Board Technology & Risk Committee Immersion · Microsoft 365 Copilot
Welcome, IT leadership
A guided show-and-tell across Microsoft 365 Copilot – built around a real morning in the life of a Group CTO and the IT leadership team that supports her.
Your Q2 BTRC is on Friday morning.
You have one working morning to assemble the entire Board Technology & Risk Committee pack – peer benchmark, IT budget variance, a vendor risk review on the Skylane Cloud renewal, the BTRC slide deck, and a follow-up on last quarter's action items. We will walk through how Microsoft 365 Copilot turns that morning from triage into curation.
Audience: IT department leadership (managers to CTO)
Persona: Aisha, Group CTO
Company: Rivanta General Insurance
Goal: BTRC-ready pack by lunch
Format: Show-and-tell walkthrough
What you'll see
Research & Reasoning
Web-grounded peer benchmarks and a multi-model "council" view on top tech risks for Malaysian insurers.
Numbers & Narrative
Excel Copilot + Analyst Agent turn raw cost-centre data into a board-ready variance commentary.
Drafting at Scale
Word and PowerPoint Copilot draft a contract risk review and a 6-slide BTRC deck from your own materials.
Delegation
Cowork dispatches five follow-on tasks – meeting summary, briefing note, email, calendar invite, Teams update – in parallel.
Custom Agents
Agent Builder produces a self-service IT & Tech Policy advisor grounded in your governance documents.
Tenant-fit Patterns
Use cases mapped to the everyday work of a Malaysian general insurer – RMiT, cyber, cloud, vendor concentration, AI strategy.
How this morning is structured
Your Story: Persona & mission
Get Started: Files & setup
1. Research & Frame: Researcher · Council · Word
2. Budget & Portfolio: Excel + Analyst
3. Risk & Briefing Pack: Word · PPT · Cowork
4. IT Policy Agent: Agent Builder
Your Story
You are Aisha, Group Chief Technology Officer at Rivanta General Insurance
M365 Copilot · Group Technology
From Triage to Curation
Persona
Aisha
Group Chief Technology Officer Rivanta General Insurance
The Mission
Q2 BTRC is on Friday morning. Half-year budget overruns, a risky cloud renewal, and a Steering Committee without a self-service policy tool. Clear it all in one morning.
The Punchline
One morning. Ten tasks. From research to agent.
Ten tasks across one morning
Researcher + Word
01 Researcher · Critique
Benchmark the market
Benchmark Rivanta's tech posture against Etiqa, Allianz Malaysia, Tune Protect, and Liberty. Critique enforces citation grounding on every claim.
02 Model Council
Challenge the view
Multiple AI models assess the top technology risks for Malaysian general insurers. The cover letter flags where they agree and diverge.
03 Word Copilot
Write the brief
Export the Researcher report to Word. Copilot drafts a one-page CTO briefing note for the BTRC Chair.
Budget & Portfolio
04 Excel Copilot
Analyse & comment
YTD variance with RAG flags + a CTO board commentary in one prompt. Cost centres breaching the 10% threshold flagged for action.
05 Excel Copilot
Build the dashboard
Copilot builds a BTRC dashboard with a KPI row, a RAG bar chart, and a monthly trend line – formatted for the board pack.
06 Analyst Agent
Interrogate the data
Drop in the budget data. Pivot tables, persistent-overspend flags, and a year-end exposure projection. No setup needed.
Risk & Briefing Pack
07 Word Copilot
Find the risks
Copilot reads the Skylane Cloud contract and surfaces every HIGH and MEDIUM risk clause with RM exposure estimates.
08 PowerPoint Copilot
Build the deck
Copilot generates a 6-slide BTRC deck from your contract risk and budget findings. No slide design needed.
09 Cowork
Delegate five tasks
Five parallel tasks: meeting summary, briefing note, secretariat email, calendar invite, and a Teams update.
Build Your Agent
10 Agent Builder
Build the future
Build a custom agent grounded in your team's published policies. Choose: IT & Tech Policy Advisor, Vendor Risk Assistant, or Tech Standards Coach.
THE VALUE: One CTO. One morning. Research, analyse, review contracts, build a board deck, and deploy a custom Copilot agent – all without leaving Microsoft 365.
