# Risk Management Quick Reference

## Risk = Uncertainty × Impact

Something is a risk when it *might* happen and *would matter*.

## Identification Techniques

| Technique | Use When |
|-----------|----------|
| Brainstorming | Team kickoff, broad sweep |
| Pre-mortem | "Project failed—why?" |
| SWOT | Strategic context |
| Dependency mapping | Integration-heavy projects |

## Risk Matrix

| Probability | Low Impact | Medium Impact | High Impact |
|-------------|------------|---------------|-------------|
| **High** | Monitor | Mitigate | Avoid/Transfer |
| **Medium** | Accept | Mitigate | Mitigate |
| **Low** | Accept | Accept | Monitor |

## Response Strategies

| Strategy | Meaning |
|----------|---------|
| **Avoid** | Change approach; eliminate risk |
| **Mitigate** | Reduce probability or impact |
| **Transfer** | Shift impact (insurance, contract) |
| **Accept** | Document; have buffer/plan B |

## Risk Register Template

```
| ID | Risk | Prob | Impact | Response | Owner |
|----|------|------|--------|----------|-------|
| R1 | [Description] | L/M/H | L/M/H | Strategy | [Name] |
```

## Technical Risk Categories

- **Integration** — APIs, vendors, versions
- **Performance** — Load, scale, latency
- **Security** — Vulnerabilities, compliance
- **Legacy** — Unknowns, no tests
- **Data** — Migration, corruption

## Communicating Risks

1. Lead with context
2. Pair risk + response
3. Use RAG (Red/Amber/Green)
4. No surprises—surface early
5. "We're on it" tone

## Dependency Map

```
[Our System] → [Dependency 1]
            → [Dependency 2]
            → [Dependency 3]
```

For each: What if it fails? Who owns it?

## Mermaid: Risk Flow

```mermaid
flowchart LR
  A[Identify] --> B[Assess]
  B --> C[Prioritize]
  C --> D[Plan]
  D --> E[Implement]
  E --> F[Monitor]
```

## Review Cadence

- **Weekly** — Team sync; any changes?
- **Milestones** — Re-assess top risks
- **Triggers** — "If X, re-evaluate"
