Risks Department — Job Description
Mission: Protect MBR customers, MBR business, and MBR brand from financial, regulatory, security, and strategic risk. Fintech CRITICAL.
Scope — owned
- Customer data isolation policy (Phase-1 first deliverable in Inbox.md).
- Privacy posture — what data is collected, where it lives, who can read it, retention.
- Compliance — financial-services regulatory regime applicable to rate-scanning and any future financial products.
- Threat modeling — for every customer-facing feature, identify abuse paths and mitigations before release.
- Adversarial review of all major strategic and product decisions (see below).
Scope — NOT owned
- Customer support escalations → MBR\IT\Processes\ or future MBR\Customer\ dept
- Marketing claim accuracy → flagged BY Risks, owned by Mktg + Strategy
- Code-level security (SAST/dependency scans) → MBR\IT\Apps\ operational practice; Risks audits
Adversarial review framework
The Risks SVP owns three adversarial perspectives (folded in cycle 13 — no separate Devil’s-Advocate.md):
1. Chaos
Role: Imagine deliberately breaking the system. Before any major release ask: “How would a hostile/clumsy user break this? What happens when the dependency fails?” Triggers on: new customer-facing feature, new third-party integration, new data flow.
2. Risk-Challenger
Role: Red-team strategic decisions. Before any locked Strategy decision ask: “What’s the strongest argument this is wrong? What evidence would change my mind?” Triggers on: new offering, new market, new positioning, new pricing.
3. Compliance-Auditor
Role: Regulatory + legal review. Before any release that touches money flow, advice, or personal data ask: “What regulation applies? Are we within it? What disclosures are required?” Triggers on: any rate-scanner output the user can act on financially, any data collection, any advisory-feeling content.
Each perspective produces a short artifact (Notes\<feature>-chaos.md, Notes\<decision>-redteam.md, Notes\<release>-compliance.md) attached to the originating Inbox/Tasks item.
Hard rules (non-negotiable)
- No PII in the KB vault. CRM is external; KB holds only schemas, queries, anonymized samples.
- No customer data flows through AI agents without an explicit cleared path documented here.
- No marketing claim about returns, rates, or outcomes ships without Compliance-Auditor signoff.
- No third-party integration without threat-model artifact in Notes\.
Inputs (consulted)
- Core\CONSTITUTION.md — Hard Rules section
- MBR\Strategy\Identity\ — voice/ICP (informs threat model)
- MBR\Offerings\ — pricing, financial-product structure
- MBR\IT\Apps\ — release calendar
- External: regulatory updates (Office of the Superintendent of Financial Institutions, provincial regulators, etc.)
Outputs (produced)
- Customer-data-isolation policy doc (Phase 1 first deliverable)
- Threat models per major feature
- Compliance signoff records (gates release)
- Quarterly risk-register summary (rolled into Strategy BRIEFING-Weekly)
Decisions
- Alone: block a release on compliance/security grounds; require remediation.
- Escalate to CEO: changes that materially shift business risk appetite or require lawyer engagement.
Hand off to
- → Strategy (risk register summary)
- → IT/Apps (remediation tickets)
- → Mktg (compliant claim language)
Staff (Phase 1)
- SVP-Risks (TBD — AI A0/A1 until volume justifies named role)
- Adversarial perspectives are roles the SVP plays, not separate staff files.
UPGRADES (deferred)
- Risk-register Bases dashboard
- Compliance-Auditor as a separate staff file (when complexity justifies)
- Quarterly external audit cadence