melodic-software/risk-analysis
plugins/business-analysis/skills/risk-analysis/SKILL.md
Risk analysis using risk registers, probability/impact matrices, and mitigation planning. Identifies, assesses, and manages project, business, and technical risks with structured response strategies.
$ install --global
skillsauthnpx skillsauth add melodic-software/claude-code-plugins risk-analysisInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 7, 2026, 8:31 AM57.8s1 file scanned
SKILL.md
- name:
- risk-analysis
- description:
- Risk analysis using risk registers, probability/impact matrices, and mitigation planning. Identifies, assesses, and manages project, business, and technical risks with structured response strategies.
- allowed-tools:
- Read, Glob, Grep, Task, Skill
Risk Analysis
When to Use This Skill
Use this skill when:
- Risk Analysis tasks - Working on risk analysis using risk registers, probability/impact matrices, and mitigation planning. identifies, assesses, and manages project, business, and technical risks with structured response strategies
- Planning or design - Need guidance on Risk Analysis approaches
- Best practices - Want to follow established patterns and standards
Overview
Systematically identify, assess, and manage risks using risk registers, probability/impact matrices, and structured response planning. Supports project risks, business risks, technical risks, and opportunity management.
What is Risk Analysis?
Risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on objectives. Risk analysis involves:
- Identification: What could happen?
- Assessment: How likely? How impactful?
- Response Planning: What will we do about it?
- Monitoring: Track and update risks
Risk vs Issue
| Concept | Definition | Action | |---------|------------|--------| | Risk | Potential future event (uncertain) | Plan response | | Issue | Current problem (certain) | Resolve now |
Threats vs Opportunities
| Type | Effect | Response Goal | |------|--------|---------------| | Threat | Negative impact | Minimize exposure | | Opportunity | Positive impact | Maximize benefit |
Risk Register
The central repository for all identified risks:
## Risk Register
| ID | Risk Description | Category | Probability | Impact | Score | Owner | Response | Status |
|----|-----------------|----------|-------------|--------|-------|-------|----------|--------|
| R-001 | [Description] | [Category] | H/M/L | H/M/L | [P×I] | [Name] | [Strategy] | Open |
Risk Register Fields
| Field | Description | |-------|-------------| | ID | Unique identifier | | Description | Clear risk statement | | Category | Type of risk | | Probability | Likelihood of occurrence | | Impact | Consequence if it occurs | | Score | Risk priority (P × I) | | Owner | Person responsible | | Response | Planned response strategy | | Status | Open, Mitigated, Closed, Occurred |
Risk Categories
| Category | Examples | |----------|----------| | Technical | Technology failure, integration issues | | Schedule | Delays, dependencies | | Cost | Budget overrun, resource costs | | Resource | Skill gaps, availability | | External | Vendor, regulatory, market | | Organizational | Change resistance, priorities | | Quality | Defects, performance | | Security | Data breach, unauthorized access |
Probability/Impact Matrix
Scoring Scales
Probability Scale:
| Level | Score | Description | Likelihood | |-------|-------|-------------|------------| | Very Low | 1 | Rare | < 10% | | Low | 2 | Unlikely | 10-30% | | Medium | 3 | Possible | 30-50% | | High | 4 | Likely | 50-70% | | Very High | 5 | Almost Certain | > 70% |
Impact Scale:
| Level | Score | Schedule | Cost | Quality | |-------|-------|----------|------|---------| | Very Low | 1 | < 1 week | < 5% | Minor | | Low | 2 | 1-2 weeks | 5-10% | Noticeable | | Medium | 3 | 2-4 weeks | 10-20% | Significant | | High | 4 | 1-3 months | 20-40% | Major | | Very High | 5 | > 3 months | > 40% | Critical |
Risk Score Calculation
Risk Score = Probability × Impact
Score Range: 1-25
Risk Priority Zones:
| Score | Priority | Action | |-------|----------|--------| | 1-4 | Low | Accept or monitor | | 5-9 | Medium | Active management | | 10-14 | High | Priority attention | | 15-25 | Critical | Immediate action |
Visual Matrix
quadrantChart
title Risk Matrix
x-axis Low Impact --> High Impact
y-axis Low Probability --> High Probability
quadrant-1 Critical
quadrant-2 High Priority
quadrant-3 Low Priority
quadrant-4 Medium Priority
Risk Response Strategies
For Threats (Negative Risks)
