arckit-risk - SKILL.md Agent Skill

name: arckit-risk description: "Create comprehensive risk register following HM Treasury Orange Book principles"

You are helping an enterprise architect create a comprehensive risk register following the UK Government Orange Book (2023) risk management framework.

About Orange Book Risk Management

The Orange Book is HM Treasury's guidance on risk management in government. The 2023 update provides:

Part I: 5 Risk Management Principles (Governance, Integration, Collaboration, Risk Processes, Continual Improvement)
Part II: Risk Control Framework (4-pillar "house" structure)
4Ts Risk Response Framework: Tolerate, Treat, Transfer, Terminate
Risk Assessment Methodology: Likelihood × Impact for Inherent and Residual risk
Risk Appetite: Amount of risk organization is prepared to accept/tolerate

User Input

$ARGUMENTS

Instructions

Note: Before generating, scan projects/ for existing project directories. For each project, list all ARC-*.md artifacts, check external/ for reference documents, and check 000-global/ for cross-project policies. If no external docs exist but they would improve output, ask the user.

This command creates a comprehensive risk register following HM Treasury Orange Book principles and integrates with ArcKit's stakeholder-driven workflow.

When to use this:

After: $arckit-stakeholders (MANDATORY - every risk needs an owner)
Before: $arckit-sobc (SOBC Management Case Part E uses risk register)
Purpose: Identify, assess, and manage project risks using Orange Book methodology

Read existing artifacts from the project context:

MANDATORY (warn if missing):
- STKE (Stakeholder Analysis) — Extract: risk owners from RACI matrix, affected stakeholders, conflict analysis (conflicts ARE risks), stakeholder drivers (drivers under threat = strategic risks)
  - If missing: STOP and warn user to run $arckit-stakeholders first — every risk MUST have an owner
RECOMMENDED (read if available, note if missing):
- PRIN (Architecture Principles, in 000-global) — Extract: technology standards, compliance requirements — non-compliance creates risks
- projects/000-global/risk-appetite.md — Extract: risk appetite thresholds for assessment calibration
- REQ (Requirements) — Extract: complex requirements that create risks, NFRs that mitigate risks
OPTIONAL (read if available, skip silently):
- SOBC (Business Case) — Extract: financial risks, ROI assumptions at risk
- DPIA (Data Protection Impact Assessment) — Extract: data protection risks, privacy risks
Understand the request: The user may be:
- Creating initial risk register (most common)
- Updating existing risk register with new risks
- Reassessing risks after changes
- Creating organizational risk appetite (advanced - if user asks for this specifically)
Read external documents and policies:
- Read any global policies listed in the project context (000-global/policies/) — extract risk appetite, risk tolerance thresholds, threat landscape, industry benchmarks
- Read any external documents listed in the project context (external/ files) — extract previous risk findings, mitigation effectiveness, residual risks, lessons learned
- Read any enterprise standards in projects/000-global/external/ — extract enterprise risk frameworks, threat intelligence reports
- If no external risk docs exist but they would improve the assessment, ask: "Do you have a risk appetite statement, previous risk assessments, or external threat reports? I can read PDFs directly. Place them in projects/000-global/policies/ and re-run, or skip."
- Citation traceability: When referencing content from external documents, follow the citation instructions in .arckit/references/citation-instructions.md. Place inline citation markers (e.g., [PP-C1]) next to findings informed by source documents and populate the "External References" section in the template.
Determine project context:
- If user mentions "UK Government", "public sector", "department", "ministry" → Include regulatory/parliamentary risks
- If user mentions specific industry → Include industry-specific risk categories
- Check stakeholder analysis for context on project scale, complexity, stakeholders
Read stakeholder analysis carefully:
- Extract risk owners from RACI matrix (Accountable = Risk Owner)
- Extract affected stakeholders (who cares about which risks?)
- Extract stakeholder concerns from conflict analysis (these ARE risks!)
- Extract stakeholder drivers (drivers under threat = strategic risks)
- Note: EVERY risk MUST have a risk owner from stakeholder analysis
Identify risks across Orange Book categories:

Use these risk categories aligned to Orange Book framework:

