eddiebe147

Risk Assessor

# Install this skill:
npx skills add eddiebe147/claude-settings --skill "Risk Assessor"

Install specific skill from multi-skill repository

# Description

Identify, analyze, and mitigate project risks using systematic risk management frameworks

# SKILL.md


---
name: Risk Assessor
slug: risk-assessor
description: Identify, analyze, and mitigate project risks using systematic risk management frameworks
category: project
complexity: complex
version: "1.0.0"
author: "ID8Labs"
triggers:
  - "assess risks"
  - "identify risks"
  - "risk analysis"
  - "risk management"
  - "what could go wrong"
tags:
  - risk
  - assessment
  - mitigation
  - planning
  - management
---


Risk Assessor

The Risk Assessor skill helps teams proactively identify, analyze, prioritize, and mitigate project risks before they become problems. It uses systematic risk management frameworks to surface threats, evaluate their likelihood and impact, and create actionable mitigation strategies.

This skill excels at conducting pre-mortem exercises, creating risk registers, assessing probability and impact, developing contingency plans, and establishing early warning indicators to catch risks before they derail projects.

Risk Assessor follows the principle that the best time to handle a risk is before it becomes a crisis. Proactive risk management enables better decisions, realistic planning, and fewer surprises.

Core Workflows

Workflow 1: Conduct Risk Assessment

Steps:
1. Risk Identification
   - Pre-mortem exercise: Imagine project failed; what caused it?
   - Brainstorming: Team generates potential risks
   - Category review: Check common risk categories
     - Technical: Architecture, performance, security, scalability
     - Schedule: Deadlines, dependencies, resource availability
     - Resource: Team capacity, skill gaps, budget constraints
     - External: Market changes, regulatory, vendor dependencies
     - Quality: Bugs, tech debt, user experience
     - Organizational: Stakeholder alignment, priority shifts
   - Historical analysis: Review past project issues
   - Expert input: Consult specialists (security, legal, etc.)

2. Risk Documentation
   - For each risk, document:
     - Description: What is the risk?
     - Category: What type of risk?
     - Trigger: What would cause this risk to occur?
     - Impact: What happens if risk occurs?
     - Owner: Who monitors and manages this risk?

3. Probability Assessment
   - Rate likelihood of occurrence:
     - Low (1): < 10% chance
     - Medium (2): 10-50% chance
     - High (3): > 50% chance
   - Base on data, experience, and expert judgment
   - Document assumptions behind probability

4. Impact Assessment
   - Rate severity if risk occurs:
     - Low (1): Minor delay or cost increase
     - Medium (2): Significant schedule or scope impact
     - High (3): Project failure or major business impact
   - Consider multiple dimensions: time, cost, quality, reputation
   - Use worst-case scenario thinking

5. Risk Prioritization
   - Calculate Risk Score = Probability × Impact
   - Prioritize by score (1-9 scale):
     - Critical (7-9): Address immediately
     - High (4-6): Develop mitigation plan
     - Medium (2-3): Monitor regularly
     - Low (1): Track but no active mitigation
   - Focus on top 5-10 highest-priority risks

Output: Risk register with identified, assessed, and prioritized risks.

Workflow 2: Develop Mitigation Strategies

For each high-priority risk:

1. Choose Strategy Type
   - Avoid: Eliminate the risk (change approach, remove feature)
   - Mitigate: Reduce probability or impact (add testing, hire expert)
   - Transfer: Shift risk to third party (insurance, vendor SLA)
   - Accept: Acknowledge risk, plan response if occurs

2. Create Mitigation Plan
   - Specific actions to reduce risk
   - Assign owners and due dates
   - Define success criteria
   - Estimate cost and effort
   - Identify dependencies

3. Develop Contingency Plan
   - "If risk occurs, we will..."
   - Fallback options and alternatives
   - Recovery time objectives
   - Communication plan for stakeholders
   - Resource requirements

4. Define Early Warning Indicators
   - Leading indicators that risk is materializing
   - Monitoring frequency and method
   - Threshold for triggering contingency
   - Who watches and who gets alerted

Output: Risk mitigation and contingency plans with clear ownership.

Workflow 3: Monitor and Update Risks

Weekly:
1. Review early warning indicators
2. Update probability/impact if conditions change
3. Check status of mitigation actions
4. Add newly identified risks
5. Close resolved or obsolete risks

Monthly:
1. Full risk register review
2. Assess effectiveness of mitigations
3. Report top risks to stakeholders
4. Adjust priorities based on new information
5. Update contingency plans

When triggered:
- If risk occurs, activate contingency plan
- Document what happened and lessons learned
- Update risk models for future projects

Workflow 4: Pre-Mortem Exercise

Facilitated team session (60 min):

1. Set the Stage (5 min)
   - "Imagine it's 6 months from now and this project failed spectacularly"
   - "We're conducting a post-mortem to understand what went wrong"
   - "What caused the failure?"

2. Individual Brainstorm (10 min)
   - Each person silently writes failure scenarios
   - Encourage creative and uncomfortable thinking
   - No censoring or filtering

3. Share Round-Robin (20 min)
   - Each person shares their scenarios
   - Capture all on shared board
   - No debate or defense, just listen

4. Group and Prioritize (15 min)
   - Cluster similar failure modes
   - Vote on most likely or most impactful
   - Identify top 5-10 failure scenarios

5. Convert to Risks (10 min)
   - Reframe failures as current risks
   - Add to risk register
   - Assign initial owners

Output: List of identified risks from team's collective wisdom.

Quick Reference

| Action | Command/Trigger |
|--------|-----------------|
| Assess risks | "assess risks for [project]" |
| Pre-mortem | "run pre-mortem for [project]" |
| Risk register | "create risk register" |
| Update risks | "update risk status" |
| Top risks | "what are the top risks" |
| Mitigation plan | "create mitigation plan for [risk]" |
| Contingency plan | "plan contingency for [risk]" |
| Risk report | "generate risk report" |

Best Practices

  • Make it safe: Encourage honest risk identification; reward raising concerns early
  • Think like a pessimist: When identifying risks, assume Murphy's Law (what can go wrong, will)
  • Quantify when possible: Use data and metrics, not just gut feel, for probability and impact
  • Focus on top risks: Can't mitigate everything; focus on highest-priority risks
  • Own every risk: Each risk needs a named owner who monitors and drives mitigation
  • Plan before crisis: Contingency plans made in calm are better than in panic
  • Review regularly: Risks evolve; weekly review keeps register current and actionable
  • Learn from history: Past project failures are excellent teachers for future risk identification
  • Update probability as you learn: As project progresses, adjust probabilities based on new information
  • Don't ignore uncomfortable truths: The risks you avoid discussing are often the most dangerous
  • Communicate transparently: Share top risks with stakeholders; surprises destroy trust
  • Balance paranoia and progress: Risk management shouldn't paralyze; it should inform action

Risk Categories Checklist

Technical Risks

  • [ ] Unproven or new technology
  • [ ] Performance or scalability concerns
  • [ ] Security vulnerabilities
  • [ ] Integration complexity
  • [ ] Technical debt burden
  • [ ] Infrastructure reliability
  • [ ] Data migration challenges

Schedule Risks

  • [ ] Aggressive or unrealistic timeline
  • [ ] Dependencies on other teams/projects
  • [ ] Key milestones misaligned
  • [ ] Underestimated complexity
  • [ ] Holiday or vacation conflicts
  • [ ] External deadline pressure

Resource Risks

  • [ ] Insufficient team capacity
  • [ ] Key person dependencies (bus factor)
  • [ ] Skill gaps or training needs
  • [ ] Budget constraints
  • [ ] Competing priorities
  • [ ] Attrition or turnover

External Risks

  • [ ] Vendor reliability or changes
  • [ ] Regulatory or compliance changes
  • [ ] Market condition shifts
  • [ ] Competitor actions
  • [ ] Customer demand uncertainty
  • [ ] Third-party API stability

Quality Risks

  • [ ] Inadequate testing coverage
  • [ ] Complex or unclear requirements
  • [ ] Poor code quality or architecture
  • [ ] User experience concerns
  • [ ] Accessibility or compliance gaps
  • [ ] Browser/device compatibility

Organizational Risks

  • [ ] Stakeholder misalignment
  • [ ] Unclear decision-making authority
  • [ ] Changing priorities mid-project
  • [ ] Political or organizational dynamics
  • [ ] Communication breakdowns
  • [ ] Cross-team coordination challenges

Risk Matrix

                    IMPACT
              Low (1)  Med (2)  High (3)
PROBABILITY
High (3)      3 (H)    6 (H)    9 (C)
Med (2)       2 (M)    4 (H)    6 (H)
Low (1)       1 (L)    2 (M)    3 (H)

C = Critical  (7-9): Immediate action required
H = High      (4-6): Develop mitigation plan
M = Medium    (2-3): Monitor regularly
L = Low       (1):   Track in register
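
An added example (not part of the skill itself) that applies Workflow 1's scoring and prioritization to a small constructed register, using the bands from the legend above, so a score of 3 is banded Medium. The `Risk` class, the function names, and the sample entries are assumptions made for illustration.

```python
from dataclasses import dataclass

LEVELS = {"low": 1, "medium": 2, "high": 3}
# Bands from the legend as (lowest score, label), checked highest first.
BANDS = [(7, "Critical"), (4, "High"), (2, "Medium"), (1, "Low")]

@dataclass
class Risk:  # hypothetical record holding a subset of the register template fields
    rid: str
    title: str
    probability: str
    impact: str
    owner: str = ""
    status: str = "Active"

def score(risk):
    """Risk Score = Probability x Impact, each rated 1-3."""
    try:
        return LEVELS[risk.probability.lower()] * LEVELS[risk.impact.lower()]
    except KeyError as exc:
        raise ValueError(f"{risk.rid}: unknown rating {exc}") from None

def band(points):
    """Map a score to its priority band using the stated thresholds."""
    return next(label for floor, label in BANDS if points >= floor)

def prioritize(register, top_n=10):
    """Open risks as (score, band, risk), highest score first, ties by id."""
    scored = [(score(r), r) for r in register if r.status != "Closed"]
    scored.sort(key=lambda pair: (-pair[0], pair[1].rid))
    return [(s, band(s), r) for s, r in scored[:top_n]]

def unowned(register):
    """Ids of open risks with no named owner."""
    return [r.rid for r in register if r.status != "Closed" and not r.owner.strip()]

def reachable_scores():
    return sorted({p * i for p in LEVELS.values() for i in LEVELS.values()})

# Constructed sample register (titles borrowed from the page's common risks).
REGISTER = [
    Risk("R-001", "Third-party API becomes unreliable", "High", "Medium", "dana"),
    Risk("R-002", "Key developer leaves mid-project", "Low", "High"),
    Risk("R-003", "Security vulnerability discovered", "High", "High", "sam"),
    Risk("R-004", "Project runs over budget", "Medium", "Medium", "lee", "Closed"),
    Risk("R-005", "Performance doesn't meet requirements", "Medium", "High", "kim"),
]

if __name__ == "__main__":
    print(*prioritize(REGISTER, 3), unowned(REGISTER), reachable_scores(), sep="\n")
```

`reachable_scores()` returns only 1, 2, 3, 4, 6 and 9, so with 1-3 ratings the Critical band (7-9) is reached only when both probability and impact are High.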

Mitigation Strategy Decision Tree

Can we eliminate this risk entirely?
  YES → AVOID strategy (change approach)
  NO ↓

Can we significantly reduce probability or impact?
  YES → MITIGATE strategy (take action)
  NO ↓

Can someone else manage this better?
  YES → TRANSFER strategy (outsource, insure)
  NO ↓

ACCEPT strategy (plan contingency)

Risk Register Template

## Risk Register - [Project Name]

Last Updated: [Date]

### Critical Risks (Score 7-9)

#### R-001: [Risk Title]
- **Description**: [What is the risk?]
- **Category**: Technical | Schedule | Resource | External | Quality | Organizational
- **Probability**: High (3) | Medium (2) | Low (1)
- **Impact**: High (3) | Medium (2) | Low (1)
- **Risk Score**: [P × I]
- **Trigger**: [What causes this?]
- **Owner**: [Name]
- **Status**: Active | Monitoring | Closed
- **Mitigation Strategy**: Avoid | Mitigate | Transfer | Accept
- **Mitigation Actions**:
  - [ ] Action 1 - Owner - Due Date
  - [ ] Action 2 - Owner - Due Date
- **Contingency Plan**: If risk occurs, we will...
- **Early Warning Indicators**: [What to watch for]
- **Last Reviewed**: [Date]

### High Risks (Score 4-6)
[Same format as above]

### Medium Risks (Score 2-3)
[Same format as above]

Common Project Risks & Mitigations

Risk: Key Developer Leaves Mid-Project

  • Mitigation: Pair programming, documentation, knowledge sharing
  • Contingency: Contractor backup, timeline extension
  • Indicator: Team member disengagement, job searching signals

Risk: Requirements Change Significantly

  • Mitigation: Agile approach, frequent stakeholder check-ins, MVP focus
  • Contingency: Scope negotiation, timeline adjustment
  • Indicator: Stakeholder dissatisfaction, market feedback

Risk: Third-Party API Becomes Unreliable

  • Mitigation: Implement caching, retry logic, circuit breakers
  • Contingency: Alternative vendor, build in-house
  • Indicator: Increased error rates, latency spikes

Risk: Performance Doesn't Meet Requirements

  • Mitigation: Early performance testing, architecture review
  • Contingency: Optimization sprint, infrastructure scaling
  • Indicator: Load test failures, user complaints

Risk: Security Vulnerability Discovered

  • Mitigation: Security reviews, penetration testing, dependency scanning
  • Contingency: Incident response plan, rollback procedure
  • Indicator: Security alerts, CVE notifications

Risk: Project Runs Over Budget

  • Mitigation: Accurate estimation, buffer allocation, cost tracking
  • Contingency: Scope reduction, additional funding request
  • Indicator: Burn rate exceeds projections

Integration Points

  • Project Planner: Identifies risks during planning phase
  • Sprint Planner: Reviews risks at sprint planning
  • Task Manager: Tracks mitigation action items
  • Retrospective Facilitator: Captures risk learnings
  • Stakeholder Communication: Reports risk status
  • Incident Management: Triggers contingency plans
