Skills
skills/melodic-software/claude-code-plugins/risk-analysis

risk-analysis

SKILL.md

Risk Analysis

When to Use This Skill

Use this skill when:

  • Risk Analysis tasks - Working on risk analysis using risk registers, probability/impact matrices, and mitigation planning. identifies, assesses, and manages project, business, and technical risks with structured response strategies
  • Planning or design - Need guidance on Risk Analysis approaches
  • Best practices - Want to follow established patterns and standards

Overview

Systematically identify, assess, and manage risks using risk registers, probability/impact matrices, and structured response planning. Supports project risks, business risks, technical risks, and opportunity management.

What is Risk Analysis?

Risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on objectives. Risk analysis involves:

  • Identification: What could happen?
  • Assessment: How likely? How impactful?
  • Response Planning: What will we do about it?
  • Monitoring: Track and update risks

Risk vs Issue

Concept Definition Action
Risk Potential future event (uncertain) Plan response
Issue Current problem (certain) Resolve now

Threats vs Opportunities

Type Effect Response Goal
Threat Negative impact Minimize exposure
Opportunity Positive impact Maximize benefit

Risk Register

The central repository for all identified risks:

## Risk Register

| ID | Risk Description | Category | Probability | Impact | Score | Owner | Response | Status |
|----|-----------------|----------|-------------|--------|-------|-------|----------|--------|
| R-001 | [Description] | [Category] | H/M/L | H/M/L | [P×I] | [Name] | [Strategy] | Open |

Risk Register Fields

Field Description
ID Unique identifier
Description Clear risk statement
Category Type of risk
Probability Likelihood of occurrence
Impact Consequence if it occurs
Score Risk priority (P × I)
Owner Person responsible
Response Planned response strategy
Status Open, Mitigated, Closed, Occurred

Risk Categories

Category Examples
Technical Technology failure, integration issues
Schedule Delays, dependencies
Cost Budget overrun, resource costs
Resource Skill gaps, availability
External Vendor, regulatory, market
Organizational Change resistance, priorities
Quality Defects, performance
Security Data breach, unauthorized access

Probability/Impact Matrix

Scoring Scales

Probability Scale:

Level Score Description Likelihood
Very Low 1 Rare < 10%
Low 2 Unlikely 10-30%
Medium 3 Possible 30-50%
High 4 Likely 50-70%
Very High 5 Almost Certain > 70%

Impact Scale:

Level Score Schedule Cost Quality
Very Low 1 < 1 week < 5% Minor
Low 2 1-2 weeks 5-10% Noticeable
Medium 3 2-4 weeks 10-20% Significant
High 4 1-3 months 20-40% Major
Very High 5 > 3 months > 40% Critical

Risk Score Calculation

Risk Score = Probability × Impact

Score Range: 1-25

Risk Priority Zones:

Score Priority Action
1-4 Low Accept or monitor
5-9 Medium Active management
10-14 High Priority attention
15-25 Critical Immediate action

Visual Matrix

quadrantChart
    title Risk Matrix
    x-axis Low Impact --> High Impact
    y-axis Low Probability --> High Probability
    quadrant-1 Critical
    quadrant-2 High Priority
    quadrant-3 Low Priority
    quadrant-4 Medium Priority

Risk Response Strategies

For Threats (Negative Risks)

Strategy Description When to Use
Avoid Eliminate the threat High probability and impact
Transfer Shift to third party Financial/contractual risks
Mitigate Reduce probability or impact Most common approach
Accept Acknowledge, no action Low priority risks

For Opportunities (Positive Risks)

Strategy Description When to Use
Exploit Ensure opportunity occurs High-value opportunities
Share Partner to increase capability Need external help
Enhance Increase probability or impact Moderate opportunities
Accept Take advantage if it occurs Low-effort opportunities

Response Planning Template

## Risk Response Plan: R-001

**Risk:** [Description]
**Strategy:** [Avoid/Transfer/Mitigate/Accept]

### Prevention Actions
| Action | Owner | Due Date | Status |
|--------|-------|----------|--------|
| [Preventive measure] | [Name] | [Date] | [Status] |

