Risk Analysis & Mitigation Skill

Overview

Generate Section 12 of the business plan: the risk analysis. Use this skill to surface the risks that actually matter, assess their implications honestly, and show that management has credible mitigation logic.

Use When

• Use when drafting or revising the risk analysis section for lenders, investors, grant funders, or internal review.
• Use when the business needs a transparent assessment of market, operational, financial, regulatory, or team risk.
• Use when mitigation and contingency planning are material to credibility.

Do Not Use When

• Do not use to produce a cosmetic risk table that avoids the real vulnerabilities.
• Do not bury severe risks behind vague language or optimistic tone.
• Do not present mitigation steps that the business cannot execute.

Required Inputs

• Core business model, funding logic, implementation plan, and operating assumptions
• Country, sector, and regulatory context shaping the main risk environment
• Known dependencies on people, suppliers, technology, licences, or external markets
• Adjacent plan sections whose claims create or mitigate material risks

Workflow

1. Identify the major risk categories from the actual business model and context.
2. Prioritise the highest-consequence and highest-likelihood risks.
3. State mitigation actions, contingencies, and ownership clearly.
4. Check that risk treatment aligns with implementation, operations, and funding capacity.
5. Reconcile the risk section with projections, compliance, and team realities.
6. Flag residual risks that should remain visible to the reader.

Quality Bar

• The section identifies the real threats to viability rather than generic business risks.
• Likelihood, impact, and mitigation logic are proportionate and believable.
• Risk language builds confidence through honesty, not through denial.
• Material residual risks remain explicit.

Anti-Patterns

• Risk registers full of low-signal generic items.
• Claiming strong mitigation where no budget, owner, or process exists.
• Hiding regulatory, concentration, or founder-dependence risk.
• Risk statements that contradict the financial model or implementation plan.

Outputs

• A finished or revised Section 12 risk analysis
• A prioritised risk register with mitigation and contingency logic
• Residual-risk notes and dependencies for funding or diligence review

Generate an honest risk assessment that builds investor confidence through transparency and preparedness.

What to Generate

Required Elements

1. Risk inventory Comprehensive list of risks by category
2. Probability/impact matrix Visual risk prioritisation
3. Mitigation strategies How each major risk is being addressed
4. Contingency plans What happens if a risk materialises
5. Insurance coverage Business insurance needs and plans
6. Regulatory risks Compliance obligations and penalties
7. Key person risk Dependency on specific individuals

Risk Categories

• Market risks Demand shifts, market saturation, timing
• Financial risks Cash flow, currency, interest rates, funding gaps
• Operational risks Supply chain, technology failure, quality issues
• Competitive risks New entrants, price wars, disruptive innovation
• Regulatory risks Law changes, licence requirements, compliance costs
• Team risks Key person departure, hiring difficulty, skill gaps
• Technology risks Obsolescence, security breaches, platform dependency
• External risks Economic downturn, pandemic, geopolitical instability

Risk Matrix Format

Risk	Probability	Impact	Risk Level	Mitigation
[Risk name]	Low/Med/High	Low/Med/High	Score	[Strategy]

Mitigation Strategy Types

• Avoid Eliminate the risk entirely by changing approach
• Reduce Lower probability or impact through preventive action
• Transfer Shift risk to third party (insurance, outsourcing)
• Accept Acknowledge and monitor (for low-impact risks)

Process Risk Identification

For operational risks, walk through each core process activity asking "What can go wrongSection " (Page, 2015). Document findings in an internal controls table before developing solutions identify all risks first, solve second.

Use root cause analysis to move beyond symptoms to underlying causes:

• Ishikawa (Fishbone) diagram Brainstorm causes across the 6 Ms: Man (people/skills), Method (process design), Machine (equipment/systems), Material (inputs/data), Measurement (metrics/feedback), Milieu (environment/culture) (Dumas et al., 2013)
• 5 Whys For each identified cause, ask "WhySection " repeatedly until reaching a root cause that, if eliminated, would prevent recurrence
• Pareto analysis Focus on the vital 20% of causes responsible for 80% of issues

Issue Register

For complex operational risks, maintain a structured issue register:

Field	Description
Issue ID	Unique identifier
Issue name	Short descriptive name
Impact dimension	Time / Cost / Quality / Flexibility affected
Quantitative impact	Estimated magnitude (e.g., "adds 3 days to cycle time")
Root causes	Underlying causes identified via Ishikawa/5 Whys
Suggested improvements	Potential solutions with trade-off assessment
Priority	High/Medium/Low based on impact and feasibility

Generation Process

1. Ask for: industry, business stage, key dependencies, known concerns
2. Brainstorm risks across all 8 categories
3. Assess probability and impact for each
4. Prioritise by risk level (probability x impact)
5. Develop mitigation strategy for all high and medium risks
6. Create contingency plans for top 5 risks
7. Identify insurance needs