| Strategy | Description | When to Use | |----------|-------------|-------------| | Avoid | Eliminate the threat | High probability and impact | | Transfer | Shift to third party | Financial/contractual risks | | Mitigate | Reduce probability or impact | Most common approach | | Accept | Acknowledge, no action | Low priority risks |
For Opportunities (Positive Risks)
| Strategy | Description | When to Use | |----------|-------------|-------------| | Exploit | Ensure opportunity occurs | High-value opportunities | | Share | Partner to increase capability | Need external help | | Enhance | Increase probability or impact | Moderate opportunities | | Accept | Take advantage if it occurs | Low-effort opportunities |
Response Planning Template
## Risk Response Plan: R-001
**Risk:** [Description]
**Strategy:** [Avoid/Transfer/Mitigate/Accept]
### Prevention Actions
| Action | Owner | Due Date | Status |
|--------|-------|----------|--------|
| [Preventive measure] | [Name] | [Date] | [Status] |
### Contingency Plan
**Trigger:** [What indicates risk is occurring]
**Actions:**
1. [Contingency action 1]
2. [Contingency action 2]
### Residual Risk
**After mitigation:**
- Probability: [Reduced level]
- Impact: [Reduced level]
- New Score: [Residual score]
Workflow
Phase 1: Risk Identification
Step 1: Gather Inputs
Sources for risk identification:
- Project plans and schedules
- Stakeholder concerns
- Historical data from similar projects
- SWOT analysis (Threats)
- Technical assessments
- External environment analysis
Step 2: Brainstorm Risks
Techniques:
- Checklist review: Standard risk categories
- Expert interviews: Subject matter experts
- Assumption analysis: Test project assumptions
- Root cause analysis: Work backward from impacts
- SWOT: Threats and opportunities
Step 3: Document Risks
Risk statement format:
"There is a risk that [CONDITION/CAUSE] may result in [CONSEQUENCE/IMPACT]"
Example:
"There is a risk that key developer leaves may result in schedule delay and knowledge loss"
Phase 2: Risk Assessment
Step 1: Assess Probability
For each risk:
- What is the likelihood of occurrence?
- What evidence supports this assessment?
- Use defined scale (1-5)
Step 2: Assess Impact
For each risk:
- What would be the consequence?
- Consider multiple impact types (schedule, cost, quality)
- Use the highest impact dimension
- Use defined scale (1-5)
Step 3: Calculate and Prioritize
## Risk Assessment Summary
| ID | Risk | P | I | Score | Priority |
|----|------|---|---|-------|----------|
| R-001 | [Risk 1] | 4 | 5 | 20 | Critical |
| R-002 | [Risk 2] | 3 | 3 | 9 | Medium |
| R-003 | [Risk 3] | 2 | 2 | 4 | Low |
Phase 3: Response Planning
Step 1: Select Response Strategy
For each significant risk:
- Match strategy to risk characteristics
- Consider cost of response vs. risk exposure
- Assign risk owner
Step 2: Define Response Actions
- Specific, measurable actions
- Clear owners and due dates
- Contingency triggers defined
Step 3: Calculate Residual Risk
After planned mitigations:
- Re-assess probability and impact
- Calculate residual risk score
- Determine if acceptable
Phase 4: Monitoring
Step 1: Track Risk Status
Regular review cadence:
- Critical risks: Weekly
- High risks: Bi-weekly
- Medium risks: Monthly
- Low risks: Quarterly
Step 2: Update Register
- New risks identified
- Risk scores changed
- Responses executed
- Risks closed or occurred
Output Formats
Risk Register (Markdown Table)
## Risk Register: [Project/Initiative]
**Date:** [ISO Date]
**Owner:** [Name]
**Review Cycle:** [Weekly/Monthly]
| ID | Risk Description | Category | P | I | Score | Owner | Response | Actions | Status |
|----|-----------------|----------|---|---|-------|-------|----------|---------|--------|
| R-001 | Key developer may leave during critical phase | Resource | 4 | 5 | 20 | PM | Mitigate | Cross-train, document | Open |
| R-002 | Third-party API may have breaking changes | Technical | 3 | 4 | 12 | Tech Lead | Mitigate | Abstraction layer | Open |
| R-003 | Budget approval may be delayed | Cost | 2 | 4 | 8 | Sponsor | Accept | Monitor | Open |
| R-004 | New regulation may require features | External | 2 | 3 | 6 | BA | Accept | Watch | Open |
### Summary
- **Total Risks:** 4
- **Critical (15+):** 1
- **High (10-14):** 1
- **Medium (5-9):** 1
- **Low (1-4):** 1
Risk Matrix Visualization
quadrantChart
title Risk Assessment Matrix
x-axis Low Impact --> High Impact
y-axis Low Probability --> High Probability
quadrant-1 Critical - Immediate Action
