By anotb
Core GRC workflow skills for obligation mapping, control matrices, evidence binders, issue write-ups, human-review gates, and policy gap reviews.
Builds the named-row risk-control matrix that maps obligations to control objectives, control activities, owners, frequency, evidence pointers, test methods, last-test results, and open issues. Foundational primitive: compliance-testing samples against it, vendor-diligence and exit-plan reference it, exam-brief reads it, model-card-builder pulls its controls section from it. Risk function and compliance function both consume the same matrix.

Best for:
- Standing up the matrix for a process, product, or function (lending, vendor lifecycle, model lifecycle, risk-data and risk reporting, cyber-disclosure governance, consumer-compliance management).
- Refreshing an existing matrix after a regulatory change, an MRA, an audit finding, an incident, or a process redesign.
- Translating a freshly mapped obligation set into the row structure that downstream testing and review will run against.

Not the right tool when:
- The obligations have not been extracted yet. Run `obligation-mapping` first; the matrix consumes its output.
- The work is a single-control workpaper for an audit sample (use compliance-testing's `workpaper-drafter`).
- The work is drafting a finding (use `issue-writeup`).
- The work is portfolio-level coverage commentary across many matrices (the risk-committee pack, not this).

Assembles the evidence binder index for a regulatory exam, internal audit fieldwork pack, model-validation evidence pack, vendor-review pack, committee evidence pack, or issue-remediation file. One row per artifact, with system-of-record provenance, control and obligation linkage, sufficiency call, and reviewer sign-off. Reconciles a request list against the evidence on hand and surfaces the gaps before the reviewer does.

Best for:
- A compliance team building the response binder for a regulator exam against the examiner's request list (RFI).
- An internal-audit lead assembling the fieldwork evidence pack for a control-test program.
- A model-risk validator pulling the evidence pack for a model revalidation cycle under the firm's MRM frame (cadence per the firm's own policy, not assumed annual).
- A TPRM team assembling the diligence evidence file for a critical or important vendor review.
- A committee secretary compiling the evidence file behind a risk-committee or AI-risk-committee paper, where the committee will be asked "what supports this".
- A second-line owner closing an issue and indexing the remediation evidence the issue-writeup will cite.

Not the right tool when:
- The work is producing the underlying evidence: running the source-system report, executing the control test, drafting the management memo. This skill indexes evidence; it does not generate it.
- The work is drafting a finding from missing evidence (use `issue-writeup`).
- The work is the committee narrative itself (use `risk-reporting/skills/risk-committee-pack`); this skill produces the evidence index the narrative cites.
- The work is reviewing a vendor's published evidence pack against a deployment context (use `ai-governance-model-risk/skills/llm-vendor-evidence-review`).

Builds the named-gate matrix for an artifact, decision, or workflow: gate name, stage in workflow, trigger, required reviewers (with independence), required inputs, decision criteria, stop conditions, escalation path, documentation requirement, frequency, and source anchor. Foundational primitive: every output-builder skill in the repo emits an artifact that runs through one or more of these gates, and the skill exists so the gates themselves get built once and reused. Output is a gate matrix plus a one-page narrative an AI governance committee, vendor onboarding committee, model risk committee, or issue-rating committee can adopt as charter language.

Best for:
- Standing up a new committee or governance gate (AI use-case approval, vendor onboarding, model release, issue rating, customer-impact action, SAR filing approval, regulator-response sign-off).
- Auditing an existing workflow for missing or under-specified human-review gates ahead of an exam, an internal audit, or a Heightened-Standards readiness review.
- Translating a regulator-driven oversight expectation (SR 11-7 effective challenge, OCC Heightened Standards three-lines-of-defense, EU AI Act human oversight, NIST AI RMF Govern function) into firm-specific gate architecture.

Not the right tool when:
- The work is the per-instance approval memo for a specific decision (gates define the recurring review structure; the per-instance memo is downstream of the gate).
- The work is a control matrix for a process (use `control-matrix`; gates are a subset of controls but reviewed differently because the gate decision is itself the control).
- The work is the underlying artifact being gated (use `issue-writeup`, `model-card-builder`, `vendor-diligence`, etc.).
- The work is committee-meeting administration (agenda, minutes, action tracking) — that is a secretariat function, not a gate-architecture skill.

Drafts a single issue write-up using the condition / criteria / cause / effect (CCCE) structure plus severity rationale, remediation, named owner, target date, closure evidence, and evidence-gap flag. Foundational primitive: exception-analysis chains it after a control-test exception, audit findings consume it as the issue artifact, regulator-response files cite it, and the issue log keys off it. The output is a one-issue artifact written in the shape an audit committee, regulator, or issue-tracking system will accept.

Best for:
- Drafting a finding from internal audit fieldwork, a compliance test exception, a vendor-monitoring exception, a model-validation finding, or a self-identified second-line observation.
- Translating an MRA, MRIA, FINRA Letter of Caution, SEC EXAMS deficiency, NYDFS finding, or examiner-issued matter into the firm's internal issue format with traced criteria.
- Re-papering a legacy issue whose criteria, cause, or closure evidence does not stand up to current review.

Not the right tool when:
- The work is the test that produced the exception. Use `compliance-testing/skills/workpaper-drafter`; the issue is downstream.
- The work is a multi-issue summary or committee narrative. Assemble several issue-writeup outputs and use `risk-reporting/skills/risk-committee-pack`.
- The condition is unconfirmed (an observation, not a finding). Issues require a confirmed condition; observations belong in the engagement notes until confirmed.
- The work is policy-level gap analysis upstream of any specific exception. Use `policy-gap-review`.