M365 Copilot Tools You Will Use
Copilot Chat
Research, synthesis, and cross-file reasoning. Your AI research assistant.
Published IT & Tech Governance Policies – eight sections covering capex authority, vendor risk, RMiT, cyber, AI, and project assurance.
Before we begin
Download the four files above and save them into your OneDrive · Documents/BTRC-Q2 folder so Copilot can reference them by name.
Sign in to Microsoft 365 with a Copilot-licensed account on the web app or desktop client.
Open Microsoft 365 Copilot Chat at m365.cloud.microsoft in a fresh browser tab – keep it open through the morning.
Confirm the Work scope is selected (not Web) so Copilot grounds in your tenant content unless we explicitly switch it.
How to read this guide
Copy the prompts
Every blue prompt block has a Copy button – paste straight into Copilot.
Reference files by name
Use / in Copilot Chat to attach a specific file by name rather than describing it.
Tenant-level features
Researcher and Cowork need to be enabled at the tenant level – orange notes flag where this matters.
GCSE
Goal · Context · Source · Expectation – the four moves that make every prompt sharper.
Exercise 1 · Research & Frame the BTRC
Use Microsoft 365 Copilot's research and reasoning surfaces to build the situational picture.
Tenant-level enablement. Researcher and the Model Council are advanced reasoning agents that your Microsoft 365 admin must enable at the tenant level. If you do not see them in your Agent store, ask your tenant administrator to switch them on for your group.
TASK 1 · Researcher
Benchmark Rivanta against four Malaysian peers
You want a defensible peer view to anchor the BTRC opening – RMiT compliance posture, cyber maturity, cloud adoption, AI strategy and IT spend ratios.
Where: Microsoft 365 Copilot Chat → Agents → Researcher.
I am the Group CTO of Rivanta General Insurance, a Malaysian general insurer (RM 1.4 bn GWP, ~210 IT staff). I am preparing the opening situation slide for our Q2 Board Technology & Risk Committee on Friday morning.
Benchmark our likely technology posture against four named Malaysian peers: Etiqa General Insurance, Allianz General Malaysia, Tune Protect, and Liberty Insurance Malaysia.
For each peer, give me 4–6 lines covering:
- Public signals on BNM RMiT compliance maturity (cloud risk, third-party risk, cyber resilience).
- Cloud adoption pattern (hyperscaler choice, hybrid posture, recent migrations).
- Any cyber incidents or regulatory actions in the last 24 months.
- AI / digital initiatives they have publicly signalled.
- Likely IT spend as a % of GWP if disclosed or estimable.
Then produce a 2-paragraph "implications for Rivanta" conclusion specifically framing where we are likely ahead, where we are likely behind, and the two strategic plays the BTRC should sponsor this year.
Cite every claim. Flag anything you cannot verify with at least one public source.
TASK 2 · Model Council
Stress-test the top tech risks for a Malaysian insurer
Get multiple frontier models to deliberate on the same question. Use it as a foil for your own risk register.
Where: Microsoft 365 Copilot Chat → Agents → Model Council (or "Compare models").
You are advising the CTO of a Malaysian general insurer preparing a Q2 Board Technology & Risk Committee.
Question: What are the top five technology risks a Malaysian general insurer should put in front of its board for 2026, in priority order?
For each risk:
- Name it in one short phrase.
- Explain in 3–4 lines why it matters specifically in the Malaysian / BNM RMiT context (not generic).
- Identify the leading indicator a board should track.
- Suggest the single mitigating investment the CTO should propose this year.
Have the models deliberate. Where they disagree, surface the disagreement explicitly under a section called "Where the council split".
Close with a 4-line synthesis I can paste into a slide titled "BTRC Q2 – Top 5 Technology Risks".
TASK 3 · Word Copilot
Draft the CTO briefing note for the BTRC Chair
Turn the research output into a one-page note the Chair can read in the car between meetings.
Where: Word for the web → blank document → Draft with Copilot.
Draft a one-page CTO briefing note for the Chair of the Board Technology & Risk Committee at Rivanta General Insurance, ahead of the Q2 BTRC.