Quality Criteria

• Risks are specific to this business, not generic lists
• High-impact risks have detailed mitigation plans
• Contingency plans include trigger conditions ("if X happens, we do Y")
• Analysis is honest investors distrust plans with no acknowledged risks
• Key person risk is addressed with succession or knowledge-sharing plans

Startup-Specific Risk Factors

For new ventures, actively check for the 9 Deadly Sins (Blank & Dorf, 2012) the most common startup failure modes:

1. Assuming "I know what the customer wants" without validation
2. Building features without customer feedback
3. Fixating on launch date over learning
4. Executing an untested plan
5. Static plans in dynamic markets
6. Hiring senior executives before finding a business model
7. Marketing to a plan without testing
8. Premature scaling the #1 startup failure mode (hiring/spending before validation)
9. Management by crisis instead of systematic discovery

Use the Assumptions Tracking Template to quantify risk: classify each assumption as Minor/Major/Critical, calculate Risk Score = (Minor1) + (Major5) + (Critical25), target below 100 (Alam). See references/startup-risk-frameworks.md.

Uganda-Specific Regulatory Risks (Standard Inclusions)

Every Uganda business plan risk analysis must include the following regulatory risks as standard items they affect most businesses and carry significant financial penalties:

Risk	Description	Impact if Materialised	Mitigation
EFRIS non-compliance	Failure to issue electronic fiscal receipts via URA's EFRIS system	UGX 8,000,000/month fine for not using EFRIS; UGX 6,000,000/month for not issuing e-receipts	Register for EFRIS before trading; train all sales staff; integrate EFRIS into POS system
NIN/BRN licensing gate	From 2025, individual NIN (for individuals) and BRN (for companies) are required before any licence can be issued	Inability to obtain trading licence, bank account, or government contracts	Ensure all directors have valid National IDs from NIRA; obtain BRN from URSB before applying for any licence
Import cost escalation	2025 Finance Act introduced 1.5% Import Declaration Fee + 1.0% Railway Development Levy on CIF value of all imports	2.5% additional cost on all imported inputs, equipment, raw materials	Prioritise local sourcing; factor import levies into COGS calculations; investigate EAC origin preferences
VAT anti-fragmentation	URA now treats artificially split transactions as single supplies for VAT threshold purposes	Unexpectedly crossing UGX 150M VAT threshold; back-taxes + penalties	Do not artificially split invoices; seek tax advice before approaching threshold
Late EFRIS filing	Late submission of EFRIS reports	UGX 200,000 or 2% of tax liability per month, whichever is higher	Calendar automated EFRIS submissions; use URA-integrated accounting software
EUDR compliance (coffee, cocoa, timber exporters)	EU Deforestation Regulation effective December 31, 2025	Loss of EU market access (67% of Uganda's coffee market)	Register farm GPS coordinates; obtain GlobalG.A.P. certification; implement supply chain traceability
NSSF default	Failure to remit employee social security contributions (5% employee + 10% employer)	Fine up to UGX 10M + up to 6 months imprisonment	Set up automatic NSSF payment schedule; treat NSSF as a fixed cost

For import-dependent businesses, also model the exchange rate depreciation scenario (see meta-financial-stress-test/references/stress-test-methodology.md) UGX 4,200/$ pessimistic, UGX 4,800/$ extreme scenario.

