Risk Management Skill
Systematic portfolio-level risk identification, assessment, and mitigation.
Purpose
This skill provides a framework for:
- Portfolio risk identification
- Risk assessment and scoring
- Risk correlation analysis
- Mitigation planning
- RAID log management
Prerequisites
Before risk assessment, ensure:
| Prerequisite | Required For | Source |
|---|---|---|
| Project risk registers | Risk aggregation | Project managers |
| Historical risk data | Pattern identification | Previous projects |
| Stakeholder input | Risk identification | Key stakeholders |
| Impact criteria | Risk scoring | PMO standards |
Risk Management Gates
Gate 1: Risk Identification
Objective: Identify all portfolio-level risks
Actions:
- Collect project-level risks
- Identify cross-project risks
- Capture portfolio-level risks
- Document assumptions and dependencies
Risk Categories:
| Category | Examples |
|---|---|
| Strategic | Market changes, competition, regulation |
| Resource | Key person departure, skill shortage, capacity |
| Technical | Technology obsolescence, integration, security |
| Financial | Budget cuts, cost overruns, currency |
| Schedule | Dependencies, delays, scope creep |
| External | Vendor, regulatory, geopolitical |
Output: docs/pmo/{date}/risk-register.md
Gate 2: Risk Assessment
Objective: Assess probability and impact of each risk
Actions:
- Assess probability (1-5 scale)
- Assess impact (1-5 scale)
- Calculate risk score (P x I)
- Assign severity level
Risk Severity Matrix:
See shared-patterns/pmo-metrics.md for risk severity matrix.
| Impact / Likelihood | Low (1-2) | Medium (3) | High (4-5) |
|---|---|---|---|
| High (4-5) | Medium | High | Critical |
| Medium (3) | Low | Medium | High |
| Low (1-2) | Low | Low | Medium |
Output: docs/pmo/{date}/risk-assessment.md
Gate 3: Risk Correlation
Objective: Identify correlated risks across portfolio
Actions:
- Identify shared risk factors
- Map risk dependencies
- Calculate compound risk exposure
- Flag correlated critical risks
Correlation Types:
| Type | Description | Action |
|---|---|---|
| Shared cause | Same root cause affects multiple projects | Mitigate root cause |
| Sequential | One risk triggers another | Plan cascade response |
| Resource | Same resource/skill shortage | Diversify or hire |
| Vendor | Same vendor dependency | Diversify suppliers |
Output: docs/pmo/{date}/risk-correlation.md
Gate 4: Response Planning
Objective: Create mitigation plans for significant risks
Actions:
- Select response strategy per risk
- Define mitigation actions
- Assign owners and dates
- Allocate contingency
Response Strategies:
See shared-patterns/pmo-metrics.md for response types.
| Response | When to Use | Example |
|---|---|---|
| Avoid | Risk unacceptable, can change scope | Remove risky feature |
| Transfer | Risk better managed by others | Insurance, outsource |
| Mitigate | Reduce probability or impact | Testing, redundancy |
| Accept | Cost of mitigation > impact | Document and monitor |
Output: docs/pmo/{date}/risk-response-plan.md
Gate 5: RAID Log Update
Objective: Maintain comprehensive RAID log
Actions:
- Update Risk section
- Update Assumptions section
- Update Issues section
- Update Dependencies section
RAID Categories:
| Category | Contents | Review Frequency |
|---|---|---|
| Risks | Potential future issues | Weekly |
| Assumptions | Believed true, not verified | At milestones |
| Issues | Current problems requiring action | Daily |
| Dependencies | External inputs/outputs | Weekly |
Output: docs/pmo/{date}/raid-log.md
Anti-Rationalization Table
See shared-patterns/anti-rationalization.md for universal anti-rationalizations.
Risk-Specific Anti-Rationalizations
| Rationalization | Why It's WRONG | Required Action |
|---|---|---|
| "We've seen this risk before" | Context changes. Each occurrence needs fresh assessment. | Assess current state |
| "Low probability, don't document" | Low probability × high impact = significant risk. | Document ALL identified risks |
| "Team will handle it" | Unplanned handling = crisis response. Plan required. | Document response plan |
| "Risk register is up to date" | Registers decay. Continuous validation required. | Validate at every review |
| "That won't happen" | Famous last words. Document and monitor. | Document ALL risks |
Pressure Resistance
See shared-patterns/pressure-resistance.md for universal pressure scenarios.
Risk-Specific Pressures
| Pressure Type | Request | Agent Response |
|---|---|---|
| | "Don't include that risk, it will worry people" | "Risk transparency is non-negotiable. Including with mitigation plan to provide balanced view." |
| | "That's been mitigated, remove it" | "Mitigated risks remain in register until formally closed with evidence. Updating status, not removing." |
| | "Risk assessment takes too long" | "Unassessed risks cause larger delays when they materialize. Completing assessment." |
Blocker Criteria - STOP and Report
ALWAYS pause and report blocker for:
| Situation | Required Action |
|---|---|
| Critical risk without mitigation plan | STOP. Escalate. Risk cannot be accepted without plan. |
| Multiple correlated critical risks | STOP. Report compound exposure. Wait for portfolio decision. |
| Risk owner not identified | STOP. Unowned risks are unmanaged. Require owner assignment. |
| Assumption invalidated | STOP. Trigger re-planning based on new reality. |
Output Format
Risk Summary
```markdown
# Portfolio Risk Summary - [Date]

## Risk Overview

| Metric | Value |
|--------|-------|
| Total Risks | N |
| Critical | N |
| High | N |
| Medium | N |
| Low | N |
| Mitigations Defined | N/N |
| Overdue Actions | N |

## Top Risks

| ID | Risk | Severity | Owner | Status |
|----|------|----------|-------|--------|
| R-001 | [Description] | Critical/High | [Owner] | [Status] |

## Risk Correlations

| Correlation | Risks | Combined Exposure | Action |
|-------------|-------|-------------------|--------|
| [ID] | [Risk IDs] | [Exposure] | [Action] |

## RAID Summary

| Category | Total | New | Closed | Overdue |
|----------|-------|-----|--------|---------|
| Risks | N | N | N | N |
| Assumptions | N | N | N | N |
| Issues | N | N | N | N |
| Dependencies | N | N | N | N |

## Recommendations

1. [Recommendation with rationale]
2. [Recommendation with rationale]

## Decisions Required

1. [Decision needed: Accept/Mitigate/Avoid risk X]
```
Execution Report
Base metrics per shared-patterns/execution-report.md:
| Metric | Value |
|---|---|
| Analysis Date | YYYY-MM-DD |
| Scope | [Portfolio/Projects] |
| Duration | Xh Ym |
| Result | COMPLETE/PARTIAL/BLOCKED |
Risk-Specific Details
| Metric | Value |
|---|---|
| risks_identified | N |
| risks_by_severity | C/H/M/L |
| mitigation_plans | N |
| overdue_actions | N |