prorise-cool/risk-analysis

Risk Analysis

When to Use This Skill

Use this skill when:

• Risk Analysis tasks - Working on risk analysis using risk registers, probability/impact matrices, and mitigation planning. identifies, assesses, and manages project, business, and technical risks with structured response strategies
• Planning or design - Need guidance on Risk Analysis approaches
• Best practices - Want to follow established patterns and standards

Overview

Systematically identify, assess, and manage risks using risk registers, probability/impact matrices, and structured response planning. Supports project risks, business risks, technical risks, and opportunity management.

What is Risk Analysis?

Risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on objectives. Risk analysis involves:

• Identification: What could happen?
• Assessment: How likely? How impactful?
• Response Planning: What will we do about it?
• Monitoring: Track and update risks

Risk vs Issue

| Concept | Definition | Action | |---------|------------|--------| | Risk | Potential future event (uncertain) | Plan response | | Issue | Current problem (certain) | Resolve now |

Threats vs Opportunities

| Type | Effect | Response Goal | |------|--------|---------------| | Threat | Negative impact | Minimize exposure | | Opportunity | Positive impact | Maximize benefit |

Risk Register

The central repository for all identified risks:

## Risk Register

| ID | Risk Description | Category | Probability | Impact | Score | Owner | Response | Status |
|----|-----------------|----------|-------------|--------|-------|-------|----------|--------|
| R-001 | [Description] | [Category] | H/M/L | H/M/L | [P×I] | [Name] | [Strategy] | Open |

Risk Register Fields

| Field | Description | |-------|-------------| | ID | Unique identifier | | Description | Clear risk statement | | Category | Type of risk | | Probability | Likelihood of occurrence | | Impact | Consequence if it occurs | | Score | Risk priority (P × I) | | Owner | Person responsible | | Response | Planned response strategy | | Status | Open, Mitigated, Closed, Occurred |

Risk Categories

| Category | Examples | |----------|----------| | Technical | Technology failure, integration issues | | Schedule | Delays, dependencies | | Cost | Budget overrun, resource costs | | Resource | Skill gaps, availability | | External | Vendor, regulatory, market | | Organizational | Change resistance, priorities | | Quality | Defects, performance | | Security | Data breach, unauthorized access |

Probability/Impact Matrix

Scoring Scales

Probability Scale:

| Level | Score | Description | Likelihood | |-------|-------|-------------|------------| | Very Low | 1 | Rare | < 10% | | Low | 2 | Unlikely | 10-30% | | Medium | 3 | Possible | 30-50% | | High | 4 | Likely | 50-70% | | Very High | 5 | Almost Certain | > 70% |

Impact Scale:

| Level | Score | Schedule | Cost | Quality | |-------|-------|----------|------|---------| | Very Low | 1 | < 1 week | < 5% | Minor | | Low | 2 | 1-2 weeks | 5-10% | Noticeable | | Medium | 3 | 2-4 weeks | 10-20% | Significant | | High | 4 | 1-3 months | 20-40% | Major | | Very High | 5 | > 3 months | > 40% | Critical |

Risk Score Calculation

Risk Score = Probability × Impact

Score Range: 1-25

Risk Priority Zones:

| Score | Priority | Action | |-------|----------|--------| | 1-4 | Low | Accept or monitor | | 5-9 | Medium | Active management | | 10-14 | High | Priority attention | | 15-25 | Critical | Immediate action |

Visual Matrix

quadrantChart
    title Risk Matrix
    x-axis Low Impact --> High Impact
    y-axis Low Probability --> High Probability
    quadrant-1 Critical
    quadrant-2 High Priority
    quadrant-3 Low Priority
    quadrant-4 Medium Priority

Risk Response Strategies

For Threats (Negative Risks)

| Strategy | Description | When to Use | |----------|-------------|-------------| | Avoid | Eliminate the threat | High probability and impact | | Transfer | Shift to third party | Financial/contractual risks | | Mitigate | Reduce probability or impact | Most common approach | | Accept | Acknowledge, no action | Low priority risks |

For Opportunities (Positive Risks)

| Strategy | Description | When to Use | |----------|-------------|-------------| | Exploit | Ensure opportunity occurs | High-value opportunities | | Share | Partner to increase capability | Need external help | | Enhance | Increase probability or impact | Moderate opportunities | | Accept | Take advantage if it occurs | Low-effort opportunities |

