Software project delivery risk
Who uses it: Project manager assessing risks at the start of a six-month development project
Critical (high prob / high impact): Key developer leaves mid-project
High (high prob / medium impact): Scope creep from stakeholder changes
High (medium prob / high impact): Integration failure with legacy system
Medium (low prob / high impact): Data breach during development
Low (low prob / low impact): Minor library deprecation
Response: Cross-train second developer; lock scope after sprint 2; prototype integration in sprint 1
Why this works: Scoring 'key developer leaves' as critical forces the team to act before the risk materializes — cross-training in sprint one costs two days but prevents a potential two-month delay.
IT security risk assessment
Who uses it: CISO or IT manager conducting an annual security review
Critical: Unpatched RCE vulnerability in public-facing service
High: Weak password policy on admin accounts
High: No MFA on cloud console access
Medium: Outdated SSL certificate on internal tools
Low: Unused open port on development server
Response: Patch within 48h; enforce MFA immediately; schedule cert renewal
Why this works: An IT security risk matrix forces prioritization when the patch backlog is long — the team patches the RCE vulnerability this week, not next quarter, because the matrix makes the relative severity visible.
Product launch risk matrix
Who uses it: Product manager planning a major feature release to 100,000 users
Critical: Payment processing failure at launch
High: Performance degradation under peak load
High: Marketing campaign goes live before feature is stable
Medium: Feature flag rollout does not work as expected
Low: Documentation not ready on day one
Response: Load test to 3x expected peak; stagger campaign 48h after launch; dark launch first
Why this works: A launch risk matrix aligns marketing and engineering on the same risk picture — when both teams see that a premature campaign is rated High, the 48-hour stagger becomes an easy agreement, not a negotiation.
Supply chain risk assessment
Who uses it: Operations manager evaluating component sourcing before a production run
Critical: Single-source supplier for key component goes out of stock
High: Shipping delay due to port congestion
Medium: Quality defect rate above acceptable threshold
Medium: Currency fluctuation increases component cost 15%
Low: Minor packaging supplier substitution needed
Response: Qualify second supplier; increase safety stock to 8 weeks; add FX hedge
Why this works: Single-source dependency is a risk that feels low-probability until it is not. Seeing it plotted as Critical on the matrix prompts procurement to qualify a second supplier during normal conditions, not during a shortage.
Business continuity risk
Who uses it: COO assessing operational resilience for a 200-person company
Critical: Primary data center outage with no failover
High: Key finance system unavailable during month-end close
High: Simultaneous sick leave of three or more senior engineers
Medium: Office inaccessible due to weather or building issue
Low: Single SaaS tool unavailability for less than four hours
Response: Enable cloud failover; document manual close process; update remote work policy
Why this works: Business continuity risks are often ignored because they feel unlikely. A risk matrix that shows 'data center outage with no failover' as Critical creates pressure to fund the failover project before the outage, not after.
Agile sprint risk review
Who uses it: Scrum master reviewing risks at sprint planning
High: Dependency on design assets not yet finalized
High: New team member needs onboarding time
Medium: Third-party API documentation is incomplete
Low: Two team members on leave on Friday
Response: PM to confirm design sign-off by day 2; pair new member with senior dev
Why this works: A lightweight risk check at sprint planning prevents the most common sprint failure — the team starts a story on day one and discovers a blocking dependency on day eight. Two minutes of risk scoring saves two days of idle time.
