AI for Risk Registers
Most risk registers fail as writing before they fail as risk management: entries like ‘resourcing’ or ‘IT risk’ that name a topic instead of describing what might happen, why, and what it would cost. AI is remarkably good at fixing exactly that — turning vague worry into structured cause-event-impact statements, suggesting mitigations you can assess, and keeping fifty entries consistent. What it cannot do is know how worried you should be. Scoring is judgement; judgement is yours.
Why this task matters
Registers exist so organisations worry deliberately instead of reactively — but the tool only works if entries are specific enough to act on and current enough to trust. In practice registers rot: written once for the audit, scored by gut feel that varies by author, reviewed annually with mounting embarrassment. The frustration is that maintaining good risk writing across dozens of entries is exactly the kind of consistency work humans do worst and resent most.
The traditional workflow
- Workshop or hallway conversation surfaces worries
- Someone translates worries into register entries, tersely
- Scores assigned by feel; mitigations written as intentions (‘monitor closely’)
- The register sleeps between review meetings
- Reviews re-litigate wording instead of discussing risk
How AI can help
Draft
- Cause-event-impact rewrites: ‘Because [cause], [event] may occur, resulting in [impact]’ — from your rough entries
- Candidate mitigations for each risk, split into preventive and reactive, for your assessment
- The plain-English risk summary for audiences who won’t read the register
Summarise
- A long register into the top movements for the executive summary
- Incident reports and project lessons into candidate risks for consideration
Analyse
- Consistency sweeps: duplicate risks worded differently, impacts described at different scales
- Completeness against categories: ‘this register has nothing on key-person or information risks — prompts for the workshop, not auto-additions’
- Change analysis between reviews: what moved, what’s stale, which mitigations have no owner
What must stay human
How likely and how severe are judgements about your organisation’s reality — its controls, its history, its people — and AI has none of that context; every score is human. Risk appetite is a leadership decision. Which suggested mitigations are feasible, funded and genuinely owned is management, not text generation. And accountability is structural: a risk without a human owner isn’t managed, whatever the register says.
Traffic light assessment
Rewriting descriptions into cause-event-impact structure; consistency sweeps. Pure writing quality over content you provide; every improvement is visible and checkable.
Suggesting mitigations and candidate risks. Useful prompts for human assessment — but adopting a mitigation is a resourcing decision, and adding a risk is a judgement that it’s real here, not just plausible somewhere.
Scoring likelihood and consequence; setting appetite; risks naming individuals or sensitive matters. Scores drive decisions and audits — they encode organisational judgement AI doesn’t possess. Sensitive entries (fraud concerns, individual performance) follow confidentiality red lines absolutely.
Example prompt
For the register-quality overhaul — the highest-value single use:
Rewrite the risk entries below into consistent cause-event-impact form: ‘Because [cause], [event] may occur, resulting in [impact].’ Rules: preserve my meaning exactly — sharpen wording, never add causes or impacts I haven’t stated; where an entry is too vague to restructure (like ‘IT risk’), don’t guess — return it with the two or three questions I’d need to answer to make it specific. Then flag any entries that appear to be duplicates of each other. Do not score anything. [paste register entries]
The risks
The seductive failure here is outsourced worry: a register full of fluent AI-suggested risks and mitigations that nobody actually assessed, owned or funded — compliance theatre with better grammar. Every suggestion is a prompt for judgement, not a judgement. Never let AI score; scores vary with organisational context it doesn’t have, and auditors ask who scored this and why. Registers frequently reference sensitive matters — approved tools only, and entries about individuals stay out entirely.
A better workflow
The current way
- Vague entries scored by mood, reviewed annually
- Wording debates consume the review meeting
- Mitigations as intentions; ownership as a column left blank
The AI-assisted way
- AI restructures all entries into cause-event-impact and sweeps for duplicates before the review
- Reviews receive a change analysis: moved, stale, unowned
- Humans spend the meeting on scores, appetite, mitigation funding and owners — the actual risk management
What improves
- Register language becomes consistent and actionable across every entry
- Reviews discuss risk instead of grammar
- Stale and orphaned entries surface automatically
- The register starts earning its keep between audits, which was always the idea
Key takeaways
- AI fixes risk writing — cause, event, impact — and keeps registers consistent
- Every score is human: likelihood and consequence encode context AI doesn’t have
- Suggested mitigations are prompts for assessment, never adopted decisions
- A risk without a human owner isn’t managed
- Sensitive risks follow the confidentiality red lines without exception