# Antifragile Risk Register Template

> *"Traditional risk registers count vulnerabilities. Antifragile risk registers map the kill chain, preserve optionality, and engineer convexity."*

This template extends conventional risk management with an antifragile approach. It is designed to identify not just what can go wrong, but **how the organization benefits from addressing it**, and what structural improvement must emerge from each risk realization.

---

## The Antifragile Risk Dimensions

Traditional risk registers track Probability and Impact. We add five antifragile dimensions:

| Dimension | Traditional Equivalent | Antifragile Question |
|-----------|----------------------|---------------------|
| **Kill Chain Position** | Asset location | "If this risk materializes, what is the shortest path to organizational failure?" |
| **Optionality Impact** | N/A | "Does this risk, if unaddressed, remove our ability to change direction?" |
| **Convexity** | Risk score | "Is the payoff asymmetric: small investment to prevent, catastrophic cost if realized?" |
| **Stress-to-Signal** | Lessons learned | "If this risk materializes, what structural improvement must result?" |
| **T0 Classification** | Criticality | "Is this existential (T0), major (T1), significant (T2), or standard (T3)?" |

---

## Risk Register Template

### Metadata

```
Organization:      ________________________________
Assessment Date:   ________________________________
Assessor:          ________________________________
Review Cadence:    Monthly / Quarterly
Next Review Date:  ________________________________
```

### Risk Entries

| Field | Description | Example |
|-------|-------------|---------|
| **Risk ID** | Unique identifier (e.g., AF-2024-001) | AF-2024-001 |
| **Risk Name** | Short, specific description | Domain Admin Account Compromise |
| **Description** | Detailed scenario | A standing Domain Admin account is compromised via phishing, allowing the adversary to establish persistent access and exfiltrate data |
| **T0 / T1 / T2 / T3** | Tier classification | T0 |
| **Kill Chain Position** | Shortest path to failure | Direct: compromised admin → full domain takeover → all systems compromised |
| **Probability** | Likelihood (1-5) | 4 (High: admin accounts are high-value phishing targets) |
| **Impact** | Consequence (1-5) | 5 (Existential: total organizational compromise) |
| **Traditional Risk Score** | P × I | 20 (Critical) |
| **Optionality Impact** | Does this remove strategic options? (scored 0-5) | High: if AD is compromised, migration to cloud-native identity becomes impossible until recovery |
| **Convexity** | Asymmetric payoff? (scored 0-5) | Extreme: MFA is already licensed under E3, so the incremental cost is hardware tokens only; domain compromise costs €500K+ |
| **Current Control** | What exists today? | Password policy; no MFA on admin accounts; no PIM |
| **Antifragile Move** | What structural change is required? | (1) Remove standing Domain Admin assignments; (2) deploy PIM (requires Entra ID P2) or a manual JIT process; (3) enforce MFA with hardware tokens; (4) deploy PAWs for all admin activity |
| **Owner** | Who is accountable? | CISO |
| **Target Date** | When must this be addressed? | 14 days |
| **Status** | Open / In Progress / Closed / Accepted / Transferred | Open |
| **Stress-to-Signal Mandate** | If this risk materializes, what must change? | Post-incident: all admin activity permanently moved to PAWs; quarterly access reviews institutionalized; admin accounts reduced to minimum viable count |
| **Verification Method** | How do we prove the fix works? | Monthly PIM audit; quarterly red team targeting admin credentials; Secure Score admin control metric |

---

## Risk Categories (Antifragile Taxonomy)

### Category 1: Sovereignty Risks

Risks related to loss of control over data, intelligence, or infrastructure.

| Risk | Kill Chain | Tier | Antifragile Move |
|------|-----------|------|-----------------|
| Proprietary data trains competitor AI models | Data → cloud AI → model improvement → competitive erosion | T0 | Deploy local or Azure OpenAI with data protection guarantees; classify AI data flows |
| Cloud vendor changes terms or pricing | Terms change → operational disruption → forced migration under duress | T0 | Document exit architecture; maintain data portability; dual-vendor readiness |
| Vendor discontinues critical service | Service ends → workflow collapse → emergency procurement | T1 | Maintain abstraction layers; escrow agreements; 90-day exit plans |

### Category 2: Identity Risks

Risks related to authentication, authorization, and account lifecycle.

| Risk | Kill Chain | Tier | Antifragile Move |
|------|-----------|------|-----------------|
| Standing privileged account compromise | Phish → admin account → lateral movement → domain takeover | T0 | Eliminate standing privileges; deploy PIM or a manual JIT process; PAWs |
| Orphaned account resurrection | Former employee account not disabled → credential sale → unauthorized access | T1 | Automated orphan detection; quarterly access reviews; offboarding workflow tied to HR |
| MFA bypass via legacy authentication | Legacy protocol → password spray → account access without MFA | T1 | Block legacy authentication tenant-wide (Conditional Access); monitor sign-in logs for legacy auth attempts |

### Category 3: Resilience Risks

Risks related to the organization's ability to survive and recover from failure.

| Risk | Kill Chain | Tier | Antifragile Move |
|------|-----------|------|-----------------|
| Backups unrecoverable | Ransomware → backup failure → data loss → business termination | T0 | Quarterly recovery drills; immutable backups; tested runbooks |
| Single point of failure in critical system | Component failure → cascade → service outage | T1 | Chaos engineering; redundancy; graceful degradation design |
| Untested disaster recovery plan | Incident → DR plan fails → extended outage → regulatory fine | T1 | Quarterly DR drills; documented and practiced runbooks; automated failover where possible |

### Category 4: Organizational Risks

Risks related to structure, culture, and process.

| Risk | Kill Chain | Tier | Antifragile Move |
|------|-----------|------|-----------------|
| Security team as gatekeeper, not enabler | Security blocks releases → development bypasses controls → shadow IT proliferation | T1 | Embed security in teams; shared metrics; automated security gates in CI/CD |
| Knowledge concentrated in single individual | Key person departure → operational paralysis → recovery delay | T1 | Cross-training; runbook documentation; bus factor > 1 for all critical functions |
| Incident findings not converted to structure | Incident occurs → post-mortem written → no changes made → repeat incident | T1 | Blameless post-mortems with structural mandates; mean-time-to-structural-fix metric |

### Category 5: AI-Specific Risks

Risks introduced by artificial intelligence adoption.

| Risk | Kill Chain | Tier | Antifragile Move |
|------|-----------|------|-----------------|
| Prompt injection on business-critical AI workflow | Malicious input → AI generates harmful output → business decision based on bad data | T1 | Input validation; output filtering; human-in-the-loop for critical decisions |
| AI model poisoning via training data | Adversarial training data → model behaviour change → security control failure | T0 | Data provenance tracking; training data validation; model integrity monitoring |
| Shadow AI usage leaks crown jewels | Employee uses public AI → proprietary data exfiltrated → competitive disadvantage | T0 | Sanctioned AI alternative (Azure OpenAI bridge); DLP monitoring; user education |

---

## The Kill Chain Risk Register

For the highest-priority risks, map the full kill chain:

```
RISK ID:   ________________
RISK NAME: ________________

KILL CHAIN ANALYSIS:
Step 1 (Initial Access):       ________________________________________________
Step 2 (Persistence):          ________________________________________________
Step 3 (Privilege Escalation): ________________________________________________
Step 4 (Lateral Movement):     ________________________________________________
Step 5 (Impact):               ________________________________________________

SHORTEST PATH TO FAILURE:             _____ steps
CRITICAL NODE (break the chain here): ___________________________________
ANTIFRAGILE MOVE AT CRITICAL NODE:    _____________________________________
VERIFICATION:                         __________________________________________________________
```

---

## Scoring and Prioritization

### Traditional Score

```
Risk Score = Probability (1-5) × Impact (1-5)
```

| Score | Priority |
|-------|----------|
| 20-25 | P0: Address within 14 days |
| 15-19 | P1: Address within 30 days |
| 10-14 | P2: Address within 90 days |
| 5-9 | P3: Address within 180 days |
| 1-4 | P4: Monitor and schedule |

### Antifragile Score (Supplemental)

```
Antifragile Score = Traditional Score + Optionality Impact (0-5) + Convexity (0-5)
```

Risks that remove optionality or have extreme convexity receive elevated priority even if traditional probability is moderate. The supplemental score only raises priority: where its band implies a longer deadline than the traditional band, the traditional deadline stands.

| Antifragile Score | Interpretation |
|-------------------|----------------|
| 30+ | Existential + optionality-destroying. Address immediately. |
| 25-29 | High risk with structural implications. Address within 30 days. |
| 20-24 | Significant risk. Address within standard timeline. |
| < 20 | Manage through existing controls. |

---

## Review and Governance

### Monthly Tactical Review

- Open risks: status, blockers, escalation needs
- Closed risks: verification that controls are working
- New risks: emerging from incidents, changes, or threat intelligence

### Quarterly Strategic Review

- Risk trend: Are we reducing existential risks faster than new ones emerge?
- Kill chain coverage: Are there unprotected paths we have not mapped?
- Optionality audit: Have any changes reduced our strategic flexibility?
- Stress-to-signal conversion: How many incidents produced structural improvements?

### Annual Board Review

- Risk register summary: T0 risks, open vs. closed, trend
- Kill chain assurance: Independent validation of critical node protection
- Antifragile maturity: Mean time to structural fix, chaos experiment results, recovery drill outcomes

---

## Integration With Other Documents

| Document | Integration |
|----------|-------------|
| [T0 Asset Framework](../core/t0-asset-framework.md) | T0 classification determines which risks are existential |
| [Rapid Modernisation Plan](../playbooks/rapid-modernisation-plan.md) | Phase priorities map directly to P0/P1/P2 risk closure |
| [C-Suite Conversation Guide](../core/c-suite-conversation-guide.md) | Risk register produces the "cost of inaction" narrative |
| [Business Case Template](../playbooks/business-case-template.md) | Risk scores convert to expected financial loss |

---

*For the M365-specific risk register, see [M365 Project Risk Register](m365-project-risk-register.md).*
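The identity risk "MFA bypass via legacy authentication" above names two moves: block legacy authentication, and monitor for legacy auth attempts. The following is an added example of that monitoring, not code from the original page or its project: it runs over exported Microsoft Entra ID sign-in log records and reports legacy-protocol use per user, password-spray sources (one IP hitting several users over a legacy protocol), and successful legacy sign-ins, which are exactly the sign-ins where MFA could not have been enforced. The set of `clientAppUsed` values treated as legacy follows Microsoft's documented legacy client list; the error codes used are AADSTS50126 (invalid credentials) and AADSTS53003 (blocked by Conditional Access). The sign-in records and the spray threshold are constructed for the example.

```python
"""Legacy-authentication and password-spray detection over Entra ID sign-in
log records (added example; not part of the original page).

Kill chain covered: legacy protocol -> password spray -> account access without MFA.
"""
from collections import defaultdict

# clientAppUsed values Microsoft classifies as legacy authentication clients.
# "Browser" and "Mobile Apps and Desktop clients" support modern auth and are ignored.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "AutoDiscover", "Exchange ActiveSync",
    "Exchange Online PowerShell", "Exchange Web Services", "IMAP4",
    "MAPI Over HTTP", "Offline Address Book", "Other clients",
    "Outlook Anywhere (RPC over HTTP)", "POP3", "Reporting Web Services",
    "SMTP", "Universal Outlook",
}
INVALID_CREDENTIALS = 50126   # AADSTS50126: invalid username or password
BLOCKED_BY_CA = 53003         # AADSTS53003: blocked by Conditional Access policy
SPRAY_MIN_USERS = 3           # distinct users per source IP (assumed threshold)

# Constructed records in the shape of the sign-in log export (only the fields used here).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "IMAP4",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}},
    {"userPrincipalName": "carol@example.com", "clientAppUsed": "IMAP4",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}},
    {"userPrincipalName": "dave@example.com", "clientAppUsed": "IMAP4",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},        # spray hit, no MFA
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser",
     "ipAddress": "198.51.100.5", "status": {"errorCode": 0}},        # modern auth, ignored
    {"userPrincipalName": "erin@example.com", "clientAppUsed": "Exchange ActiveSync",
     "ipAddress": "192.0.2.20", "status": {"errorCode": 0}},          # legitimate but legacy
    {"userPrincipalName": "frank@example.com", "clientAppUsed": "POP3",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 53003}},    # CA block working
]


def is_legacy(record: dict) -> bool:
    return record.get("clientAppUsed") in LEGACY_CLIENT_APPS


def analyze(records: list[dict]) -> dict:
    """Summarize legacy auth per user, spray sources per IP, and successful legacy sign-ins."""
    per_user = defaultdict(lambda: {"attempts": 0, "successes": 0, "blocked": 0, "protocols": set()})
    per_ip = defaultdict(lambda: {"users": set(), "failures": 0, "successes": 0})
    bypass = []
    for rec in records:
        if not is_legacy(rec):
            continue                          # MFA / Conditional Access can apply to modern auth
        upn = rec["userPrincipalName"]
        ip = rec.get("ipAddress", "?")
        code = rec.get("status", {}).get("errorCode", -1)
        app = rec["clientAppUsed"]
        user = per_user[upn]
        user["attempts"] += 1
        user["protocols"].add(app)
        source = per_ip[ip]
        source["users"].add(upn)
        if code == 0:                         # legacy auth succeeded: MFA was never in the path
            user["successes"] += 1
            source["successes"] += 1
            bypass.append((upn, ip, app))
        elif code == BLOCKED_BY_CA:           # the "block legacy auth" control did its job
            user["blocked"] += 1
        elif code == INVALID_CREDENTIALS:     # guess failed: spray evidence
            source["failures"] += 1
    sprays = [
        {"ip": ip, "users": sorted(v["users"]), "failures": v["failures"], "successes": v["successes"]}
        for ip, v in sorted(per_ip.items())
        if len(v["users"]) >= SPRAY_MIN_USERS and v["failures"] > 0
    ]
    return {
        "legacy_by_user": {upn: {**v, "protocols": sorted(v["protocols"])}
                           for upn, v in sorted(per_user.items())},
        "spray_sources": sprays,
        "mfa_bypass": sorted(bypass),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_SIGNINS)
    for upn, v in report["legacy_by_user"].items():
        print(f"{upn}: {v['attempts']} legacy attempt(s), {v['successes']} succeeded, "
              f"{v['blocked']} blocked by CA, protocols={v['protocols']}")
    for s in report["spray_sources"]:
        print(f"SPRAY from {s['ip']}: {len(s['users'])} users, "
              f"{s['failures']} failures, {s['successes']} successes")
    for upn, ip, app in report["mfa_bypass"]:
        print(f"MFA BYPASS: {upn} signed in over {app} from {ip}")
```

In practice the records come from an export of the sign-in logs (or a Log Analytics query) rather than a literal; the value of the per-user view is that every entry in `legacy_by_user` with a non-zero `successes` count is a user for whom the Conditional Access block is not yet effective, which is the verification evidence the register asks for.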
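The Scoring and Prioritization section above defines the Traditional Score, its P0 to P4 bands, and the supplemental Antifragile Score with its own bands. Below is an added worked example of those rules in code, not code from the original page or its project. It scores a small constructed register in which AF-2024-001 is the page's own worked entry (its "High" optionality and "Extreme" convexity are mapped to 5 and 5 here, which is an assumption), applies both band tables, and takes the stricter of the two deadlines so that the supplemental score can only tighten the traditional one. "Address immediately" is modelled as a 0-day deadline and "standard timeline" as deferral to the traditional band.

```python
"""Worked scoring for the Antifragile Risk Register (added example, not the page's code).

Traditional Score  = Probability (1-5) x Impact (1-5)
Antifragile Score  = Traditional Score + Optionality Impact (0-5) + Convexity (0-5)
"""
from dataclasses import dataclass
from typing import Optional

# Traditional bands from the page: (lower bound, label, deadline in days; None = monitor).
TRADITIONAL_BANDS = [
    (20, "P0", 14),
    (15, "P1", 30),
    (10, "P2", 90),
    (5, "P3", 180),
    (1, "P4", None),
]

# Antifragile bands from the page. 0 days = "immediately"; None = defer to traditional band.
ANTIFRAGILE_BANDS = [
    (30, "Existential + optionality-destroying. Address immediately.", 0),
    (25, "High risk with structural implications. Address within 30 days.", 30),
    (20, "Significant risk. Address within standard timeline.", None),
    (0, "Manage through existing controls.", None),
]


@dataclass(frozen=True)
class Risk:
    risk_id: str
    name: str
    tier: str          # T0 / T1 / T2 / T3
    probability: int   # 1-5
    impact: int        # 1-5
    optionality: int   # 0-5
    convexity: int     # 0-5

    def __post_init__(self):
        # Reject out-of-range inputs instead of silently mis-scoring a risk.
        if not (1 <= self.probability <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.risk_id}: probability and impact must be 1-5")
        if not (0 <= self.optionality <= 5 and 0 <= self.convexity <= 5):
            raise ValueError(f"{self.risk_id}: optionality and convexity must be 0-5")


def traditional_score(r: Risk) -> int:
    return r.probability * r.impact


def traditional_priority(r: Risk) -> tuple[str, Optional[int]]:
    score = traditional_score(r)
    for lower, label, days in TRADITIONAL_BANDS:
        if score >= lower:
            return label, days
    raise AssertionError("unreachable: score is always >= 1")


def antifragile_score(r: Risk) -> int:
    return traditional_score(r) + r.optionality + r.convexity


def antifragile_band(r: Risk) -> tuple[str, Optional[int]]:
    score = antifragile_score(r)
    for lower, label, days in ANTIFRAGILE_BANDS:
        if score >= lower:
            return label, days
    raise AssertionError("unreachable: score is always >= 0")


def effective_deadline_days(r: Risk) -> Optional[int]:
    """Stricter of the two deadlines: the supplemental score may tighten, never relax."""
    _, trad = traditional_priority(r)
    _, af = antifragile_band(r)
    if af is None:
        return trad
    if trad is None:
        return af
    return min(trad, af)


def prioritize(register: list[Risk]) -> list[Risk]:
    """Soonest effective deadline first, then higher antifragile score, then tier."""
    def key(r: Risk):
        d = effective_deadline_days(r)
        return (d if d is not None else 10**6, -antifragile_score(r), r.tier)
    return sorted(register, key=key)


# Constructed register (scores are illustrative, not from the page's tables).
SAMPLE_REGISTER = [
    Risk("AF-2024-001", "Domain Admin Account Compromise", "T0", 4, 5, 5, 5),
    Risk("AF-2024-002", "Backups unrecoverable", "T0", 3, 5, 4, 5),
    Risk("AF-2024-003", "Untested disaster recovery plan", "T1", 4, 5, 2, 3),
    Risk("AF-2024-004", "Knowledge concentrated in single individual", "T1", 2, 3, 1, 2),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        label, _ = traditional_priority(r)
        print(f"{r.risk_id} {label} T={traditional_score(r):2d} AF={antifragile_score(r):2d} "
              f"deadline={effective_deadline_days(r)} days  {r.name}")
```

AF-2024-003 is the case the "only raises priority" rule exists for: its traditional score of 20 is P0 (14 days), while its antifragile score of 25 falls in the 30-day band; the register keeps the 14-day deadline.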