> ## Documentation Index
> Fetch the complete documentation index at: https://docs.encoreos.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Risk Register

> Browse and assess organizational risks — category/rating/status filters, tabbed detail for assessments and mitigations, and a wizard.

The Risk Register page lists all risks in the organization with search, category, rating, and status filters, plus quick-stats cards. It is located at route `/gr/risks`.

## Overview

The page is rendered by `RiskList` and fetches risks via `useRiskList` with search and filter parameters. Quick-stats (total, critical, active, mitigated) are loaded from `useRiskStats`. A **New Risk** button opens `RiskFormDialog`. If an in-progress risk assessment wizard draft exists (`hasRiskAssessmentDraft`), a banner prompts the user to continue. No permission gate is declared on this route in `gr.tsx`.

Categories: `operational`, `financial`, `clinical`, `safety`, `compliance`, `reputational`.

Ratings: `critical`, `high`, `medium`, `low`.

Statuses: `active`, `mitigated`, `resolved`, `closed`.

## Who it's for

Access follows your organization's role and module configuration.

* No special permission is required to view the risk register.
* Creating risks via wizard requires `gr.risks.admin`.

## Finding a risk

1. Go to **Governance & Compliance → Risks** at `/gr/risks`.
2. Review quick-stats at the top of the page.
3. Use the search bar to find a risk by keyword.
4. Apply Category, Rating, and Status filters to narrow the list.
5. Select a risk card to open the Risk Details page.
6. Select **New Risk** to open the risk creation form.
7. For a guided wizard, navigate to `/gr/risks/wizard` (requires `gr.risks.admin`).

| Concept           | Description                                                                          |
| ----------------- | ------------------------------------------------------------------------------------ |
| Rating            | Composite of likelihood and impact: `low`, `medium`, `high`, `critical`              |
| Status            | Lifecycle state: `active`, `mitigated`, `resolved`, `closed`                         |
| In-progress draft | A local wizard draft detected by `hasRiskAssessmentDraft` — shown as a banner prompt |

## Viewing a risk

The Risk Details page (`/gr/risks/:id`) shows a single risk record with full lifecycle management.

The page is rendered by `RiskDetail` and loads data via `useRiskDetail`. Four URL-synced tabs are available: `overview`, `assessments`, `mitigations`, `links`. Status transitions — **Mitigate**, **Resolve**, **Close** — are performed via `useRiskMutation`. Mitigation items are managed via `useRiskMitigationMutation`. Linked items (requirements, audits, etc.) are managed via `RiskLinkManager`. Users with edit access see an **Edit** button; the route itself has no permission gate in `gr.tsx`.

Displayed fields include: title, category, rating badge, status badge, owner, site, dates, and description.

Before you start: navigate from the Risk Register at `/gr/risks`. A risk record must exist for the given ID.

1. Go to **Governance & Compliance → Risks** and select a risk.
2. Review the **Overview** tab for category, rating, status, owner, and description.
3. Open the **Assessments** tab to view or add risk assessments.
4. Open the **Mitigations** tab to view or add mitigation actions and mark them complete.
5. Open the **Links** tab to view linked requirements, audits, or other items.
6. Use the **Mitigate**, **Resolve**, or **Close** buttons to transition risk status.
7. Select **Edit** to update risk details.

| Concept          | Description                                                              |
| ---------------- | ------------------------------------------------------------------------ |
| Rating           | `low`, `medium`, `high`, `critical` — composite of likelihood and impact |
| Status lifecycle | `active` → `mitigated` → `resolved` → `closed`                           |
| Mitigation       | An action item planned or completed to reduce the risk                   |
| Risk assessment  | A recorded evaluation of likelihood and impact at a point in time        |
| Links            | Connections to requirements, audits, or other GR records                 |

## Creating a risk

Risk creation is performed via the Risk Assessment wizard at `/gr/risks/wizard` (or `/gr/risks/wizard/:riskId` to edit an existing risk). The `/gr/risks/new` route does not exist in the shipped application. Both wizard routes require `gr.risks.admin`.

The Risk Assessment wizard (`RiskAssessmentWizardPage`) has 6 steps:

1. **Identification** — Describe the risk
2. **Analysis** — Likelihood × impact scoring
3. **Owner** — Accountability assignment
4. **Current controls** — Existing safeguards
5. **Mitigation plan** — Strategy and actions
6. **Review** — Confirm and submit

On submission, `createRisk` → `createAssessment` → `createMitigation × N` are called in blocking order; PF-29 task creation follows as a best-effort operation.

Before you start: navigate to `/gr/risks/wizard` (not `/gr/risks/new`). Have risk description, likelihood/impact scores, owner, existing controls, and mitigation strategy ready.

1. Navigate to `/gr/risks/wizard`. The 6-step `WizardShell` loads.
2. **Identification** — enter a title and description for the risk.
3. **Analysis** — select likelihood and impact values to compute the risk score.
4. **Owner** — select the risk owner from available users.
5. **Current controls** — list controls already in place that address this risk.
6. **Mitigation plan** — choose a mitigation strategy and add specific mitigation actions.
7. **Review and submit** — confirm all entries and submit. Records are created in order: risk → assessment → mitigations. Task creation follows.

**WizardShell** — horizontal-layout wizard platform component.

**useRiskAssessmentWizard** — hook managing form state and submission for the risk wizard.

**gr.risks.admin** — the permission required to access either risk wizard route.

## Related

<Columns cols={2}>
  <Card title="Governance & Compliance" icon="scale-balanced" href="/gr/overview">
    Governance & Compliance core overview.
  </Card>

  <Card title="Governance & parity" icon="clipboard-check" href="/governance/index" />
</Columns>

<Note>
  This page documents shipped product behavior. It is not medical, legal, or
  billing advice. Verify against your organization's policies and applicable
  regulations before using it for clinical, compliance, or billing decisions.
  Protected health information (PHI) shown in the product is governed by your
  tenant's access controls and is never exposed in this documentation.
</Note>

<Accordion title="Documentation sources">
  * src/routes/gr.tsx
  * src/cores/gr/pages/RiskList.tsx
  * src/cores/gr/pages/RiskDetail.tsx
  * src/cores/gr/hooks/useRiskList.ts
  * src/cores/gr/hooks/useRiskStats.ts
  * src/cores/gr/hooks/useRiskDetail.ts
  * src/cores/gr/hooks/useRiskMutation.ts
  * src/cores/gr/wizards/risk-assessment/RiskAssessmentWizardPage.tsx
  * src/platform/permissions/constants.ts
</Accordion>
