

Every finding is structured JSON: status, evidence, risk level, and remediation in one package. No interpretation required before acting on it.

Example response
{
  "risk_id": "RSK-001",
  "asset_or_system": "Remote Access Portal / EHR Database",
  "asset_classification": "regulated_data",
  "threat_event": "Credential compromise via phishing or brute force",
  "likelihood_score": 3,
  "impact_score": 3,
  "risk_score": 9,
  "risk_level": "high",
  "risk_treatment": "remediate",
  "recommended_mitigation": [
    "Implement MFA for all remote access connections",
    "Restrict remote access to trusted devices or VPN"
  ]
}
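A consistency check for findings in the shape above, added here as an example and not part of the skill itself: it recomputes the 3x3 likelihood/impact product, compares risk_score and risk_level against it, checks the classification and treatment values, and flags a remediate decision that lists no mitigation steps. The low/medium/high band thresholds and the snake_case classification names are assumptions; the page only shows that a 3x3 finding is "high".

```python
import json

# Assumed enumerations, derived from the page's prose and its sample record.
CLASSIFICATIONS = {"regulated_data", "business_critical", "internal", "public"}
TREATMENTS = {"remediate", "accept", "transfer", "avoid"}
# Assumed banding of the 3x3 product (possible values 1, 2, 3, 4, 6, 9);
# the page only shows that a 3x3 finding is "high".
BANDS = {1: "low", 2: "low", 3: "medium", 4: "medium", 6: "high", 9: "high"}
REQUIRED = ("risk_id", "asset_or_system", "asset_classification", "threat_event",
            "likelihood_score", "impact_score", "risk_score", "risk_level",
            "risk_treatment", "recommended_mitigation")


def risk_level(likelihood: int, impact: int) -> str:
    """Map a likelihood/impact pair on the 3x3 matrix to a risk band."""
    if not (1 <= likelihood <= 3 and 1 <= impact <= 3):
        raise ValueError("likelihood and impact must each be 1..3")
    return BANDS[likelihood * impact]


def validate_finding(finding: dict) -> list:
    """Return the consistency problems in one finding (empty list = coherent)."""
    missing = [k for k in REQUIRED if k not in finding]
    if missing:
        return [f"missing fields: {missing}"]
    try:
        expected = risk_level(finding["likelihood_score"], finding["impact_score"])
    except (ValueError, TypeError) as exc:
        return [f"bad scores: {exc}"]
    product = finding["likelihood_score"] * finding["impact_score"]
    problems = []
    if finding["risk_score"] != product:
        problems.append(f"risk_score {finding['risk_score']} != {product}")
    if finding["risk_level"] != expected:
        problems.append(f"risk_level {finding['risk_level']!r}, matrix says {expected!r}")
    if finding["asset_classification"] not in CLASSIFICATIONS:
        problems.append(f"unknown classification {finding['asset_classification']!r}")
    if finding["risk_treatment"] not in TREATMENTS:
        problems.append(f"unknown treatment {finding['risk_treatment']!r}")
    if finding["risk_treatment"] == "remediate" and not finding["recommended_mitigation"]:
        problems.append("remediate chosen but no mitigation steps listed")
    return problems


def validate_batch(raw_json: str) -> dict:
    """Validate a JSON array of findings; returns {risk_id: problems} for bad ones only."""
    return {f.get("risk_id", "?"): p for f in json.loads(raw_json) if (p := validate_finding(f))}
```

Run validate_batch over the skill's JSON output before feeding findings into a tracker, so a record whose score, level or treatment disagree with its own inputs is caught rather than acted on.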

Two ways to run this skill

Risk Assessment SKILL.md

Install as an MCP server in Claude Code, or download the SKILL.md and use it as a system prompt with any LLM. Runs the full methodology against documents you provide. Apache 2.0. No account required.

Seven more skills in the methodology.

HIPAA Gap Analysis, BAA Review, Framework Mapping, Control Assessment, Risk Assessment, Compliance Q&A, Compliance Posture Intake, and Document Finder. All open source under Apache 2.0.