# Risk Register ISO 31000

> Guided elaboration of an ISO 31000:2018-aligned risk register: organizational context, risk criteria (likelihood/impact scales and appetite), structured register entries with cause, existing controls, consequence, treatment, residual risk, implementation deadline and owner, plus automated validation of completeness and L x I consistency.



Tags: Risk Management, ISO 31000:2018, GRC, Risk Register, Compliance, ERM


## Example Prompts

- Create a risk register for our IT infrastructure project following ISO 31000
- Define risk criteria and populate a register with our identified operational risks
- Validate our existing risk register for completeness and L x I consistency

URL: https://rakenne.app/skills/risk-register-iso31000/index.md

Try this skill: https://rakenne.app/a/?skill=risk-register-iso31000



## Overview

Guided elaboration of an ISO 31000:2018-aligned risk register: organizational context, risk criteria (likelihood/impact scales and appetite), structured register entries with cause, existing controls, consequence, treatment, residual risk, implementation deadline and owner, plus automated validation of completeness and L x I consistency.

## Getting Started

Add your source materials to the project workspace, then activate the *Risk Register ISO 31000* skill. The agent will guide you through the process step by step.

## Example Conversation

> **You:** We're running a cloud migration project for our financial services company moving from on-premise to AWS. I need a risk register following ISO 31000. Key concerns are data breaches, service downtime during migration, regulatory non-compliance, vendor lock-in, and staff skill gaps.
>
> **Agent:** I'll build the register following the ISO 31000:2018 process. First I need to establish context and risk criteria before we assess risks. For context I'll use your financial services cloud migration scope. Do you have specific risk appetite thresholds, or should I use the standard 5-point likelihood and impact scales with a treatment threshold at level 10?
>
> **You:** Use the standard scales. Anything 10 or above needs treatment.
>
> **Agent:** I've drafted the context section (scope, external and internal factors, stakeholders) and the risk criteria with 5x5 likelihood/impact scales and a treatment threshold of 10. Now I'll create the five risk entries you mentioned with sequential IDs R-001 through R-005, each with cause, existing controls, consequence, likelihood, impact, risk level, treatment option, treatment action, implementation deadline, residual risk, owner, and review date. I'll run `check_risk_register` afterwards to validate.
>
> **Agent:** The validation tool found 5 entries, 0 errors, and 1 warning: R-005 (staff skill gaps) is rated level 9 with treatment "Modify" but has no treatment action documented yet. I'll add a training programme as the treatment action. All other entries passed, including L x I consistency checks.
>
> **You:** Change R-003 (regulatory non-compliance) from Likely to Almost Certain -- we just found out about new FCA requirements.
>
> **Agent:** Updated R-003: Likelihood changed from 4 (Likely) to 5 (Almost Certain), risk level updated from 16 to 20 (Critical band). Re-running `check_risk_register` to confirm. All entries valid, 0 errors, 0 warnings.

## Sample Output Excerpt

Below is an excerpt from a risk register showing context, criteria, and two risk entries.

---

### 1. Context and Scope

**Scope:** Cloud migration project -- migration of core banking applications from on-premise data centre to AWS eu-west-1.

**External context:** FCA regulatory requirements for data residency and operational resilience; AWS shared responsibility model; sector-wide increase in cloud-targeted attacks.

**Internal context:** IT team of 12; limited AWS expertise; existing ISO 27001 ISMS; board-approved migration budget of GBP 1.2M.

**Stakeholders:** CTO (sponsor), CISO, Head of Compliance, external auditors, AWS solutions architect.

### 2. Risk Criteria

**Risk appetite:** Risks scoring 10 or above require treatment. Critical risks (15-25) require immediate action; Retain is not acceptable without board approval.

| Likelihood | Rating | Impact | Rating |
|---|---|---|---|
| Rare | 1 | Insignificant | 1 |
| Unlikely | 2 | Minor | 2 |
| Possible | 3 | Moderate | 3 |
| Likely | 4 | Major | 4 |
| Almost Certain | 5 | Catastrophic | 5 |