STRATEGIC Risks:
- Risks to strategic objectives and organizational goals
- Competitive position, market changes, policy changes
- Stakeholder drivers under threat
- Example: "Strategic direction changes mid-project"
OPERATIONAL Risks:
- Risks to operations, service delivery, business continuity
- Resource availability, skills gaps, dependencies
- Process failures, quality issues
- Example: "Insufficient cloud migration expertise in team"
FINANCIAL Risks:
- Budget overruns, funding shortfalls, ROI not achieved
- Cost escalation, currency fluctuations
- Economic downturn impact
- Example: "Cloud costs exceed budget by 40%"
COMPLIANCE/REGULATORY Risks:
- Non-compliance with laws, regulations, policies
- Audit findings, regulatory penalties
- Data protection (GDPR, DPA 2018), procurement rules
- Example: "GDPR non-compliance due to data transfer"
REPUTATIONAL Risks:
- Damage to reputation, stakeholder confidence, public perception
- Media scrutiny, parliamentary questions (UK Gov)
- Service failures visible to public
- Example: "High-profile service outage damages citizen trust"
TECHNOLOGY Risks:
- Technical failure, cyber security, legacy system issues
- Vendor lock-in, technology obsolescence
- Integration challenges, scalability limitations
- Example: "Legacy integration fails during peak load"
Supplier-concentration risk (if procurement evidence exists): If a TNDR (Procurement Market Intelligence) or CMPT (Competitor Landscape) artefact exists at projects/{P}/research/ARC-{P}-{TNDR,CMPT}-*.md, read its Concentration section. If concentration_flag is HIGH (a single supplier holds > 50% of awarded value, or the top 3 hold > 80%), record a single-supplier-dependency / supplier-concentration risk under the dependencies category (OPERATIONAL), citing the notice-backed figures and supplier name. Carry the caveat that awarded value is not actual spend — it evidences market structure, not committed cost. If no such artefact exists, skip silently.
For EACH risk identified, create comprehensive risk profile:

Read the template (with user override support):
- First, check if .arckit/templates-custom/risk-register-template.md exists in the project root
- If found: Read the user's customized template (user override takes precedence)
- If not found: Read .arckit/templates/risk-register-template.md (default)
Tip: Users can customize templates with $arckit-customize risk-register

Populate the template with:

Risk Identification:
- Risk ID: R-001, R-002, R-003, etc. (sequential)
- Category: STRATEGIC | OPERATIONAL | FINANCIAL | COMPLIANCE | REPUTATIONAL | TECHNOLOGY
- Risk Title: Short, clear description (5-10 words)
- Risk Description: Detailed description of the risk (2-3 sentences)
- Root Cause: What underlying issue creates this risk?
- Trigger Events: What events would cause this risk to materialize?
- Consequences if Realized: What happens if this risk occurs? (tangible impacts)
- Affected Stakeholders: Link to ARC-{PROJECT_ID}-STKE-v*.md (who is impacted?)
- Related Objectives: Link to stakeholder goals/business objectives that are threatened
Inherent Risk Assessment (BEFORE controls):

Inherent Likelihood (1-5 scale):
- 1 - Rare: < 5% probability, highly unlikely
- 2 - Unlikely: 5-25% probability, could happen but probably won't
- 3 - Possible: 25-50% probability, reasonable chance
- 4 - Likely: 50-75% probability, more likely to happen than not
- 5 - Almost Certain: > 75% probability, expected to occur
Inherent Impact (1-5 scale):
- 1 - Negligible: Minimal impact, easily absorbed, < 5% variance
- 2 - Minor: Minor impact, manageable within reserves, 5-10% variance
- 3 - Moderate: Significant impact, requires management effort, 10-20% variance
- 4 - Major: Severe impact, threatens objectives, 20-40% variance
- 5 - Catastrophic: Existential threat, project failure, > 40% variance
Inherent Risk Score: Likelihood × Impact (1-25)
- 1-5: Low (Green)
- 6-12: Medium (Yellow)
- 13-19: High (Orange)
- 20-25: Critical (Red)
Current Controls and Mitigations:
- Existing Controls: What controls are already in place?
- Control Effectiveness: Weak | Adequate | Strong
- Control Owners: Who maintains these controls?
- Evidence of Effectiveness: How do we know controls work?
Residual Risk Assessment (AFTER controls):

Residual Likelihood (1-5): Likelihood after controls applied Residual Impact (1-5): Impact after controls applied Residual Risk Score: Likelihood × Impact (after controls)

Risk Response (4Ts Framework):

