
Risk Heatmap & Board Report Generator: Stop Rebuilding the Slide by Hand

Turn your scored risk register into a likelihood-x-impact heatmap, surface the top risks and biggest movers since last quarter, and let AI draft a board narrative your risk lead edits and approves before the pack goes out.

Beginner | An afternoon | Builds on: Next.js, Supabase, Resend

What you'll build

A web tool that imports your scored risk register, renders a likelihood-x-impact heatmap, and highlights the top risks and biggest movers. AI drafts a board/committee narrative, and your risk lead reviews and approves it. The tool then snapshots the period, emails the board pack via Resend, and exports the heatmap data and the report.


Before you start

  • A Supabase account (free)
  • A Vercel account (free)
  • A Resend account (free)
  • Your scored risk register as a CSV or Google Sheet (likelihood, impact, owner)
  • Prior-period scores (so the tool can show movement)
  • Claude Code or any AI coding agent

The problem this kills

Every quarter, the risk lead becomes a slide factory. They pull the latest scored risk register into a spreadsheet, hand-color a likelihood-by-impact grid, eyeball which risks moved up or down since last time, copy the top handful into a deck, and then write — from scratch, again — a paragraph or two of commentary for the board or risk committee. The numbers are a day old by the time the pack is finished, the "movers" are remembered rather than measured, and the narrative reads a little differently every quarter depending on who wrote it and how tired they were.

It's slow, it's manual, and it's fragile: a risk that quietly crept from amber to red gets missed, a closed risk lingers on the chart, and the story the board hears doesn't quite match the register of record. You don't need to live like this, and you don't need to be a developer to fix it.

What you'll build

A simple internal web tool. You import your scored risk register (a CSV or Google Sheet with each risk's likelihood, impact, owner, and category) along with last period's scores. The tool plots every risk on a likelihood-x-impact heatmap, ranks the top risks by score, and calculates the biggest movers since the prior period — new, up, down, and closed — instead of you remembering them. Then AI drafts a board/committee narrative: a clear, plain-language commentary on where the portfolio sits and what changed. Your risk lead reviews and edits that draft and the selected top risks, then clicks Approve. Only then does the tool freeze a point-in-time snapshot for the record, email the finished board pack via Resend, and export both the heatmap data and the report (CSV and PDF).

What's inside the Implementation Plan

The downloadable plan is a step-by-step file you paste into an AI coding agent. It opens by interviewing you about your business — what your risk register looks like, exactly how your columns are named, how you score likelihood and impact (a 3x3, a 5x5, a 1-25 product?), how you flag a risk as closed, how you store prior-period scores, who sits on your committee, and the messy edge cases your register throws — and then it tailors the data model, the heatmap bands, the movement logic, and every later step to your answers. This is not a generic template; the agent reflects a short spec back to you and waits for your thumbs-up before it builds anything. From there it walks the agent through the import, the heatmap and top-risks calculation, the period-over-period movers, the AI narrative draft, the risk-lead review-and-approve screen, the snapshot, the board-pack email, and the exports — each step with a ready-to-copy prompt. There's also a fallback so you can build the whole thing today even with no API to your GRC system.

The governance it includes (this is the point)

This is real risk-reporting tooling, so it ships with the controls a compliance function needs: login so only your team can use it, row-level security so you only ever see your own organization's risks, a complete audit trail of who edited and approved which board pack and when, a hard human-approval gate so no pack is finalized or distributed until your risk lead signs off on the commentary and the selected top risks, and duplicate guards keyed on risk ID so the same risk can't be double-counted. The AI only ever drafts — the narrative stays clearly editable and human-owned — and every published period is frozen as a snapshot so you always have the record of what the board was actually shown.

Who it's for

Risk managers, compliance officers, and quality leads who own the quarterly board or committee risk pack and are tired of hand-coloring the same heatmap and rewriting the same commentary. If you can describe how your register is scored and what your committee wants to see, you can build this.

You've got this — start with the plan, paste the first prompt, answer the interview, and you'll see your heatmap and movers light up the same afternoon.