Structure:
1. Headline – one sentence on where we sit going into the meeting.
2. Where Rivanta is ahead of peers – 3 bullets.
3. Where we are exposed – 3 bullets, each with a measurable indicator.
4. The two strategic plays the CTO is asking the BTRC to sponsor in 2026, with rough capex envelope.
5. The single decision we need from the Chair before the meeting opens.
Tone: confident, fact-led, no hedging adverbs. Length: under 400 words. Audience: a non-technical Chair who reads dozens of papers a week.
Use the peer benchmark and the council top-5 risks I just produced as the source material.
Exercise 2 · IT Budget Variance & Project Portfolio
Excel Copilot for the variance, the Analyst Agent for the harder reasoning underneath it.
TASK 1 · Excel Copilot
YTD variance and forward burn
From the FY26 monthly P&L (H1 actuals through 30 June filled, Jul–Dec still to come), build the standard variance view and project where each cost centre lands at year-end if the current run-rate continues.
Where: open 01_Rivanta_TechBudgetVariance.xlsx in Excel for the web → Copilot pane.
Using the Monthly_PnL sheet, do three things in order.
1. Build a YTD variance table by cost centre showing: YTD Budget, YTD Actual, Variance (RM), Variance (%), and a Status column flagged 🔴 if adverse variance > 10%, 🟠 if 5–10%, 🟢 if within 5%.
2. Identify the five cost centres with the largest adverse variance. For each, write a one-line plain-English commentary I can paste into a board slide. No numbers in the commentary that aren't already on the page.
3. Project year-end full-year exposure for each of those five cost centres using the YTD trend, and give me the total group-level overspend if nothing changes.
Format the result so I can drop it into a BTRC slide. Currency in RM. No formulas visible – values only.
TASK 2 · Excel Copilot
BTRC dashboard view
Convert the variance into a single BTRC-grade visual.
Where: same workbook → new sheet called BTRC_Dashboard.
On a new sheet called BTRC_Dashboard, produce a board-ready dashboard with three components stacked vertically:
A) A horizontal bar chart of YTD variance by cost centre, sorted from worst adverse to best, with the 10% adverse threshold marked.
B) A summary KPI strip at the top: Total IT Budget YTD, Total Actuals YTD, Group Variance %, Number of cost centres in red, Forecast year-end overspend.
C) A "Top 3 watch items" table – the three cost centres I should personally walk the BTRC through, each with a one-line "what happened" and a one-line "what we're doing about it".
Make it print-friendly to A4 landscape.
TASK 3 · Analyst Agent
Why are these cost centres persistently over budget?
The Analyst Agent goes beyond Excel Copilot – it reasons across the data and explains itself. Use it for the harder "so what" question.
You are my tech finance analyst. Cross-reference the Monthly_PnL sheet with the ProjectStatus sheet.
Answer in this order:
1. Which cost centres have a persistent adverse variance – adverse in 3 or more of the last 6 months – versus those that just had a single bad month?
2. For each persistent overspender, identify which strategic projects in ProjectStatus are charging into that cost centre, and whether their RAG status, % complete, or any narrative line items hint at the root cause (scope creep, vendor unit-rate increase, RMiT remediation, cyber incident response, etc.).
3. Group the findings under three causes:
- Demand-driven (volume/scope went up – defensible)
- Supply-driven (vendor or unit cost went up – challengeable)
- Run-the-bank (BAU drift – fixable)
4. Tell me the year-end exposure for each cause and the three actions I should table at the BTRC to bring the group back under 5% adverse by Q4. Show your reasoning.
Exercise 3 · Risk Review & Briefing Pack
Word, PowerPoint, and Cowork – drafting and delegation in one motion.
TASK 1 · Word Copilot
Risk-review the Skylane Cloud managed services contract
Legal flagged the renewal but you want the risk view in your own voice – and grounded against your own governance policies.
Where: open 02_Rivanta_VendorContract.docx in Word → Copilot pane.
I am the CTO. Review this Skylane Cloud Solutions managed services contract for risks that the Rivanta Board Technology & Risk Committee should care about.
Produce your output as a 5-row risk table with columns: Clause #, Issue (one line), Risk rating (High/Medium/Low), Quantified exposure if you can, Recommended position.
