Files
pm-claude-skills/plugins/pm-operations/skills/risk-register/SKILL.md
T
mohitagw15856 ae6ea4d53e feat: v12.0.0 — 150-skill milestone, 15 new skills across 10 bundles
Adds 15 new skills reaching the 150-skill milestone:

Data & Analytics (pm-data):
- cohort-analysis: retention curves, LTV projection, behavioural segmentation, SQL reference queries
- data-pipeline-spec: ETL/ELT design with SLAs, DQ rules, error handling, compliance

Customer Success (pm-cs):
- renewal-playbook: health snapshot, value story, commercial scenarios, objection responses, 16-week timeline
- customer-success-plan: joint success plan with milestones, mutual commitments, escalation path

People & Leadership (pm-people):
- 360-feedback-template: survey instrument + narrative report with strengths and development themes
- team-health-check: Spotify-model assessment across 7 dimensions with facilitation guide

Operations (pm-operations):
- risk-register: L×I scoring, RAG heat map, mitigation and contingency plans
- raci-matrix: role definitions, decision map, anti-pattern guide, communication template

Marketing & GTM (pm-gtm):
- social-media-strategy: audience profile, content pillars, KPIs, 4-week starter calendar
- product-positioning-doc: April Dunford-style positioning, messaging hierarchy, persona messaging

Discovery (pm-discovery):
- customer-journey-map: stage-by-stage journey with touchpoints, emotions, and prioritised opportunities

Delivery (pm-delivery):
- user-story-writer: Given/When/Then ACs, edge cases, definition of done, epic decomposition

Advanced (pm-advanced):
- ai-ethics-review: fairness, bias, transparency, privacy, safety, accountability, societal impact

Sales (pm-sales):
- partnership-proposal: mutual value, commercial model, joint GTM plan, governance

Design (pm-design):
- design-system-audit: component coverage, token consistency, WCAG, adoption, remediation roadmap

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-26 21:58:13 +01:00

9.0 KiB
Raw Blame History

name, description
name description
risk-register Build and maintain a project or product risk register. Use when asked to create a risk register, identify project risks, build a risk matrix, or document risks and mitigations for a programme. Produces a complete risk register with likelihood/impact scoring, RAG status, ownership, and prioritised mitigations.

Risk Register Skill

This skill produces a complete risk register for a project, programme, or product. Output follows standard risk management practice with likelihood × impact scoring, RAG status, a risk heat map, and specific mitigation and contingency plans. Ready to share with a project board, steering committee, or programme office.

Required Inputs

Ask the user for these if not provided:

  • Project or product name
  • Project stage (discovery / delivery / launch / live / programme-level)
  • Key objectives — what is the project trying to achieve?
  • Known risks — anything already on the team's radar (even informal concerns count)
  • Key dependencies — external vendors, teams, systems, or regulatory approvals
  • Deadline or milestone sensitivity — are there hard dates that cannot move?
  • Audience — who will read this? (internal team / executive steering / external board / regulator)

Output Structure


Risk Register: [Project / Product Name]

Project stage: [Discovery / Delivery / Launch / Live / Programme] Version: [1.0] Owner: [PM / Programme Manager / Risk Lead] Last reviewed: [Date] Next review: [Date — recommend weekly during delivery, monthly during discovery] Status: [Active / Archived]


1. Risk Scoring Framework

Likelihood (L)

Score Label Definition
5 Almost certain >80% probability of occurring
4 Likely 6080% probability
3 Possible 4060% probability
2 Unlikely 2040% probability
1 Rare <20% probability

Impact (I)

Score Label Definition
5 Critical Programme failure, regulatory breach, major financial loss, safety event
4 High Significant schedule delay (>4 weeks), scope reduction, reputational damage
3 Medium Moderate delay (14 weeks), cost overrun, reduced quality
2 Low Minor delay (<1 week), manageable cost increase
1 Negligible Minimal impact, easily absorbed

Risk Score = L × I

Score RAG Action
2025 🔴 Critical Immediate escalation; active management required
1219 🔴 High Owner-assigned mitigation; weekly review
811 🟡 Medium Mitigation planned; fortnightly review
47 🟡 Low Monitor; monthly review
13 🟢 Negligible Accept; review if context changes

2. Risk Register

ID Risk Category L I Score RAG Owner Status Mitigation Contingency Review date
R01 [Risk description — be specific: "Third-party API may not support required volume, causing X to fail"] [Schedule / Technical / Resource / Commercial / Compliance / External] [15] [15] [L×I] 🔴/🟡/🟢 [Name] [Open / Mitigating / Closed] [What are we doing to reduce likelihood or impact?] [What do we do if it happens?] [Date]
R02 [...] [...] [...] [...] [...] [...] [...] [...] [...] [...] [...]

