
Risk Register Cabinet
v0.1.0Tracks company security and operational risks with owners, likelihood-impact scores, mitigation plans, and review cadence. Keep your GRC platform as the system of record — replace the Notion risk pages, unreviewed spreadsheets, and ad-hoc risk conversations around it.
Risk Register Cabinet
agents
Risk Analyst
.agents/analyst/
Risk Lead
.agents/risk-agent/
Monthly Risk Report
0 9 1 * *
Weekly Risk Review
0 8 * * 1
2
Agents
2
Jobs
1
Depts
1
Pages
Researches new risk signals — incidents, CVEs, regulatory changes, vendor issues — drafts mitigation options, tracks remediation progress, and keeps the underlying risk files current so the Risk Lead can score and report accurately.
Orchestrates the risk register — assigning risk owners, scoring likelihood × impact, escalating overdue reviews, sequencing the Analyst's research, and publishing the monthly risk report.
Risk Register Cabinet
Two agents — a Risk Lead and an Analyst — maintain the company risk register: tracking risks by category, likelihood, impact, owner, mitigation status, and review due date. Every review cycle produces a written risk report and a refreshed heatmap.
Keep your GRC platform as the system of record. Replace the Notion risk pages nobody updates, the spreadsheets that drift from reality, and the quarterly "let's re-score everything" fire drill.
Why this cabinet
Risk registers fail for one reason: they're nobody's job. The GRC platform has the controls, but the risk narrative — what we actually fear, what we're doing about it, and who owns it — lives in a spreadsheet that's six months stale. This cabinet makes risk review a standing operation: agents sweep open risks weekly, escalate overdue reviews, and produce the monthly risk report the board actually reads.
Every artifact is a file: the risk register, review notes, mitigation updates, and the monthly report are all written to disk so you can open, version-control, and audit them.
The team
- [[.agents/risk-agent]] — Risk Lead. Orchestrates the register, assigns risk owners, scores likelihood × impact, escalates overdue items, and publishes the monthly risk report.
- [[.agents/analyst]] — Risk Analyst. Researches new risk signals (incidents, vendor changes, regulatory updates, security advisories), drafts mitigation options, and tracks remediation progress.
Recurring rhythm
| Cadence | Job | Owner | Output |
|---|---|---|---|
| Weekly (Mon 08:00) | [[.jobs/weekly-risk-review]] | Risk Lead | Overdue reviews flagged, status updates committed to /risks/, owner notifications drafted |
| Monthly (1st 09:00) | [[.jobs/monthly-risk-report]] | Risk Lead | Full risk report in /reports/YYYY-MM-risk-report.md, heatmap refreshed in the dashboard |
How to run the demo
- Open the [[risk-dashboard]] — the risk register table (title, category, likelihood × impact score, RAG status, owner, mitigation status, review due) plus the likelihood × impact heatmap matrix.
- Browse
risks/— individual risk files with full history and mitigation notes. - Check
reports/2026-05-risk-report.md— a worked example monthly risk report.
Connectors
Required: Security documentation and policies (Confluence, Notion, Google Drive), incident log / postmortems, compliance tools (Vanta, Drata). Recommended: CVE feeds / security advisories, vendor contracts (legal vault), HRIS (key-person risk), cloud infrastructure docs, Jira/Linear (remediation tickets).
$ git clone --filter=blob:none --sparse https://github.com/hilash/cabinets.git && cd cabinets && git sparse-checkout set risk-register