---

name: risk-register
description: "Build and maintain a project or product risk register. Use when asked to create a risk register, identify project risks, build a risk matrix, or document risks and mitigations for a programme. Produces a complete risk register with likelihood/impact scoring, RAG status, ownership, and prioritised mitigations."

Risk Register Skill

This skill produces a complete risk register for a project, programme, or product. Output follows standard risk management practice with likelihood × impact scoring, RAG status, a risk heat map, and specific mitigation and contingency plans. Ready to share with a project board, steering committee, or programme office.

Required Inputs

Ask the user for these if not provided:

• Project or product name
• Project stage (discovery / delivery / launch / live / programme-level)
• Key objectives — what is the project trying to achieve?
• Known risks — anything already on the team's radar (even informal concerns count)
• Key dependencies — external vendors, teams, systems, or regulatory approvals
• Deadline or milestone sensitivity — are there hard dates that cannot move?
• Audience — who will read this? (internal team / executive steering / external board / regulator)

Output Structure

---

Risk Register: [Project / Product Name]

Project stage: [Discovery / Delivery / Launch / Live / Programme]
Version: [1.0]
Owner: [PM / Programme Manager / Risk Lead]
Last reviewed: [Date]
Next review: [Date — recommend weekly during delivery, monthly during discovery]
Status: [Active / Archived]

---

1. Risk Scoring Framework

Likelihood (L)

Score	Label	Definition
5	Almost certain	>80% probability of occurring
4	Likely	60–80% probability
3	Possible	40–60% probability
2	Unlikely	20–40% probability
1	Rare	<20% probability

Impact (I)

Score	Label	Definition
5	Critical	Programme failure, regulatory breach, major financial loss, safety event
4	High	Significant schedule delay (>4 weeks), scope reduction, reputational damage
3	Medium	Moderate delay (1–4 weeks), cost overrun, reduced quality
2	Low	Minor delay (<1 week), manageable cost increase
1	Negligible	Minimal impact, easily absorbed

Risk Score = L × I

Score	RAG	Action
20–25	🔴 Critical	Immediate escalation; active management required
12–19	🔴 High	Owner-assigned mitigation; weekly review
8–11	🟡 Medium	Mitigation planned; fortnightly review
4–7	🟡 Low	Monitor; monthly review
1–3	🟢 Negligible	Accept; review if context changes

---

2. Risk Register

ID	Risk	Category	L	I	Score	RAG	Owner	Status	Mitigation	Contingency	Review date
R01	[Risk description — be specific: "Third-party API may not support required volume, causing X to fail"]	[Schedule / Technical / Resource / Commercial / Compliance / External]	[1–5]	[1–5]	[L×I]	🔴/🟡/🟢	[Name]	[Open / Mitigating / Closed]	[What are we doing to reduce likelihood or impact?]	[What do we do if it happens?]	[Date]
R02	[...]	[...]	[...]	[...]	[...]	[...]	[...]	[...]	[...]	[...]	[...]

---

3. Risk Categories — Common Risks by Type

Use these to prompt risk identification. Add, remove, or customise for your project.

Schedule & Delivery

• Key milestone depends on a dependency that has not confirmed availability
• Team capacity reduced by planned or unplanned absence during critical period
• Technical complexity is underestimated — story points consistently overrun
• External approval (regulator, legal, procurement) takes longer than planned

Technical

• Integration with a third-party system not yet prototyped or agreed
• Existing technical debt makes the change harder or riskier than estimated
• Security or compliance review required before launch has not been scoped
• Performance under production load untested
• Key technical knowledge held by one person (single point of failure)

Resource & People

• Key SME or engineer leaving or unavailable during critical phase
• Budget not confirmed for Phase 2 of the project
• Stakeholder sponsor changes role or leaves the organisation
• Team not yet at full capacity (hiring lag, access issues, onboarding time)

Commercial & Financial

• Vendor or partner contract not yet signed
• Cost estimate based on assumptions that have not been validated
• Revenue or savings case depends on assumptions outside the team's control
• Currency exposure or exchange rate risk for international projects

