Zerisk Group

Independent Governance & Assurance Readiness for Automated Decision Systems

Zerisk is an independent, evidence-forward advisory practice specializing in governance and assurance readiness for automated and data-driven decision systems in regulated financial services.

As reliance on automated decisioning grows, regulators and examiners are placing greater emphasis on accountability — extending expectations beyond models and technology to the governance, controls, and evidence that support automated decision systems in practice. Zerisk translates those expectations into operational governance structures that withstand scrutiny.


01

Governance frameworks

Enforceable structures aligned to SR 11-7, NIST AI RMF, ISO 42001, and CRI FS AI RMF.

02

Control-to-evidence mapping

Explicit traceability from control objectives to examination-ready evidence artifacts.

03

Examination readiness

Programs designed so evidence is produced as a continuous byproduct of operations — not assembled reactively before an exam.

Zerisk does not provide legal advice, audit services, or compliance certifications. Work is non-audit, non-legal, and non-attestative in nature. Responsibility for decisions, controls, and outcomes remains with the organization.


Scope

Scope and Boundary of Work

Zerisk’s scope is limited to governance and assurance-readiness activities related to automated and data-driven decision systems operating in regulated environments.


In scope

  • Governance structures and accountability frameworks for automated decision systems
  • Control objectives, documentation standards, and examination-ready evidence requirements
  • Assurance-readiness support for internal audit, risk oversight, and regulatory examinations
  • Regulatory and supervisory evaluation considerations, framed through established examination and oversight practices

Out of scope

  • Legal advice or legal interpretations
  • Audit opinions or compliance certifications
  • Technology implementation or system operation
  • Model development or model validation
  • Data engineering or personnel decisions
  • Regulatory representation or examiner communication

Framework alignment

  • SR 11-7
  • NIST AI RMF
  • ISO/IEC 42001
  • COSO ERM
  • CRI FS AI RMF
  • OCC/Fed AI guidance
  • ECOA / Fair Lending

Zerisk’s work is non-audit, non-legal, and non-attestation in nature. Zerisk does not certify compliance, provide legal interpretation, assume decision-making authority, or operate client systems. Responsibility for decisions, controls, and outcomes remains with the organization.


Audience

Who Zerisk Works With

Zerisk’s work is intended for regulated organizations operating automated and data-driven decision systems, and for the oversight functions responsible for governance, accountability, and assurance readiness of those systems.


01

Risk management & enterprise risk oversight

Functions responsible for identifying, assessing, and monitoring risks associated with automated decision systems across the enterprise.

02

Compliance & regulatory affairs

Functions responsible for interpreting supervisory expectations and maintaining examination readiness for automated decisioning programs.

03

Internal audit

Teams evaluating governance design, control effectiveness, and evidence sufficiency for automated and AI-driven decision systems.

04

Model, data & decision governance

Functions responsible for oversight of automated decision logic, data usage, accountability structures, and model risk governance.

05

Second-line oversight & control functions

Functions supporting management in maintaining defensible governance and assurance practices for automated decision systems.

Zerisk’s work is designed to support these functions without assuming management, audit, legal, or decision-making authority.

Approach

Assurance-Readiness Approach

Zerisk’s approach is structured, bounded, and evidence-driven. Governance infrastructure comes first — program architecture, regulatory requirements, and control frameworks are established before applying them to individual automated decision systems. This sequencing mirrors how regulators evaluate programs.


1

Governance evaluation & baseline

Assess the current state of ADS governance against supervisory expectations. Identify gaps in structure, controls, and evidence. Establish a baseline for remediation prioritization.

2

Control & evidence architecture

Design enforceable controls aligned to regulatory expectations. Map each control to specific evidence artifacts with defined acceptance criteria, frequency, and owner roles.

3

Operational embedding

Translate governance frameworks into operating procedures and documentation standards that produce examination-ready evidence as a natural byproduct of day-to-day operations.

4

Continuous assurance & examination readiness

Support ongoing monitoring advisory, regulatory change response, and examination preparation. Evidence remains current and examiner-navigable at all times.