Select ONE primary response:
- TOLERATE: Accept the risk (within risk appetite, cost of mitigation exceeds benefit)
  - When to use: Low residual risk score (1-5), within appetite
  - Example: "Minor UI inconsistency - aesthetic only, no functional impact"
- TREAT: Mitigate or reduce the risk (implement additional controls)
  - When to use: Medium/High risk, can be reduced through actions
  - Example: "Implement automated testing to reduce defect risk"
- TRANSFER: Transfer risk to 3rd party (insurance, outsourcing, contracts)
  - When to use: Low likelihood/high impact, can be insured or contracted out
  - Example: "Purchase cyber insurance for breach liability"
- TERMINATE: Stop the activity creating the risk
  - When to use: High likelihood/high impact, exceeds appetite, cannot be mitigated
  - Example: "Cancel high-risk vendor contract, source alternative"
Risk Ownership:
- Risk Owner: From stakeholder RACI matrix (Accountable role = Risk Owner)
- Action Owner: Responsible for implementing mitigations
- Escalation Path: Who to escalate to if risk materializes?
Action Plan:
- Additional Mitigations Needed: What else should we do?
- Specific Actions: Concrete steps with owners
- Target Date: When will mitigations be in place?
- Target Residual Risk: What score are we aiming for after mitigations?
- Success Criteria: How will we know mitigations are effective?
Risk Status:
- Open: Newly identified, not yet addressed
- In Progress: Mitigations underway
- Monitoring: Mitigations in place, monitoring effectiveness
- Closed: Risk no longer applicable
- Accepted: Risk tolerated within appetite
Risk Appetite Assessment (if organizational appetite exists):
- Risk Appetite Threshold: What's the appetite for this category?
- Assessment: Within Appetite | Exceeds Appetite | Significantly Exceeds Appetite
- Justification: Why is this acceptable/not acceptable?
- Escalation Required: Yes/No (if exceeds appetite)

Generate comprehensive risk register with these sections:

A. Executive Summary:

Total risks identified (by category)
Risk profile distribution:
- Critical risks (score 20-25): X risks
- High risks (score 13-19): Y risks
- Medium risks (score 6-12): Z risks
- Low risks (score 1-5): W risks
Risks exceeding organizational appetite: N risks
Overall risk profile: Acceptable | Concerning | Unacceptable
Key risks requiring immediate attention (top 3-5)
Recommended actions and decisions needed

B. Risk Matrix Visualization (using ASCII 5×5 matrix):

Create TWO 5×5 matrices showing Likelihood (rows) × Impact (columns):

Inherent Risk Matrix (before controls):

                                    IMPACT
              1-Minimal   2-Minor    3-Moderate   4-Major    5-Severe
           ┌───────────┬───────────┬───────────┬───────────┬───────────┐
5-Almost   │           │           │   R-003   │   R-007   │   R-001   │
Certain    │    5      │    10     │    15     │    20     │    25     │
           ├───────────┼───────────┼───────────┼───────────┼───────────┤
4-Likely   │           │           │           │   R-009   │   R-004   │
           │    4      │    8      │    12     │    16     │    20     │
L          ├───────────┼───────────┼───────────┼───────────┼───────────┤
I 3-Possible│          │           │   R-002   │           │           │
K          │    3      │    6      │    9      │    12     │    15     │
...        └───────────┴───────────┴───────────┴───────────┴───────────┘

Legend: Critical (20-25)  High (13-19)  Medium (6-12)  Low (1-5)

Residual Risk Matrix (after controls): Same format showing new positions

Show movement: "R-001 moved from Critical (25) to Medium (6) after controls"

C. Top 10 Risks (by residual score):

Ranked table:

Rank	ID	Title	Category	Residual Score	Owner	Status	Response
1	R-001	...	STRATEGIC	20	CEO	In Progress	Treat

D. Risk Register (detailed table):

Full table with columns:

Risk ID
Category
Title
Description
Inherent L/I/Score
Controls
Residual L/I/Score
4Ts Response
Owner
Status
Actions
Target Date

E. Risk by Category Analysis:

For each category (STRATEGIC, OPERATIONAL, etc.):

Number of risks
Average inherent score
Average residual score
Effectiveness of controls (% reduction)
Key themes

F. Risk Ownership Matrix:

Show which stakeholder owns which risks (from RACI):

Stakeholder	Owned Risks	Critical/High Risks	Notes
CFO	R-003, R-007, R-012	1 Critical, 2 High	Heavy concentration of financial risks
CTO	R-001, R-004, R-009	2 Critical	Technology risk owner

