Risk Register & Likelihood × Impact Scoring

Build an internal risk register that scores every risk by likelihood × impact, plots them on a heatmap, ranks by exposure, and tracks mitigation owner and target date — so your team works the top risks, not the loudest voice in the room.

Intermediate | A weekend | Builds on: Next.js (App Router) on Vercel, Supabase (Postgres, Storage, Auth + RLS), Resend (email)

What you'll build

A live, login-protected risk register where you import risks, auto-compute score and rank, see a likelihood × impact heatmap, have each risk owner review or override the score with a reason, and publish an approved register you can export as CSV.

Before you start

  • A risk list you can export to CSV or keep in a Google Sheet
  • Your likelihood and impact scales (e.g. 1–5) and your scoring matrix
  • Free Vercel, Supabase, and Resend accounts (the plan walks you through them)

The problem this kills

Most risk registers are a spreadsheet that goes stale the moment the kickoff meeting ends. Risks get a "High / Medium / Low" gut-feel label, the loudest person's pet worry jumps the queue, and nobody can tell you which five risks actually deserve attention this week. When the steering committee asks "what's our top exposure?" you're rebuilding the answer by hand — and two people score the same risk three different ways.

This tool replaces the gut feel with a consistent, defensible number. Every risk is scored the same way (your likelihood scale × your impact scale), ranked by exposure, and plotted on a heatmap everyone can read at a glance. The risk owner still has the final word — they review each computed score and can override it, but only with a written reason — so the register stays honest and auditable.

What you'll build

A small web app, just for your team, that:

  • Imports your risk list from a CSV or Google Sheet (no integration required to start).
  • Computes a score for each risk as likelihood × impact, using your scales and matrix — not a generic 1–5 someone else picked.
  • Ranks risks by exposure so the top of the list is always the work that matters most.
  • Draws a likelihood × impact heatmap — the classic red/amber/green grid — with every risk plotted in its cell.
  • Tracks mitigation owner and target date, plus inherent vs. residual risk (before and after your controls).
  • Routes each risk to its owner for review. They approve the computed score and rank, or override it with a mandatory reason.
  • Publishes an approved register and exports it back to CSV in exactly the columns your PMO or system of record expects.

What's inside the Implementation Plan

The plan is a single file you paste into an AI coding agent (Claude Code), which then builds the tool with you, step by step.

It opens by interviewing you about your business — your current risk process, who owns what, the scales and matrix you actually use, your field names and risk-ID format, your typical and peak number of risks, your approval rules, and your messy edge cases (shared risks, risks that span projects, "accepted" risks you still want tracked). It reflects a short tailored spec back to you and waits for your thumbs-up before it builds anything. You get a register shaped to your governance, not a template you have to bend yourself into.

From there it walks through the database, the import, the scoring engine (configurable scales and matrix), the heatmap, the owner review-and-override gate, the approved/published view, and the CSV export — each step ending in a ready-to-paste prompt.

The governance it includes (this is the point)

  • Login so only your team can open the register.
  • Row-level security so each organization or project only ever sees its own risks.
  • A complete audit trail — who imported, who scored, who overrode and why, and when.
  • A human-in-the-loop approval gate: the tool computes the score and proposed rank, but nothing is published until the risk owner reviews and approves (or overrides with a written reason).
  • Duplicate guards that dedupe on your risk ID so the same risk can't be imported and scored twice.

Who it's for

Project managers, risk owners, PMO and governance leads, and sponsors who want one trustworthy view of "what should we be worried about, in order." If you can keep a risk list in a spreadsheet, you can run this.

You've got this — paste the first prompt and let the agent interview you.
