risk-profile.md 8.3 KB
risk-profile
Generate a comprehensive risk assessment matrix for a story implementation using probability × impact analysis.
Inputs
required:
- story_id: "{epic}.{story}" # e.g., "1.3"
- story_path: "docs/stories/{epic}.{story}.*.md"
- story_title: "{title}" # If missing, derive from story file H1
- story_slug: "{slug}" # If missing, derive from title (lowercase, hyphenated)
Purpose
Identify, assess, and prioritize risks in the story implementation. Provide risk mitigation strategies and testing focus areas based on risk levels.
Risk Assessment Framework
Risk Categories
Category Prefixes:
TECH: Technical RisksSEC: Security RisksPERF: Performance RisksDATA: Data RisksBUS: Business RisksOPS: Operational Risks
Technical Risks (TECH)
- Architecture complexity
- Integration challenges
- Technical debt
- Scalability concerns
- System dependencies
Security Risks (SEC)
- Authentication/authorization flaws
- Data exposure vulnerabilities
- Injection attacks
- Session management issues
- Cryptographic weaknesses
Performance Risks (PERF)
- Response time degradation
- Throughput bottlenecks
- Resource exhaustion
- Database query optimization
- Caching failures
Data Risks (DATA)
- Data loss potential
- Data corruption
- Privacy violations
- Compliance issues
- Backup/recovery gaps
Business Risks (BUS)
- Feature doesn't meet user needs
- Revenue impact
- Reputation damage
- Regulatory non-compliance
- Market timing
Operational Risks (OPS)
- Deployment failures
- Monitoring gaps
- Incident response readiness
- Documentation inadequacy
- Knowledge transfer issues
Risk Analysis Process
1. Risk Identification
For each category, identify specific risks:
risk:
id: "SEC-001" # Use prefixes: SEC, PERF, DATA, BUS, OPS, TECH
category: security
title: "Insufficient input validation on user forms"
description: "Form inputs not properly sanitized could lead to XSS attacks"
affected_components:
- "UserRegistrationForm"
- "ProfileUpdateForm"
detection_method: "Code review revealed missing validation"
2. Risk Assessment
Evaluate each risk using probability × impact:
Probability Levels:
High (3): Likely to occur (>70% chance)Medium (2): Possible occurrence (30-70% chance)Low (1): Unlikely to occur (<30% chance)
Impact Levels:
High (3): Severe consequences (data breach, system down, major financial loss)Medium (2): Moderate consequences (degraded performance, minor data issues)Low (1): Minor consequences (cosmetic issues, slight inconvenience)
Risk Score = Probability × Impact
- 9: Critical Risk (Red)
- 6: High Risk (Orange)
- 4: Medium Risk (Yellow)
- 2-3: Low Risk (Green)
- 1: Minimal Risk (Blue)
3. Risk Prioritization
Create risk matrix:
## Risk Matrix
| Risk ID | Description | Probability | Impact | Score | Priority |
| -------- | ----------------------- | ----------- | ---------- | ----- | -------- |
| SEC-001 | XSS vulnerability | High (3) | High (3) | 9 | Critical |
| PERF-001 | Slow query on dashboard | Medium (2) | Medium (2) | 4 | Medium |
| DATA-001 | Backup failure | Low (1) | High (3) | 3 | Low |
4. Risk Mitigation Strategies
For each identified risk, provide mitigation:
mitigation:
risk_id: "SEC-001"
strategy: "preventive" # preventive|detective|corrective
actions:
- "Implement input validation library (e.g., validator.js)"
- "Add CSP headers to prevent XSS execution"
- "Sanitize all user inputs before storage"
- "Escape all outputs in templates"
testing_requirements:
- "Security testing with OWASP ZAP"
- "Manual penetration testing of forms"
- "Unit tests for validation functions"
residual_risk: "Low - Some zero-day vulnerabilities may remain"
owner: "dev"
timeline: "Before deployment"
Outputs
Output 1: Gate YAML Block
Generate for pasting into gate file under risk_summary:
Output rules:
- Only include assessed risks; do not emit placeholders
- Sort risks by score (desc) when emitting highest and any tabular lists