### Contingency Plan
**Trigger:** [What indicates risk is occurring]
**Actions:**
1. [Contingency action 1]
2. [Contingency action 2]

### Residual Risk
**After mitigation:**
- Probability: [Reduced level]
- Impact: [Reduced level]
- New Score: [Residual score]

Workflow

Phase 1: Risk Identification

Step 1: Gather Inputs

Sources for risk identification:

  • Project plans and schedules
  • Stakeholder concerns
  • Historical data from similar projects
  • SWOT analysis (Threats)
  • Technical assessments
  • External environment analysis

Step 2: Brainstorm Risks

Techniques:

  • Checklist review: Standard risk categories
  • Expert interviews: Subject matter experts
  • Assumption analysis: Test project assumptions
  • Root cause analysis: Work backward from impacts
  • SWOT: Threats and opportunities

Step 3: Document Risks

Risk statement format:

"There is a risk that [CONDITION/CAUSE] may result in [CONSEQUENCE/IMPACT]"

Example:
"There is a risk that key developer leaves may result in schedule delay and knowledge loss"

Phase 2: Risk Assessment

Step 1: Assess Probability

For each risk:

  • What is the likelihood of occurrence?
  • What evidence supports this assessment?
  • Use defined scale (1-5)

Step 2: Assess Impact

For each risk:

  • What would be the consequence?
  • Consider multiple impact types (schedule, cost, quality)
  • Use the highest impact dimension
  • Use defined scale (1-5)

Step 3: Calculate and Prioritize

## Risk Assessment Summary

| ID | Risk | P | I | Score | Priority |
|----|------|---|---|-------|----------|
| R-001 | [Risk 1] | 4 | 5 | 20 | Critical |
| R-002 | [Risk 2] | 3 | 3 | 9 | Medium |
| R-003 | [Risk 3] | 2 | 2 | 4 | Low |

Phase 3: Response Planning

Step 1: Select Response Strategy

For each significant risk:

  • Match strategy to risk characteristics
  • Consider cost of response vs. risk exposure
  • Assign risk owner

Step 2: Define Response Actions

  • Specific, measurable actions
  • Clear owners and due dates
  • Contingency triggers defined

Step 3: Calculate Residual Risk

After planned mitigations:

  • Re-assess probability and impact
  • Calculate residual risk score
  • Determine if acceptable

Phase 4: Monitoring

Step 1: Track Risk Status

Regular review cadence:

  • Critical risks: Weekly
  • High risks: Bi-weekly
  • Medium risks: Monthly
  • Low risks: Quarterly

Step 2: Update Register

  • New risks identified
  • Risk scores changed
  • Responses executed
  • Risks closed or occurred

Output Formats

Risk Register (Markdown Table)

## Risk Register: [Project/Initiative]

**Date:** [ISO Date]
**Owner:** [Name]
**Review Cycle:** [Weekly/Monthly]

| ID | Risk Description | Category | P | I | Score | Owner | Response | Actions | Status |
|----|-----------------|----------|---|---|-------|-------|----------|---------|--------|
| R-001 | Key developer may leave during critical phase | Resource | 4 | 5 | 20 | PM | Mitigate | Cross-train, document | Open |
| R-002 | Third-party API may have breaking changes | Technical | 3 | 4 | 12 | Tech Lead | Mitigate | Abstraction layer | Open |
| R-003 | Budget approval may be delayed | Cost | 2 | 4 | 8 | Sponsor | Accept | Monitor | Open |
| R-004 | New regulation may require features | External | 2 | 3 | 6 | BA | Accept | Watch | Open |

### Summary
- **Total Risks:** 4
- **Critical (15+):** 1
- **High (10-14):** 1
- **Medium (5-9):** 1
- **Low (1-4):** 1

Risk Matrix Visualization

quadrantChart
    title Risk Assessment Matrix
    x-axis Low Impact --> High Impact
    y-axis Low Probability --> High Probability
    quadrant-1 Critical - Immediate Action
    quadrant-2 High - Active Management
    quadrant-3 Low - Monitor
    quadrant-4 Medium - Plan Response
    "R-001 Key Dev": [0.9, 0.8]
    "R-002 API Changes": [0.7, 0.6]
    "R-003 Budget": [0.7, 0.35]
    "R-004 Regulation": [0.5, 0.35]