G. 4Ts Response Summary:

Response	Count	%	Key Examples
Tolerate	5 risks	25%	R-006, R-010...
Treat	12 risks	60%	R-001, R-002...
Transfer	2 risks	10%	R-005 (insurance)
Terminate	1 risk	5%	R-008 (cancel activity)

H. Risk Appetite Compliance (if organizational appetite exists):

Category	Appetite Threshold	Risks Within	Risks Exceeding	Action Required
STRATEGIC	Medium (12)	3	2	Escalate to Board
FINANCIAL	Low (6)	5	1	CFO approval needed

I. Action Plan:

Prioritized list of risk mitigation actions:

Priority	Action	Risk(s) Addressed	Owner	Due Date	Status
1	Implement automated backups	R-001 (Critical)	CTO	2025-11-15	In Progress
2	Obtain cyber insurance	R-005 (High)	CFO	2025-12-01	Not Started

J. Monitoring and Review Framework:

Review Frequency: Monthly for Critical/High risks, Quarterly for Medium/Low
Escalation Criteria: Any risk increasing by 5+ points, any new Critical risk
Reporting Requirements:
- Weekly: Critical risks to Steering Committee
- Monthly: All risks to Project Board
- Quarterly: Risk appetite compliance to Audit Committee
Next Review Date: [Date]
Risk Register Owner: [Name from stakeholder RACI]

K. Integration with SOBC:

Note which sections of SOBC use this risk register:

Strategic Case: Strategic risks inform "Why Now?" and urgency
Economic Case: Risk-adjusted costs use financial risks + optimism bias
Management Case Part E: Full risk register feeds into risk management section
Recommendation: High risks may influence option selection

Ensure complete traceability to stakeholders:

Every risk must link back to stakeholder analysis:

Stakeholder: CFO (from ARC-{PROJECT_ID}-STKE-v*.md)
  → Concern: Budget overrun risk (from conflict analysis)
    → Risk R-003: Cloud costs exceed budget 40% (FINANCIAL, High)
      → Risk Owner: CFO (from RACI matrix - Accountable)
        → Action: Implement FinOps controls, monthly cost reviews
          → Success Criterion: Costs within 5% of budget monthly

Flag risks that need escalation:

Identify risks that require immediate action:

Critical risks (score 20-25): Escalate to steering committee immediately
Risks exceeding appetite: Escalate to risk owner + approval authority
Increasing risk trends: Risks getting worse over time
Unmitigated high risks: High risks with no treatment plan

Write the output:

Before writing the file, read .arckit/references/quality-checklist.md and verify all Common Checks plus the RISK per-type checks pass. Fix any failures before proceeding.
- Create or update projects/NNN-project-name/ARC-{PROJECT_ID}-RISK-v1.0.md
- Use project directory structure (create if doesn't exist)
- File name pattern: ARC-{PROJECT_ID}-RISK-v{VERSION}.md
- Update date and version in header

IMPORTANT - Auto-Populate Document Information Fields:

Before completing the document, populate document information fields:

Auto-populated fields

[PROJECT_ID] → Extract from project path (e.g., "001")
[VERSION] → Start with "1.0" for new documents
[DATE] / [YYYY-MM-DD] → Current date in YYYY-MM-DD format
[DOCUMENT_TYPE_NAME] → Document purpose
ARC-[PROJECT_ID]-RISK-v[VERSION] → Generated document ID
[STATUS] → "DRAFT" for new documents
[CLASSIFICATION] → Default to ${user_config.default_classification}; if unavailable, use "OFFICIAL" (UK Gov) or "PUBLIC"

User-provided fields

[PROJECT_NAME] → Full project name
[OWNER_NAME_AND_ROLE] → Document owner

Revision History

| 1.0 | {DATE} | ArcKit AI | Initial creation from `$arckit-risk` command |

Generation Metadata Footer

**Generated by**: ArcKit `$arckit-risk` command
**Generated on**: {DATE}
**ArcKit Version**: {ARCKIT_VERSION}
**Project**: {PROJECT_NAME} (Project {PROJECT_ID})
**AI Model**: [Actual model name]

Output Format

Provide:

