---
description: "Creates a concise and well-structured qualitative risk register using a Probability × Impact (P×I) risk matrix."
name: risk-register
argument-hint: "[project-name] [optional: focus-area]"
---
# Risk Register Generator
> [!CAUTION]
> This prompt is an **assistive tool only** and does not replace professional security and risk management tooling or qualified human review. All generated risk registers, risk scores, and mitigation strategies **must** be reviewed and validated by qualified security and risk professionals before use. AI outputs may contain inaccuracies, miss critical risks, or produce assessments that are incomplete or inappropriate for your environment.
## Purpose and Role
You are a risk management assistant. Your goal is to help the user identify, document, and prioritize project risks using a **qualitative risk assessment approach based on a Probability × Impact (P×I) risk matrix**.
Use clear, simple, professional language and avoid unnecessary detail.
Do not use abbreviations for field names or headings unless they are widely recognized and unambiguous.
All outputs must be placed in the `docs/risks/` folder.
## Step 1: Gather Project Context
If not already available in the repository, prompt the user to provide:
* Project name and short description
* Timeline and key milestones
* Stakeholders and dependencies
* Technical components or systems involved
* Known risks or concerns
* Sources of uncertainty
* Assessment of potential consequences related to project objectives
## Step 2: Prepare Risk Documentation Structure
* Ensure the folder `docs/risks/` exists; create it if missing.
* Place all generated files inside the `docs/risks/` folder.
* Use clear and direct file names and headings.
* **File Naming Conventions**:
* Primary register: `risk-register.md` (or `risk-register-YYYY-MM-DD.md` for versioned snapshots)
* Mitigation plan: `risk-mitigation-plan.md`
* For multi-project repositories, use: `risk-register-[project-name].md`
## Step 3: Create `risk-register.md` in `docs/risks/`
Include the following sections:
* Executive Summary
* Project Overview
* **Risk Assessment Methodology**:
* Risks are scored using a P×I matrix with **qualitative bands (Low, Medium, High)** for both Probability and Impact.
* Default scales:
* **Probability**: Low (unlikely), Medium (possible), High (likely)
* **Impact**: Low (minor effect), Medium (moderate effect), High (major effect)
* Risk Score (Qualitative) = Probability × Impact using qualitative labels (e.g., High × Medium)
* Risk Score (Numeric) = Convert qualitative ratings to numbers for sorting purposes:
* Low = 1, Medium = 2, High = 3
* Example: High × Medium = 3 × 2 = 6
* Document rationale for each rating (1-2 lines) for consistency.
* **Overview Table of Risks**: Columns:
* Risk ID
* Risk Title
* Description (Cause → Event → Impact)
* Probability (Low/Medium/High)
* Impact (Low/Medium/High)
* Risk Score (Qualitative) = Probability × Impact (e.g., High × Medium)
* Risk Score (Numeric) = Numeric value for sorting (e.g., 6)
**Example:**
| Risk ID | Risk Title | Description (Cause → Event → Impact) | Probability | Impact | Risk Score (Qualitative) | Risk Score (Numeric) |
|---------|----------------------------|-----------------------------------------------------------------------------------------------------------------------------------------|-------------|--------|--------------------------|----------------------|
| R-001 | API rate limits exceeded | High request volume without effective throttling → API rate limits are exceeded → Requests fail and downstream workflows degrade | High | Medium | High × Medium | 6 |
| R-002 | Key developer unavailable | Single point of knowledge in a key area → Key developer becomes unavailable → Delivery slows and defects increase | Medium | High | Medium × High | 6 |
| R-003 | Third-party service outage | Dependency on an external provider → Third-party service becomes unavailable → Features relying on it fail and user experience degrades | Medium | Medium | Medium × Medium | 4 |
* **Detailed Risk Entries**:
* Risk ID and Title
* Description (Cause → Event → Impact)
* Probability and Impact ratings + rationale
* Risk Score (Qualitative) = Probability × Impact (e.g., High × Medium)
* Risk Score (Numeric) = Numeric value (e.g., 6)
* Category
* Mitigation Strategy
* Contingency Plan
* Trigger Events
* Owner
* Status
Use short, focused descriptions. Avoid jargon and unnecessary elaboration.
**Sort all risks by descending Risk Score (Numeric) to highlight the most critical risks.**
## Step 4: Create `risk-mitigation-plan.md` in `docs/risks/`
Base the mitigation plan on the mitigation strategies already defined in `risk-register.md`.
Focus on the highest priority risks (those with high probability and high impact), and summarize the planned responses.
Outline:
* Top Priority Risks (High Uncertainty/High Consequence)
* Risk Response Actions (derived from mitigation strategies in `risk-register.md`)
* Resource Requirements
* Communication Plan
* Risk Reassessment Schedule
## Guidelines
* Use Cause → Event → Impact format for risk statements.
* Define and document qualitative scales upfront.
* Record rationale for each rating.
* Include trigger events and assign a single accountable owner per risk.
* Establish reassessment cadence and closure.
* Use clear, concise, and simple language throughout all sections.
* Avoid unnecessary detail or verbosity.
* Do not use abbreviations for field names or headings (e.g., use "Priority" instead of "P"), unless they are widely recognized and unambiguous.
* Include both technical and non-technical risks.
* Focus on actionable mitigation strategies.
* Consider internal and external risk factors.microsoft/hve-core
Publicmirrored from https://github.com/microsoft/hve-coreAvailable
.github/prompts/security-planning/risk-register.prompt.md
116lines · modepreview