Structured Data (YAML)

risk_register:
  name: "[Project/Initiative]"
  version: "1.0"
  date: "2025-01-15"
  owner: "Project Manager"
  review_cycle: "weekly"

  risk_appetite:
    overall: "moderate"
    schedule: "low"
    cost: "moderate"
    quality: "low"

  scales:
    probability:
      1: "Rare (<10%)"
      2: "Unlikely (10-30%)"
      3: "Possible (30-50%)"
      4: "Likely (50-70%)"
      5: "Almost Certain (>70%)"
    impact:
      1: "Very Low"
      2: "Low"
      3: "Medium"
      4: "High"
      5: "Very High"

  risks:
    - id: "R-001"
      description: "Key developer may leave during critical phase"
      category: "Resource"
      probability: 4
      impact: 5
      score: 20
      priority: "critical"
      owner: "Project Manager"
      response_strategy: "mitigate"
      response_actions:
        - action: "Cross-train team member"
          owner: "Tech Lead"
          due_date: "2025-02-01"
          status: "in_progress"
        - action: "Document critical knowledge"
          owner: "Developer"
          due_date: "2025-02-15"
          status: "not_started"
      contingency:
        trigger: "Developer gives notice"
        actions:
          - "Accelerate knowledge transfer"
          - "Engage contractor"
      residual_risk:
        probability: 3
        impact: 3
        score: 9
      status: "open"
      created_date: "2025-01-15"
      last_reviewed: "2025-01-15"

  summary:
    total: 4
    by_priority:
      critical: 1
      high: 1
      medium: 1
      low: 1
    by_status:
      open: 4
      mitigated: 0
      closed: 0
      occurred: 0

Narrative Summary

## Risk Assessment Summary

**Project:** [Name]
**Date:** [ISO Date]
**Assessed By:** risk-analyst

### Risk Profile

| Priority | Count | Top Risk |
|----------|-------|----------|
| Critical | 1 | Key developer leaving |
| High | 1 | Third-party API changes |
| Medium | 1 | Budget approval delay |
| Low | 1 | Regulatory changes |

### Critical Risks Requiring Action

#### R-001: Key Developer Departure
- **Score:** 20 (P:4 × I:5)
- **Response:** Mitigate through cross-training and documentation
- **Target Residual:** 9 (P:3 × I:3)
- **Actions:** 2 in progress, 0 completed

### Risk Trends

| Metric | This Period | Last Period | Trend |
|--------|-------------|-------------|-------|
| Total Risks | 4 | 3 ||
| Critical | 1 | 0 ||
| Closed | 0 | 1 ||

### Recommendations

1. **Immediate:** Accelerate R-001 mitigation actions
2. **This Week:** Complete API abstraction layer design
3. **Monitor:** Watch for regulatory announcements

Common Pitfalls

Pitfall Prevention
Vague risk descriptions Use "condition may cause consequence" format
Inconsistent scoring Define and use standard scales
No risk owners Assign owner at identification
Stale register Schedule regular reviews
Ignoring opportunities Include positive risks
Over-analysis Focus on high-priority risks
No contingency Plan for when risks occur

Integration

Upstream

  • swot-pestle-analysis - Threats from strategic analysis
  • stakeholder-analysis - Stakeholder concerns as risks
  • decision-analysis - Risks inform decisions

Downstream

  • Project planning - Risk-adjusted schedules
  • Budgeting - Contingency reserves
  • Monitoring - Risk tracking dashboards

Related Skills

  • swot-pestle-analysis - Strategic threats/opportunities
  • root-cause-analysis - When risks occur
  • decision-analysis - Risk-based decisions
  • prioritization - Risk prioritization

Version History

  • v1.0.0 (2025-12-26): Initial release
Weekly Installs
4
Repository
melodic-software/claude-code-plugins
Installed on
antigravity3
windsurf2
trae2
opencode2
codex2
claude-code2