Response Planning Template

## Risk Response Plan: R-001

**Risk:** [Description]
**Strategy:** [Avoid/Transfer/Mitigate/Accept]

### Prevention Actions
| Action | Owner | Due Date | Status |
|--------|-------|----------|--------|
| [Preventive measure] | [Name] | [Date] | [Status] |

### Contingency Plan
**Trigger:** [What indicates risk is occurring]
**Actions:**
1. [Contingency action 1]
2. [Contingency action 2]

### Residual Risk
**After mitigation:**
- Probability: [Reduced level]
- Impact: [Reduced level]
- New Score: [Residual score]

Workflow

Phase 1: Risk Identification

Step 1: Gather Inputs

Sources for risk identification:

• Project plans and schedules
• Stakeholder concerns
• Historical data from similar projects
• SWOT analysis (Threats)
• Technical assessments
• External environment analysis

Step 2: Brainstorm Risks

Techniques:

• Checklist review: Standard risk categories
• Expert interviews: Subject matter experts
• Assumption analysis: Test project assumptions
• Root cause analysis: Work backward from impacts
• SWOT: Threats and opportunities

Step 3: Document Risks

Risk statement format:

"There is a risk that [CONDITION/CAUSE] may result in [CONSEQUENCE/IMPACT]"

Example:
"There is a risk that key developer leaves may result in schedule delay and knowledge loss"

Phase 2: Risk Assessment

Step 1: Assess Probability

For each risk:

• What is the likelihood of occurrence?
• What evidence supports this assessment?
• Use defined scale (1-5)

Step 2: Assess Impact

For each risk:

• What would be the consequence?
• Consider multiple impact types (schedule, cost, quality)
• Use the highest impact dimension
• Use defined scale (1-5)

Step 3: Calculate and Prioritize

## Risk Assessment Summary

| ID | Risk | P | I | Score | Priority |
|----|------|---|---|-------|----------|
| R-001 | [Risk 1] | 4 | 5 | 20 | Critical |
| R-002 | [Risk 2] | 3 | 3 | 9 | Medium |
| R-003 | [Risk 3] | 2 | 2 | 4 | Low |

Phase 3: Response Planning

Step 1: Select Response Strategy

For each significant risk:

• Match strategy to risk characteristics
• Consider cost of response vs. risk exposure
• Assign risk owner

Step 2: Define Response Actions

• Specific, measurable actions
• Clear owners and due dates
• Contingency triggers defined

Step 3: Calculate Residual Risk

After planned mitigations:

• Re-assess probability and impact
• Calculate residual risk score
• Determine if acceptable

Phase 4: Monitoring

Step 1: Track Risk Status

Regular review cadence:

• Critical risks: Weekly
• High risks: Bi-weekly
• Medium risks: Monthly
• Low risks: Quarterly

Step 2: Update Register

• New risks identified
• Risk scores changed
• Responses executed
• Risks closed or occurred

Output Formats

Risk Register (Markdown Table)

## Risk Register: [Project/Initiative]

**Date:** [ISO Date]
**Owner:** [Name]
**Review Cycle:** [Weekly/Monthly]

| ID | Risk Description | Category | P | I | Score | Owner | Response | Actions | Status |
|----|-----------------|----------|---|---|-------|-------|----------|---------|--------|
| R-001 | Key developer may leave during critical phase | Resource | 4 | 5 | 20 | PM | Mitigate | Cross-train, document | Open |
| R-002 | Third-party API may have breaking changes | Technical | 3 | 4 | 12 | Tech Lead | Mitigate | Abstraction layer | Open |
| R-003 | Budget approval may be delayed | Cost | 2 | 4 | 8 | Sponsor | Accept | Monitor | Open |
| R-004 | New regulation may require features | External | 2 | 3 | 6 | BA | Accept | Watch | Open |