References

• Global trade risks 2025: See references/global-trade-risks-2025.md for 2025 US tariff policy and AGOA uncertainty, Suez Canal/Red Sea shipping disruptions (+23 weeks transit, +1525% freight cost), EU Deforestation Regulation (EUDR) compliance requirements, DRC instability and western Uganda trade corridor disruptions, global commodity price risks (coffee, gold, petroleum), and East African inflation context by country
• Strategic risk and scenario planning: See references/strategic-risk-scenarios.md for Suns & Clouds risk chart, risk containment strategies (avoid/transfer/reduce/accept), scenario planning methodology, hypothesis testing for strategy, risk-reward evaluation, risk mitigation plan template, and sensitivity analysis from Evans, Harris & Lenox, and Fahey & Randall
• Process risk and root cause analysis: See references/process-risk-root-cause.md for Ishikawa (fishbone) diagram methodology, 5 Whys technique, Pareto analysis (80/20 rule), internal controls framework ("what can go wrongSection " walkthrough), issue register template, and process-related risk categories mapped to Devil's Quadrangle from Dumas et al. (Springer, 2013) and Page (AMACOM, 2015)
• Startup risk frameworks: See references/startup-risk-frameworks.md for 9 Deadly Sins of New Product Introduction, premature scaling risk assessment, Assumptions Tracking Template with Risk Score formula, reversible vs. irreversible decisions framework, and technology vs. market risk distinction from Blank & Dorf (2012) and Alam
• Uganda-specific risk context (202526): See references/uganda-risk-context.md for current Uganda macroeconomic risk data (inflation by category, exchange rate, interest rates), structural risks (informal economy competition, credit access), poverty/demand constraints by region, sector-specific risks (agriculture, manufacturing, services), regulatory compliance risks (URA, UNBS, NEMA, KCCA), political/security context, infrastructure risks, climate risks, a Uganda risk register template, and validated African business risk patterns from 25 years of pan-African operations (currency remittance delays, government payment risk, import competition, over-expansion, delegation/barony risk) from UBOS (CPI Feb 2026, UNHS 2023/24, NLFS 2021, KEI Q1 2025/26), World Bank (2023), and Sardanis (2007). Read this file for every Uganda business plan risk analysis.
• Enterprise Risk Management (ERM) frameworks: See references/enterprise-risk-management.md for the COSO ERM framework (mission risks appetite likelihood impact mitigation residual), five enterprise risk categories with identification checklists (strategic/operations/legal/credit/market), risk appetite and tolerance definitions with business-stage guidance, Balanced Scorecard risk KPIs, natural disaster risk framework (Mitroff's three crisis categories), ERM in projects, and risk maturity levels (15) from Olson & Wu (Springer, 2017) and Murray-Webster & Pullan
• Due diligence risk integration: meta-due-diligence/SKILL.md any DD finding (Mode A or C) that cannot be resolved before submission must be added to this risk register with a named owner, mitigation action, target resolution date, and residual risk rating. Unaddressed DD findings will be flagged by investors as evidence management has not thought through its vulnerabilities.
• ESMP DFI-standard reference: meta-due-diligence/references/esmp-template.md comprehensive reference covering: AfDB 14 Material Actions with KPIs/deadlines; standard 14-section ESMP structure; impact/mitigation matrix with representative rows (dust, noise, waste, OHS, community safety); 5-step GRM procedure; stakeholder engagement timeline; environmental monitoring plan; ESMP budget structure; Uganda NEMA/KCCA/DOSH regulatory table. Sources: AfDB, FAO/WB, UNDP, World Bank ESMPs (2025). Read when the business has construction, land use, or natural-resource impacts and is seeking DFI/AfDB/UDB/IFC financing exceeding UGX 500M. Every environmental risk in the risk register should map to a mitigation measure in the ESMP.
• Risk identification, assessment & response methods: See references/risk-identification-assessment.md for Raydugin's three-part uncertainty naming convention (Cause Event Impact) with worked examples, Risk Breakdown Structure (RBS) template, Bowtie diagram methodology (prevention vs mitigation controls), 55 probability-impact matrix with scoring and colour-band guidance, five addressing strategies (Avoid/Reduce/Transfer/Accept/Exploit) with worked examples and selection guidance, Murray-Webster's triple strand of behavioural biases (conscious/subconscious/affective) and key heuristics (availability, optimism, proximity, anchoring), complete risk register column design, supercritical risk management protocol, contingency reserve guidelines, and risk communication structure for investors from Raydugin (Wiley, 2013) and Murray-Webster & Pullan (Routledge)
• Competitive threat assessment methods war gaming, I&W, country risk, linchpin analysis: See ../06-competitive-analysis/references/competitive-analysis-methods-fleisher.md for War Gaming (6-step simulation of competitor responses to major strategic decisions), Indications and Warning Analysis (early warning indicator system with threshold levels and response protocols feeds directly into monitoring dashboards), Country Risk Analysis (six risk dimensions: economic, transfer, exchange, location, sovereign, political), Analysis of Competing Hypotheses (structured hypothesis testing for high-stakes ambiguous situations), and Linchpin Analysis (identifying the single critical assumption that, if wrong, invalidates the plan) Source: Fleisher & Bensoussan (FT Press, 2007). Read when building a competitive risk register, designing an early warning dashboard, assessing country-level risk for regional expansion, or stress-testing the plan's critical assumptions.
• Climate and environmental risk in Uganda: See references/climate-environment-risk-uganda.md
• Leadership under crisis The Struggle and wartime management: See ../09-management-team/references/hard-things-horowitz.md Horowitz's frameworks for crisis leadership: The Struggle (psychological and operational survival toolkit), CEO transparency as risk culture (bad news travels fast in healthy cultures), layoffs done right, Peacetime vs Wartime CEO (when to switch leadership mode), and the Accountability vs Creativity Paradox. Read when the risk section must address key-man risk, management resilience, or leadership continuity in a business plan for a growth-stage venture seeking equity or DFI funding. for Uganda climate trends (IPCC AR6/NEMA data), 8-row environmental regulatory compliance table (NEMA Act, Water Act, Land Act, Employment Act), climate risk classification by 9 Uganda business types with financial exposure estimates, ready-to-use 10-row environmental risk matrix template, NEMA Category A/B/C quick reference, climate adaptation vs mitigation distinction (Uganda contributes <0.1% of global GHG emissions; adaptation is the priority frame), and circular economy environmental opportunity data Sources: Dietz (Cambridge, 2023); IFC/World Bank CPSD Uganda (2022); NEMA Act Cap 153. Read for every Uganda business plan risk analysis. Environmental and social risks must appear in the risk matrix.