
Risk Review Cadence & Owner Attestation: Keep Your Risk Register Alive

Put your risk register on a schedule — prompt each owner to confirm or update their risks as they come due, let the risk manager approve every score and control change, and keep dated attestation evidence audit-ready all year.

Level: Beginner · Time: An afternoon · Builds on: Next.js, Supabase, Resend
What you'll build

A web tool that schedules every risk's review, emails each owner when theirs is due, collects their confirm-or-update response, lets the risk manager approve score and control changes before the official register moves, then logs a dated attestation, sets the next review date, and exports a review-cycle evidence CSV.

Gated download

Enter your email — the plan downloads instantly and a copy lands in your inbox.

By submitting your email you'll also receive the weekly runbookify newsletter. You can unsubscribe at any time.

Before you start

  • A Supabase account (free)
  • A Vercel account (free)
  • A Resend account (free)
  • Your risk register as a CSV or Google Sheet (risks, owners, scores, review frequency)
  • Claude Code or any AI coding agent

The problem this kills

Your risk register was beautiful the day it was built. Then it sat. Six months later, half the risks are out of date, nobody remembers whether that score still holds, the "new control" someone mentioned in a meeting never made it in, and the next time the auditor asks "when did the owner last review this?" you have no answer. So you fire off a frantic round of emails, chase the same three people who never reply, and rebuild the register from memory the week before the audit.

The register isn't the problem. The cadence is. Risks need to be revisited on a schedule by the people who own them — quarterly, monthly, whatever you set — and someone needs to keep proof that it happened. Doing that by hand across a spreadsheet and an inbox is exactly the kind of nagging, repetitive, evidence-gathering grind that quietly eats your week. You don't need to live like this, and you don't need to be a developer to fix it.

What you'll build

A simple internal web tool. You import your risk register (risks, owners, current scores, controls, and each risk's review frequency). The tool puts every risk on a schedule and, as each one comes due, emails the owner a short prompt: is this risk still valid? Has the likelihood or impact changed? Any new or retired controls? The owner answers right in the tool — and "no change" is a valid, recorded answer, not silence. Their proposed updates land in a queue for the risk manager to review and approve. Only after approval does the official register move: the score or control change is committed, a dated attestation is logged (who attested, what they said, when), and the next review date is set automatically. Owners who don't respond get escalated, you can watch your review-completion percentage climb, and at the end you export a clean review-cycle evidence CSV for the auditor.

What's inside the Implementation Plan

The downloadable plan is a step-by-step file you paste into an AI coding agent. It opens by interviewing you about your business — what your register looks like today, the exact columns and naming you use, how you score risks (1–5? high/medium/low? a 5×5 heat map?), each risk's review frequency, who the owners are, your escalation rules, and your messy edge cases — and then it tailors the data model, the scoring fields, and every later step to your answers. This is not a generic template; the agent reflects a short spec back to you and waits for your thumbs-up before it builds anything. From there it walks the agent through the import, the review scheduler, the owner attestation form, the manager review-and-approve queue, the register update with automatic next-review scheduling, the escalation and completion tracking, and the evidence export — each step with a ready-to-copy prompt. There's also a fallback so you can build and run the whole thing today even with no API to your GRC system or register-of-record.

The governance it includes (this is the point)

This is risk and compliance tooling, so it ships with the controls an auditor expects to see:

  • login, so only your team can use it
  • row-level security, so you only ever see your own organization's risks
  • a complete audit trail of every prompt sent, every owner attestation, and every manager approval, with who and when
  • a hard human-approval gate, so no score or control change touches the official register until the risk manager signs off
  • duplicate guards keyed on risk-id + review-cycle, so the same risk can't be attested twice in one cycle

Every attestation — including "no change" — is stored with a date and owner, so your evidence file is always ready before the audit, not scrambled together after the request.
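To make those controls concrete, here is an added Postgres/Supabase schema sketch (example code, not the runbookify plan's own) showing how the org-scoped row-level security, the duplicate guard, and the human-approval gate fit together. Table and column names, the `org_members` role table, and the `'2025-Q2'` cycle label are assumptions.

```sql
-- Assumed: org_members links a Supabase user to an org and a role.
create table org_members (
  org_id uuid not null, user_id uuid not null references auth.users(id),
  role text not null check (role in ('owner', 'risk_manager')),
  primary key (org_id, user_id)
);
create table risks (
  id uuid primary key default gen_random_uuid(),
  org_id uuid not null, owner_id uuid not null references auth.users(id),
  title text not null,
  likelihood int not null check (likelihood between 1 and 5),
  impact int not null check (impact between 1 and 5),
  review_frequency_days int not null, next_review_date date not null
);
create table attestations (
  id uuid primary key default gen_random_uuid(),
  risk_id uuid not null references risks(id),
  review_cycle text not null,             -- e.g. '2025-Q2' (constructed label)
  owner_id uuid not null references auth.users(id),
  response text not null check (response in ('no_change', 'update')),
  proposed_likelihood int, proposed_impact int,
  attested_at timestamptz not null default now(),
  approved_by uuid references auth.users(id), approved_at timestamptz,
  unique (risk_id, review_cycle)          -- duplicate guard: one attestation per risk per cycle
);
-- Row-level security: a user sees only their own organization's risks.
-- No UPDATE policy is created, so clients cannot move the official register directly.
alter table risks enable row level security;
create policy risks_org_isolation on risks for select
  using (org_id in (select org_id from org_members where user_id = auth.uid()));
-- Human-approval gate: only a risk manager of the same org can commit a change, and
-- only through this function (SECURITY DEFINER is what lets it bypass the missing policy).
create or replace function approve_attestation(p_attestation_id uuid)
returns void language plpgsql security definer as $$
declare a attestations%rowtype;
begin
  select * into a from attestations where id = p_attestation_id for update;
  if not found then raise exception 'attestation % not found', p_attestation_id; end if;
  if a.approved_at is not null then
    raise exception 'attestation % already approved', p_attestation_id;
  end if;
  if not exists (select 1 from org_members m join risks r on r.org_id = m.org_id
                 where r.id = a.risk_id and m.user_id = auth.uid() and m.role = 'risk_manager') then
    raise exception 'only a risk manager of this organization may approve';
  end if;
  update attestations set approved_by = auth.uid(), approved_at = now()
   where id = p_attestation_id;
  update risks r set likelihood = coalesce(a.proposed_likelihood, r.likelihood),
                     impact = coalesce(a.proposed_impact, r.impact),
                     next_review_date = current_date + r.review_frequency_days
   where r.id = a.risk_id;
end $$;
```

The `attestations` table needs its own RLS policies along the same lines (owners insert their own rows, managers read their org's), and a "no_change" row with null proposed scores still passes through `approve_attestation`, which is what makes it a recorded answer rather than silence.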

Who it's for

Risk managers, quality leads, and compliance officers who own a risk register and are tired of nagging owners by email and rebuilding the thing before every audit. If you can describe how your risks get scored and how often each one should be reviewed, you can build this.

You've got this — start with the plan, paste the first prompt, answer the interview, and you'll watch your first review cycle go out the same afternoon.