Specifically check for:
- Termination & auto-renewal notice periods (our policy is 90 days).
- Pass-through fees and audit rights on cost increases.
- Data ownership and rights to derived data.
- Audit and inspection rights on the supplier (RMiT outsourcing requirement).
- Liability cap as a multiple of annual fees (our policy is 12 months minimum).
Below the table, write a 3-line "CTO recommendation": do we sign as drafted, sign with conditions, or send back for renegotiation – and what are the deal-breakers.
Match the tone of an internal risk paper, not a legal brief.
TASK 2 · PowerPoint Copilot
Generate the BTRC deck
A six-slide pack the Chair can walk through in 15 minutes.
Where: PowerPoint for the web → blank deck → Create with Copilot.
Create a 6-slide BTRC deck for Rivanta General Insurance, Q2 FY26.
Slide titles, in order:
1. Where we sit – peer benchmark headline + 3 bullets.
2. Top 5 technology risks for 2026 – from the model-council synthesis.
3. IT budget at the half – RM 90.6 M FY26 plan, RM 45.3 M H1 budget vs actuals – variance KPI strip + 3 watch cost centres.
4. Skylane Cloud renewal – risk view – pull the 5-row risk table from my Word doc into a slide.
5. The two strategic plays we are asking the BTRC to sponsor – capex envelope per play.
6. What we need from the Board today – three explicit decisions.
Use a clean corporate look – navy and red accents, no stock imagery, no clip art. Speaker notes on every slide in my voice (first person, declarative). The deck is for an audience of one Chair plus six NEDs; assume technically literate but time-poor.
Tenant-level enablement. Cowork is an agent that runs follow-on tasks in the background while you keep working. It must be enabled at the tenant level – if you do not see Cowork in your Agent store, your administrator can switch it on.
TASK 3 · Cowork
Delegate five follow-on tasks in parallel
The deck is done. Cowork now picks up the housekeeping in parallel while you grab a coffee.
Where: Microsoft 365 Copilot Chat → Agents → Cowork.
Run these five tasks in parallel and bring me the outputs.
1. Meeting summary – read 03_Rivanta_BTRCMeeting_Transcript.docx from last quarter. Produce a 1-page summary: decisions taken, open action items by owner, and which actions are at risk of slipping past Q2.
2. Briefing note for the Chair – distil the Skylane risk review I just finished in Word into a half-page note: the headline risk, the quantified exposure (in RM), and the deal-breaker clause. The Chair will read this in the car.
3. Email to the BTRC secretariat – pre-circulate the deck. Subject line, 4-line body, attachment named explicitly. Cc the COO. Tone: professional, no exclamation marks.
4. Calendar invite for the Skylane renegotiation – Tuesday next week, 14:00–15:30 KL time, in-person at HQ Boardroom 2 if possible. Invitees: Head of Procurement, Head of Legal, Head of Cloud Platform, CFO. Body: 3 bullets on what we'll cover.
5. Teams message to the Tech Steering Committee – short note that BTRC pre-reads are out, the budget conversation will land Tuesday, and that the Skylane renewal is now on hold pending renegotiation. Two paragraphs, no jargon.
Exercise 4 · IT & Tech Policy Advisor
Stop being the help desk for your own policies. Build a self-service agent in five minutes.
Why this agent
Half of the questions that hit your inbox from project managers, vendors, and steering committee members are policy questions you have already answered in writing. Threshold for capex approval. Single-source procurement rules. Cloud region restrictions. RMiT outsourcing notification windows. The published Tech Governance Policies cover all of it. Building an agent that answers from those policies turns the inbox from a queue into a fallback.
STEP 1 · Describe
Describe the agent in plain English
Where: Microsoft 365 Copilot Chat → Create agent (or Copilot Studio Agent Builder).
Build me an agent called "Rivanta Tech Policy Advisor".
It is for project managers, vendor managers, and Tech Steering Committee members at Rivanta General Insurance.
It answers questions about our published IT & Technology Governance Policies – capex approval thresholds, procurement rules, vendor risk requirements, cloud and data residency, change management, cyber baseline, RMiT-aligned outsourcing notifications, and the project assurance gates.
