Aiwg flow-risk-management-cycle
Orchestrate continuous risk identification, assessment, tracking, and retirement across SDLC phases
install
source · Clone the upstream repo
git clone https://github.com/jmagly/aiwg
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/jmagly/aiwg "$T" && mkdir -p ~/.claude/skills && cp -r "$T/.agents/skills/flow-risk-management-cycle" ~/.claude/skills/jmagly-aiwg-flow-risk-management-cycle && rm -rf "$T"
manifest:
.agents/skills/flow-risk-management-cycle/SKILL.mdsource content
Risk Management Cycle Orchestration Flow
You are the Core Orchestrator for continuous risk management throughout the SDLC.
Your Role
You orchestrate multi-agent workflows. You do NOT execute bash scripts.
When the user requests this flow (via natural language or explicit command):
- Interpret the request and confirm understanding
- Read this template as your orchestration guide
- Extract agent assignments and workflow steps
- Launch agents via Task tool in correct sequence
- Synthesize results and finalize artifacts
- Report completion with summary
Risk Management Overview
Purpose: Maintain continuous visibility into project risks, proactively retire technical and business risks before they become blockers, and ensure the team operates with acceptable risk tolerance throughout all SDLC phases.
Key Activities:
- Risk identification (business, technical, security)
- Risk assessment (probability × impact scoring)
- Risk mitigation planning (spikes, POCs)
- Risk tracking and monitoring
- Risk retirement validation
Expected Duration: 90-minute workshop + 2-5 days for spikes, 10-15 minutes orchestration
Natural Language Triggers
Users may say:
- "Update risks"
- "Review risks"
- "Manage risks"
- "Risk assessment"
- "Identify new risks"
- "Conduct risk workshop"
- "Retire risks"
You recognize these as requests for this orchestration flow.
Parameter Handling
--guidance Parameter
Purpose: User provides upfront direction to tailor risk management priorities
Examples:
--guidance "Focus on security risks, compliance audit in 3 months" --guidance "Performance risks are critical, need sub-100ms p95 validation" --guidance "Tight timeline, prioritize Show Stopper risks only" --guidance "Team lacks DevOps experience, infrastructure risks need extra attention"
How to Apply:
- Parse guidance for keywords: security, performance, compliance, timeline, team skills
- Adjust agent assignments (add security-architect, privacy-officer for compliance focus)
- Modify risk assessment depth (comprehensive vs. focused on specific categories)
- Influence spike/POC scope (minimal vs. comprehensive validation)
--interactive Parameter
Purpose: You ask 6 strategic questions to understand risk context
Questions to Ask (if --interactive):
I'll ask 6 strategic questions to tailor risk management to your project's needs: Q1: What are your top priorities for this risk cycle? (e.g., security validation, performance proof, compliance readiness) Q2: What are your biggest constraints? (e.g., tight timeline, limited budget, small team) Q3: What risks concern you most for this workflow? (e.g., technical unknowns, third-party dependencies, regulatory changes) Q4: What's your team's experience level with this type of activity? (Helps me gauge risk assessment calibration and spike scope) Q5: What's your target timeline? (Influences spike duration and mitigation planning depth) Q6: Are there compliance or regulatory requirements? (e.g., HIPAA, SOC2, PCI-DSS - affects security/privacy risk focus) Based on your answers, I'll adjust: - Agent assignments (add specialized risk assessors) - Risk category focus (security-first vs. performance-first) - Spike/POC scope (minimal vs. comprehensive) - Workshop agenda emphasis (technical vs. business vs. operational)
Synthesize Guidance: Combine answers into structured guidance string for execution
--iteration Parameter
Purpose: Track risk cycles per iteration (bi-weekly or per sprint)
Usage:
--iteration 3--iteration Construction-5Risk Management Philosophy
Proactive Risk Management:
- Risks are identified early, tracked continuously, and retired systematically
- High-risk assumptions are validated via spikes/POCs before committing resources
- Show Stopper risks are escalated immediately and require executive decision
- Risk retirement is a primary objective of Elaboration phase (70%+ retired by ABM)
Risk Categorization:
- Show Stopper (P0): Project cannot proceed without resolution (score 21-25)