If no risks: totals all zeros, omit highest, keep recommendations arrays empty
# risk_summary (paste into gate file): risk_summary: totals: critical: X # score 9 high: Y # score 6 medium: Z # score 4 low: W # score 2-3 highest: id: SEC-001 score: 9 title: "XSS on profile form" recommendations: must_fix: - "Add input sanitization & CSP" monitor: - "Add security alerts for auth endpoints"
Output 2: Markdown Report
Save to: qa.qaLocation/assessments/{epic}.{story}-risk-{YYYYMMDD}.md
# Risk Profile: Story {epic}.{story}
Date: {date}
Reviewer: Quinn (Test Architect)
## Executive Summary
- Total Risks Identified: X
- Critical Risks: Y
- High Risks: Z
- Risk Score: XX/100 (calculated)
## Critical Risks Requiring Immediate Attention
### 1. [ID]: Risk Title
**Score: 9 (Critical)**
**Probability**: High - Detailed reasoning
**Impact**: High - Potential consequences
**Mitigation**:
- Immediate action required
- Specific steps to take
**Testing Focus**: Specific test scenarios needed
## Risk Distribution
### By Category
- Security: X risks (Y critical)
- Performance: X risks (Y critical)
- Data: X risks (Y critical)
- Business: X risks (Y critical)
- Operational: X risks (Y critical)
### By Component
- Frontend: X risks
- Backend: X risks
- Database: X risks
- Infrastructure: X risks
## Detailed Risk Register
[Full table of all risks with scores and mitigations]
## Risk-Based Testing Strategy
### Priority 1: Critical Risk Tests
- Test scenarios for critical risks
- Required test types (security, load, chaos)
- Test data requirements
### Priority 2: High Risk Tests
- Integration test scenarios
- Edge case coverage
### Priority 3: Medium/Low Risk Tests
- Standard functional tests
- Regression test suite
## Risk Acceptance Criteria
### Must Fix Before Production
- All critical risks (score 9)
- High risks affecting security/data
### Can Deploy with Mitigation
- Medium risks with compensating controls
- Low risks with monitoring in place
### Accepted Risks
- Document any risks team accepts
- Include sign-off from appropriate authority
## Monitoring Requirements
Post-deployment monitoring for:
- Performance metrics for PERF risks
- Security alerts for SEC risks
- Error rates for operational risks
- Business KPIs for business risks
## Risk Review Triggers
Review and update risk profile when:
- Architecture changes significantly
- New integrations added
- Security vulnerabilities discovered
- Performance issues reported
- Regulatory requirements change
Risk Scoring Algorithm
Calculate overall story risk score:
Base Score = 100
For each risk:
- Critical (9): Deduct 20 points
- High (6): Deduct 10 points
- Medium (4): Deduct 5 points
- Low (2-3): Deduct 2 points
Minimum score = 0 (extremely risky)
Maximum score = 100 (minimal risk)
Risk-Based Recommendations
Based on risk profile, recommend:
Testing Priority
- Which tests to run first
- Additional test types needed
- Test environment requirements
Development Focus
- Code review emphasis areas
- Additional validation needed
- Security controls to implement
Deployment Strategy
- Phased rollout for high-risk changes
- Feature flags for risky features
- Rollback procedures
Monitoring Setup
- Metrics to track
- Alerts to configure
- Dashboard requirements
Integration with Quality Gates
Deterministic gate mapping:
- Any risk with score ≥ 9 → Gate = FAIL (unless waived)
- Else if any score ≥ 6 → Gate = CONCERNS
- Else → Gate = PASS
- Unmitigated risks → Document in gate
Output 3: Story Hook Line
Print this line for review task to quote:
Risk profile: qa.qaLocation/assessments/{epic}.{story}-risk-{YYYYMMDD}.md
Key Principles
- Identify risks early and systematically
- Use consistent probability × impact scoring
- Provide actionable mitigation strategies
- Link risks to specific test requirements
- Track residual risk after mitigation
- Update risk profile as story evolves