Overview
Guided elaboration of an ISO 31000:2018-aligned risk register: organizational context, risk criteria (likelihood/impact scales and appetite), structured register entries with cause, existing controls, consequence, treatment, residual risk, implementation deadline and owner, plus automated validation of completeness and L x I consistency.
Getting Started
Add your source materials to the project workspace, then activate the Risk Register ISO 31000 skill. The agent will guide you through the process step by step.
Example Conversation
You: We’re running a cloud migration project for our financial services company moving from on-premise to AWS. I need a risk register following ISO 31000. Key concerns are data breaches, service downtime during migration, regulatory non-compliance, vendor lock-in, and staff skill gaps.
Agent: I’ll build the register following the ISO 31000:2018 process. First I need to establish context and risk criteria before we assess risks. For context I’ll use your financial services cloud migration scope. Do you have specific risk appetite thresholds, or should I use the standard 5-point likelihood and impact scales with a treatment threshold at level 10?
You: Use the standard scales. Anything 10 or above needs treatment.
Agent: I’ve drafted the context section (scope, external and internal factors, stakeholders) and the risk criteria with 5x5 likelihood/impact scales and a treatment threshold of 10. Now I’ll create the five risk entries you mentioned with sequential IDs R-001 through R-005, each with cause, existing controls, consequence, likelihood, impact, risk level, treatment option, treatment action, implementation deadline, residual risk, owner, and review date. I’ll run `check_risk_register` afterwards to validate.
Agent: The validation tool found 5 entries, 0 errors, and 1 warning: R-005 (staff skill gaps) is rated level 9 with treatment “Modify” but has no treatment action documented yet. I’ll add a training programme as the treatment action. All other entries passed, including L x I consistency checks.
You: Change R-003 (regulatory non-compliance) from Likely to Almost Certain – we just found out about new FCA requirements.
Agent: Updated R-003: Likelihood changed from 4 (Likely) to 5 (Almost Certain), risk level updated from 16 to 20 (Critical band). Re-running `check_risk_register` to confirm. All entries valid, 0 errors, 0 warnings.
Sample Output Excerpt
Below is an excerpt from a risk register showing context, criteria, and two risk entries.
1. Context and Scope
Scope: Cloud migration project – migration of core banking applications from on-premise data centre to AWS eu-west-1.
External context: FCA regulatory requirements for data residency and operational resilience; AWS shared responsibility model; sector-wide increase in cloud-targeted attacks.
Internal context: IT team of 12; limited AWS expertise; existing ISO 27001 ISMS; board-approved migration budget of GBP 1.2M.
Stakeholders: CTO (sponsor), CISO, Head of Compliance, external auditors, AWS solutions architect.
2. Risk Criteria
Risk appetite: Risks scoring 10 or above require treatment. Critical risks (15-25) require immediate action; Retain is not acceptable without board approval.
| Likelihood | Rating | Impact | Rating |
|---|---|---|---|
| Rare | 1 | Insignificant | 1 |
| Unlikely | 2 | Minor | 2 |
| Possible | 3 | Moderate | 3 |
| Likely | 4 | Major | 4 |
| Almost Certain | 5 | Catastrophic | 5 |
3. Risk Register (excerpt)
Risk ID: R-001
- Description: Unauthorised access to sensitive customer data during or after migration
- Cause: Misconfigured IAM policies, exposed S3 buckets, or insufficient encryption in transit
- Existing controls: ISO 27001 access control policy; encryption at rest (AES-256); quarterly access reviews
- Consequence: Regulatory fines (up to 4% revenue), reputational damage, customer attrition
- Likelihood: 3 (Possible)
- Impact: 5 (Catastrophic)
- Risk level: 15
- Treatment: Modify
- Treatment action: Implement AWS Config rules for S3 public access blocking; deploy GuardDuty; add migration-specific IAM review gate before each workload cutover
- Implementation deadline: 2026-04-15
- Residual risk level: 5
- Risk owner: CISO
- Review date: 2026-06-30
Risk ID: R-004
- Description: Vendor lock-in limiting future flexibility and increasing long-term costs
- Cause: Deep integration with AWS-proprietary services (Aurora, Lambda, SQS) without abstraction layers
- Existing controls: Architecture review board; multi-cloud policy (not yet enforced)
- Consequence: Inability to migrate away; escalating costs; reduced negotiating leverage
- Likelihood: 4 (Likely)
- Impact: 3 (Moderate)
- Risk level: 12
- Treatment: Modify
- Treatment action: Adopt container-based workloads (EKS) where feasible; use Terraform for IaC; document exit strategy with cost estimates
- Implementation deadline: 2026-07-01
- Residual risk level: 6
- Risk owner: CTO
- Review date: 2026-09-30
Built-in Validation Tools
The skill includes an extension tool that checks risk register documents for structural completeness, arithmetic consistency, and ISO 31000 compliance.
What the tool checks
| Check | check_risk_register |
|---|---|
| Context / scope section | Detects context, scope, mandate, or stakeholder keywords |
| Risk criteria / appetite | Detects risk criteria, risk appetite, acceptance criteria, tolerance, or threshold keywords |
| Entry detection | Parses Risk ID patterns (e.g. R-001, PROJ-042) and extracts each entry block |
| Mandatory fields (ERROR) | Risk ID, description, likelihood, impact, risk level, risk owner – missing = ERROR |
| Mandatory fields (WARNING) | Cause, consequence, existing controls, treatment, review date – missing = WARNING |
| Scale validation | Likelihood and impact values must match expected scales (1-5 or qualitative labels) – invalid = ERROR |
| L x I consistency | Risk level must equal likelihood x impact numerically – mismatch = ERROR |
| Treatment option | Must be one of: avoid, modify, share (transfer), retain (accept) – unrecognised = WARNING |
| Treatment action | Required for all treatments except retain/accept – missing = ERROR |
| Residual risk level | Recommended for non-retain treatments – missing = WARNING |
| Implementation deadline | Recommended for non-retain treatments – missing = WARNING |
| High risk band (10-14) | Warns if treatment action is not documented |
| Critical risk band (15-25) | Errors if treatment is retain/accept without board approval |
| Duplicate IDs | Flags any Risk ID that appears more than once – duplicate = ERROR |
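As an added example (not the skill's own tool code), the checks in the table can be reduced to a short parser and validator. The snippet below implements a subset of them (mandatory fields, 1-5 scale validation with both numeric and label values, L x I consistency, and the treatment-action rule) over a constructed two-entry register written in the bullet format of the Sample Output Excerpt; field names, the `LABELS` map and the sample entries are assumptions for illustration.

```python
import re
LABELS = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5,
          "insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
MANDATORY = ("description", "likelihood", "impact", "risk level", "risk owner")
# Constructed sample, not from the page; R-002 is deliberately flawed (3 errors expected).
SAMPLE = """Risk ID: R-001
- Description: Unauthorised access to customer data during migration
- Likelihood: 2 (Unlikely)
- Impact: 4 (Major)
- Risk level: 8
- Treatment: Retain
- Risk owner: CISO
Risk ID: R-002
- Likelihood: Likely
- Impact: 3
- Risk level: 15
- Treatment: Modify
- Risk owner: CTO
"""

def parse_entries(text):
    """Split on 'Risk ID:' lines; each '- Field: value' bullet becomes a lower-cased key."""
    entries = []
    for block in re.split(r"(?m)^Risk ID:\s*", text)[1:]:
        head, *rest = block.strip().splitlines()
        fields = {"risk id": head.strip()}
        for m in filter(None, (re.match(r"\s*-\s*([^:]+):\s*(.*)", ln) for ln in rest)):
            fields[m.group(1).strip().lower()] = m.group(2).strip()
        entries.append(fields)
    return entries

def scale(raw):  # '3', '3 (Possible)' or 'Possible' -> 1..5; None if off the 1-5 scale
    m = re.match(r"\s*([1-5])\b", raw)
    return int(m.group(1)) if m else LABELS.get(raw.strip().lower())

def check_risk_register(text):
    """Return (entry_count, findings); each finding is (severity, risk_id, message)."""
    entries, findings = parse_entries(text), []
    for e in entries:
        rid, err = e["risk id"], lambda msg: findings.append(("ERROR", rid, msg))
        findings += [("ERROR", rid, f'missing field "{f}"') for f in MANDATORY if not e.get(f)]
        l, i = scale(e.get("likelihood", "")), scale(e.get("impact", ""))
        if (e.get("likelihood") and l is None) or (e.get("impact") and i is None):
            err("likelihood/impact value not on the 1-5 scale")
        lvl = re.match(r"\d+", e.get("risk level", ""))
        if l and i and lvl and int(lvl.group()) != l * i:
            err(f"risk level {lvl.group()} != likelihood {l} x impact {i}")
        t = e.get("treatment", "").lower()
        if t not in ("retain", "accept") and not e.get("treatment action"):
            err('"treatment action" is required unless treatment is retain/accept')
    return len(entries), findings
```

Running `check_risk_register(SAMPLE)` returns 2 entries and three ERROR findings, all against R-002 (missing description, 15 != 4 x 3, and Modify without a treatment action); R-001 passes cleanly.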
Example validation output
```text
======================================================================
RISK REGISTER COMPLETENESS REPORT
ISO 31000:2018
======================================================================
Document: docs/risk-register.md
Risk entries found: 5
--- FINDINGS ---
[WARNING] R-002: "residual risk level" recommended to demonstrate risk reduction after treatment (ISO 31000 clause 6.5.3).
[WARNING] R-005: missing or empty field "existing controls".
[ERROR] R-005: "treatment action" is required for treatment option "modify" (omit only when treatment is retain/accept).
--- SUMMARY ---
Entries: 5
Errors: 1
Warnings: 2
Info: 0
======================================================================
```
Run the tool on your risk register document after drafting or updating; address errors before management review.