Risk-Mitigation Action Tracker
Turn each risk's vague mitigation note into concrete actions with owners and due dates, let AI draft the breakdown, and update a risk's status only after the risk owner approves the actions and signs off each one as done — with an overdue-mitigation report that names which top risks are still exposed.
A web tool where you import your risk register and your people list, AI drafts each risk's mitigation plan into concrete actions with a suggested owner and due date, the risk owner reviews and approves the breakdown, the team tracks actions to done with the owner signing off completion, and the tool produces an overdue-mitigation report that flags high-exposure risks with no or overdue actions — plus a clean CSV export.
Before you start
- A Supabase account (free)
- A Vercel account (free)
- A risk register with mitigation notes (CSV or Google Sheet is fine)
- A list of your people / owners (CSV is fine)
- Claude Code or any AI coding agent
The problem this kills
Your risk register looks healthy until you actually try to act on it. Every risk has a "mitigation" — but it's a sentence, not a plan. "Engage backup vendor." "Add monitoring." "Train the team." Nobody owns it, nothing has a due date, and three weeks later the status is still "Open — mitigation in progress" because no one can say what "in progress" even means.
So your top risks sit there, scored red, with a paragraph of good intentions and zero movement. The PMO asks for a status and you scramble: which risks have real actions behind them? Which actions are overdue? Which high-exposure risk has no mitigation at all? You rebuild that answer by hand in a spreadsheet every steering meeting, and by the next one it's stale again.
This is exactly the kind of follow-through problem a small internal tool solves better than a register: break each mitigation into concrete, owned, dated actions, track them to done, and let the system tell you which risks are still exposed — and you don't need to be a developer to build it.
What you'll build
A simple internal web tool for your risks and their mitigations. You import your risk register (with whatever mitigation notes you already have) and your people list. For each risk, AI reads the mitigation note and drafts it into concrete actions — a short verb-first task, a suggested owner from your people list, and a suggested due date. Nothing is committed yet: it's a draft breakdown.
The risk owner reviews that breakdown on one screen, edits the actions, owners, and dates, adds or removes any, and approves. Only an approved action plan starts tracking. As work happens, owners mark actions done — and the risk owner signs off each completion before it counts, which is what moves the risk's status forward. At any moment you can pull the overdue-mitigation report: which top risks have open or overdue actions, and which high-exposure risks have no mitigation at all — and export the whole action tracker as CSV.
What's inside the Implementation Plan
The plan is a single file you paste into an AI coding agent. It opens by interviewing you about your business — how your risks are scored and what makes one "top" or "high-exposure," the exact columns and IDs in your register, how you name owners, your approval and sign-off rules, your due-date and escalation conventions, and your messiest edge cases — and then tailors the data model, the action breakdown, and every later step to your answers. This is a tracker shaped around your risk process, not a generic template.
From there it walks the agent through the database schema, importing your register and people list with duplicate guards, the AI action-breakdown drafting, the risk owner's review-and-approve screen, tracking actions to done with completion sign-off, and the overdue-mitigation report and CSV export. Every step ends with a ready-to-copy prompt. Because the whole thing runs on CSV in and CSV out, you can build and use it this afternoon even with no connection to your existing risk tool.
The governance it includes (this is the point)
This drives whether a risk is treated as controlled, so it's built like it matters: login so only your team can use it, row-level security so you only ever see your own organization's risks, and a complete audit trail of every import, draft, edit, approval, and sign-off — who did what, and when. Nothing changes a risk's status automatically: the AI-drafted action plan is a draft until the risk owner approves it, and each action's completion is a claim until the owner signs it off. Both are hard human-in-the-loop gates. Duplicate guards on (risk id + action) mean the same action can't be added twice, and a re-imported register won't create phantom duplicate risks.
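To make the two human-in-the-loop gates, the duplicate guard and the audit trail concrete, here is a small Python model of those rules. It is an added illustration, not code from the Implementation Plan or from the tool it produces, and everything in it is an assumption: an in-memory tracker stands in for the database tables and row-level security, an exposure score of 15 or more is taken as "top" (the real plan asks you for your own threshold), due dates are ISO strings, and the (risk id + action) duplicate key ignores case and extra whitespace.

```python
from dataclasses import dataclass
from datetime import date

HIGH_EXPOSURE = 15  # assumed convention for a "top" risk; the plan interviews you for yours

@dataclass
class Risk:
    risk_id: str
    owner: str          # risk owner: the only person who may approve or sign off
    exposure: int
    status: str = "open"

@dataclass
class Action:
    risk_id: str
    text: str
    owner: str          # action owner: may claim it done, but cannot sign it off
    due: date
    approved: bool = False
    done_claimed: bool = False
    signed_off: bool = False

def _key(risk_id, text):
    return (risk_id, " ".join(text.split()).lower())

class Tracker:
    def __init__(self):
        self.risks = {}      # risk_id -> Risk
        self.actions = {}    # _key(...) -> Action  (the duplicate guard)
        self.audit = []      # one record per state change: who did what

    def _log(self, actor, event, **detail):
        self.audit.append({"actor": actor, "event": event, **detail})

    def add_risk(self, actor, risk):
        # Re-importing the same risk id is skipped, not duplicated
        if risk.risk_id in self.risks:
            self._log(actor, "import_skipped_duplicate", risk_id=risk.risk_id)
            return False
        self.risks[risk.risk_id] = risk
        self._log(actor, "risk_imported", risk_id=risk.risk_id)
        return True

    def actions_for(self, risk_id):
        return [a for a in self.actions.values() if a.risk_id == risk_id]

    def draft_action(self, actor, risk_id, text, owner, due_iso):
        # A draft (AI or human) is recorded but tracks nothing until the plan is approved
        key = _key(risk_id, text)
        if key in self.actions:
            raise ValueError(f"duplicate action for {risk_id}: {text!r}")
        self.actions[key] = Action(risk_id, text, owner, date.fromisoformat(due_iso))
        self._log(actor, "action_drafted", risk_id=risk_id, text=text)

    def approve_plan(self, actor, risk_id):
        # Gate 1: only the risk owner turns drafted actions into tracked ones
        risk = self.risks[risk_id]
        if actor != risk.owner:
            raise PermissionError(f"{actor} is not the owner of {risk_id}")
        drafts = [a for a in self.actions_for(risk_id) if not a.approved]
        if not drafts:
            raise ValueError(f"nothing to approve for {risk_id}")
        for a in drafts: a.approved = True
        risk.status = "mitigation in progress"
        self._log(actor, "plan_approved", risk_id=risk_id, count=len(drafts))

    def claim_done(self, actor, risk_id, text):
        # The action owner's claim changes nothing on the risk by itself
        a = self.actions[_key(risk_id, text)]
        if not a.approved:
            raise ValueError("action is still a draft; it is not being tracked yet")
        if actor != a.owner:
            raise PermissionError(f"{actor} does not own this action")
        a.done_claimed = True
        self._log(actor, "done_claimed", risk_id=risk_id, text=text)

    def sign_off(self, actor, risk_id, text):
        # Gate 2: only the risk owner's sign-off counts, and only on a claimed action
        risk, a = self.risks[risk_id], self.actions[_key(risk_id, text)]
        if actor != risk.owner:
            raise PermissionError(f"{actor} may not sign off for {risk_id}")
        if not a.done_claimed:
            raise ValueError("nothing to sign off: action not yet claimed done")
        a.signed_off = True
        self._log(actor, "completion_signed_off", risk_id=risk_id, text=text)
        if all(x.signed_off for x in self.actions_for(risk_id)):
            risk.status = "mitigated"
            self._log(actor, "risk_status_changed", risk_id=risk_id, status="mitigated")

    def overdue_report(self, today_iso):
        # Top risks still exposed: no approved actions, or approved actions past due
        today, rows = date.fromisoformat(today_iso), []
        for r in self.risks.values():
            if r.exposure < HIGH_EXPOSURE or r.status == "mitigated":
                continue
            approved = [a for a in self.actions_for(r.risk_id) if a.approved]
            overdue = [a.text for a in approved if not a.signed_off and a.due < today]
            if not approved:
                rows.append({"risk_id": r.risk_id, "reason": "no approved actions"})
            elif overdue:
                rows.append({"risk_id": r.risk_id, "reason": "overdue", "actions": overdue})
        return rows
```

The point of the shape is that nothing writes `risk.status` except `approve_plan` and the last `sign_off`, both of which check the caller against the risk owner, and every branch that changes state also appends to `audit`. In the real tool those checks live in the database (row-level security and a unique constraint on the risk id plus action text) rather than in application code, so a bug in a screen cannot bypass them.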
Who it's for
Project managers, risk owners, PMO leads, and delivery managers who keep a risk register and are tired of mitigations that are all words and no follow-through. If you can explain how you decide a risk is handled, you can build this.
You've got this — open the plan, paste the first prompt, and let it interview you about your risks.