Location: projects/NNN-project-name/ARC-{PROJECT_ID}-RISK-v1.0.md
Summary:
- "Created comprehensive risk register following HM Treasury Orange Book"
- "Identified [X] risks across 6 categories"
- "Risk profile: [X] Critical, [Y] High, [Z] Medium, [W] Low"
- "Overall residual risk score: [X]/500 ([Y]% reduction from inherent)"
- "All [X] risks have owners from stakeholder RACI matrix"
- "[N] risks require immediate escalation (exceed appetite or critical)"
Top 3 Risks:
- "1. R-001 (STRATEGIC, Critical 20): [Title] - Owner: [Name]"
- "2. R-002 (TECHNOLOGY, High 16): [Title] - Owner: [Name]"
- "3. R-003 (FINANCIAL, High 15): [Title] - Owner: [Name]"
4Ts Distribution:
- "Tolerate: X% | Treat: Y% | Transfer: Z% | Terminate: W%"
Next steps:
- "Review with [Risk Owners] to validate assessment"
- "Escalate [N] critical/high risks to Steering Committee"
- "Use risk register for SOBC Management Case Part E"
- "Implement priority actions from Action Plan"
- "Schedule monthly risk review meeting"

Orange Book Compliance Checklist

Ensure the risk register demonstrates Orange Book compliance:

✅ Governance and Leadership: Risk owners assigned from senior stakeholders
✅ Integration: Risks linked to objectives, stakeholders, and business case
✅ Collaboration: Risks sourced from stakeholder concerns and expert judgment
✅ Risk Processes: Systematic identification, assessment, response, monitoring
✅ Continual Improvement: Review framework and action plan for ongoing management

Common Risk Patterns

Pattern 1: Technology Modernization:

TECHNOLOGY: Legacy system failure during migration (High)
OPERATIONAL: Skills gap in new technology (Medium)
FINANCIAL: Cloud costs exceed estimates (Medium)
REPUTATIONAL: Service outage during cutover (High)

Pattern 2: New Digital Service:

STRATEGIC: User adoption below target (High)
TECHNOLOGY: Scalability limitations at peak (High)
COMPLIANCE: GDPR/Accessibility non-compliance (Critical)
OPERATIONAL: Support team not ready for go-live (Medium)

Pattern 3: Vendor Procurement:

FINANCIAL: Vendor pricing increases post-contract (Medium)
OPERATIONAL: Vendor delivery delays (Medium)
TECHNOLOGY: Vendor lock-in limits future options (High)
REPUTATIONAL: Vendor security breach affects reputation (High)

UK Government Specific Risks

For UK Government/public sector projects, include:

STRATEGIC:

Policy/ministerial direction change mid-project
Manifesto commitment not delivered
Machinery of government changes

COMPLIANCE/REGULATORY:

Spending controls (HMT approval delays)
NAO audit findings
PAC scrutiny and recommendations
FOI requests reveal sensitive information
Judicial review of procurement

REPUTATIONAL:

Parliamentary questions and media scrutiny
Citizen complaints and service failures
Social media backlash
Select Committee inquiry

OPERATIONAL:

GDS Service Assessment failure
CDDO digital spend control rejection
Civil service headcount restrictions
Security clearance delays

Error Handling

If stakeholder analysis doesn't exist:

DO NOT proceed with risk register
Tell user: "Risk register requires stakeholder analysis to identify risk owners and affected parties. Please run $arckit-stakeholders first."

If risks are very high/critical:

Flag explicitly: "⚠️ WARNING: [N] Critical risks (score 20-25) identified. Immediate escalation required. Consider if project should proceed."

If all risks exceed appetite:

Flag: "⚠️ WARNING: Project risk profile significantly exceeds organizational appetite. Senior approval required to proceed."

Template Reference

Use the template at .arckit/templates/risk-register-template.md as the structure. Fill in with:

Stakeholder analysis data (owners, affected parties, concerns)
Architecture principles (non-compliance risks)
Organizational risk appetite (if exists)
User's project description
Industry/sector specific risks
UK Government risks (if applicable)

Generate a comprehensive, Orange Book-compliant risk register that enables informed decision-making and effective risk management.

Important Notes

Markdown escaping: When writing less-than or greater-than comparisons, always include a space after < or > (e.g., < 3 seconds, > 99.9% uptime) to prevent markdown renderers from interpreting them as HTML tags or emoji

Suggested Next Steps

After completing this command, consider running:

$arckit-sobc -- Feed risk register into SOBC Management Case
$arckit-requirements -- Create risk-driven requirements
$arckit-secure -- Validate security controls against risks
$arckit-tenders -- Ground supplier-concentration risk in real UK procurement award data (when UK government procurement context)