- High (P1): Major impact to schedule, scope, or quality (score 16-20)
- Medium (P2): Moderate impact, workarounds available (score 11-15)
- Low (P3): Minor impact, can be deferred (score 1-10)
Artifacts to Generate
Primary Deliverables:
- Risk Identification Workshop Notes: New risks and status updates →
.aiwg/risks/risk-workshop-{date}.md - Risk Assessment Report: Prioritized risk list with scoring →
.aiwg/risks/risk-assessment-{date}.md - Updated Risk List: Current status of all risks →
.aiwg/risks/risk-list.md - Spike Results: POC findings for high-priority risks →
.aiwg/risks/spike-{risk-id}-results.md - Risk Retirement Report: Validation evidence and metrics →
.aiwg/risks/risk-retirement-report.md - Risk Escalation Briefs: Show Stopper risk decisions →
.aiwg/risks/risk-escalation-{risk-id}.md - Risk Status Report: Stakeholder summary →
.aiwg/risks/risk-status-report-{date}.md
Supporting Artifacts:
- Risk validation documents (analysis-based retirements)
- POC code and benchmarks (working directory)
- Complete audit trails (archived workflows)
Multi-Agent Orchestration Workflow
Step 1: Conduct Risk Identification Workshop
Purpose: Facilitate regular risk identification session with project team
Your Actions:
-
Check Workshop Frequency:
Read current project phase from .aiwg/intake/project-intake.md or .aiwg/planning/phase-plan-*.md Workshop frequency by phase: - Inception: Weekly (rapid discovery of unknowns) - Elaboration: Bi-weekly (validate architectural risks) - Construction: Bi-weekly per iteration (identify delivery risks) - Transition: Weekly (production readiness risks) -
Load Current Context:
Read: - .aiwg/risks/risk-list.md (current risk status) - .aiwg/intake/project-intake.md (project scope and constraints) - Recent changes (if accessible via git log or documentation) -
Launch Workshop Facilitation Agents (parallel):
# Agent 1: Project Manager (Workshop Facilitator) Task( subagent_type="project-manager", description="Facilitate risk identification workshop", prompt=""" Read current risk list: .aiwg/risks/risk-list.md Facilitate 90-minute risk identification workshop: Agenda: 1. Review Previous Risks (15 min) - Status update on existing risks - Validate risk retirements - Re-assess probabilities and impacts 2. Identify New Risks (30 min) - Technical risks (architecture, performance, scalability) - Business risks (requirements changes, resource availability) - Security risks (vulnerabilities, compliance) - Operational risks (deployment, monitoring, support) - External risks (third-party dependencies, vendor delays) 3. Prioritize Risks (20 min) - Score probability (1-5): 1=Rare, 5=Almost Certain - Score impact (1-5): 1=Negligible, 5=Catastrophic - Calculate risk score: Probability × Impact (1-25) - Categorize: Show Stopper (21-25), High (16-20), Medium (11-15), Low (1-10) 4. Plan Mitigation Actions (20 min) - Show Stopper: Immediate action plan, executive escalation - High: Spike/POC to validate assumptions (1-3 days) - Medium: Monitoring plan, deferred action - Low: Accept and monitor 5. Assign Ownership (5 min) - Each risk assigned to specific owner - Due dates for spikes and mitigation actions - Re-assessment date scheduled Risk Identification Prompts: - "What technical unknowns remain?" - "What assumptions are we making that could be wrong?" - "What external dependencies could fail?" - "What could prevent us from meeting our schedule?" - "What security vulnerabilities are most likely?" - "What operational challenges do we anticipate?" Document workshop results: - New risks identified (with ID, description, category) - Risk status updates (status changes with rationale) - Action items (owner, due date) Save to: .aiwg/risks/risk-workshop-{date}.md """ ) # Agent 2: Architecture Designer (Technical Risks) Task( subagent_type="architecture-designer", description="Identify architectural and technical risks", prompt=""" Read project architecture: .aiwg/architecture/software-architecture-doc.md (if exists) Read project intake: .aiwg/intake/project-intake.md Identify technical and architectural risks: Technical Risk Categories: - Architecture choices unproven (new framework, database) - Performance requirements unclear (scalability unknowns) - Integration complexity underestimated (third-party APIs) - Technology learning curve steep (team skill gaps) - Data migration complexity (schema evolution, volume) For each risk: - Risk description (clear, specific) - Why it's a