
Risk-to-Control Mapping & Gap Finder

Link every risk to the controls meant to mitigate it, then surface the dangerous gaps — risks with no control, controls with no owner, and high residual risks leaning on weak controls — so your mitigation effort goes where it actually matters.

Level: Intermediate
Time: A weekend
Builds on: Next.js (App Router) on Vercel; Supabase (Postgres, Storage, Auth + RLS); Resend (email)
What you'll build

A private internal tool that imports your risks and controls, suggests and validates the links between them, flags the gaps that put you at risk, lets you approve the official mapping behind a human gate, emails gap owners, and exports both the approved mapping and a prioritized gap list.

Gated download

Enter your email — the plan downloads instantly and a copy lands in your inbox.

By submitting your email you'll also receive the weekly runbookify newsletter. You can unsubscribe at any time.

Before you start

  • A risk register you can export to CSV or Google Sheet
  • A control inventory (control, owner, type, frequency) as CSV or Sheet
  • No coding experience required

The problem this kills

You have a risk register. You have a pile of controls. And you have a nagging suspicion that they don't actually line up — that some of your scariest risks are "covered" by a control nobody owns, a control that runs once a year, or no control at all.

Most teams check this with a heroic spreadsheet that goes stale the moment it's saved. Cross-referencing every risk against every control by hand is slow, error-prone, and impossible to keep current. So the gaps hide. And gaps in risk coverage are exactly the things that turn into incidents, audit findings, and uncomfortable board conversations.

This tool finds those gaps for you — and keeps a clean, auditable record of which links are real and approved versus which are just AI suggestions waiting for your sign-off.

What you'll build

A private web app, just for your team, that:

  • Imports your risk register and your control inventory from CSV or a Google Sheet.
  • Uses AI to suggest and validate the links between risks and controls (a single risk can have many controls; a single control can cover many risks — handled cleanly).
  • Surfaces the dangerous gaps: risks with no control, controls with no owner, and high residual risks that lean only on weak controls.
  • Keeps AI suggestions strictly separate from the official, approved mapping — nothing is "real" until you say so.
  • Lets the risk manager review and approve the mapping and the remediation priorities behind a human gate.
  • Emails gap owners their items via Resend.
  • Exports both the approved mapping and a prioritized gap list as clean CSVs.

What's inside the Implementation Plan

A complete, paste-and-go runbook written for a non-coder. You paste the whole thing into Claude Code (an AI coding agent) and it builds the tool with you, step by step.

The best part: the plan opens by interviewing you about your business. Before it writes a line of code, the agent asks how your risk register is structured, what your controls look like, how you score residual risk, what "weak control" means in your world, and where your messy edge cases live. Then it reflects a short tailored spec back to you, gets your thumbs-up, and shapes the data model, the gap rules, and every later step around your answers — not a generic template.

Inside you'll find: the discovery interview, the exact stack, an architecture diagram, and copy-paste prompts for each build step — from import, to AI link suggestions, to the gap engine, to the approval gate, to email and export. Plus a "No API yet?" fallback so you can build the whole thing today using only spreadsheets.

The governance it includes (this is the point)

This isn't a toy. The plan bakes in the controls a risk and compliance team actually needs:

  • Login, so only your team can use the tool.
  • Row-level security, so people only ever see their own organization's data.
  • A complete audit trail — who approved which link, who changed which priority, and when.
  • A hard human-in-the-loop approval gate — the AI drafts the mapping and the gap list; a person reviews and approves; only then is it committed as the official record.
  • Duplicate guards — the same risk-control link can't be created twice (dedupe key = risk-id + control-id).
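As an added illustration (not code from the runbookify plan), a minimal gap engine in Python that applies the three gap rules above to risk and control rows, keys links on risk-id + control-id so the same link cannot exist twice, and counts only human-approved links as coverage by default; the sample rows, the residual-score threshold and the definition of a weak control are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Risk:
    risk_id: str
    residual: int              # assumed 1..5 residual score
@dataclass(frozen=True)
class Control:
    control_id: str
    owner: Optional[str]       # None means nobody owns the control
    ctype: str                 # "automated" or "manual"
    frequency: str             # "continuous", "monthly" or "annual"

def is_weak(c: Control) -> bool:
    # Assumed definition of "weak": a manual control that only runs annually.
    return c.ctype == "manual" and c.frequency == "annual"

def dedupe_links(links, approved_only=True):
    """Index links by (risk_id, control_id), the dedupe key; by default only
    human-approved links count, so AI suggestions never leak into coverage."""
    mapping = {}
    for risk_id, control_id, approved in links:
        if approved_only and not approved:
            continue
        mapping.setdefault((risk_id, control_id), approved)
    return mapping

def find_gaps(risks, controls, links, approved_only=True):
    """Return sorted (gap_type, id) pairs for the three gap classes."""
    by_id = {c.control_id: c for c in controls}
    covering = {}
    for risk_id, control_id in dedupe_links(links, approved_only):
        covering.setdefault(risk_id, []).append(by_id[control_id])
    gaps = []
    for r in risks:
        cs = covering.get(r.risk_id, [])
        if not cs:
            gaps.append(("NO_CONTROL", r.risk_id))
        elif r.residual >= 4 and all(is_weak(c) for c in cs):
            gaps.append(("HIGH_RISK_WEAK_CONTROL", r.risk_id))
    gaps += [("NO_OWNER", c.control_id) for c in controls if not c.owner]
    return sorted(gaps)

# Constructed sample data: one duplicate suggestion and one unapproved link.
RISKS = [Risk("R1", 5), Risk("R2", 2), Risk("R3", 4)]
CONTROLS = [Control("C1", "alice", "automated", "continuous"),
            Control("C2", None, "manual", "annual"),
            Control("C3", "bob", "manual", "annual")]
LINKS = [("R1", "C1", True), ("R1", "C1", False),   # duplicate of an approved link
         ("R2", "C1", False), ("R3", "C3", True)]   # R2 has only an AI suggestion
```

Calling find_gaps(RISKS, CONTROLS, LINKS) flags R2 (no approved control), R3 (high residual, only an annual manual control) and C2 (no owner); passing approved_only=False shows how counting unapproved suggestions would hide the R2 gap.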

Who it's for

Risk and compliance managers who suspect their controls don't actually cover their top risks — and who want proof, not a hunch. If you own a risk register and a control inventory and you've ever wondered "are we actually covered?", this is for you. No developer needed.

You've got this — paste the first prompt and let the agent interview you.