3. Risk Categories — Common Risks by Type

Use these to prompt risk identification. Add, remove, or customise for your project.

Schedule & Delivery

  • Key milestone depends on a dependency that has not confirmed availability
  • Team capacity reduced by planned or unplanned absence during critical period
  • Technical complexity is underestimated — story points consistently overrun
  • External approval (regulator, legal, procurement) takes longer than planned

Technical

  • Integration with a third-party system not yet prototyped or agreed
  • Existing technical debt makes the change harder or riskier than estimated
  • Security or compliance review required before launch has not been scoped
  • Performance under production load untested
  • Key technical knowledge held by one person (single point of failure)

Resource & People

  • Key SME or engineer leaving or unavailable during critical phase
  • Budget not confirmed for Phase 2 of the project
  • Stakeholder sponsor changes role or leaves the organisation
  • Team not yet at full capacity (hiring lag, access issues, onboarding time)

Commercial & Financial

  • Vendor or partner contract not yet signed
  • Cost estimate based on assumptions that have not been validated
  • Revenue or savings case depends on assumptions outside the team's control
  • Currency exposure or exchange rate risk for international projects

Compliance & Regulatory

  • Data privacy impact assessment (DPIA) not yet complete
  • Regulatory approval required and timeline is uncertain
  • GDPR, HIPAA, SOC 2, or sector-specific compliance requirement not yet mapped
  • Legal review of terms of service or contracts pending

Stakeholder & Adoption

  • Key user group has low awareness or motivation to adopt the change
  • Internal resistance from a team that will be affected by the change
  • Executive sponsor not consistently engaged — decisions are slow
  • Communications plan not yet agreed with change management team

External

  • Market or competitive change could undermine the business case
  • Macroeconomic conditions affect budget or priority
  • Supplier or infrastructure provider risk (e.g. cloud provider, hardware)
  • Geopolitical or regulatory environment change

4. Risk Heat Map

Plot risks by likelihood (Y axis) and impact (X axis):

         │  Low     Medium    High    Critical
         │  (1)      (2-3)    (4)      (5)
─────────┼────────────────────────────────────
Almost   │  🟡        🟡       🔴       🔴
certain  │
(5)      │
─────────┼────────────────────────────────────
Likely   │  🟡        🟡       🔴       🔴
(4)      │
─────────┼────────────────────────────────────
Possible │  🟢        🟡       🟡       🔴
(3)      │
─────────┼────────────────────────────────────
Unlikely │  🟢        🟢       🟡       🟡
(2)      │
─────────┼────────────────────────────────────
Rare     │  🟢        🟢       🟢       🟡
(1)      │

[Plot each risk ID on this grid — e.g. R01 lands at L4/I5 = 🔴 Critical]


5. Top Risks — Executive Summary

For steering committee or board-level reporting:

Rank Risk Score RAG Owner Mitigation status
1 [Most critical risk — plain English description] [X] 🔴 [Owner] [Active / Planned / Not started]
2 [...] [...] 🔴 [...] [...]
3 [...] [...] 🟡 [...] [...]
4 [...] [...] 🟡 [...] [...]
5 [...] [...] 🟡 [...] [...]

Decisions required from steering:

  • [Any risk that requires budget, scope, or timeline decision to mitigate]

6. Risk Changes Since Last Review

Risk ID Change Detail
[R03] Score increased [L moved from 2 → 4 — vendor confirmed delay in API availability]
[R07] Risk closed [Legal sign-off received on 12 May]
[NEW] New risk identified [R09 — budget freeze announcement affects Phase 2 funding]

7. Risk Closure Criteria

A risk is closed when:

  • The risk event can no longer occur (e.g. milestone passed, contract signed), OR
  • The residual risk score drops to Negligible (13) AND the team formally accepts it, OR
  • The risk has materialised and transitioned to an issue (tracked separately)

Issues log: [Link to issues log — risks that have materialised and are now active problems being managed]


Quality Checks

  • Every risk has a specific owner — not "the team" or "TBD"
  • Mitigations describe what is actively being done — not "monitor and review"
  • Contingency plans exist for all Critical and High risks
  • Risk descriptions are specific — "vendor may be late" is not specific enough; name the vendor and the dependency
  • Register has been reviewed in the last [X] days
  • Closed risks are archived, not deleted — they provide audit trail
  • Risks are distinguished from issues — a risk is something that might happen; an issue is something that has happened

Example Trigger Phrases

  • "Build a risk register for our product launch"
  • "Create a risk matrix for [project name]"
  • "What risks should I document for a data migration project?"
  • "Generate a risk register for our steering committee"
  • "Help me identify and score risks for our Q3 delivery plan"