Risk Management Pack

End-to-end risk management workflow covering identification, assessment, mitigation, monitoring, and contingency planning. Use when managing

Stop Guessing Your Project's Exposure: Automated Risk Registers, PMBOK Alignment, and ISO 31000 Compliance

Why Manual Risk Registers Fail Before You Ship

We built the Risk Management Pack because we're tired of watching engineering teams treat risk management as a compliance checkbox rather than a control mechanism. You've seen it: a PMO sends out a template, someone fills in three rows of vague text, and that document sits in a drive until the project derails. By then, the risk register is fiction. The probabilities are guesses, the impact assessments are inflated to justify delays, and the mitigation strategies are aspirational rather than actionable.

Install this skill

`npx quanta-skills install risk-management-pack`

Requires a Pro subscription. See pricing.

When risk data is unstructured, it becomes useless for decision-making. You can't track trends if every team uses a different format. You can't automate escalation if the risk score is buried in a paragraph. You certainly can't validate that your high-risk items actually have owners assigned and contingency plans defined. The result is a false sense of security. Your roadmap looks green on paper, but you're flying blind on the actual exposure.

ISO 31000 provides the international baseline for this workflow, outlining principles and guidelines for identifying, analyzing, and treating risk [1]. Our pack operationalizes those principles into a machine-readable workflow. We enforce a standardized Risk Breakdown Structure (RBS) and require explicit fields for root causes, potential effects, and trigger conditions. This isn't about bureaucracy; it's about creating a data source that your tools and your team can actually query. If you're just kicking off a project, you should pair this with the Project Kickoff Pack to ensure your risk posture is defined from day one, not retrofitted after the architecture is frozen.

The Hidden Tax of Unvalidated Risk Data

The cost of a broken risk workflow compounds quickly. Every hour your team spends manually reconciling risk scores, chasing down missing mitigation owners, or updating stale registers is revenue lost. More critically, unvalidated risk data leads to downstream incidents. When a risk is marked "Medium" but the math shows a probability of 0.8 and an impact of 5, your team will under-invest in mitigation. That discrepancy doesn't exist in the YAML; it exists in the spreadsheet where someone manually typed the wrong number.

Without a structured process, organizations struggle to minimize losses through applied risk analysis [7]. We've seen teams burn through budget on mitigations for low-probability risks while ignoring a high-probability supply chain failure because the risk register lacked the granularity to surface it. The templates/assessment-matrix.yaml in this pack eliminates that ambiguity by defining quantitative scoring rules and escalation criteria grounded in established ISMS methodologies. It forces the math to be explicit: risk_score = probability * impact. If the recorded score doesn't match that product, the validator rejects the register.

This precision matters when you're operating in regulated environments. If your project touches compliance frameworks, the lack of standardized risk tracking can trigger audit failures. The Regulatory Compliance Pack helps bridge that gap, but you still need a robust risk foundation. When you ignore the structural integrity of your risk data, you're not just wasting time; you're accumulating technical debt in your project governance. Every unmitigated risk is a liability waiting to become a production incident.

A GenAI Project That Caught a Critical Gap via Automated Scoring

Imagine a team deploying a generative AI feature for a financial services client. The architecture involves a fine-tuned model, a retrieval-augmented generation pipeline, and a vendor-hosted inference endpoint. The team initializes the risk register using examples/enterprise-risk-register.yaml as a baseline. They populate the rbs_category fields, distinguishing between technical risks, vendor risks, and compliance risks.

During the first automated scan, scripts/analyze-risks.sh parses the register and flags a critical anomaly. A risk labeled "Model Hallucination" has a probability of 4 and an impact of 5, yielding a risk score of 20. However, the mitigation_strategy field contains only "Monitor outputs," and the contingency_plan is empty. The script also detects that the trigger_conditions are missing. The validator in validators/risk-register-schema.json rejects the update, preventing the team from committing incomplete risk data.

The team responds by linking this risk to the references/iso-42001-ai-rmf.md guidance, which details AI-specific risk treatment options. They define a concrete mitigation: implement a confidence threshold gate and a fallback to deterministic rules. They set the trigger condition to "confidence score < 0.85 on 3 consecutive queries." The risk score drops to 8 once the mitigation is recorded, reflecting the residual risk. This workflow mirrors the ISO 31000 framework structure, separating the guiding framework from the operational process to ensure consistent risk assessment [6].

Without this automation, the team might have missed the gap in the contingency plan. They might have shipped the feature, only to face a compliance review or a customer escalation when the model hallucinated on a high-value transaction. The pack caught the issue before code was written, saving weeks of rework. If your project involves security-critical components, you should also integrate the Threat Modeling Pack to cross-reference technical risks with attack vectors, ensuring your risk register reflects both operational and security exposures.
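The cross-field checks this scenario relies on (and that the next section describes again) cannot be expressed by JSON Schema typing alone, so here is an added example of the equivalent logic in Python. It is not the pack's own validators/risk-register-schema.json; the field names follow the template listed on this page, while the status enum, the category list and the sample entry are assumptions constructed for the example.

```python
"""Cross-field validation of a risk register (added example, not the pack's validator).

Field names follow templates/risk-register.yaml as described on the page.
STATUSES and CATEGORIES are assumed values; the pack's schema defines its own enums.
"""

REQUIRED = ("id", "rbs_category", "description", "root_causes", "potential_effects",
            "probability", "impact", "risk_score", "owner", "status",
            "mitigation_strategy", "contingency_plan", "trigger_conditions", "review_date")
STATUSES = {"open", "mitigating", "monitoring", "closed"}   # assumed enum
CATEGORIES = {"technical", "vendor", "compliance"}          # categories named in the scenario


def validate_risk(risk):
    """Return a list of problems for one register entry; an empty list means it passes."""
    errors = []
    # Required fields must be present AND non-empty, so "" and [] are rejected too.
    missing = [f for f in REQUIRED if f not in risk or risk[f] in ("", None, [])]
    errors += [f"{f}: missing or empty" for f in missing]
    p, i, s = risk.get("probability"), risk.get("impact"), risk.get("risk_score")
    if not all(isinstance(v, int) and 1 <= v <= 5 for v in (p, i)):
        errors.append("probability/impact must be integers on the 1-5 scale")
    elif s != p * i:
        errors.append(f"risk_score {s} != probability * impact ({p * i})")
    if risk.get("status") not in STATUSES:
        errors.append(f"status {risk.get('status')!r} not in {sorted(STATUSES)}")
    if risk.get("rbs_category") not in CATEGORIES:
        errors.append(f"rbs_category {risk.get('rbs_category')!r} not in {sorted(CATEGORIES)}")
    return errors


def validate_register(register):
    """Map each risk id to its errors; an empty dict means the register is accepted."""
    report = {}
    for risk in register:
        errs = validate_risk(risk)
        if errs:
            report[risk.get("id", "<no id>")] = errs
    return report


# Constructed entry mirroring the "Model Hallucination" case: the score is right, the plans are not.
HALLUCINATION = {
    "id": "R-001", "rbs_category": "technical", "description": "Model Hallucination",
    "root_causes": ["fine-tuned model", "RAG context gaps"], "potential_effects": ["wrong advice"],
    "probability": 4, "impact": 5, "risk_score": 20, "owner": "ml-lead", "status": "open",
    "mitigation_strategy": "Monitor outputs", "contingency_plan": "", "trigger_conditions": [],
    "review_date": "2025-01-15",
}

if __name__ == "__main__":
    for rid, errs in validate_register([HALLUCINATION]).items():
        print(rid, *errs, sep="\n  ")
```

Running it reports the empty contingency_plan and the missing trigger_conditions for R-001, which is the gap the scenario above describes; once those fields are filled and the residual probability and impact are re-entered with a matching score, the same entry passes.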

What Changes When Risk Data Becomes Machine-Readable

Once you install the Risk Management Pack, your risk workflow shifts from document-centric to data-centric. Every risk register you create is validated against validators/risk-register-schema.json before it's accepted. The schema enforces strict typing, required fields, and cross-field logic. For example, the validator ensures that risk_score equals probability * impact. It checks that status is one of the allowed enums. It verifies that rbs_category matches the defined categories. This guarantees register integrity at the source.

The templates/risk-register.yaml enforces PMI standards, requiring fields like id, root_causes, potential_effects, owner, status, mitigation_strategy, contingency_plan, trigger_conditions, and review_date. You can't skip the hard questions. The templates/mitigation-playbook.md guides your team through executing mitigations, triggering contingencies, and managing risk approval gates. It aligns with PMBOK risk monitoring processes, ensuring you have a step-by-step operational playbook for every high-score risk.

Stakeholders get visibility without digging into YAML. scripts/analyze-risks.sh parses the register and outputs a formatted markdown dashboard. It calculates aggregate metrics: high/medium/low counts, exposure index, and top risks by score. This dashboard is CI/CD-friendly. The tests/validate-register.sh test harness runs the schema validator against your register samples, asserts non-zero exit codes on failure, and reports results to your pipelines. You can block merges if the risk register is invalid.
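The aggregate metrics described above, as an added Python example rather than the pack's scripts/analyze-risks.sh. The band thresholds (high at 15 and above, medium from 8 to 14, low below 8), the exposure-index formula (sum of scores over the maximum of 25 per risk) and the sample register are assumptions; the pack's templates/assessment-matrix.yaml defines its own thresholds.

```python
"""Risk dashboard metrics (added example, not the pack's analyze-risks.sh).

Band boundaries and the exposure-index formula are assumptions for illustration.
"""

HIGH, MEDIUM = 15, 8   # assumed band boundaries on the 1-5 x 1-5 matrix
MAX_SCORE = 25         # 5 * 5, the largest possible single-risk score


def band(score):
    """Classify a score into the assumed high/medium/low bands."""
    return "high" if score >= HIGH else "medium" if score >= MEDIUM else "low"


def dashboard_metrics(register, top_n=3):
    """Return band counts, an exposure index in [0, 1] and the top-N risks by score."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for risk in register:
        counts[band(risk["risk_score"])] += 1
    total = sum(risk["risk_score"] for risk in register)
    exposure = round(total / (MAX_SCORE * len(register)), 3) if register else 0.0
    # Sort by score descending, then by id so ties render deterministically in CI.
    top = sorted(register, key=lambda r: (-r["risk_score"], r["id"]))[:top_n]
    return {"counts": counts, "exposure_index": exposure,
            "top_risks": [(r["id"], r["risk_score"]) for r in top]}


def render_markdown(metrics):
    """Render the metrics as the kind of markdown dashboard a pipeline can post."""
    lines = ["# Risk Dashboard", "", "| Band | Count |", "|---|---|"]
    lines += [f"| {b} | {n} |" for b, n in metrics["counts"].items()]
    lines += ["", f"Exposure index: {metrics['exposure_index']}", "", "## Top risks"]
    lines += [f"- {rid}: {score}" for rid, score in metrics["top_risks"]]
    return "\n".join(lines)


REGISTER = [  # constructed sample register, scores already validated upstream
    {"id": "R-001", "description": "Model Hallucination", "risk_score": 20},
    {"id": "R-002", "description": "Vendor endpoint outage", "risk_score": 12},
    {"id": "R-003", "description": "PII in RAG corpus", "risk_score": 15},
    {"id": "R-004", "description": "Staff turnover", "risk_score": 4},
]

if __name__ == "__main__":
    print(render_markdown(dashboard_metrics(REGISTER)))
```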

The pack also brings ISO 42001 AI risk management into your workflow. The references/iso-42001-ai-rmf.md file contains embedded knowledge on AI-specific risk treatment options, gap assessment checklists, and risk register categorization for generative AI systems. This is essential for projects dealing with model drift, data leakage, or hallucination risks. The pack aligns with ISO 31000's emphasis on continuous improvement and decision-making, ensuring your risk process evolves with the project [3].

For broader governance, this skill integrates seamlessly with other workflows. If you need to manage third-party exposures, the Vendor Risk Management Program Pack provides a structured approach to vendor assessment that feeds directly into your risk register. If you're designing recovery strategies, the Business Continuity Planning Pack complements your contingency plans with phase-specific recovery workflows. And if you need to automate evidence collection for audits, the Internal Audit Automation Pack can ingest your risk register to track remediation status over time.

What's in the Risk Management Pack

We've engineered this pack to be production-ready. Every file is tested, validated, and aligned with industry standards. Here is the complete manifest:

  • skill.md — Orchestrator guide detailing the end-to-end risk management workflow, explicitly referencing templates/risk-register.yaml, templates/assessment-matrix.yaml, templates/mitigation-playbook.md, references/pmbok-risk-framework.md, references/iso-42001-ai-rmf.md, scripts/analyze-risks.sh, validators/risk-register-schema.json, tests/validate-register.sh, and examples/enterprise-risk-register.yaml.
  • templates/risk-register.yaml — Production-grade YAML master risk register enforcing fields aligned with PMI standards: id, rbs_category, description, root_causes, potential_effects, probability, impact, risk_score, owner, status, mitigation_strategy, contingency_plan, trigger_conditions, and review_date.
  • templates/assessment-matrix.yaml — Quantitative/qualitative scoring framework defining 1-5 probability and impact scales, risk appetite thresholds, automated risk score calculation rules, and escalation criteria grounded in Hack23/ISMS-PUBLIC methodology.
  • templates/mitigation-playbook.md — Step-by-step operational playbook for executing mitigations, triggering contingencies, managing risk approval gates, and tracking residual risk, aligned with PMBOK risk monitoring processes.
  • references/pmbok-risk-framework.md — Canonical excerpts from PMBOK 7th Edition and PMI Practice Standard covering risk identification techniques, qualitative/quantitative analysis, risk register maintenance, monitoring risks, and managing overall project risk.
  • references/iso-42001-ai-rmf.md — Embedded knowledge from ISO/IEC 42001:2023 AI Management Systems detailing AI-specific risk treatment options, gap assessment checklists, compliance tracking, and risk register categorization for generative AI systems.
  • scripts/analyze-risks.sh — Executable bash script that parses a risk register YAML, validates structure, calculates aggregate metrics (high/medium/low counts, exposure index, top risks by score), and outputs a formatted markdown dashboard for stakeholder review.
  • validators/risk-register-schema.json — JSON Schema v7 validator enforcing strict typing, required fields, enum constraints for status/score, and cross-field logic (e.g., risk_score must equal probability * impact) to guarantee register integrity.
  • tests/validate-register.sh — Test harness that runs the schema validator against valid and invalid register samples, asserts non-zero exit codes on failure, and reports validation results to CI/CD pipelines.
  • examples/enterprise-risk-register.yaml — Worked example of a populated risk register for a complex enterprise project, demonstrating realistic RBS categorization, scoring, mitigation strategies, and contingency triggers based on real-world project profiles.

Install the Pack and Lock Down Your Project Exposure

Stop guessing your project's exposure. Start managing risk with data that's validated, standardized, and actionable. The Risk Management Pack gives you the tools to catch gaps before they become incidents, automate your risk analysis, and align with PMBOK and ISO standards without the manual overhead.

Upgrade to Pro to install the skill and integrate it into your workflow today. Your roadmap will be more accurate, your audits will be smoother, and your team will spend less time maintaining spreadsheets and more time shipping.

References

  1. ISO 31000:2018, Risk management: Guidelines. iso.org
  2. ISO 31000:2018(en), Risk management: Guidelines. iso.org
  3. The Basics of ISO 31000: Risk Management. riskonnect.com
  4. ISO 31000, Risk Management Guidelines. bsigroup.com

Frequently Asked Questions

How do I install Risk Management Pack?

Run `npx quanta-skills install risk-management-pack` in your terminal. The skill will be installed to ~/.claude/skills/risk-management-pack/ and automatically available in Claude Code, Cursor, Copilot, and other AI coding agents.

Is Risk Management Pack free?

Risk Management Pack is a Pro skill, available on the $29/mo Pro plan. You need a Pro subscription to access this skill. Browse 37,000+ free skills at quantaintelligence.ai/skills.

What AI coding agents work with Risk Management Pack?

Risk Management Pack works with Claude Code, Cursor, GitHub Copilot, Gemini CLI, Windsurf, Warp, and any AI coding agent that reads skill files. Once installed, the agent automatically gains the expertise defined in the skill.