Compliance & Regulatory

• Data privacy impact assessment (DPIA) not yet complete
• Regulatory approval required and timeline is uncertain
• GDPR, HIPAA, SOC 2, or sector-specific compliance requirement not yet mapped
• Legal review of terms of service or contracts pending

Stakeholder & Adoption

• Key user group has low awareness or motivation to adopt the change
• Internal resistance from a team that will be affected by the change
• Executive sponsor not consistently engaged — decisions are slow
• Communications plan not yet agreed with change management team

External

• Market or competitive change could undermine the business case
• Macroeconomic conditions affect budget or priority
• Supplier or infrastructure provider risk (e.g. cloud provider, hardware)
• Geopolitical or regulatory environment change

---

4. Risk Heat Map

Plot risks by likelihood (Y axis) and impact (X axis):

         │  Low     Medium    High    Critical
         │  (1)      (2-3)    (4)      (5)
─────────┼────────────────────────────────────
Almost   │  🟡        🟡       🔴       🔴
certain  │
(5)      │
─────────┼────────────────────────────────────
Likely   │  🟡        🟡       🔴       🔴
(4)      │
─────────┼────────────────────────────────────
Possible │  🟢        🟡       🟡       🔴
(3)      │
─────────┼────────────────────────────────────
Unlikely │  🟢        🟢       🟡       🟡
(2)      │
─────────┼────────────────────────────────────
Rare     │  🟢        🟢       🟢       🟡
(1)      │

[Plot each risk ID on this grid — e.g. R01 lands at L4/I5 = 🔴 Critical]

---

5. Top Risks — Executive Summary

For steering committee or board-level reporting:

Rank	Risk	Score	RAG	Owner	Mitigation status
1	[Most critical risk — plain English description]	[X]	🔴	[Owner]	[Active / Planned / Not started]
2	[...]	[...]	🔴	[...]	[...]
3	[...]	[...]	🟡	[...]	[...]
4	[...]	[...]	🟡	[...]	[...]
5	[...]	[...]	🟡	[...]	[...]

Decisions required from steering:

• [Any risk that requires budget, scope, or timeline decision to mitigate]

---

6. Risk Changes Since Last Review

Risk ID	Change	Detail
[R03]	Score increased	[L moved from 2 → 4 — vendor confirmed delay in API availability]
[R07]	Risk closed	[Legal sign-off received on 12 May]
[NEW]	New risk identified	[R09 — budget freeze announcement affects Phase 2 funding]

---

7. Risk Closure Criteria

A risk is closed when:

• The risk event can no longer occur (e.g. milestone passed, contract signed), OR
• The residual risk score drops to Negligible (1–3) AND the team formally accepts it, OR
• The risk has materialised and transitioned to an issue (tracked separately)

Issues log: [Link to issues log — risks that have materialised and are now active problems being managed]

---

Quality Checks

• Every risk has a specific owner — not "the team" or "TBD"
• Mitigations describe what is actively being done — not "monitor and review"
• Contingency plans exist for all Critical and High risks
• Risk descriptions are specific — "vendor may be late" is not specific enough; name the vendor and the dependency
• Register has been reviewed in the last [X] days
• Closed risks are archived, not deleted — they provide audit trail
• Risks are distinguished from issues — a risk is something that might happen; an issue is something that has happened

Example Trigger Phrases

• "Build a risk register for our product launch"
• "Create a risk matrix for [project name]"
• "What risks should I document for a data migration project?"
• "Generate a risk register for our steering committee"
• "Help me identify and score risks for our Q3 delivery plan"

Anti-Patterns

• Do not assign risks to "the team" or "TBD" — every risk must have a named individual owner
• Do not write mitigations as "monitor and review" — mitigations must describe what is actively being done to reduce likelihood or impact
• Do not delete closed risks — they provide an audit trail; archive them instead
• Do not confuse risks with issues — a risk is something that might happen; an issue is something that has already happened
• Do not leave Critical or High risks without a contingency plan — what happens if the mitigation fails must be documented