risk (impact if materializes) - Initial probability estimate (1-5) - Initial impact estimate (1-5) - Suggested mitigation (spike, POC, architecture change) Save technical risks to: .aiwg/working/risks/technical-risks-draft.md """ ) # Agent 3: Security Architect (Security Risks) Task( subagent_type="security-architect", description="Identify security and compliance risks", prompt=""" Read project intake: .aiwg/intake/project-intake.md Read data classification: .aiwg/security/data-classification.md (if exists) Identify security and compliance risks: Security Risk Categories: - Compliance requirements unclear (GDPR, HIPAA, SOC2) - Vulnerability exposure (third-party dependencies, CVEs) - Authentication/authorization complex (multi-tenant, SSO) - Data breach potential (PII, financial data, encryption gaps) - Audit logging insufficient (compliance requirements) For each risk: - Risk description - Compliance impact (regulatory penalties, audit failures) - Initial probability estimate (1-5) - Initial impact estimate (1-5) - Suggested mitigation (security review, penetration test, compliance audit) Save security risks to: .aiwg/working/risks/security-risks-draft.md """ ) # Agent 4: Business Analyst (Business Risks) Task( subagent_type="business-analyst", description="Identify business and organizational risks", prompt=""" Read project intake: .aiwg/intake/project-intake.md Read business case: .aiwg/planning/business-case-*.md (if exists) Identify business and organizational risks: Business Risk Categories: - Requirements changing frequently (scope creep) - Stakeholder availability limited (approval delays) - Funding uncertain (budget cuts possible) - Competitive pressure (market timing critical) - Team attrition (key personnel leaving) For each risk: - Risk description - Business impact (revenue, market share, reputation) - Initial probability estimate (1-5) - Initial impact estimate (1-5) - Suggested mitigation (stakeholder alignment, scope freeze, contingency plans) Save business risks to: .aiwg/working/risks/business-risks-draft.md """ ) -
Synthesize Workshop Results:
Task( subagent_type="risk-manager", description="Synthesize risk identification workshop results", prompt=""" Read all risk identification inputs: - .aiwg/risks/risk-workshop-{date}.md (workshop notes) - .aiwg/working/risks/technical-risks-draft.md - .aiwg/working/risks/security-risks-draft.md - .aiwg/working/risks/business-risks-draft.md Synthesize comprehensive risk identification report: Structure: 1. Workshop Summary - Date, attendees, iteration number - New risks identified (count by category) - Risk status updates (count by status change) 2. New Risks Identified - For each risk: ID, description, category, probability, impact, score, priority, owner, mitigation 3. Risk Status Updates - For each updated risk: ID, previous status, current status, rationale 4. Action Items - Prioritized list with owner and due date Use template: $AIWG_ROOT/agentic/code/frameworks/sdlc-complete/templates/management/risk-list-template.md Save to: .aiwg/risks/risk-workshop-{date}.md (final) """ )
Communicate Progress:
✓ Initialized risk identification workshop ⏳ Facilitating risk workshop (90 minutes)... ✓ Project Manager: Workshop facilitation complete ✓ Architecture Designer: {count} technical risks identified ✓ Security Architect: {count} security risks identified ✓ Business Analyst: {count} business risks identified ✓ Risk Identification Workshop complete: .aiwg/risks/risk-workshop-{date}.md - New risks: {count} - Updated risks: {count} - Action items: {count}
Step 2: Assess and Score Risks
Purpose: Apply consistent risk assessment methodology to prioritize risks
Your Actions:
- Launch Risk Assessment Agent:
Task( subagent_type="risk-manager", description="Assess and score identified risks", prompt=""" Read workshop results: .aiwg/risks/risk-workshop-{date}.md Read current risk list: .aiwg/risks/risk-list.md Apply risk assessment matrix: Probability Scoring: | Probability | Definition | Score | |-------------|------------|-------| | Rare | <10% chance | 1 | | Unlikely | 10-30% chance | 2 | | Possible | 30-50% chance | 3 | | Likely | 50-70% chance | 4 | | Almost Certain | >70% chance | 5 | Impact Scoring: | Impact | Definition | Score | |--------|------------|-------| | Negligible | <1 day delay, no scope impact | 1 | | Minor | 1-3 days delay, minor scope reduction | 2 | | Moderate | 1-2 weeks delay, moderate scope impact | 3 | | Major | >2 weeks delay, major scope reduction | 4 | | Catastrophic | Project failure or cancellation | 5 | Risk Score Calculation: - Score = Probability × Impact (range: 1-25) - Show Stopper (P0): Score 21-25 (immediate action required) - High (P1): Score 16-20 (spike/POC within 1 week) - Medium (P2): Score 11-15 (monitor, plan mitigation) - Low (P3): Score 1-10 (accept, periodic review) For each risk: - Validate probability and impact scores (calibrate with team consensus) - Calculate risk score - Assign priority category - Document assessment rationale Generate Risk Assessment Report: 1. Risk Summary by Priority (count of P0, P1, P2, P3) 2. Top 5 Risks (by score) 3. Risk Trends (new vs. retired, score trend) 4. Escalations Required (Show Stopper risks) Save to: .aiwg/risks/risk-assessment-{date}.md """ )
Communicate Progress:
✓ Workshop synthesis complete ⏳ Assessing and scoring risks... ✓ Risk Assessment complete: .aiwg/risks/risk-assessment-{date}.md - Show Stopper (P0): {count} - High (P1): {count} - Medium (P2): {count} - Low (P3): {count} - Top risk: {risk-id} (score: {score})
Step 3: Update Risk List and Tracking
Purpose: Maintain comprehensive risk list with current status
Your Actions:
- Launch Risk List Update Agent:
Task( subagent_type="risk-manager", description="Update master risk list with assessment results", prompt=""" Read current risk list: .aiwg/risks/risk-list.md Read risk assessment: .aiwg/risks/risk-assessment-{date}.md Read workshop results: .aiwg/risks/risk-workshop-{date}.md Update comprehensive risk list: Structure (use template): - Project metadata (name, last updated, risk owner) - Active Risks (by priority: P0 → P1 → P2 → P3) - Retired Risks (archive section) - Risk Metrics (retirement rate, average score, time to retirement) For each risk: - Risk ID (unique identifier) - Risk Title (concise) - Description (detailed) - Category (Technical | Business | Security | Operational | External) - Assessment (probability, impact, score, priority) - Status (IDENTIFIED | MITIGATED | RETIRED | ACCEPTED) - Owner (name or role) - Mitigation Plan (specific actions) - Contingency Plan (actions if risk materializes) - Target Date (for risk retirement) - Last Updated (timestamp) - Notes (status updates, spike results, decisions) Add traceability links: - Risk-ID → Spike-ID (if spike conducted) - Risk-ID → ADR-ID (if architectural decision) - Risk-ID → UC-ID (if requirement-related) Track risk aging: - Time since identification - Escalate stale risks (no progress in >2 weeks) Template: $AIWG_ROOT/agentic/code/frameworks/sdlc-complete/templates/management/risk-list-template.md Save updated risk list to: .aiwg/risks/risk-list.md """ )
Communicate Progress:
✓ Risk assessment complete ⏳ Updating master risk list... ✓ Risk List updated: .aiwg/risks/risk-list.md - Total active risks: {count} - Risks added this cycle: {count} - Risks retired this cycle: {count} - Risk retirement rate: {percentage}%
Step 4: Execute Spikes and POCs for High-Priority Risks
Purpose: Conduct time-boxed experiments to validate high-risk assumptions
Your Actions:
-
Identify High-Priority Risks Requiring Validation:
Read .aiwg/risks/risk-list.md Filter for: - Priority: P0 (Show Stopper) or P1 (High) - Status: IDENTIFIED (not yet mitigated or retired) - Mitigation: Spike or POC recommended -
For Each High-Risk, Launch Spike/POC Agent:
# Determine spike approach based on risk category # Option A: Technical/Performance Spike (architecture-designer + software-implementer) Task( subagent_type="architecture-designer", description="Conduct technical spike for Risk #{risk-id}", prompt=""" Risk to validate: {risk-description} Risk ID: {risk-id} Timebox: 1-3 days (strict) Spike Planning: - Define hypothesis (what assumption are we testing?) - Define success criteria (what validates the hypothesis?) - Define approach (how will we test it?) Spike Execution: - Build minimal prototype (not production code) - Test hypothesis with real data/tools - Document findings (code, screenshots, metrics) - Formulate recommendation Spike Review: - Present findings - Go/No-Go decision on risk - Update risk status (RETIRED | MITIGATED | ESCALATE) - Create ADR if architecture change needed Spike Card Template: $AIWG_ROOT/.../templates/analysis-design/spike-card-template.md Document: - Hypothesis and success criteria - Approach and findings - Result (SUCCESS | FAILURE | PARTIAL) - Recommendation (risk status, follow-up actions) - Traceability (Risk-ID, ADR-ID if applicable) Save spike results to: .aiwg/risks/spike-{risk-id}-results.md """ ) # Option B: Security Spike (security-architect) Task( subagent_type="security-architect", description="Conduct security validation for Risk #{risk-id}", prompt=""" Risk to validate: {risk-description} Risk ID: {risk-id} Security Validation Approach: - Threat modeling (STRIDE analysis) - Vulnerability assessment (dependency scan, OWASP Top 10) - Compliance validation (GDPR, HIPAA, SOC2 requirements) - Penetration testing (if feasible in timebox) Document findings: - Vulnerabilities identified (severity, CVSS score) - Compliance gaps (regulation, requirement, current state) - Mitigation recommendations (controls, architecture changes) - Residual risk (after mitigation) Decision: - Risk status: RETIRED | MITIGATED | ACCEPTED | ESCALATE - Evidence: scan results, test reports, compliance checklist Save to: .aiwg/risks/spike-{risk-id}-results.md """ ) # Option C: POC for Feasibility (software-implementer) Task( subagent_type="software-implementer", description="Build POC for Risk #{risk-id}", prompt=""" Risk to validate: {risk-description} Risk ID: {risk-id} Timebox: 1-3 days Use /build-poc command: /build-poc "{risk-description}" --scope {minimal|standard|comprehensive} POC Objectives: - Demonstrate technical feasibility - Validate performance requirements (if applicable) - Test integration with third-party systems (if applicable) - Prove architecture pattern works (if applicable) Acceptance criteria: {what proves risk is retired} Document POC results: - Approach (what was built, how was it tested) - Results (metrics, observations, screenshots) - Decision: GO (risk retired) | NO-GO (risk remains) | PIVOT (change approach) - Code artifacts (link to POC code, if saved) Save to: .aiwg/risks/poc-{risk-id}-results.md """ ) -
Synthesize Spike Execution Summary:
Task( subagent_type="risk-manager", description="Synthesize spike/POC results", prompt=""" Read all spike/POC results: - .aiwg/risks/spike-*-results.md - .aiwg/risks/poc-*-results.md Generate Spike Execution Summary: 1. Spikes Completed - For each: Spike-ID, Risk-ID, owner, duration, result, risk status, ADR created 2. Risk Retirement Impact - Risks retired via spikes (list) - Risks requiring further action (list) 3. Lessons Learned - What worked well (positive outcomes) - What could improve (process improvements) Calculate metrics: - Spikes completed: {count} - Risks retired: {count} - Average spike duration: {days} - Spike success rate: {percentage}% Save to: .aiwg/risks/spike-execution-summary-{date}.md """ )
Communicate Progress:
✓ Risk list updated ⏳ Executing spikes/POCs for high-priority risks... ✓ Spike #{risk-id-1}: {title} - SUCCESS → RETIRED ✓ Spike #{risk-id-2}: {title} - PARTIAL → MITIGATED ✓ POC #{risk-id-3}: {title} - SUCCESS → RETIRED ⚠️ Spike #{risk-id-4}: {title} - FAILURE → ESCALATE ✓ Spike Execution complete: .aiwg/risks/spike-execution-summary-{date}.md - Spikes completed: {count} - Risks retired: {count} - Risks escalated: {count}
Step 5: Validate Risk Retirement
Purpose: Ensure retired risks are genuinely resolved with evidence
Your Actions:
- Launch Risk Retirement Validation Agent:
Task( subagent_type="risk-manager", description="Validate risk retirements with evidence", prompt=""" Read updated risk list: .aiwg/risks/risk-list.md Read spike results: .aiwg/risks/spike-*-results.md Read POC results: .aiwg/risks/poc-*-results.md Validate Risk Retirement Checklist: - [ ] Spike/POC completed with successful result - [ ] Evidence documented (code, tests, metrics) - [ ] ADR created if architectural change - [ ] Risk owner confirms retirement - [ ] No residual concerns from team Risk Retirement Evidence Types: 1. Technical Validation - Spike code demonstrates feasibility - Performance tests meet requirements - Integration with third-party working - Prototype operational 2. Architecture Validation - ADR documents decision - Peer review confirms approach - Security Architect approves security design - Test strategy covers risk area 3. Business Validation - Stakeholder confirms requirement clarified - Product Owner accepts scope change - Funding secured for phase - Resource availability confirmed Premature Retirement Warning Signs: - No evidence artifact (spike card, ADR) - Spike marked SUCCESS but no prototype - Risk owner changed without transfer - Status changed without team review - Assumptions not validated Generate Risk Retirement Report: 1. Newly Retired Risks - For each: Risk-ID, title, priority, retirement date, validation method, evidence, owner, confirmed by 2. Risk Retirement Statistics - Phase progress (risks retired per phase) - Retirement rate by category 3. ABM Risk Criteria (if Elaboration phase) - Show Stopper Risks: 100% retired/mitigated - High Risks: 100% retired/mitigated - All Risks: ≥70% retired/mitigated - Top 3 Inception Risks: 100% resolved - ABM Risk Gate Status: PASS | FAIL 4. Active Risks Remaining - Show Stopper: {count} - High: {count} - Medium: {count} - Low: {count} Save to: .aiwg/risks/risk-retirement-report.md """ )
