Risk Register
Projects don't fail because of unknowable surprises — they fail because of foreseeable risks that nobody wrote down or assigned to anyone. The Risk Register turns 'we should have seen that coming' into a scored, owned, monitored log of what could go wrong and who's watching.
What this skill does
Risk registers fail in one of two ways: they don't exist, or they exist as a stale spreadsheet that nobody updates, full of generic worries with no owners. The first failure is obvious. The second is worse — a stale register creates false confidence, because the team thinks "we have a risk log" without anyone checking whether the risks are still real or the mitigations are still happening. This skill builds a register that's small enough to maintain and structured enough to use.
The SPECTRUM scan forces you to look in every category — Scope, People, External, Communication, Technical, Resources, Unknown unknowns, Money — instead of just listing the risks you're already worried about. The risks you haven't named are the ones that bite. Scoring is mechanical: likelihood (1-5) times impact (1-5) gives a 1-25 score with explicit thresholds. Below 5: monitor only. 5-9: mitigate. 10-15: active management. 16+: critical, escalate. The thresholds are calibrated by risk appetite, declared at the top of the register — risk-averse projects (regulated, client-facing) treat anything 5+ as active; risk-tolerant projects (internal experiments, startups) raise the bar to 10+. This stops you from over-engineering risk management on a two-week internal project, and from under-investing on a regulated rollout.
Every risk that crosses the threshold gets the same fields: a 4T response strategy (Terminate, Transfer, Treat, Tolerate), a specific mitigation, a contingency for if it materialises anyway, an early warning trigger so you act before it fully lands, and a single owner. "The team" can't watch for a risk. One person, named. The trigger is the part most registers skip and it's the most useful — by the time the risk has fully materialised you're already in damage control; by the time the trigger fires you still have options.
The skill also looks for cascade risks (if A materialises, does it make B more likely?), correlated risks (several risks sharing one root cause that a single mitigation would address), and concentration risks (one person owning five risks is itself a single point of failure). And the standing rule: don't conflate risks with issues. A risk might happen. An issue has happened. When a risk materialises, mark it CLOSED — MATERIALISED and move it to an issue tracker. Mixing the two is how registers quietly become fiction.
When this triggers
- You're scoping a project and want to surface what could go wrong before kickoff, not in week 6
- You have a vague feeling something's risky but you can't articulate it to stakeholders
- You inherited a project with a stale or nonexistent risk log and need to revive it
- You need a defensible risk view for governance, audit, or a board pack
- You want to distinguish what's a risk (might happen) from what's already an issue (has happened) — and stop conflating them
Example
Trigger
User says: 'Six-month CRM migration. Three vendors involved. I need a real risk register before next week's steering committee.'
Output
Risk Appetite: MODERATE — active mitigation for risks scoring 10+.
Risk Summary: 2 Critical · 4 High · 7 Moderate · 5 Low
Top 3 to watch:
R1 (Score 20, CRITICAL): Vendor A's data export format incompatible with target schema. Owner: [name]. Trigger: any test export failing the schema validator. Mitigation: schema spike in week 2. Contingency: parallel migration script via [tool] (10 day build).
R2 (Score 16, CRITICAL): Single migration engineer with full context. Owner: [name]. Trigger: capacity below 80% for 2 wks OR sick days >3. Mitigation: pair-programming + written runbook. Contingency: pre-vetted contractor on retainer.
R3 (Score 12, HIGH): Stakeholder approval bottleneck — only the CTO can sign off mapping decisions and he's travelling weeks 4-7. Mitigation: front-load approvals · delegate to deputy in writing.
Plus 15 more rows (Moderate/Low) — sorted by score.
Cascade flagged: R1 materialising raises R2 likelihood (engineer has to absorb scope of a parallel approach). Plan for the chain.
What you get
- 193-line SKILL.md, ready to drop into ~/.claude/skills/
- Tested through 3 Karpathy-loop iterations (versions v1.0.0 → v1.3.0)
- Triggers automatically when relevant — no command to remember
- Lifetime updates as the skill is refined further