Risk Assessment & Mitigation Planning
Identify market, competitive, operational, financial, and customer risks with probability and impact assessment, creating prioritized mitigation strategies and key risk indicators to monitor for board discussions and strategic planning.
Use This When
Planning, analysis, client strategy sessions, decision support.
Inputs Needed
Business model, goal, constraints, market, competitors, budget, timeline, internal capabilities.
Expected Output
Executive summary, diagnosis, options, risks, recommended path, implementation plan, KPIs.
The Workflow Prompt
You are a business strategist and operator. Objective: Risk Assessment & Mitigation Planning Context: Identify market, competitive, operational, financial, and customer risks with probability and impact assessment, creating prioritized mitigation strategies and key risk indicators to monitor for board discussions and strategic planning. Original task: **Act as a risk management strategist with experience mitigating business risks for [COMPANY_STAGE] [INDUSTRY] companies.I need a comprehensive risk assessment for our business that goes beyond basic compliance issues. Identify:(1) Market risks (demand uncertainty, market saturation, positioning)(2) Competitive risks (new entrants, feature leapfrogging, price wars)(3) Operational risks (key person dependencies, scaling challenges, tech debt)(4) Financial risks (cash runway, unit economics, funding availability)(5) Customer risks (concentration, retention, expansion)(6) Regulatory/external risks specific to our industry. For each risk, evaluate:Probability (high/medium/low), Impact (financial, strategic, operational), and create a mitigation strategy with specific actions. Prioritize by risk score and actionability. Present as: Risk Summary Dashboard → Detailed Risk Profiles → Mitigation Plans with Timeline → Key Risk Indicators to Monitor → Contingency Plans for High-Impact Scenarios. Make it practical for board discussions and strategic planning.** Inputs I may provide: Business model, goal, constraints, market, competitors, budget, timeline, internal capabilities. Operating instructions: - First, restate the objective in one clear sentence. - If critical information is missing, ask up to 5 focused questions. If there is enough information to proceed, make practical assumptions and label them. - Use a Detailed response style. - Be specific to the business, audience, channel, and constraints provided. - Avoid generic AI advice. Give concrete recommendations, examples, templates, copy, or steps I can use. - When current facts, competitors, laws, prices, policies, or market claims matter, use current research and cite sources. - Do not expose hidden chain-of-thought. Provide a concise rationale or decision summary instead. - End with a short QA checklist that helps me verify the output. Required output: Executive summary, diagnosis, options, risks, recommended path, implementation plan, KPIs. Caution: Do not treat output as professional legal, medical, financial, or compliance advice; verify with a qualified expert.
QA Follow-Up Checklist
After the AI returns its output, verify against:
- Output is specific to the provided business/context.
- Assumptions are clearly labeled.
- No unsupported claims without source checks.
- Next actions are clear and usable.
Follow-Up Prompt
Now turn the result for 'Risk Assessment & Mitigation Planning' into a client-ready version: tighten wording, remove fluff, add missing assumptions, and provide the next 3 actions.
Avoid / Cautions
Do not treat output as professional legal, medical, financial, or compliance advice; verify with a qualified expert.
How Different Verticals Use This Workflow
Restaurant & Hospitality
A 12-unit restaurant group at $30M revenue runs the risk assessment and surfaces three top-tier risks: a 32% concentration in catering revenue from 4 corporate clients, a key-person dependency on the executive chef, and lease expirations at 3 locations within 18 months. The mitigation plan diversifies catering, formalizes the chef's protege program, and starts lease negotiations 14 months early — preventing a known operator failure pattern.
Retail & E-commerce
A DTC brand at $18M ARR runs the assessment with their CFO and surfaces a top-tier risk: 78% of new customer acquisition is through Meta, with CPMs up 40% YoY. The mitigation plan accelerates a 12-month organic + creator program, sets a trigger ('if Meta acquisition cost exceeds $X for 60 days, pause and reallocate'), and defines a 'safe harbor' budget allocation that doesn't depend on Meta scaling further.
Professional Services & B2B
A B2B SaaS at $12M ARR surfaces three top-tier risks: their largest customer is 18% of ARR and renewing in 9 months, their lead engineer holds 60% of system knowledge with no documentation, and their financing extends only 14 months. The plan includes a customer success investment in the top 5 accounts, a 90-day technical documentation push, and starting Series B conversations 12 months pre-runway — all with explicit triggers.
Beauty & Personal Care
A clean beauty brand at $7M ARR surfaces a top-tier risk: 40% of formulations rely on a single contract manufacturer with a 4-month lead time. The mitigation plan develops a backup manufacturer over 18 months (qualified for the 3 highest-volume SKUs), builds 90 days of safety stock for hero products, and sets a trigger ('if primary CM has any delivery delay over 14 days, activate backup conversations'). Prevents the kind of stockout that kills a brand.
Local & Trade Services
A regional contracting business at $14M revenue surfaces a top-tier risk: their two senior estimators wrote 80% of bids that won last year, and one is approaching retirement. The mitigation plan formalizes a 12-month estimator-shadowing program, documents the proprietary bidding methodology, and sets a hire trigger ('post the role when estimator-pipeline-coverage drops below 75%').
Frequently Asked
What separates a useful risk register from a CYA document nobody reads?
Specificity and ownership. A useful register names a risk in concrete terms ('our top customer is 22% of revenue and their CEO just left'), assigns an owner, and includes the early warning signal that triggers action. A CYA document says 'customer concentration risk' with no owner and no trigger. Force the prompt to produce both columns — without owner and trigger, it's a binder, not a plan.
How do I avoid the risk-assessment trap of 100 medium-priority risks?
Force a hard prioritization: only 5-7 risks can be 'top tier' at any time. Everything else is monitored but not actively mitigated. Most risk registers fail because they list every conceivable risk with no triage — which produces a document leadership ignores. The discipline is saying 'we accept these 30 risks and will only act on these 5.' Without that, the register becomes a museum, not a tool.
How often should I actually update the risk assessment?
Quarterly for the full review, with continuous monitoring on the top 5-7 risks. Most boards request annual updates and that's too slow — by the time the annual review surfaces a risk, it's already a crisis. The discipline is a 30-minute quarterly leadership meeting specifically on risks and mitigations, separate from the broader strategy review.
When is formal risk assessment overkill?
Below $5M ARR with under 25 employees, formal risk planning is overhead. The founder usually knows the top 3 risks intuitively (cash, key customer, key hire). Write them down in a single page, review monthly with the leadership team, skip the formal framework. Once you cross $10M ARR or take institutional capital, the formal version becomes worth the time — before that, you're playing corporate.