| name | risk-cycle |
| description | Continuous risk identification, assessment, tracking, and retirement throughout SDLC. Use when relevant to the task. |
risk-cycle
Continuous risk identification, assessment, tracking, and retirement throughout SDLC.
Triggers
- "risk review"
- "update risks"
- "new risk"
- "risk status"
- "mitigate risk"
- "retire risk"
- "risk cycle"
Purpose
This skill manages continuous risk management by:
- Identifying new risks from project activities
- Assessing risk severity and probability
- Tracking mitigation progress
- Escalating overdue or critical risks
- Retiring completed risk mitigations
- Generating risk reports for stakeholders
Behavior
When triggered, this skill:
Reviews current state:
- Load risk register
- Check mitigation status
- Identify overdue items
Identifies new risks:
- Analyze recent changes
- Review technical decisions
- Check external factors
- Gather team input
Assesses risks:
- Score probability and impact
- Calculate risk score
- Prioritize by exposure
Plans mitigations:
- Assign owners
- Define mitigation actions
- Set target dates
Tracks progress:
- Update mitigation status
- Escalate overdue items
- Retire completed risks
Reports status:
- Generate risk dashboard
- Highlight top risks
- Show trend over time
Risk Categories
Technical Risks
technical_risks:
architecture:
examples:
- Scalability bottleneck
- Single point of failure
- Technology obsolescence
- Integration complexity
indicators:
- Performance degradation
- System failures
- Upgrade difficulties
development:
examples:
- Technical debt accumulation
- Code quality issues
- Testing gaps
- Dependency vulnerabilities
indicators:
- Increasing bug count
- Slower velocity
- Failed deployments
security:
examples:
- Data breach potential
- Authentication weaknesses
- Compliance gaps
- Third-party risks
indicators:
- Security scan findings
- Audit failures
- Incident reports
Project Risks
project_risks:
schedule:
examples:
- Scope creep
- Delayed dependencies
- Unrealistic estimates
- Resource constraints
indicators:
- Missed milestones
- Velocity decline
- Scope changes
resource:
examples:
- Key person dependency
- Skill gaps
- Team turnover
- Burnout risk
indicators:
- Unbalanced workload
- Low morale
- Resignation signals
stakeholder:
examples:
- Changing requirements
- Sponsor availability
- Organizational changes
- Competing priorities
indicators:
- Decision delays
- Priority conflicts
- Reduced engagement
External Risks
external_risks:
market:
examples:
- Competitor actions
- Market shift
- Economic factors
- Regulatory changes
indicators:
- Market news
- Competitor releases
- Industry reports
vendor:
examples:
- Vendor stability
- API changes
- Price increases
- Support quality
indicators:
- Vendor communications
- Service issues
- Contract terms
compliance:
examples:
- Regulatory requirements
- Industry standards
- Audit requirements
- Data regulations
indicators:
- Regulatory updates
- Audit findings
- Compliance gaps
Risk Assessment Matrix
Probability Scoring
probability:
certain:
score: 5
likelihood: ">90%"
description: "Almost certain to occur"
likely:
score: 4
likelihood: "60-90%"
description: "More likely than not"
possible:
score: 3
likelihood: "30-60%"
description: "Could occur"
unlikely:
score: 2
likelihood: "10-30%"
description: "Not expected but possible"
rare:
score: 1
likelihood: "<10%"
description: "Very unlikely"
Impact Scoring
impact:
catastrophic:
score: 5
schedule: ">3 months delay"
cost: ">50% budget"
quality: "Unusable product"
reputation: "Major damage"
major:
score: 4
schedule: "1-3 months delay"
cost: "25-50% budget"
quality: "Significant defects"
reputation: "Serious concern"
moderate:
score: 3
schedule: "2-4 weeks delay"
cost: "10-25% budget"
quality: "Noticeable issues"
reputation: "Some concern"
minor:
score: 2
schedule: "1-2 weeks delay"
cost: "5-10% budget"
quality: "Minor issues"
reputation: "Limited impact"
negligible:
score: 1
schedule: "<1 week delay"
cost: "<5% budget"
quality: "Trivial issues"
reputation: "No impact"
Risk Score Matrix
│ Impact
│ 1 2 3 4 5
───────────┼─────────────────────
Prob 5 │ 5 10 15 20 25 ←Critical
4 │ 4 8 12 16 20
3 │ 3 6 9 12 15 ←High
2 │ 2 4 6 8 10
1 │ 1 2 3 4 5 ←Medium
└─────────────────────
↑ ↑
Low Medium
risk_levels:
critical:
range: [20, 25]
response: "Immediate action required"
escalation: "Executive notification"
high:
range: [12, 19]
response: "Priority mitigation"
escalation: "Manager notification"
medium:
range: [6, 11]
response: "Planned mitigation"
escalation: "Team lead notification"
low:
range: [1, 5]
response: "Monitor and accept"
escalation: "None required"
Risk Register Format
# Risk Register
**Project**: [Name]
**Last Updated**: 2025-12-08
**Next Review**: 2025-12-15
## Summary Dashboard
| Risk Level | Count | Trend |
|------------|-------|-------|
| Critical | 1 | ↑ +1 |
| High | 3 | → 0 |
| Medium | 8 | ↓ -2 |
| Low | 12 | → 0 |
| **Total** | **24** | - |
### Risk Trend
Week 1: ████████████████████████ 24 risks Week 2: ██████████████████████ 22 risks Week 3: ████████████████████████ 24 risks (2 new) Week 4: ████████████████████████ 24 risks ↑ Stable with critical +1
## Active Risks
### RISK-001: Database Scalability [CRITICAL]
| Attribute | Value |
|-----------|-------|
| ID | RISK-001 |
| Title | Database Scalability Bottleneck |
| Category | Technical / Architecture |
| Probability | 4 (Likely) |
| Impact | 5 (Catastrophic) |
| Score | 20 (Critical) |
| Owner | Sarah Chen |
| Status | Mitigating |
**Description**:
Current PostgreSQL single-instance architecture cannot handle projected 10x traffic growth. Performance degradation expected within 6 months.
