Cybersecurity & Risk

Cyber Risk Register Builder

Converts identified threats into a quantified, prioritized risk register aligned to a treatment strategy.

Tags: Role-Based · Structured-Output · Step-by-Step

Prompt

ROLE: You are a cyber risk manager building a board-ready risk register for an organization.

CONTEXT:
- Organization profile: [SIZE_INDUSTRY_REGULATORY_ENV]
- Identified risks / findings: [PASTE_RISK_INPUTS]
- Risk appetite statement: [APPETITE_OR_TOLERANCE]
- Existing controls: [SUMMARY_OF_CONTROLS]

TASK:
1. Normalize each input into a clear risk statement using the form: 'Risk that [threat] exploits [vulnerability] affecting [asset], leading to [impact].'
2. Assess inherent risk (Likelihood x Impact, 1-5 each) and explain the rating.
3. Map current controls and estimate residual risk after controls.
4. Recommend a treatment: Mitigate, Transfer, Avoid, or Accept — with rationale and a target residual level.
5. Assign an owner role and a review cadence.

OUTPUT FORMAT:
Risk register table | ID | Risk statement | Inherent (L/I/score) | Key controls | Residual (L/I/score) | Treatment | Owner | Review date
Plus: a heat-map summary (count of risks per residual band) and the 3 risks exceeding stated appetite.

CONSTRAINTS: Tie likelihood/impact to evidence, not vibes. Express impact in business terms (financial, operational, regulatory, reputational). Do not mark a risk 'Accept' if it exceeds the stated appetite without flagging it for escalation.
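The procedure the prompt describes (normalized risk statement, Likelihood x Impact on a 1-5 scale, residual after controls, treatment, heat-map bands, and the rule that an over-appetite 'Accept' must be escalated) is mechanical enough to check in code. The following Python is an added example, not part of the original prompt or its site: the band thresholds, the numeric appetite, and all register entries are constructed assumptions used to show how the scoring, heat map and escalation check fit together.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed band thresholds for a 1-5 x 1-5 score (range 1..25). Not from the page;
# an organization would set these in its risk methodology.
BANDS = (("Low", 4), ("Medium", 9), ("High", 14), ("Critical", 25))
TREATMENTS = {"Mitigate", "Transfer", "Avoid", "Accept"}


@dataclass
class Risk:
    rid: str
    threat: str
    vulnerability: str
    asset: str
    impact: str              # impact in business terms (financial, operational, ...)
    inherent_l: int
    inherent_i: int
    controls: List[str]
    residual_l: int
    residual_i: int
    treatment: str           # Mitigate | Transfer | Avoid | Accept
    owner: str
    review_date: str
    escalated: bool = False  # True once an over-appetite risk has been flagged upward

    def __post_init__(self) -> None:
        # Enforce the 1-5 scale and the four allowed treatments up front.
        for v in (self.inherent_l, self.inherent_i, self.residual_l, self.residual_i):
            if not 1 <= v <= 5:
                raise ValueError(f"{self.rid}: ratings must be 1-5, got {v}")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"{self.rid}: unknown treatment {self.treatment!r}")

    def statement(self) -> str:
        # The normalized form required by step 1 of the prompt.
        return (f"Risk that {self.threat} exploits {self.vulnerability} "
                f"affecting {self.asset}, leading to {self.impact}.")

    @property
    def inherent_score(self) -> int:
        return self.inherent_l * self.inherent_i

    @property
    def residual_score(self) -> int:
        return self.residual_l * self.residual_i


def band(score: int) -> str:
    """Map a 1..25 score to its (assumed) band label."""
    for name, upper in BANDS:
        if score <= upper:
            return name
    raise ValueError(f"score out of range: {score}")


def heat_map(risks: List[Risk]) -> Dict[str, int]:
    """Count of risks per residual band, every band present even if zero."""
    counts = {name: 0 for name, _ in BANDS}
    for r in risks:
        counts[band(r.residual_score)] += 1
    return counts


def exceeding_appetite(risks: List[Risk], appetite: int, top: int = 3) -> List[Risk]:
    """Risks whose residual score is above appetite, worst first, capped at `top`."""
    over = [r for r in risks if r.residual_score > appetite]
    return sorted(over, key=lambda r: (-r.residual_score, r.rid))[:top]


def unescalated_accepts(risks: List[Risk], appetite: int) -> List[str]:
    """IDs violating the constraint: 'Accept' above appetite with no escalation flag."""
    return [r.rid for r in risks
            if r.treatment == "Accept" and r.residual_score > appetite and not r.escalated]


def render_register(risks: List[Risk]) -> str:
    """Pipe-delimited rows in the column order the prompt's OUTPUT FORMAT asks for."""
    rows = ["ID | Risk statement | Inherent (L/I/score) | Key controls | "
            "Residual (L/I/score) | Treatment | Owner | Review date"]
    for r in risks:
        rows.append(f"{r.rid} | {r.statement()} | {r.inherent_l}/{r.inherent_i}/{r.inherent_score}"
                    f" | {'; '.join(r.controls)} | {r.residual_l}/{r.residual_i}/{r.residual_score}"
                    f" | {r.treatment} | {r.owner} | {r.review_date}")
    return "\n".join(rows)


# Constructed sample register and appetite (residual score must not exceed 9).
APPETITE = 9
REGISTER = [
    Risk("R1", "a ransomware affiliate", "an unpatched VPN appliance", "finance file servers",
         "a multi-day outage and recovery cost", 4, 5,
         ["patch SLA", "EDR", "offline backups"], 2, 4, "Mitigate", "CISO", "2025-Q3"),
    Risk("R2", "a phishing campaign", "the MFA gap on legacy webmail", "executive mailboxes",
         "fraudulent payment instructions", 5, 4,
         ["mail filtering", "awareness training"], 4, 3, "Accept", "CIO", "2025-Q3"),
    Risk("R3", "a malicious insider", "over-broad database privileges", "the customer PII store",
         "a regulatory fine and notification cost", 3, 5,
         ["quarterly access review"], 2, 5, "Mitigate", "Head of Data", "2025-Q2"),
    Risk("R4", "a cloud misconfiguration", "a public storage bucket ACL", "marketing assets",
         "minor reputational embarrassment", 3, 2,
         ["CSPM alerting"], 1, 2, "Accept", "Marketing IT lead", "2025-Q4"),
]

if __name__ == "__main__":
    print(render_register(REGISTER))
    print("Heat map:", heat_map(REGISTER))
    print("Over appetite:", [r.rid for r in exceeding_appetite(REGISTER, APPETITE)])
    print("Accept without escalation:", unescalated_accepts(REGISTER, APPETITE))
```

Running it prints the register rows, a heat map of one Low, one Medium and two High residuals, the two risks over the sample appetite (R2 then R3), and flags R2 as an 'Accept' that breaches appetite without an escalation, which is exactly the case the prompt's CONSTRAINTS forbid.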

Recommended models

claude, gpt-4o, gemini
