---
name: risk-register-builder
description: Build a risk register that identifies, rates, and plans mitigations for what could go wrong. Use this skill whenever a user wants to assess risks, build a risk register or risk matrix, plan for what could go wrong on a project or in the business, or says 'what are the risks', 'build a risk register', or 'we need a risk assessment'. Trigger whenever risks need to be surfaced, prioritized, and assigned mitigations before they materialize.
---

# Risk Register Builder

## What this does and why it matters
Risks that are named and rated get managed; risks that live in someone's gut become emergencies. This skill builds a risk register that identifies what could go wrong, rates each by likelihood and impact, and assigns a mitigation and an owner, so the team spends its worry budget on the risks that actually deserve it.

## Inputs to gather
1. The project, initiative, or area being assessed.
2. Known concerns and any past incidents.
3. Who owns which areas, for assigning mitigations.

## Method

### 1. Identify risks broadly, then focus
Surface the plausible risks across categories (operational, financial, people, technical, external, compliance), then focus on the ones worth managing. Breadth first so nothing obvious is missed.

### 2. Rate likelihood and impact
Score each risk on likelihood and impact (a simple high/medium/low or 1 to 5 each). The product of the two scores gives a priority, so attention goes to high-likelihood, high-impact risks rather than dramatic-but-improbable ones.

### 3. Plan a response per risk
For each meaningful risk, choose a response: mitigate (reduce likelihood or impact), avoid, transfer (insure or outsource), or accept. A vague "keep an eye on it" is not a response.

### 4. Assign owners and triggers
Every managed risk gets an owner and, where useful, a trigger or early-warning signal that says "act now".

### 5. Separate the watchlist
Low-priority risks go on a watchlist rather than cluttering the active register, so focus stays on what matters.

## Output format
ALWAYS produce:

# Risk Register: [Project / Area]
## Register (risk | likelihood | impact | priority | response | owner | trigger)
## Top risks (the few that most need attention)
## Watchlist (low priority, monitor only)
## Assumptions

## Anti-patterns to avoid
- Listing risks with no likelihood or impact rating, so all look equal.
- Responses that are just "monitor" with no action.
- No owner, so no one actually manages the risk.
- Fixating on dramatic low-probability risks while ignoring likely ones.

## Example
For a system migration, the register rates data loss as high impact, low likelihood with a tested-backup mitigation owned by engineering, and timeline slip as high likelihood, medium impact with a phased-rollout response, while minor risks sit on a watchlist.
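
The method applied to this migration example, as an added Python example that is not part of the original skill: it scores each risk, splits off the watchlist, and flags the anti-patterns listed above. The numeric mapping of high/medium/low, the `WATCHLIST_MAX` cut-off, the function names, and the sample rows (including the owners and trigger not stated above) are assumptions made for illustration.

```python
from dataclasses import dataclass

SCALE = {"low": 1, "medium": 2, "high": 3}      # assumed numeric mapping
RESPONSES = {"mitigate", "avoid", "transfer", "accept"}
WATCHLIST_MAX = 2                                # assumed cut-off, tune per team

@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    response: str = ""
    owner: str = ""
    trigger: str = ""

def priority(risk):
    """Likelihood x impact, or None when either rating is missing or invalid."""
    if risk.likelihood not in SCALE or risk.impact not in SCALE:
        return None
    return SCALE[risk.likelihood] * SCALE[risk.impact]

def lint(risk):
    """Anti-patterns from the list above that one managed risk exhibits."""
    checks = [(priority(risk) is None, "unrated"),
              (risk.response not in RESPONSES, "no real response"),
              (not risk.owner, "no owner")]
    return [msg for failed, msg in checks if failed]

def build_register(risks):
    """Return (active by descending priority, unrated first; watchlist; findings)."""
    active, watchlist, findings = [], [], {}
    for r in risks:
        p = priority(r)
        if p is not None and p <= WATCHLIST_MAX:
            watchlist.append(r)          # monitor only, no owner required
            continue
        active.append(r)
        if lint(r):
            findings[r.name] = lint(r)
    active.sort(key=lambda r: priority(r) or 99, reverse=True)
    return active, watchlist, findings

# Constructed sample data based on the migration example.
SAMPLE = [
    Risk("data loss", "low", "high", "mitigate", "engineering", "restore test fails"),
    Risk("timeline slip", "high", "medium", "mitigate", "project lead"),
    Risk("outdated vendor docs", "low", "low"),
    Risk("key engineer leaves", "medium", "high", "monitor"),
]
```

Calling `build_register(SAMPLE)` puts timeline slip ahead of data loss, moves the low/low entry to the watchlist, and reports the "monitor"-only, ownerless entry as a finding.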