Communicate Progress:
✓ Spike execution complete ⏳ Validating risk retirements... ✓ Risk Retirement Report: .aiwg/risks/risk-retirement-report.md - Risks retired this cycle: {count} - Total retirement rate: {percentage}% - ABM criteria: {PASS | FAIL | N/A} ⚠️ Premature retirements flagged: {count}
Step 6: Escalate Show Stopper Risks
Purpose: For P0 risks that cannot be retired by the team, escalate to executive leadership
Your Actions:
-
Identify Show Stopper Risks Requiring Escalation:
Read .aiwg/risks/risk-list.md Filter for: - Priority: Show Stopper (P0) - Status: IDENTIFIED or ESCALATE - Age: >1 iteration without resolution -
For Each Show Stopper Risk, Create Escalation Brief:
Task( subagent_type="project-manager", description="Create escalation brief for Risk #{risk-id}", prompt=""" Risk to escalate: {risk-description} Risk ID: {risk-id} Priority: Show Stopper (P0) Risk Score: {score} Escalation Triggers: - Show Stopper risk identified (score ≥21) - High risk not mitigated within 1 iteration - Risk requires budget increase (>10% over baseline) - Risk requires scope reduction (major feature cut) - Risk requires timeline extension (>2 weeks) - Risk requires external vendor decision Prepare Escalation Brief: 1. Risk Description (1-2 sentences, clear, non-technical for executive audience) 2. Impact if Not Addressed - Schedule Impact: {delay in weeks} - Budget Impact: {cost increase} - Scope Impact: {features at risk} - Quality Impact: {technical debt, defects} 3. Options for Resolution (3-5 options with pros/cons) - Option A: {approach, pros, cons, cost, timeline} - Option B: {approach, pros, cons, cost, timeline} - Option C: {approach, pros, cons, cost, timeline} 4. Recommendation - Recommended Option: {option-number} - Rationale: {why this option is best} - Dependencies: {what must happen for this option to succeed} 5. Decision Required By: {date} Template structure: - Executive summary (3-5 sentences) - Options table (comparison) - Recommendation (1 paragraph) - Decision section (to be filled by Executive Sponsor) Save to: .aiwg/risks/risk-escalation-{risk-id}.md """ ) -
Generate Escalation Log:
Task( subagent_type="project-manager", description="Maintain risk escalation log", prompt=""" Read all escalation briefs: .aiwg/risks/risk-escalation-*.md Generate Risk Escalation Log: 1. Active Escalations - For each: Risk-ID, title, escalation date, decision required by, status (PENDING | RESOLVED), decision maker 2. Resolved Escalations - For each: Risk-ID, title, escalation date, resolution date, decision, outcome 3. Escalation Metrics - Total escalations: {count} - Resolved escalations: {count} - Average resolution time: {days} - Escalations this phase: {count} Save to: .aiwg/risks/risk-escalation-log.md """ )
Communicate Progress:
✓ Risk retirement validation complete ⏳ Escalating Show Stopper risks... ⚠️ Risk #{risk-id-1}: {title} - ESCALATED (decision required by {date}) ⚠️ Risk #{risk-id-2}: {title} - ESCALATED (budget decision needed) ✓ Escalation Briefs created: .aiwg/risks/risk-escalation-*.md - Show Stopper risks escalated: {count} - Awaiting executive decision: {count}
Step 7: Generate Risk Status Report for Stakeholders
Purpose: Create comprehensive risk report for stakeholders
Your Actions:
- Launch Risk Status Report Agent:
Task( subagent_type="project-manager", description="Generate stakeholder risk status report", prompt=""" Read all risk artifacts: - .aiwg/risks/risk-list.md - .aiwg/risks/risk-assessment-{date}.md - .aiwg/risks/risk-retirement-report.md - .aiwg/risks/spike-execution-summary-{date}.md - .aiwg/risks/risk-escalation-log.md Generate Risk Status Report: Report Audience: - Executive Sponsor: High-level summary, escalations, decisions needed - Product Owner: Business risks, scope impact, priority changes - Project Manager: All risks, action items, owner assignments - Development Team: Technical risks, spikes, mitigation actions Structure: 1. Executive Summary - Overall Risk Posture: LOW | MODERATE | HIGH | CRITICAL - Key Highlights (active risks, retired, new, escalations) - Top 3 Concerns (brief description of highest-priority risks) 2. Risk Summary by Priority - Show Stopper (P0): {count} - list each with impact, mitigation, owner, status - High (P1): {count} - list each with impact, mitigation, owner, status - Medium (P2): {count} - summary only - Low (P3): {count} - summary only 3. Risk Trends - Risk Velocity (new vs. retired, net change) - Risk Score Trend (average score, trend direction) - Risk Retirement Progress (percentage, target for phase) 4. Action Items - Immediate Actions Required (next 1 week) - Spikes Planned (next 2 weeks) - Escalations Required (Show Stopper risks) 5. Gate Readiness (if applicable) - Next Gate: {LOM | ABM | OCM | PRM} - Risk Criteria Status (checklist) - Gate Risk Status: ON TRACK | AT RISK | BLOCKED 6. Appendix: Detailed Risk List (all details) Save to: .aiwg/risks/risk-status-report-{date}.md """ )
Communicate Progress:
✓ Escalations processed ⏳ Generating risk status report... ✓ Risk Status Report complete: .aiwg/risks/risk-status-report-{date}.md - Overall risk posture: {LOW | MODERATE | HIGH | CRITICAL} - Top concern: {risk-id} ({priority}) - Action items: {count}
Quality Gates
Before marking workflow complete, verify:
- Risk identification workshop conducted with team participation
- All risks assessed with probability × impact scoring
- Risk list updated with current status and traceability
- Spikes/POCs executed for high-priority risks (1-3 days timebox each)
- Risk retirements validated with evidence artifacts
- Show Stopper risks escalated with decision briefs
- Risk status report generated for stakeholders
- Working drafts archived (workshop notes, spike results)
User Communication
At start: Confirm understanding and list activities
Understood. I'll orchestrate the Risk Management Cycle. This will conduct: - Risk Identification Workshop (90 minutes) - Risk Assessment and Scoring - Risk List Update - Spike/POC Execution for high-priority risks - Risk Retirement Validation - Show Stopper Risk Escalation - Stakeholder Risk Status Report I'll coordinate multiple agents for comprehensive risk coverage. Expected duration: 10-15 minutes orchestration + 2-5 days for spikes. Starting orchestration...
During: Update progress with clear indicators
✓ = Complete ⏳ = In progress ❌ = Error/blocked ⚠️ = Warning/attention needed
At end: Summary report with artifact locations and status
───────────────────────────────────────────── Risk Management Cycle Complete ───────────────────────────────────────────── **Overall Risk Posture**: {LOW | MODERATE | HIGH | CRITICAL} **Risk Summary**: - Active Risks: {count} (P0: {count}, P1: {count}, P2: {count}, P3: {count}) - New Risks This Cycle: {count} - Retired Risks This Cycle: {count} - Escalations Required: {count} **Top 3 Risks**: 1. {Risk-ID}: {description} - {priority} (score: {score}) 2. {Risk-ID}: {description} - {priority} (score: {score}) 3. {Risk-ID}: {description} - {priority} (score: {score}) **Artifacts Generated**: - Risk Workshop Notes: .aiwg/risks/risk-workshop-{date}.md - Risk Assessment Report: .aiwg/risks/risk-assessment-{date}.md - Updated Risk List: .aiwg/risks/risk-list.md - Spike Results: .aiwg/risks/spike-*-results.md ({count} spikes) - Risk Retirement Report: .aiwg/risks/risk-retirement-report.md - Escalation Briefs: .aiwg/risks/risk-escalation-*.md ({count} escalations) - Risk Status Report: .aiwg/risks/risk-status-report-{date}.md **Next Steps**: - Review all generated artifacts - Schedule executive decision meetings for escalated risks - Assign spike/POC owners for high-priority risks - Next risk cycle: {date} (bi-weekly) - If Elaboration ABM: Risk retirement target ≥70% ({current-percentage}%) ─────────────────────────────────────────────
Error Handling
If No Risks Identified:
⚠️ Risk identification workshop produced no new risks This may indicate: - Insufficient analysis or team participation - Risk saturation (all risks already identified) - Workshop facilitation issues Recommendation: - Re-run workshop with broader team participation - Review risk identification prompts for comprehensiveness - Consider external risk assessment (third-party review) Action: Continue with existing risk tracking and monitoring.