**Impact if Realized**:
- Service degradation or outage
- Customer churn
- Revenue loss estimated at $500K/month
**Mitigation Plan**:
1. [x] Evaluate sharding options (complete)
2. [x] Design read replica architecture (complete)
3. [ ] Implement connection pooling (in progress, due Dec 15)
4. [ ] Deploy read replicas (planned, due Jan 15)
5. [ ] Implement sharding (planned, due Feb 15)
**Contingency**:
Emergency vertical scaling + temporary traffic limiting
**Progress**:
[████████████░░░░░░░░] 60%
---
### RISK-002: Key Person Dependency [HIGH]
| Attribute | Value |
|-----------|-------|
| ID | RISK-002 |
| Title | Key Person Dependency on Lead Architect |
| Category | Project / Resource |
| Probability | 3 (Possible) |
| Impact | 4 (Major) |
| Score | 12 (High) |
| Owner | David Kim |
| Status | Mitigating |
**Description**:
Lead architect holds critical system knowledge. No backup identified.
**Mitigation Plan**:
1. [ ] Document architecture decisions (in progress)
2. [ ] Schedule knowledge transfer sessions
3. [ ] Identify and train backup
---
## Recently Retired Risks
### RISK-012: Third-Party API Stability [RETIRED]
- **Retired**: 2025-12-01
- **Original Score**: 12 (High)
- **Mitigation**: Implemented circuit breaker and fallback
- **Outcome**: Risk eliminated through technical solution
---
## Risk Review Actions
### This Week
- [ ] Complete RISK-001 connection pooling
- [ ] Schedule RISK-002 knowledge transfer
- [ ] Review new vendor contract for RISK-008
### Overdue
- ⚠️ RISK-005: Security audit (2 days overdue)
- Owner: Elena Rodriguez
- Escalated to: Team Lead
Usage Examples
Risk Review
User: "Risk review"
Skill executes:
1. Load current risk register
2. Check mitigation status
3. Identify overdue items
4. Prompt for new risks
Output:
"Risk Review Summary
Current Status:
- Critical: 1 (RISK-001: DB Scalability) ← Action needed
- High: 3
- Medium: 8
- Low: 12
Mitigation Progress:
✅ RISK-001: 60% complete (on track)
✅ RISK-002: 40% complete (on track)
⚠️ RISK-005: Security audit 2 days overdue
Top Priority:
RISK-001 needs connection pooling by Dec 15
Questions:
1. Any new risks identified this week?
2. Update on RISK-005 delay?"
Add New Risk
User: "New risk: vendor pricing increase"
Skill guides:
1. Capture risk details
2. Assess probability/impact
3. Add to register
Output:
"Adding New Risk
Let me capture the details:
**Title**: Vendor Pricing Increase
**Category**: External / Vendor
Assessment Questions:
1. How likely is this? (1-5)
2. What's the potential impact? (1-5)
3. When might this occur?
4. Who should own mitigation?
Or say 'quick add' to use defaults."
Mitigate Risk
User: "Mitigate RISK-002"
Skill guides:
1. Review current mitigation plan
2. Update progress
3. Adjust actions if needed
Output:
"RISK-002: Key Person Dependency
Current Mitigation Plan:
1. [ ] Document architecture decisions (in progress)
2. [ ] Schedule knowledge transfer sessions
3. [ ] Identify and train backup
Current Progress: 40%
What would you like to update?
1. Mark task complete
2. Add new mitigation action
3. Adjust timeline
4. Escalate issue"
Retire Risk
User: "Retire RISK-012"
Skill processes:
1. Verify mitigation complete
2. Document outcome
3. Move to retired list
Output:
"Retiring RISK-012: Third-Party API Stability
Verification:
- Circuit breaker: ✅ Implemented
- Fallback mechanism: ✅ Tested
- Monitoring: ✅ Active
Outcome Documentation:
Risk eliminated through technical solution.
No incidents since mitigation deployed (30 days).
✅ RISK-012 moved to retired risks.
Risk count: 24 → 23"
Integration
This skill uses:
project-awareness: Current phase and activity contextartifact-metadata: Track risk artifact versionsdecision-support: Complex risk decisions
Agent Orchestration
agents:
risk_assessment:
agent: project-manager
focus: Project risk evaluation
technical_analysis:
agent: architecture-designer
focus: Technical risk assessment
condition: risk_category == "technical"
security_assessment:
agent: security-architect
focus: Security risk evaluation
condition: risk_category == "security"
Configuration
Review Schedule
review_schedule:
weekly:
day: "Monday"
time: "10:00"
scope: active_risks
monthly:
day: 1
scope: full_register
phase_gate:
trigger: gate_check
scope: blocking_risks
Escalation Rules
escalation:
overdue:
threshold: 2_days
notify: owner_manager
critical_new:
threshold: score >= 20
notify: [project_manager, sponsor]
trend_increase:
threshold: 3_consecutive_increases
notify: project_manager
Output Locations
- Risk register:
.aiwg/risks/risk-register.md - Risk reports:
.aiwg/risks/reports/ - Retired risks:
.aiwg/risks/retired/ - Risk trends:
.aiwg/risks/trends/
References
- Risk templates: templates/management/risk-*.md
- Risk matrix: docs/risk-assessment-matrix.md
- Escalation procedures: docs/risk-escalation.md