Commit 6f1c164
Pulkit Pareek
add enterprise risk register v1 with 10-item baseline
First issue of the enterprise risk register at docs/compliance/risk/enterprise-risk-register-v1.md. Captures the 10 baseline commercial, operational, regulatory, strategic, security, and financial risks that the founder, CCO, CRO, and Risk & Audit lead carry on their dashboards. Distinct from docs/threat_model.md, which holds the technical attack catalogue (A-NN rows). Each enterprise risk references the threat-model rows it relates to so the two documents stay bidirectionally linked per the §6.5 operating principle.
Document deliverable A40-W1-Mon from docs/plan/bfsi-v1/agents/agent-40-risk-audit.md. Pairs with the compliance roadmap at docs/compliance/compliance-roadmap-v1.md whose §7 holds the thinner compliance-bearing subset; this register is the authoritative copy. References docs/threat_model.md throughout (A-02, A-07, A-09, A-10, A-13, A-17, A-21, A-22, A-28) and docs/cryptography/trusted-setup-ceremony.md (R-ENT-04, R-ENT-07) and docs/compliance/privacy/data-inventory-v1.md (R-ENT-03 scoping).
Risks classified by likelihood (1..5) x impact (1..5) with appetite bands accept <= 6, review 7-12, reject >= 13. At v1 all residuals sit in the auto-accept band after mitigation. Cadence is weekly walk by Agent #40, monthly review with Agent #1 + #36 + #42 on the 15th, quarterly board review in the last week of each Q, plus event-driven triggers per §6.3. Sign-offs in §7.
[no-test] markdown-only documentation deliverable. Next review 2026-06-01 per A40-W2-Mon ticket which updates the register with commit hashes for closed mitigations.
1 parent c7841b7 commit 6f1c164
1 file changed
Lines changed: 506 additions & 0 deletions