Risk Assessment

Risk assessment turns vague worry into prioritized actions: what can go wrong, how bad, what we do now, and who owns follow-up.

When to Offer This Workflow

Trigger conditions:

• Major launch, migration, or new vendor
• Steering or audit requests a risk matrix
• Post–near-miss prevention work

Initial offer:

Use six stages: (1) scope & stakeholders, (2) identify risks, (3) analyze likelihood & impact, (4) plan mitigations, (5) owners & deadlines, (6) review & tracking). Confirm scoring approach (simple matrix vs quantitative).

Stage 1: Scope & Stakeholders

Goal: Define system/project boundary and who can accept residual risk (product, eng, legal).

Exit condition: RACI or explicit approvers for go/no-go.

Stage 2: Identify Risks

Goal: Brainstorm across categories: technical, security, operational, legal, reputational, financial.

Practices

• Pre-mortem: “It failed because…” exercise for alignment

Stage 3: Analyze

Goal: Score likelihood and impact with a shared rubric; avoid false precision.

Stage 4: Plan Mitigations

Goal: Prevent, detect, and respond controls; rough cost/time per mitigation.

Stage 5: Owners & Deadlines

Goal: Each material risk has an owner and date; escalation path if unmitigated by launch.

Stage 6: Review & Tracking

Goal: Living RAID log; revisit after scope changes or incidents.

Final Review Checklist

• [ ] Scope and decision authority clear
• [ ] Risks span relevant categories
• [ ] Scoring applied consistently
• [ ] Mitigations have owners and dates
• [ ] Residual risk explicitly accepted or deferred with plan

Tips for Effective Guidance

• Distinguish future risk from current defects.
• For security-heavy systems, align with threat (threat modeling) outputs.
• Startups: fewer rows, more honesty on top existential risks.

Handling Deviations

• Regulated industries: follow required RA templates when mandated.