How do I track risks across a 50-project portfolio?
Centralize them as graph nodes with severity, likelihood, and owner. bRRAIn's Risk Registry pattern plus the Ontology Viewer gives execs a single view of portfolio risk.
Why spreadsheets stop working at 50 projects
Risk spreadsheets scale to about five projects before they break. At 50, nobody maintains them, owners change silently, and severity scores go stale. bRRAIn centralizes risks as graph nodes in the POPE graph, each with required fields: severity, likelihood, owner, trigger, mitigation, and review date. The nodes live in their project's workspace but federate into a portfolio-level view through the Control Plane. One canonical record per risk, reachable from both project and portfolio directions, never out of sync with itself.
The Risk Registry pattern
The Risk Registry pattern is a Risk-Registry.md file in every workspace with a standard schema. Each row is a POPE-tagged node the Consolidator ingests into the federated master context. The Handler enforces the schema at ingest — a row without an owner or a review date gets flagged back to the PM instead of silently accepted. That discipline is why the registry stays usable at scale: every risk, in every project, has a human name on it and a date after which the agent will nudge for a review.
The exec view
For the exec running the portfolio, the risk view lives in the Ontology Viewer. A heatmap sorts risks by severity × likelihood, coloured by project. The exec filters to critical-and-likely across all 50 projects and sees exactly the rows that need attention this week. Drill-down hits the source row with full context — mitigation status, last review, dependent projects. The Security Policy Engine controls what the exec sees versus what stays scoped to the project team. The exec gets signal; the team keeps privacy.
Keeping the registry alive
A dead risk registry is worse than no registry because it misleads decisions. bRRAIn keeps every risk alive with scheduled review nudges. When a risk's review date passes, the Handler pings the owner through the workspace and, if unacknowledged, escalates through the Control Plane. The Consolidator watches commits, tickets, and incidents for events that should trigger severity changes — an incident in a module flagged as "if this breaks, severity jumps" auto-bumps the score and alerts the owner. Book a demo to see portfolio risk go live.
Relevant bRRAIn products and services
- Risk Registry pattern — Risk-Registry.md schema that every workspace inherits, enforcing owner and review-date discipline.
- Ontology Viewer — portfolio-level heatmap execs use to triage 50 projects of risk in one view.
- POPE Graph RAG — models each risk as a typed node with severity, likelihood, owner, and relationships.
- Consolidator — federates project registries into the portfolio view and triggers auto-escalations.
- Handler — enforces schema at ingest and nudges owners when review dates slip.
- Security Policy Engine — scopes risk detail per role so execs see status without leaking project-internal context.