Converts any source document (rule text, supervisory guidance, exam manual, exam request list, supervisory letter, regulator speech, internal policy, third-party SLA, contract clause) into a structured obligation register: one row per obligation, traced to source by section, with applicability, control objective, evidence required, owner, status, and open questions. Foundational primitive: control-matrix anchors its rows on this output, policy-gap-review triangulates against it, evidence-binder pulls evidence asks from it, exam-brief reads it, and almost every downstream second-line skill reaches for an obligation register at some point.

Best for:
- Standing up or refreshing the obligation register for a process, product, function, or regulatory domain.
- Converting an exam manual section or an examiner document-request list into an internal obligation set the firm can respond to row by row.
- Translating a supervisory letter, regulator speech, or interagency statement into discrete obligations and open questions.
- Mapping a third-party SLA, vendor contract, or sponsor-bank agreement to the obligations it imposes on each party.

Not the right tool when:
- Input is a discrete piece of net-new rule text being absorbed for change-management purposes (use `regulatory-change-management/skills/rule-to-obligation-extraction`; that skill is tuned for rule deltas, this one is tuned for any source).
- The mapping is from obligation to control (use `control-matrix`; this skill ends at the obligation, that skill begins from it).
- The work is a gap analysis between firm policy and obligations (use `policy-gap-review`).
- The work is drafting a finding (use `issue-writeup`).

Plugins for second-line and 1.5-line financial-services work. Skills cover what risk and compliance teams (and the advisory practitioners who support them) actually produce: scoping a review, mapping obligations, building a control matrix, drafting a model card, writing up an issue, building a vendor-diligence pack, packaging a risk-committee read, working a SAR / no-SAR file, prepping for a supervisory cycle, and so on. Skills are grounded in regulatory and standards material, with sector context (banking, capital markets, insurance, payments / fintech) loaded conditionally from the scoping record.
Built primarily for Claude (and Claude Code), but the skill files follow the open SKILL.md format and can be loaded into other agentic systems that support it: GPT, Gemini, in-house open-weights deployments, or anything else that reads agent skills. The skills are markdown plus optional schemas; the format is the standard, the work product is what travels.
The repo extends Anthropic's published financial-services plugin family. Where Anthropic's plugins cover the cross-industry first-line baseline (financial analysis, banking deal work, equity research, PE, wealth, fund admin, ops), these go deeper into US second-line and 1.5-line work and US supervisory expectations.
Second-line and 1.5-line practitioners inside regulated firms: model-risk leads (MRMO), AI governance leads, third-party risk managers (TPRM), BSA / AML officers, sanctions officers, compliance heads (CCO), fair-lending and UDAAP review teams, controls testing and internal audit teams, risk reporting and CRO-office teams, regulatory-affairs and regulatory-change teams, operational-resilience leads, fund-board secretaries, disclosure committees.
And the advisory and consulting teams running the same work for those firms.
If you work in 1.5L, 2L, or adjacent functions, the skills let Claude (or other agentic systems supporting the SKILL.md format) draft alongside you, like a colleague who knows the work and defers to your judgement on the call.
- `references/sector-overlays/<sector>.md` inside the relevant capability skill, loaded conditionally from the scoping record.
- `references/source-anchors.md` with the regulatory and standards citations they lean on. US-deep, with EU as overlay and UK as see-also.

The skill set is public-source-derived and anonymous, with no firm-specific policy baked in.
Standalone agent plugins (one-shot reviewers that orchestrate related skills end-to-end) are not in this release. The next iteration adds a maker / checker loop with genuine context-isolated subagent forking, primary-plus-critic two-agent shape, and plugin dependencies in place of bundled-skill copies. See ROADMAP.md for the target shape.
| Plugin | What it covers |
|---|---|
| risk-compliance-core | Scoping, obligation mapping, control matrices, evidence binders, issue write-ups, human-review gates, policy-gap reviews. |
| regulatory-change-management | Regulatory impact assessment, rule-to-obligation extraction, policy diffs, implementation plans, exam briefs. |
| ai-governance-model-risk | AI use-case intake, AI risk tiering, EU AI Act triage, model cards, validation plans, agentic-AI controls, board AI-risk pack, GenAI deep-dive (prompt injection, RAG eval, pre-prod review, LLM vendor evidence). |
| third-party-operational-resilience | Vendor diligence, criticality, contract-gap review, exit plans, concentration, DORA register, severe-but-plausible resilience testing. |
| compliance-testing | Test plans, control sampling, evidence requests, exception analysis, workpapers, QA review. |
| risk-reporting | Risk committee packs, BCBS 239 self-assessment, KRI commentary, SEC cyber-disclosure readiness, attestation packs, management responses to MRA / MRIA / audit findings. |
| financial-crime-governance | CDD review, EDD escalation packs, SAR-decision QA, AML model monitoring, sanctions-screening QA, negative-news triage. |
| consumer-compliance-fair-lending | Adverse-action review, fair-lending test plans, UDAAP risk review, Section 1071 readiness, complaint-theme analysis, marketing-claim review. |
npx claudepluginhub anotb/second-line-financial-services --plugin risk-compliance-core