Tone: direct, plain English, no jargon, no hedging. Always cite the section number from the policy document. If a question is not covered by the policies, say so explicitly and route the user to the right human owner.
Greeting: "Hi – I'm the Rivanta Tech Policy Advisor. I answer from our published IT & Tech Governance Policies. What do you need to check?"
STEP 2 · Configure knowledge
Ground the agent in your policy document
Add the published Tech Governance Policies as the agent's knowledge source.
In the agent setup pane, open the Knowledge section.
Select 04_Rivanta_TechGovernancePolicies.docx from your OneDrive.
Set scope to only this file – we want the agent grounded, not creative.
Save and wait for indexing to complete.
STEP 3 · Test & share
Three real Steering Committee questions
Use the test pane on the right of the Agent Builder to put these three prompts in. The third one is deliberately tricky – it spans procurement and vendor risk.
I have a project requiring RM 350,000 capex over two years for a single piece of infrastructure. Who approves it, what's the paperwork, and how long should I expect the approval to take? Cite the policy section.
I want to single-source a vendor for a specialist core-system migration tool. The contract value is RM 180,000 over 18 months. Is single-sourcing allowed at this value? What approvals do I need and what evidence must I file? Cite the policy section.
The vendor I want to onboard is offering a liability cap of 6 months of fees in their standard managed-services contract. Does this comply with our governance policies? If not, what is the minimum acceptable position, and who can approve a deviation? Cite the policy section.
Once you are happy with the answers, click Share in the top right and publish to the Tech Steering Committee group.
What just happened. You built, grounded, tested, and published a policy advisor – without writing a single line of code, and without leaving the Microsoft 365 Copilot interface. The same pattern works for the Underwriting Authority Matrix, the Claims Handling Manual, the Information Security Standards – anywhere you have a stable document and recurring questions.
Use Cases
Five scenarios across Group Technology and five across Procurement & Vendor – every prompt tagged with the GCSE moves it uses.
1 · Monthly tech budget commentary for the GCEO
Turning the cost-centre run into a board-grade narrative every month, not just at quarter-end.
Goal · Context · Source · Expectation
Write a 3-paragraph monthly IT budget commentary for the GCEO of Rivanta General Insurance, using 01_Rivanta_TechBudgetVariance.xlsx. Cover: where we sit YTD, the two cost centres I am personally watching, and what changes by next month. Plain English, no IT acronyms, under 250 words.
2 · Capex business case for a new core insurance platform
Anchoring the investment story for a 5-year platform replacement.
Goal · Context · Source · Expectation
Draft the executive summary of a capex business case for a new core policy administration platform at Rivanta General Insurance. We are a Malaysian general insurer with RM 1.4 bn GWP. Indicative envelope: RM 110 M over 5 years. Audience: Group Investment Committee. Cover the strategic rationale, the alternative options considered, the headline business case (NPV, payback, capability uplift), the key risks, and the decision asked. Tone: declarative. Length: under 600 words. Use the peer benchmark and the council top-5 risks I produced earlier as supporting context.
3 · Cyber posture briefing – pre-board
A CISO-grade brief in CTO voice ahead of the BTRC.
Goal · Context · Source · Expectation
Produce a 1-page cyber posture brief for the BTRC of Rivanta General Insurance. Sections: 1) external threat landscape for Malaysian general insurers (last 90 days, cite sources); 2) our current control coverage versus the BNM RMiT minimums; 3) top three open items from internal audit and external pen test; 4) the three things the Board should be reassured about; 5) the one thing the Board should be worried about. Under 500 words. Frame in the voice of the CTO addressing the Chair.
4 · RMiT self-assessment refresh
Annual self-assessment letter to BNM – first draft from policy + evidence.
Goal · Context · Source · Expectation
I need to refresh the annual RMiT self-assessment for Rivanta General Insurance. Use 04_Rivanta_TechGovernancePolicies.docx as the policy baseline. For each of the eight policy sections, draft a 4–5 line statement of how our practice meets the BNM RMiT requirement, what the evidence is, and where we have remaining gaps. Output as a structured table I can hand to Risk & Compliance for sign-off.