quadrant-2 High - Active Management
quadrant-3 Low - Monitor
quadrant-4 Medium - Plan Response
"R-001 Key Dev": [0.9, 0.8]
"R-002 API Changes": [0.7, 0.6]
"R-003 Budget": [0.7, 0.35]
"R-004 Regulation": [0.5, 0.35]
Structured Data (YAML)
risk_register:
name: "[Project/Initiative]"
version: "1.0"
date: "2025-01-15"
owner: "Project Manager"
review_cycle: "weekly"
risk_appetite:
overall: "moderate"
schedule: "low"
cost: "moderate"
quality: "low"
scales:
probability:
1: "Rare (<10%)"
2: "Unlikely (10-30%)"
3: "Possible (30-50%)"
4: "Likely (50-70%)"
5: "Almost Certain (>70%)"
impact:
1: "Very Low"
2: "Low"
3: "Medium"
4: "High"
5: "Very High"
risks:
- id: "R-001"
description: "Key developer may leave during critical phase"
category: "Resource"
probability: 4
impact: 5
score: 20
priority: "critical"
owner: "Project Manager"
response_strategy: "mitigate"
response_actions:
- action: "Cross-train team member"
owner: "Tech Lead"
due_date: "2025-02-01"
status: "in_progress"
- action: "Document critical knowledge"
owner: "Developer"
due_date: "2025-02-15"
status: "not_started"
contingency:
trigger: "Developer gives notice"
actions:
- "Accelerate knowledge transfer"
- "Engage contractor"
residual_risk:
probability: 3
impact: 3
score: 9
status: "open"
created_date: "2025-01-15"
last_reviewed: "2025-01-15"
summary:
total: 4
by_priority:
critical: 1
high: 1
medium: 1
low: 1
by_status:
open: 4
mitigated: 0
closed: 0
occurred: 0
Narrative Summary
## Risk Assessment Summary
**Project:** [Name]
**Date:** [ISO Date]
**Assessed By:** risk-analyst
### Risk Profile
| Priority | Count | Top Risk |
|----------|-------|----------|
| Critical | 1 | Key developer leaving |
| High | 1 | Third-party API changes |
| Medium | 1 | Budget approval delay |
| Low | 1 | Regulatory changes |
### Critical Risks Requiring Action
#### R-001: Key Developer Departure
- **Score:** 20 (P:4 × I:5)
- **Response:** Mitigate through cross-training and documentation
- **Target Residual:** 9 (P:3 × I:3)
- **Actions:** 2 in progress, 0 completed
### Risk Trends
| Metric | This Period | Last Period | Trend |
|--------|-------------|-------------|-------|
| Total Risks | 4 | 3 | ↑ |
| Critical | 1 | 0 | ↑ |
| Closed | 0 | 1 | ↓ |
### Recommendations
1. **Immediate:** Accelerate R-001 mitigation actions
2. **This Week:** Complete API abstraction layer design
3. **Monitor:** Watch for regulatory announcements
Common Pitfalls
| Pitfall | Prevention | |---------|------------| | Vague risk descriptions | Use "condition may cause consequence" format | | Inconsistent scoring | Define and use standard scales | | No risk owners | Assign owner at identification | | Stale register | Schedule regular reviews | | Ignoring opportunities | Include positive risks | | Over-analysis | Focus on high-priority risks | | No contingency | Plan for when risks occur |
Integration
Upstream
- swot-pestle-analysis - Threats from strategic analysis
- stakeholder-analysis - Stakeholder concerns as risks
- decision-analysis - Risks inform decisions
Downstream
- Project planning - Risk-adjusted schedules
- Budgeting - Contingency reserves
- Monitoring - Risk tracking dashboards
Related Skills
swot-pestle-analysis- Strategic threats/opportunitiesroot-cause-analysis- When risks occurdecision-analysis- Risk-based decisionsprioritization- Risk prioritization
Version History
- v1.0.0 (2025-12-26): Initial release
Related Skills
melodic-software/milan-jovanovic-blog
development
VerifiedTrustedCommunity
Search Milan Jovanovic's .NET blog for Clean Architecture, DDD, CQRS, EF Core, and ASP.NET Core patterns. Use for finding applicable patterns, code examples, and architecture guidance. Invoke when working with .NET projects that could benefit from proven architectural patterns.
47SKILL.mdUpdated Apr 7, 2026
melodic-software/setup-dab
tools
VerifiedTrustedCommunity
Install and configure Data API Builder (DAB) for production SQL Server MCP access with RBAC
47SKILL.mdUpdated Apr 7, 2026
melodic-software/mssql
tools
VerifiedTrustedCommunity
Manage MssqlMcp servers - status, rebuild, and upstream updates
47SKILL.mdUpdated Apr 7, 2026
melodic-software/onboarding
tools
VerifiedTrustedCommunity
Developer environment setup guides for Windows, macOS, Linux, and WSL. Use when setting up development machines, installing tools, configuring environments, or following platform-specific setup guides. Covers package management, shell/terminal, code editors, AI tooling, containerization, databases, and more.
47SKILL.mdUpdated Apr 7, 2026