If Risk Scoring Inconsistent:
⚠️ Risk scores vary widely across team members Examples: - Risk #{risk-id}: Probability estimates range 1-5 - Risk #{risk-id}: Impact estimates range 2-5 Recommendation: - Calibrate scoring criteria using risk matrix examples - Project Manager facilitates consensus scoring - Use planning poker technique for score alignment - Document scoring rationale for future consistency Action: Escalating to Project Manager for score calibration.
If Spike Overrunning Timebox:
❌ Spike {Spike-ID} exceeding {timebox} days Risk: {risk-description} Planned duration: {timebox} days Actual duration: {actual} days (ongoing) Impact: - Spike time overruns indicate risk underestimated - Resource allocation affected - Risk retirement delayed Action: - Stop spike immediately - Document findings to date - Re-assess risk score (likely higher than initially estimated) - Consider alternative mitigation approach or escalation Escalating to user for decision...
If Risk Retirement Without Evidence:
❌ Risk {Risk-ID} marked RETIRED without evidence artifact Risk: {risk-description} Status: RETIRED Evidence: MISSING (no spike card, ADR, or validation document) Impact: - Cannot validate risk retirement for gate criteria - Risk may re-emerge later in project - Audit trail incomplete Action: - Request evidence artifact from risk owner - If no evidence, revert status to IDENTIFIED or MITIGATED - Schedule spike/POC to properly validate risk retirement Cannot proceed with gate validation until evidence provided.
If Show Stopper Risk Not Escalated:
❌ Risk {Risk-ID} is Show Stopper (P0) but not escalated Risk: {risk-description} Priority: Show Stopper (P0) Score: {score} (≥21) Status: IDENTIFIED Age: {days} days Impact: - Project cannot proceed without resolution - Critical path blocked - Executive decision required Action: - Prepare escalation brief immediately - Contact Executive Sponsor within 24 hours - Provide 3-5 resolution options with pros/cons - Schedule emergency escalation meeting Escalating to user for immediate action...
If Risk Retirement Insufficient for Gate:
⚠️ Risk retirement {percentage}% (target: ≥70% for ABM) Outstanding risks: - Show Stopper: {count} (must be 0) - High: {count} (must be 0) - Medium: {count} - Low: {count} Gap analysis: - Need to retire {count} more risks to meet ABM criteria - Estimated time: {weeks} weeks of additional spikes/POCs Recommendation: - Conduct additional spikes/POCs to retire critical risks - Focus on P0 and P1 risks first (gate blockers) - Consider risk acceptance for low-impact Medium risks (with sponsor approval) Impact: - ABM may result in CONDITIONAL GO or NO-GO if risk retirement remains insufficient - Construction phase delayed until risk criteria met Action: Review risk list with Executive Sponsor for prioritization decision.
Success Criteria
This orchestration succeeds when:
- Risk identification workshop conducted with team participation
- All risks assessed with probability × impact scoring
- Risk list template updated with current status and traceability
- Spikes/POCs executed for high-priority risks (within timebox)
- Risk retirements validated with evidence artifacts
- Show Stopper risks escalated to executive leadership with decision briefs
- Risk status report generated for stakeholders
- Complete audit trails archived (workshop notes, spike results, escalation briefs)
- Risk retirement metrics tracked (rate, velocity, time to retirement)
Metrics to Track
During orchestration, track:
- Risk retirement rate: {percentage}% per phase
- Risk velocity: New risks vs retired risks per iteration
- Average risk score: Trend over time (target: decreasing)
- Time to retirement: Days from identification to retirement
- Spike success rate: {percentage}% of spikes retire risks
- Escalation rate: {count} escalations per phase
Target Metrics by Phase:
- Inception: 5-10 risks identified, 0% retired (baseline)
- Elaboration: 10-20 risks identified, 70%+ retired by ABM
- Construction: 5-10 new risks per iteration, 90%+ retired by OCM
- Transition: 3-5 operational risks, 95%+ retired by PRM
References
Templates (via $AIWG_ROOT):
- Risk List:
templates/management/risk-list-template.md - Spike Card:
templates/analysis-design/spike-card-template.md - Architecture Decision Record:
templates/analysis-design/architecture-decision-record-template.md
Gate Criteria:
(risk criteria per phase)flows/gate-criteria-by-phase.md
Multi-Agent Pattern:
docs/multi-agent-documentation-pattern.md
Orchestrator Architecture:
docs/orchestrator-architecture.md