### 3. Risk Register (excerpt)

#### Risk ID: R-001
- **Description**: Unauthorised access to sensitive customer data during or after migration
- **Cause**: Misconfigured IAM policies, exposed S3 buckets, or insufficient encryption in transit
- **Existing controls**: ISO 27001 access control policy; encryption at rest (AES-256); quarterly access reviews
- **Consequence**: Regulatory fines (up to 4% of annual turnover), reputational damage, customer attrition
- **Likelihood**: 3 (Possible)
- **Impact**: 5 (Catastrophic)
- **Risk level**: 15
- **Treatment**: Modify
- **Treatment action**: Enable S3 Block Public Access at the account level and enforce it with AWS Config rules; enable GuardDuty; add a migration-specific IAM review gate before each workload cutover
- **Implementation deadline**: 2026-04-15
- **Residual risk level**: 5
- **Risk owner**: CISO
- **Review date**: 2026-06-30

#### Risk ID: R-004
- **Description**: Vendor lock-in limiting future flexibility and increasing long-term costs
- **Cause**: Deep integration with AWS-proprietary services (Aurora, Lambda, SQS) without abstraction layers
- **Existing controls**: Architecture review board; multi-cloud policy (not yet enforced)
- **Consequence**: Inability to migrate away; escalating costs; reduced negotiating leverage
- **Likelihood**: 4 (Likely)
- **Impact**: 3 (Moderate)
- **Risk level**: 12
- **Treatment**: Modify
- **Treatment action**: Adopt container-based workloads (EKS) where feasible; use Terraform for IaC (portable tooling, though AWS-specific resource definitions still have to be rewritten on exit); document exit strategy with cost estimates
- **Implementation deadline**: 2026-07-01
- **Residual risk level**: 6
- **Risk owner**: CTO
- **Review date**: 2026-09-30

---

## Built-in Validation Tools

The skill includes an extension tool that checks risk register documents for structural completeness, arithmetic consistency (risk level = likelihood x impact), and alignment with the ISO 31000:2018 process. ISO 31000 is a guideline rather than a certifiable standard, so the tool checks that the register carries the elements the process expects; it does not attest compliance.

### What the tool checks

| Check | `check_risk_register` |
|-------|:---------------------:|
| **Context / scope section** | Detects context, scope, mandate, or stakeholder keywords |
| **Risk criteria / appetite** | Detects risk criteria, risk appetite, acceptance criteria, tolerance, or threshold keywords |
| **Entry detection** | Parses Risk ID patterns (e.g. R-001, PROJ-042) and extracts each entry block |
| **Mandatory fields (ERROR)** | Risk ID, description, likelihood, impact, risk level, risk owner -- missing = ERROR |
| **Mandatory fields (WARNING)** | Cause, consequence, existing controls, treatment, review date -- missing = WARNING |
| **Scale validation** | Likelihood and impact values must match expected scales (1-5 or qualitative labels) -- invalid = ERROR |
| **L x I consistency** | Risk level must equal likelihood x impact numerically -- mismatch = ERROR |
| **Treatment option** | Must be one of: avoid, modify, share (transfer), retain (accept) -- unrecognised = WARNING |
| **Treatment action** | Required for all treatments except retain/accept -- missing = ERROR |
| **Residual risk level** | Recommended for non-retain treatments -- missing = WARNING |
| **Implementation deadline** | Recommended for non-retain treatments -- missing = WARNING |
| **High risk band (10-14)** | Warns if treatment action is not documented |
| **Critical risk band (15-25)** | Errors if treatment is retain/accept without board approval |
| **Duplicate IDs** | Flags any Risk ID that appears more than once -- duplicate = ERROR |

### Example validation output

```
======================================================================
RISK REGISTER COMPLETENESS REPORT
ISO 31000:2018
======================================================================
Document: docs/risk-register.md
Risk entries found: 5

--- FINDINGS ---
  [WARNING] R-002: "residual risk level" recommended to demonstrate risk reduction after treatment (ISO 31000 clause 6.5.3).
  [WARNING] R-005: missing or empty field "existing controls".
  [ERROR] R-005: "treatment action" is required for treatment option "modify" (omit only when treatment is retain/accept).

--- SUMMARY ---
  Entries: 5
  Errors: 1
  Warnings: 2
  Info: 0
======================================================================
```

Run the tool on your risk register document after drafting and after every update (a changed likelihood or impact rating silently invalidates the stored risk level until it is recomputed); address errors before management review.


---

Back to [Skill Library](https://rakenne.app/skills/index.md)