5 · AI strategy – the 1-page narrative
A defensible position before someone else writes one for you.
Goal · Context · Source · Expectation
Draft a one-page AI strategy narrative for Rivanta General Insurance, written by the CTO for the Board. Cover: 1) where AI realistically helps a Malaysian general insurer in the next 18 months (underwriting, claims triage, fraud, customer service, internal productivity); 2) what we will not chase and why; 3) our governance posture (BNM expectations, model risk, data residency); 4) the three concrete pilots we will run this year and the success measures. Plain English, under 500 words, no buzzwords.
1 · Cloud vendor due diligence pack
Standardising the diligence question set before any cloud RFP closes.
Goal · Context · Source · Expectation
Generate a cloud vendor due diligence questionnaire for Rivanta General Insurance aligned to BNM RMiT outsourcing and cloud requirements. Group questions under: data residency & sovereignty, security architecture, business continuity & exit, sub-contracting transparency, audit rights, regulatory cooperation, financial viability, and ESG. Each question must be answerable as evidence, not as opinion. Output as a numbered table I can paste into our RFP template.
2 · Vendor renewal strategy – annual review
A repeatable lens for every renewal that hits the Steering Committee.
Goal · Context · Source · Expectation
Build a vendor renewal review template for Rivanta General Insurance's Tech Steering Committee. Sections: contract summary at a glance, performance against SLAs, commercial trend (3-year), strategic alignment, RMiT outsourcing rating, exit readiness, and the four-option recommendation (renew as-is / renegotiate / multi-source / replace). Each section in 3–4 lines max. Designed to be filled in for any vendor renewal in under 90 minutes.
3 · IT spend analysis by category
A category view across the IT spend base – not just cost centre.
Goal · Context · Source · Expectation
Using 01_Rivanta_TechBudgetVariance.xlsx, produce an IT spend analysis grouped by category: cloud & infrastructure, application licensing, professional services, telco, cyber, and people cost. For each category give YTD spend, % of total, year-on-year direction, and the single supplier dependency to watch. Add a 4-line commentary on where the largest concentration risk sits.
4 · RMiT-aligned outsourcing notification – first draft
The first cut of a notification letter to BNM, every time.
Goal · Context · Source · Expectation
Draft a first-cut BNM RMiT outsourcing notification letter for a new cloud-hosted core insurance platform we intend to onboard at Rivanta General Insurance. Cover: nature of the arrangement, materiality assessment, due diligence summary, risks identified and mitigations, exit and contingency arrangements, and Board approval status. Length: 2 pages. Tone: regulatory correspondence. Use 04_Rivanta_TechGovernancePolicies.docx Section 5 (Vendor & Outsourcing Risk) as the framing reference.
5 · Tender evaluation – core platform RFP
A defensible evaluation matrix for the largest tender of the decade.
Goal · Context · Source · Expectation
Build a tender evaluation matrix for a core insurance platform RFP at Rivanta General Insurance. Weighting: functional fit 30%, technical architecture 20%, vendor viability 10%, implementation track record 15%, total cost of ownership over 7 years 15%, regulatory & RMiT alignment 10%. For each weighted line, list the 3–5 evidence-based scoring sub-criteria. Output as a scorable spreadsheet structure with explicit pass/fail thresholds for the regulatory line.
Prompting Tips
The four moves that make every Copilot prompt sharper – and a small library to copy from.
The GCSE framework
Every strong prompt names four things. Skip any one and the response gets vaguer.
G – GOAL
What you want produced
Output type, length, format, audience, decision it enables. "A 1-page CTO briefing note" beats "summarise this".
C – CONTEXT
Who you are and where you sit
Your role, the company, the meeting, the constraint. Copilot gets specific when you do.
S – SOURCE
The material to ground in
Reference files by name with /, name the policy section, paste the data – don't make Copilot guess.
E – EXPECTATION
The standard to hit
Tone, voice, format, citations, what to leave out. The most-skipped move.
Prompt library – copy & adapt
Take a position
Add "Don't list both sides – give me the position you would defend, and the one assumption it depends on."
Force evidence
Add "Cite every claim. Mark anything you cannot verify with a public source as [unverified]."