### Summary
- **Total Risks:** 4
- **Critical (15+):** 1
- **High (10-14):** 1
- **Medium (5-9):** 1
- **Low (1-4):** 1

Risk Matrix Visualization

quadrantChart
    title Risk Assessment Matrix
    x-axis Low Impact --> High Impact
    y-axis Low Probability --> High Probability
    quadrant-1 Critical - Immediate Action
    quadrant-2 High - Active Management
    quadrant-3 Low - Monitor
    quadrant-4 Medium - Plan Response
    "R-001 Key Dev": [0.9, 0.8]
    "R-002 API Changes": [0.7, 0.6]
    "R-003 Budget": [0.7, 0.35]
    "R-004 Regulation": [0.5, 0.35]

Structured Data (YAML)

risk_register:
  name: "[Project/Initiative]"
  version: "1.0"
  date: "2025-01-15"
  owner: "Project Manager"
  review_cycle: "weekly"

  risk_appetite:
    overall: "moderate"
    schedule: "low"
    cost: "moderate"
    quality: "low"

  scales:
    probability:
      1: "Rare (<10%)"
      2: "Unlikely (10-30%)"
      3: "Possible (30-50%)"
      4: "Likely (50-70%)"
      5: "Almost Certain (>70%)"
    impact:
      1: "Very Low"
      2: "Low"
      3: "Medium"
      4: "High"
      5: "Very High"

  risks:
    - id: "R-001"
      description: "Key developer may leave during critical phase"
      category: "Resource"
      probability: 4
      impact: 5
      score: 20
      priority: "critical"
      owner: "Project Manager"
      response_strategy: "mitigate"
      response_actions:
        - action: "Cross-train team member"
          owner: "Tech Lead"
          due_date: "2025-02-01"
          status: "in_progress"
        - action: "Document critical knowledge"
          owner: "Developer"
          due_date: "2025-02-15"
          status: "not_started"
      contingency:
        trigger: "Developer gives notice"
        actions:
          - "Accelerate knowledge transfer"
          - "Engage contractor"
      residual_risk:
        probability: 3
        impact: 3
        score: 9
      status: "open"
      created_date: "2025-01-15"
      last_reviewed: "2025-01-15"

  summary:
    total: 4
    by_priority:
      critical: 1
      high: 1
      medium: 1
      low: 1
    by_status:
      open: 4
      mitigated: 0
      closed: 0
      occurred: 0

Narrative Summary

## Risk Assessment Summary

**Project:** [Name]
**Date:** [ISO Date]
**Assessed By:** risk-analyst

### Risk Profile

| Priority | Count | Top Risk |
|----------|-------|----------|
| Critical | 1 | Key developer leaving |
| High | 1 | Third-party API changes |
| Medium | 1 | Budget approval delay |
| Low | 1 | Regulatory changes |

### Critical Risks Requiring Action

#### R-001: Key Developer Departure
- **Score:** 20 (P:4 × I:5)
- **Response:** Mitigate through cross-training and documentation
- **Target Residual:** 9 (P:3 × I:3)
- **Actions:** 2 in progress, 0 completed

### Risk Trends

| Metric | This Period | Last Period | Trend |
|--------|-------------|-------------|-------|
| Total Risks | 4 | 3 | ↑ |
| Critical | 1 | 0 | ↑ |
| Closed | 0 | 1 | ↓ |

### Recommendations

1. **Immediate:** Accelerate R-001 mitigation actions
2. **This Week:** Complete API abstraction layer design
3. **Monitor:** Watch for regulatory announcements

Common Pitfalls

| Pitfall | Prevention | |---------|------------| | Vague risk descriptions | Use "condition may cause consequence" format | | Inconsistent scoring | Define and use standard scales | | No risk owners | Assign owner at identification | | Stale register | Schedule regular reviews | | Ignoring opportunities | Include positive risks | | Over-analysis | Focus on high-priority risks | | No contingency | Plan for when risks occur |

Integration

Upstream

• swot-pestle-analysis - Threats from strategic analysis
• stakeholder-analysis - Stakeholder concerns as risks
• decision-analysis - Risks inform decisions

Downstream

• Project planning - Risk-adjusted schedules
• Budgeting - Contingency reserves
• Monitoring - Risk tracking dashboards

Related Skills

• swot-pestle-analysis - Strategic threats/opportunities
• root-cause-analysis - When risks occur
• decision-analysis - Risk-based decisions
• prioritization - Risk prioritization

Version History

• v1.0.0 (2025-12-26): Initial release