Agent Skill
2/7/2026

ringrisk-management

Portfolio-level risk management skill for identifying, assessing, and mitigating risks across multiple projects. Maintains RAID logs and tracks risk responses.

lerianstudio
npx skills add LerianStudio/ring

SKILL.md

name: ring:risk-management
description: |
  Portfolio-level risk management skill for identifying, assessing, and mitigating risks across multiple projects. Maintains RAID logs and tracks risk responses.

trigger: |

  • Need portfolio risk assessment
  • Creating or updating RAID log
  • Risk response planning
  • Risk correlation analysis

skip_when: |

  • Single project risk → handle in project scope
  • Financial risk only → use ring-finops-team
  • Technical risk in code → use ring:qa-analyst

related:
  complementary: [portfolio-planning, project-health-check]

Risk Management Skill

Systematic portfolio-level risk identification, assessment, and mitigation.

Purpose

This skill provides a framework for:

  • Portfolio risk identification
  • Risk assessment and scoring
  • Risk correlation analysis
  • Mitigation planning
  • RAID log management

Prerequisites

Before risk assessment, ensure:

| Prerequisite | Required For | Source |
|--------------|--------------|--------|
| Project risk registers | Risk aggregation | Project managers |
| Historical risk data | Pattern identification | Previous projects |
| Stakeholder input | Risk identification | Key stakeholders |
| Impact criteria | Risk scoring | PMO standards |

Risk Management Gates

Gate 1: Risk Identification

Objective: Identify all portfolio-level risks

Actions:

  1. Collect project-level risks
  2. Identify cross-project risks
  3. Capture portfolio-level risks
  4. Document assumptions and dependencies

Risk Categories:

| Category | Examples |
|----------|----------|
| Strategic | Market changes, competition, regulation |
| Resource | Key person departure, skill shortage, capacity |
| Technical | Technology obsolescence, integration, security |
| Financial | Budget cuts, cost overruns, currency |
| Schedule | Dependencies, delays, scope creep |
| External | Vendor, regulatory, geopolitical |

Output: docs/pmo/{date}/risk-register.md


Gate 2: Risk Assessment

Objective: Assess probability and impact of each risk

Actions:

  1. Assess probability (1-5 scale)
  2. Assess impact (1-5 scale)
  3. Calculate risk score (P x I)
  4. Assign severity level

Risk Severity Matrix:

See shared-patterns/pmo-metrics.md for risk severity matrix.

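| Impact / Likelihood | Low (1-2) | Medium (3) | High (4-5) |
|---------------------|-----------|------------|------------|
| High (4-5) | Medium | High | Critical |
| Medium (3) | Low | Medium | High |
| Low (1-2) | Low | Low | Medium |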

Output: docs/pmo/{date}/risk-assessment.md


Gate 3: Risk Correlation

Objective: Identify correlated risks across portfolio

Actions:

  1. Identify shared risk factors
  2. Map risk dependencies
  3. Calculate compound risk exposure
  4. Flag correlated critical risks

Correlation Types:

| Type | Description | Action |
|------|-------------|--------|
| Shared cause | Same root cause affects multiple projects | Mitigate root cause |
| Sequential | One risk triggers another | Plan cascade response |
| Resource | Same resource/skill shortage | Diversify or hire |
| Vendor | Same vendor dependency | Diversify suppliers |

Output: docs/pmo/{date}/risk-correlation.md


Gate 4: Response Planning

Objective: Create mitigation plans for significant risks

Actions:

  1. Select response strategy per risk
  2. Define mitigation actions
  3. Assign owners and dates
  4. Allocate contingency

Response Strategies:

See shared-patterns/pmo-metrics.md for response types.

| Response | When to Use | Example |
|----------|-------------|---------|
| Avoid | Risk unacceptable, can change scope | Remove risky feature |
| Transfer | Risk better managed by others | Insurance, outsource |
| Mitigate | Reduce probability or impact | Testing, redundancy |
| Accept | Cost of mitigation > impact | Document and monitor |

Output: docs/pmo/{date}/risk-response-plan.md


Gate 5: RAID Log Update

Objective: Maintain comprehensive RAID log

Actions:

  1. Update Risk section
  2. Update Assumptions section
  3. Update Issues section
  4. Update Dependencies section

RAID Categories:

| Category | Contents | Review Frequency |
|----------|----------|------------------|
| Risks | Potential future issues | Weekly |
| Assumptions | Believed true, not verified | At milestones |
| Issues | Current problems requiring action | Daily |
| Dependencies | External inputs/outputs | Weekly |

Output: docs/pmo/{date}/raid-log.md


Anti-Rationalization Table

See shared-patterns/anti-rationalization.md for universal anti-rationalizations.

Risk-Specific Anti-Rationalizations

| Rationalization | Why It's WRONG | Required Action |
|-----------------|----------------|-----------------|
| "We've seen this risk before" | Context changes. Each occurrence needs fresh assessment. | Assess current state |
| "Low probability, don't document" | Low probability × high impact = significant risk. | Document ALL identified risks |
| "Team will handle it" | Unplanned handling = crisis response. Plan required. | Document response plan |
| "Risk register is up to date" | Registers decay. Continuous validation required. | Validate at every review |
| "That won't happen" | Famous last words. Document and monitor. | Document ALL risks |

Pressure Resistance

See shared-patterns/pressure-resistance.md for universal pressure scenarios.

Risk-Specific Pressures

| Pressure Type | Request | Agent Response |
|---------------|---------|----------------|
| | "Don't include that risk, it will worry people" | "Risk transparency is non-negotiable. Including with mitigation plan to provide balanced view." |
| | "That's been mitigated, remove it" | "Mitigated risks remain in register until formally closed with evidence. Updating status, not removing." |
| | "Risk assessment takes too long" | "Unassessed risks cause larger delays when they materialize. Completing assessment." |

Blocker Criteria - STOP and Report

ALWAYS pause and report blocker for:

| Situation | Required Action |
|-----------|-----------------|
| Critical risk without mitigation plan | STOP. Escalate. Risk cannot be accepted without plan. |
| Multiple correlated critical risks | STOP. Report compound exposure. Wait for portfolio decision. |
| Risk owner not identified | STOP. Unowned risks are unmanaged. Require owner assignment. |
| Assumption invalidated | STOP. Trigger re-planning based on new reality. |

Cannot Be Overridden

The following requirements are NON-NEGOTIABLE:

| Requirement | Cannot Override Because |
|-------------|-------------------------|
| Risk documentation | Undocumented risks cannot be managed or communicated |
| Owner assignment | Unowned risks never get mitigated |
| Response plans for CRITICAL/HIGH | High severity demands action, not just awareness |
| Regular risk review | Risks change; stale assessments mislead decisions |
| Correlation analysis | Isolated analysis misses compound risk exposure |

If user insists on violating these:

  1. Escalate to orchestrator
  2. Do NOT proceed with incomplete risk management
  3. Document the request and your refusal

Severity Calibration

Risk severity based on probability × impact matrix:

| Severity | Criteria | Response Required |
|----------|----------|-------------------|
| CRITICAL | Score 16-25 (High P × High I) | Immediate escalation, active mitigation, daily monitoring |
| HIGH | Score 10-15 | Active mitigation plan, weekly monitoring, owner accountability |
| MEDIUM | Score 5-9 | Documented response plan, bi-weekly monitoring |
| LOW | Score 1-4 | Monitor and review quarterly, accept with documentation |

Report all severities. Escalate CRITICAL immediately. Act on HIGH this week.


Output Format

Risk Summary

# Portfolio Risk Summary - [Date]

## Risk Overview

| Metric | Value |
|--------|-------|
| Total Risks | N |
| Critical | N |
| High | N |
| Medium | N |
| Low | N |
| Mitigations Defined | N/N |
| Overdue Actions | N |

## Top Risks

| ID | Risk | Severity | Owner | Status |
|----|------|----------|-------|--------|
| R-001 | [Description] | Critical/High | [Owner] | [Status] |

## Risk Correlations

| Correlation | Risks | Combined Exposure | Action |
|-------------|-------|-------------------|--------|
| [ID] | [Risk IDs] | [Exposure] | [Action] |

## RAID Summary

| Category | Total | New | Closed | Overdue |
|----------|-------|-----|--------|---------|
| Risks | N | N | N | N |
| Assumptions | N | N | N | N |
| Issues | N | N | N | N |
| Dependencies | N | N | N | N |

## Recommendations

1. [Recommendation with rationale]
2. [Recommendation with rationale]

## Decisions Required

1. [Decision needed: Accept/Mitigate/Avoid risk X]

Execution Report

Base metrics per shared-patterns/execution-report.md:

| Metric | Value |
|--------|-------|
| Analysis Date | YYYY-MM-DD |
| Scope | [Portfolio/Projects] |
| Duration | Xh Ym |
| Result | COMPLETE/PARTIAL/BLOCKED |

Risk-Specific Details

| Metric | Value |
|--------|-------|
| risks_identified | N |
| risks_by_severity | C/H/M/L |
| mitigation_plans | N |
| overdue_actions | N |

When Risk Analysis Is Not Needed

<MANDATORY> MUST: Risk analysis is minimal only when ALL conditions are met: </MANDATORY>

| Condition | Verification |
|-----------|--------------|
| Recent analysis exists (<14 days) | Reference existing risk register |
| No new projects or changes | Verify portfolio unchanged |
| No risks materialized | Confirm no issues since last review |
| No external changes | Verify market/vendor/regulatory stability |

MUST: Full risk analysis REQUIRED for the following conditions:

| Condition | Why Required |
|-----------|--------------|
| New project added | Unknown risks must be identified |
| Risk materialized | Response effectiveness must be assessed |
| External change occurred | Market, vendor, or regulatory changes create new risks |
| Milestone approaching | Risk posture must be current for decisions |
| Stakeholder requests update | Stale risk data undermines trust |

MUST: When in doubt, refresh the risk analysis. Outdated risk data causes preventable failures.