Framework alignment

SR 11-7 / NIST AI RMF

AI-specific risk functions and model risk governance

ISO/IEC 42001

AI management system procedures and records

COSO ERM

Enterprise risk taxonomy and board reporting

CRI FS AI RMF

Sector-specific AI governance with CO-level traceability

Work is scoped through written agreements and bounded to support internal governance and assurance-readiness objectives. Zerisk does not provide ongoing operational management, execute compliance functions, or assume regulatory, audit, or decision-making authority.

Governance

Governance & Independence

Zerisk operates under formal governance and independence principles designed to align with regulatory, audit, and assurance expectations. Structural commitments preserve objectivity and examiner credibility across all engagements.


Professional boundaries

What Zerisk does not do

  • Perform audits, attestations, or compliance certifications
  • Provide legal advice or legal interpretations
  • Assume compliance, regulatory, or decision-making authority
  • Communicate directly with regulators on behalf of clients

Internal governance

Formal operating controls

  • Independence and conflict-of-interest management
  • Public-source data usage standards
  • Client acceptance and engagement controls
  • Risk management and assurance posture

Data usage

Public analysis standards

  • Public analyses use publicly available information only
  • Client-specific information governed by contractual confidentiality
  • Private engagement data not incorporated into public materials

Kenneth Jones, MBA, CDMP

Founder & Principal, Zerisk Group

Kenneth brings 15+ years of governance and assurance experience across regulated financial services, enterprise SaaS, and data-intensive environments, with deep expertise in SR 11-7, NIST AI RMF, ISO/IEC 42001, and the CRI FS AI RMF. Prior to founding Zerisk, he supported governance and operational risk programs at Moody’s Analytics, JLL Technologies, Truist, and CBRE.

Zerisk maintains formal written policies addressing independence, data usage, client acceptance, and risk management. Supporting documentation may be made available upon request, subject to scope and confidentiality considerations.

Insights

Practitioner-grade governance briefs on how regulators and examiners evaluate automated decision systems — written for risk, compliance, and governance leaders in regulated financial services.


New · Practitioner Brief

How Regulators Evaluate Automated Decision Systems

Governance, Controls, and Assurance Readiness — Written from a Supervisory Evaluation Perspective

Governance · Examination readiness · Evidence standards · Model risk · Assurance readiness

Regulators do not evaluate automated decision systems primarily as technical artifacts — they evaluate them as end-to-end decision processes that must be governed, controlled, and supported by credible evidence. This brief describes how regulators frame, assess, and form judgments about automated decision systems in practice, covering governance structures, evidence expectations, common failure modes, and what assurance readiness looks like under examination.

Upcoming topics

  • Agentic AI governance & oversight
  • Examination readiness for model risk programs
  • CRI FS AI RMF in practice
  • Third-party AI governance

Zerisk does not comment on, assess, or draw conclusions about individual organizations. Any illustrative analysis is based solely on publicly available information and does not constitute evaluation, opinion, or assurance regarding any organization’s practices or compliance posture. Advisory work is non-audit, non-legal, and non-attestative in nature.

Engage

Work With Zerisk

Zerisk works with regulated financial services organizations where AI and automated decision systems are subject to formal oversight. If your organization is preparing for regulatory examination, building a governance program, or assessing assurance readiness for automated decision systems, we’d welcome the conversation.


Assessment & readiness review

Evaluate current ADS governance maturity against supervisory expectations and identify priority gaps.

Governance program design

Build program charter, control architecture, and evidence standards for new or maturing ADS governance programs.

Examination preparation

Prepare for regulatory examination of automated decision systems with structured response packs and evidence organization.

Continuous assurance advisory

Ongoing monitoring advisory, regulatory change response, and annual control effectiveness review.


Thank you for your inquiry.

We’ll review your message and follow up directly if there’s a fit for Zerisk’s governance and assurance-readiness work. In the meantime, the resources below may be relevant to your current work.


While you wait

01

Read the practitioner brief

How Regulators Evaluate Automated Decision Systems — a governance, controls, and assurance readiness overview written from a supervisory evaluation perspective.

02

Review the Zerisk approach

Understand how Zerisk structures governance and assurance-readiness engagements, including scope, framework alignment, and service architecture.

03

Connect on LinkedIn

Follow Zerisk Group and Kenneth Jones for regulatory signals, governance insights, and practitioner perspectives on automated decision system oversight.

Zerisk reviews inquiries to ensure alignment with its governance and assurance-readiness mandate. Advisory work is non-audit, non-legal, and non-attestative in nature.