Enterprise Risk Register & Scoring
Build your own risk register that scores inherent risk as likelihood × impact, records controls, computes residual risk, and keeps a full trail of who scored what and when — with a risk-manager approval gate before anything is published.
A working internal risk register where owners propose inherent scores and list their controls, the agent computes residual risk from your scoring scales and control logic, the risk manager reviews and approves each rating, the official register is published, owners are emailed their risks, and the whole register exports to a CSV that matches your existing columns.
Before you start
- A free Vercel account
- A free Supabase account
- A free Resend account (for owner notifications)
- Your existing risks in a CSV or Google Sheet (description, category, likelihood, impact, owner, controls)
- Your likelihood/impact scale definitions and risk appetite thresholds
The problem this kills
Most risk registers live in a spreadsheet that nobody fully trusts. Scores get overwritten with no record of who changed them or why. The likelihood and impact scales mean different things to different people. Controls are listed in one tab and the residual rating is hand-typed in another, so the math is never quite consistent. And when an auditor asks "who approved this rating, and when?" the honest answer is a shrug.
You don't need a six-figure GRC platform to fix this. You need a small, purpose-built tool that uses your scales, enforces your appetite thresholds, and keeps an honest trail.
What you'll build
A private web app for your risk team where:
- You import your existing risks from a CSV or Google Sheet.
- Each risk has a description, category, and an owner.
- The owner proposes the inherent score (likelihood × impact on your configurable scale) and lists the controls in place.
- The agent computes the residual score from your scales and your control logic.
- The risk manager reviews and approves each inherent and residual rating before it's published — no unreviewed scores ever reach the official register.
- Risks above your risk appetite threshold are flagged automatically.
- Every score change is kept as history, so you can see how a risk has moved over time.
- Owners get an email of the risks assigned to them.
- The whole register exports to a CSV in your exact columns, including inherent and residual.
What's inside the Implementation Plan
The plan is a single markdown file you paste into Claude Code. It walks the AI agent through the entire build, step by step, each step ending in a ready-to-paste prompt.
Crucially, it opens by interviewing you about your business — your current process, the systems and spreadsheets you use, your real field names and risk-ID conventions, your typical and peak volumes, your exact scoring scales and approval rules, and your messy edge cases. It then reads a short tailored spec back to you for a thumbs-up before it builds anything. You get a register shaped around how your organization actually works — not a generic template you have to bend to fit.
The governance it includes (this is the point)
This isn't a toy. The plan bakes in the controls that make a register defensible:
- Login so only your team can use the tool.
- Row-level security enforced in the database, not just the UI, so people only see their own organization's risks.
- A complete audit trail — who scored, who approved, what changed, and when.
- A hard human-in-the-loop approval gate: the owner proposes, the AI drafts the residual, and the risk manager must approve before anything is written to the official register.
- Duplicate guards keyed on your risk ID so the same risk can't be imported or scored twice.
- Score history so rating movement is visible and explainable.
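To make the scoring and governance rules above concrete, here is an added example (not code from the plan or from the generated app) of the core model: inherent = likelihood × impact on a configurable scale, residual derived from the listed controls, appetite flagging, a duplicate guard on the risk ID, the proposer/approver gate that keeps unapproved scores out of the published register, an append-only score history, and a CSV export. The 5×5 scale labels, the "each control lowers one factor by N steps" rule, the appetite threshold of 12, and the rule that a proposer cannot approve their own rating are all assumptions standing in for the values the agent interviews you for; persistence in Supabase and the Resend owner emails are out of scope here.

```python
"""Added example, not the plan's own code: an in-memory model of the
register's scoring, appetite and approval rules. Scales, the control
reduction rule, the appetite threshold and the approver check are assumptions."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed 5x5 scales; the real register uses the definitions you supply.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
APPETITE = 12  # assumed appetite: a residual score above this is flagged


@dataclass(frozen=True)
class Control:
    name: str
    reduces: str  # "likelihood" or "impact"
    steps: int    # assumed control logic: lowers that factor by N scale steps


@dataclass(frozen=True)
class Rating:
    likelihood: int
    impact: int

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def residual(inherent: Rating, controls: list[Control]) -> Rating:
    """Apply controls to the inherent rating; neither factor drops below 1."""
    lk = inherent.likelihood - sum(c.steps for c in controls if c.reduces == "likelihood")
    im = inherent.impact - sum(c.steps for c in controls if c.reduces == "impact")
    return Rating(max(1, lk), max(1, im))


@dataclass
class Risk:
    risk_id: str
    owner: str
    description: str
    category: str
    inherent: Rating
    controls: list[Control]
    residual: Rating
    proposed_by: str
    approved_by: str | None = None

    @property
    def above_appetite(self) -> bool:
        return self.residual.score > APPETITE


class Register:
    def __init__(self) -> None:
        self._pending: dict[str, Risk] = {}    # proposed, awaiting the risk manager
        self._published: dict[str, Risk] = {}  # the official register: approved only
        self.history: list[dict] = []          # append-only trail of every score event

    def _log(self, action: str, risk: Risk, actor: str) -> None:
        self.history.append({"at": datetime.now(timezone.utc).isoformat(), "action": action,
                             "risk_id": risk.risk_id, "actor": actor,
                             "inherent": risk.inherent.score, "residual": risk.residual.score})

    def propose(self, risk_id, owner, description, category, likelihood, impact, controls, by):
        # Duplicate guard keyed on your risk ID: a known risk must go through rescore().
        if risk_id in self._pending or risk_id in self._published:
            raise ValueError(f"{risk_id} already exists")
        return self._stage(risk_id, owner, description, category, likelihood, impact, controls, by)

    def rescore(self, risk_id, likelihood, impact, controls, by):
        cur = self._published[risk_id]  # KeyError for an unknown ID
        return self._stage(risk_id, cur.owner, cur.description, cur.category,
                           likelihood, impact, controls, by)

    def _stage(self, risk_id, owner, description, category, likelihood, impact, controls, by):
        inherent = Rating(LIKELIHOOD[likelihood], IMPACT[impact])  # KeyError on an off-scale label
        risk = Risk(risk_id, owner, description, category, inherent, list(controls),
                    residual(inherent, list(controls)), proposed_by=by)
        self._pending[risk_id] = risk
        self._log("proposed", risk, by)
        return risk

    def approve(self, risk_id, approver, role):
        # Human-in-the-loop gate: only a risk manager, and never the proposer (assumed rule).
        if role != "risk_manager":
            raise PermissionError("only the risk manager can approve ratings")
        risk = self._pending[risk_id]
        if approver == risk.proposed_by:
            raise PermissionError("proposer cannot approve their own rating")
        del self._pending[risk_id]
        risk.approved_by = approver
        self._published[risk_id] = risk  # a rescore replaces the prior approved version
        self._log("approved", risk, approver)
        return risk

    def published(self) -> list[Risk]:
        return list(self._published.values())

    def flagged(self) -> list[str]:
        return [r.risk_id for r in self._published.values() if r.above_appetite]

    def export_csv(self) -> str:
        cols = ["risk_id", "category", "description", "owner", "inherent", "residual", "flagged"]
        buf = io.StringIO()
        w = csv.DictWriter(buf, fieldnames=cols)
        w.writeheader()
        for r in self._published.values():
            w.writerow({"risk_id": r.risk_id, "category": r.category, "description": r.description,
                        "owner": r.owner, "inherent": r.inherent.score,
                        "residual": r.residual.score, "flagged": r.above_appetite})
        return buf.getvalue()
```

The point of the split between `_pending` and `_published` is that nothing a caller can do short of `approve()` changes what `published()` or `export_csv()` returns, and every proposal and approval lands in `history` with the scores as they stood at that moment. In the real build those two dictionaries become tables, and the "proposer cannot approve" and "risk manager only" checks belong in the database's row-level security policies as well as the UI.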
Who it's for
Risk managers, compliance leads, and ops directors maintaining an enterprise or departmental risk register — anyone who has outgrown a shared spreadsheet but doesn't want to buy and babysit a heavyweight GRC suite.
You've got this — paste the first prompt and let the agent interview you.