Project risk assessment toolkit. Identify technical, business, resource, and external risks, score likelihood and impact, define mitigation strategies and contingency plans for comprehensive risk management.
Identifies, scores, and creates mitigation plans for project risks across technical, business, resource, and external categories.
/plugin marketplace add flight505/claude-project-planner
/plugin install claude-project-planner@claude-project-planner
This skill is limited to using the following tools:
Risk assessment is a systematic process for identifying, analyzing, and planning responses to project risks. Evaluate technical, business, resource, and external risks, score by likelihood and impact, and define mitigation strategies and contingency plans to manage project uncertainty.
This skill should be used when:
When documenting risk assessments, include visualizations.
Use the project-diagrams skill to generate:
python .claude/skills/project-diagrams/scripts/generate_schematic.py "diagram description" -o diagrams/output.png
| Category | Description | Examples |
|---|---|---|
| Technical | Technology and implementation risks | Integration failures, scalability issues, technical debt |
| Security | Data and system security risks | Breaches, vulnerabilities, compliance failures |
| Resource | Team and capacity risks | Key person dependency, skill gaps, turnover |
| External | Third-party and environmental risks | API changes, vendor reliability, regulatory changes |
| Business | Market and financial risks | Competition, market changes, budget cuts |
| Timeline | Schedule and delivery risks | Scope creep, estimation errors, dependencies |
| Operational | Production and support risks | Downtime, incident response, maintenance |
Likelihood Scale:
| Score | Level | Description |
|---|---|---|
| 1 | Rare | < 10% probability, unlikely to occur |
| 2 | Unlikely | 10-30% probability, could occur |
| 3 | Possible | 30-50% probability, might occur |
| 4 | Likely | 50-80% probability, will probably occur |
| 5 | Almost Certain | > 80% probability, expected to occur |
Impact Scale:
| Score | Level | Description |
|---|---|---|
| 1 | Negligible | Minor inconvenience, easily absorbed |
| 2 | Minor | Some disruption, workaround available |
| 3 | Moderate | Significant impact, requires response |
| 4 | Major | Serious impact, threatens objectives |
| 5 | Critical | Catastrophic, project failure possible |
Risk Score Calculation:
Risk Score = Likelihood × Impact
1-4: Low risk (green)
5-9: Medium risk (yellow)
10-15: High risk (orange)
16-25: Critical risk (red)
Risk matrix (rows: likelihood, columns: impact):
| Likelihood ↓ / Impact → | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|
| 5 | 5 | 10 | 15 | 20 | 25 |
| 4 | 4 | 8 | 12 | 16 | 20 |
| 3 | 3 | 6 | 9 | 12 | 15 |
| 2 | 2 | 4 | 6 | 8 | 10 |
| 1 | 1 | 2 | 3 | 4 | 5 |
```yaml
risk:
  # Identity
  id: "RISK-NNN"
  title: "Short descriptive title"
  # Classification
  category: "technical | security | resource | external | business | timeline | operational"
  # Description
  description: |
    What is the risk? What could go wrong?
  cause: |
    What could cause this risk to materialize?
  effect: |
    What would be the impact if this risk materializes?
  # Scoring
  likelihood: 1-5
  likelihood_rationale: "Why this likelihood score"
  impact: 1-5
  impact_rationale: "Why this impact score"
  risk_score: N  # likelihood × impact
  risk_level: "low | medium | high | critical"
  # Response
  response_strategy: "avoid | mitigate | transfer | accept"
  mitigation:
    actions:
      - "Specific action to reduce likelihood or impact"
    responsible: "Team or person"
    deadline: "YYYY-MM-DD"
    cost: "Estimated cost if applicable"
  contingency:
    trigger: "What indicates this risk has materialized"
    actions:
      - "Action to take if risk occurs"
    responsible: "Team or person"
  # Tracking
  status: "identified | mitigating | monitoring | closed | materialized"
  owner: "Person responsible for tracking"
  # Metadata
  identified_date: "YYYY-MM-DD"
  last_reviewed: "YYYY-MM-DD"
  related_risks: ["RISK-XXX"]
```
| Strategy | When to Use | Example |
|---|---|---|
| Avoid | Eliminate the risk entirely | Change technology, remove feature |
| Mitigate | Reduce likelihood or impact | Add redundancy, implement safeguards |
| Transfer | Shift risk to third party | Insurance, outsourcing, SLAs |
| Accept | Acknowledge and monitor | Low-impact risks, cost-effective |
```yaml
risks:
  - id: "RISK-T001"
    title: "Integration Complexity"
    category: "technical"
    description: |
      Third-party API integrations prove more complex than estimated,
      requiring additional development time.
    cause: |
      - Poor API documentation
      - Undocumented edge cases
      - Version incompatibilities
    effect: |
      - Sprint delays
      - Increased development cost
      - Technical debt
    likelihood: 3
    impact: 3
    risk_score: 9
    risk_level: "medium"
    response_strategy: "mitigate"
    mitigation:
      actions:
        - "Prototype integrations in Sprint 1"
        - "Create abstraction layer for external dependencies"
        - "Document fallback approaches"
      responsible: "Tech Lead"
      deadline: "End of Sprint 1"
    contingency:
      trigger: "Integration spike takes >3 days"
      actions:
        - "Evaluate alternative providers"
        - "Adjust timeline and communicate to stakeholders"
    status: "identified"
  - id: "RISK-T002"
    title: "Scalability Issues"
    category: "technical"
    description: |
      System architecture cannot handle projected user growth,
      requiring significant rearchitecture.
    cause: |
      - Underestimated traffic growth
      - Inefficient database queries
      - Synchronous processing bottlenecks
    effect: |
      - Performance degradation
      - User experience impact
      - Costly emergency fixes
    likelihood: 2
    impact: 4
    risk_score: 8
    risk_level: "medium"
    response_strategy: "mitigate"
    mitigation:
      actions:
        - "Design for 10x expected load"
        - "Implement caching layer from start"
        - "Plan load testing in Sprint 3"
    contingency:
      trigger: "Response times exceed 2 seconds at 50% projected load"
      actions:
        - "Emergency scale-up infrastructure"
        - "Activate CDN for static assets"
        - "Implement request queuing"
    status: "identified"
```
```yaml
risks:
  - id: "RISK-S001"
    title: "Data Breach"
    category: "security"
    description: |
      Unauthorized access to user data due to security vulnerability.
    cause: |
      - Unpatched vulnerabilities
      - Weak authentication
      - SQL injection or XSS
    effect: |
      - Regulatory fines (GDPR)
      - Reputation damage
      - Legal liability
    likelihood: 2
    impact: 5
    risk_score: 10
    risk_level: "high"
    response_strategy: "mitigate"
    mitigation:
      actions:
        - "Security audit before launch"
        - "Implement WAF and rate limiting"
        - "Enable encryption at rest and in transit"
        - "Conduct penetration testing"
      responsible: "Security Team"
      cost: "$5,000-10,000"
    contingency:
      trigger: "Detection of unauthorized access"
      actions:
        - "Activate incident response plan"
        - "Isolate affected systems"
        - "Notify affected users within 72 hours"
        - "Engage forensic investigation"
    status: "identified"
```
```yaml
risks:
  - id: "RISK-R001"
    title: "Key Person Dependency"
    category: "resource"
    description: |
      Critical project knowledge concentrated in one team member,
      creating single point of failure.
    cause: |
      - Complex domain expertise
      - Specialized technical skills
      - Insufficient documentation
    effect: |
      - Project delays if person unavailable
      - Knowledge loss if person leaves
      - Bottleneck in decision making
    likelihood: 3
    impact: 4
    risk_score: 12
    risk_level: "high"
    response_strategy: "mitigate"
    mitigation:
      actions:
        - "Document all architectural decisions (ADRs)"
        - "Pair programming on critical components"
        - "Cross-train at least 2 team members"
      responsible: "Engineering Manager"
    contingency:
      trigger: "Key person unavailable > 1 week"
      actions:
        - "Activate backup assignee"
        - "Prioritize documentation catch-up"
        - "Consider contractor for specialized skills"
    status: "identified"
```
```yaml
risks:
  - id: "RISK-E001"
    title: "Third-Party API Deprecation"
    category: "external"
    description: |
      Critical third-party API announces deprecation or breaking changes
      during project timeline.
    cause: |
      - Vendor business changes
      - Technology evolution
      - Acquisition or shutdown
    effect: |
      - Forced migration effort
      - Timeline delays
      - Potential feature loss
    likelihood: 2
    impact: 3
    risk_score: 6
    risk_level: "medium"
    response_strategy: "mitigate"
    mitigation:
      actions:
        - "Abstract all external dependencies"
        - "Identify alternative providers"
        - "Monitor vendor announcements"
      responsible: "Tech Lead"
    contingency:
      trigger: "Deprecation announcement or breaking change"
      actions:
        - "Assess migration timeline"
        - "Evaluate alternative providers"
        - "Adjust project timeline if needed"
    status: "identified"
```
```yaml
risks:
  - id: "RISK-TL001"
    title: "Scope Creep"
    category: "timeline"
    description: |
      Requirements expand beyond original scope, consuming budget
      and extending timeline.
    cause: |
      - Unclear initial requirements
      - Stakeholder additions
      - "Just one more feature" syndrome
    effect: |
      - Budget overrun
      - Timeline extension
      - Team burnout
    likelihood: 4
    impact: 3
    risk_score: 12
    risk_level: "high"
    response_strategy: "mitigate"
    mitigation:
      actions:
        - "Document scope in detail before starting"
        - "Implement change request process"
        - "Regular scope reviews in sprint planning"
        - "Prioritize MVP features ruthlessly"
      responsible: "Product Owner"
    contingency:
      trigger: "Scope increases by >20% from baseline"
      actions:
        - "Formal change request required"
        - "Adjust timeline or budget"
        - "Deprioritize lower-value features"
    status: "identified"
```
```yaml
risk_register:
  project: "[Project Name]"
  last_updated: "YYYY-MM-DD"
  summary:
    total_risks: N
    critical: N
    high: N
    medium: N
    low: N
  risks:
    - id: "RISK-001"
      title: "..."
      category: "..."
      # ... full specification
    # ... more risks
  review_schedule:
    frequency: "Every sprint"
    next_review: "YYYY-MM-DD"
    reviewer: "Project Manager"
```
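A register is only as reliable as its scores, so it helps to recompute them rather than trust the declared values. The following is an added example, not part of the toolkit itself: it checks entries against the likelihood × impact bands and the enumerated field values given above, and rebuilds the `summary` block. The function names, the `RISK-X001` entry and the rule that high and critical risks must carry a contingency trigger are assumptions made for illustration; entries are plain dicts so the code runs without a YAML library.

```python
# Added example: validate risk entries against the scoring rules and enums on this page.
CATEGORIES = {"technical", "security", "resource", "external", "business", "timeline", "operational"}
STRATEGIES = {"avoid", "mitigate", "transfer", "accept"}
STATUSES = {"identified", "mitigating", "monitoring", "closed", "materialized"}
BANDS = [(4, "low"), (9, "medium"), (15, "high"), (25, "critical")]  # upper bound of each band

def risk_level(likelihood, impact):
    """Return (score, level) for 1-5 likelihood and impact, using the page's bands."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    score = likelihood * impact
    return score, next(level for upper, level in BANDS if score <= upper)

def validate(risk):
    """Return a list of problems found in one risk entry (empty list means consistent)."""
    try:
        score, level = risk_level(risk.get("likelihood"), risk.get("impact"))
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if risk.get("risk_score") != score:
        problems.append(f"risk_score {risk.get('risk_score')} != {score}")
    if risk.get("risk_level") != level:
        problems.append(f"risk_level {risk.get('risk_level')!r} should be {level!r}")
    for field, allowed in (("category", CATEGORIES), ("response_strategy", STRATEGIES), ("status", STATUSES)):
        if risk.get(field) not in allowed:
            problems.append(f"{field} {risk.get(field)!r} not in allowed values")
    # Assumed policy (not stated on the page): high/critical risks need a contingency trigger.
    if level in ("high", "critical") and not (risk.get("contingency") or {}).get("trigger"):
        problems.append("high/critical risk has no contingency trigger")
    return problems

def summarize(risks):
    """Recompute the register's summary counts from scores, ignoring declared levels."""
    summary = {"total_risks": len(risks), "critical": 0, "high": 0, "medium": 0, "low": 0}
    for risk in risks:
        summary[risk_level(risk["likelihood"], risk["impact"])[1]] += 1
    return summary

# Constructed sample: the first two reuse scores from the page's examples, the third is hypothetical.
SAMPLE = [
    {"id": "RISK-T001", "category": "technical", "likelihood": 3, "impact": 3, "risk_score": 9,
     "risk_level": "medium", "response_strategy": "mitigate", "status": "identified"},
    {"id": "RISK-S001", "category": "security", "likelihood": 2, "impact": 5, "risk_score": 10,
     "risk_level": "high", "response_strategy": "mitigate", "status": "identified",
     "contingency": {"trigger": "Detection of unauthorized access"}},
    {"id": "RISK-X001", "category": "security", "likelihood": 4, "impact": 4, "risk_score": 12,
     "risk_level": "high", "response_strategy": "mitigate", "status": "identified"},
]
```

Running `validate` over every entry before each review catches scores that were edited by hand without updating the level, which is how a critical risk ends up reported as high.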
# Risk Assessment Report: [Project Name]
## Executive Summary
- Total risks identified: N
- Critical/High risks: N (requiring immediate attention)
- Primary risk areas: [Categories]
- Overall risk level: [Low/Medium/High]
## Risk Heat Map
[Visual representation of risks by likelihood/impact]
## Critical and High Risks
### RISK-001: [Title]
**Score:** [N] (Critical/High)
**Category:** [Category]
**Description:** [What could go wrong]
**Mitigation:**
- [Action 1]
- [Action 2]
**Contingency:** [If risk materializes]
**Owner:** [Person responsible]
---
[Repeat for each critical/high risk]
## Medium and Low Risks
| ID | Title | Category | Score | Status |
|----|-------|----------|-------|--------|
| RISK-X | Title | Category | N | Status |
## Risk Monitoring Plan
| Risk ID | Metric to Monitor | Review Frequency | Trigger |
|---------|-------------------|------------------|---------|
| | | | |
## Recommendations
1. [Key action to reduce overall risk]
2. [Key action to reduce overall risk]
3. [Key action to reduce overall risk]
## Appendix: Full Risk Register
[Complete risk specifications]
Techniques:
Questions to Ask:
For each identified risk:
For high and critical risks:
Ongoing activities:
Before completing risk assessment: