An Initiative Risk is a potential threat to an Initiative that the team wants to proactively identify, assess, and manage. Risks are assessed on two dimensions — likelihood and impact — and tracked through a lifecycle from identification to resolution.
Risk management is a first-class concern in Catalio because modernization projects have inherent uncertainty. Legacy systems contain surprises. Stakeholder alignment is fragile. Integration complexity is often underestimated. Surfacing risks early gives teams time to mitigate them before they materialize.
Key Fields
| Field | Purpose |
|---|---|
| title | Short risk description |
| description | Detailed description of the risk and its context |
| likelihood | Probability of occurrence: high, medium, low |
| impact | Severity if it occurs: high, medium, low |
| mitigation | Planned or applied mitigation strategy |
| owner | The team member responsible for monitoring this risk |
| status | Current lifecycle state |
| initiative_id | Parent Initiative |
Risk Lifecycle
open → mitigated
↘ accepted
↘ occurred
open — The risk has been identified and is being monitored. This is the default state.
mitigated — A mitigation strategy has been applied and the risk has been reduced to acceptable levels.
accepted — The team has acknowledged the risk and consciously decided not to mitigate it. This might be because the cost of mitigation exceeds the potential impact, or because the risk is deemed low enough to tolerate.
occurred — The risk has materialized into an actual problem. Use this state to track realized risks for retrospective analysis.
Risk Matrix
The combination of likelihood and impact defines the priority for management attention:
| High Impact | Medium Impact | Low Impact | |
|---|---|---|---|
| High Likelihood | Critical — Act immediately | High — Prioritize mitigation | Medium — Monitor closely |
| Medium Likelihood | High — Plan mitigation | Medium — Monitor | Low — Acknowledge |
| Low Likelihood | Medium — Plan response | Low — Document | Minimal — Note only |
Common Risk Categories in Modernization
Technical risks
- Integration complexity higher than estimated
- Legacy system contains undocumented behavior
- Data migration quality issues
- Third-party dependency changes
Stakeholder risks
- Key SME unavailability during discovery
- Sponsor changes or priority shifts
- Resistance to process change from users
- Competing initiatives consuming capacity
Scope risks
- Scope creep from incomplete out-of-scope definition
- Requirements discovered late that affect architecture
- Compliance requirements identified after design is locked
Delivery risks
- Team capacity constraints during build
- Vendor delivery delays
- Regulatory approval timelines
- Environment provisioning delays
Best Practices
Identify risks before they become issues.
The most valuable risk is the one identified three months before it occurs, not the day it happens. Build a risk identification session into the Planning stage kickoff.
Assign an owner to every risk.
Unowned risks are ignored risks. Every risk should have a specific named person responsible for monitoring it and escalating if the likelihood or impact changes.
Update risks at stage transitions.
At each stage gate, review all open risks. Has anything changed? Have previously low-likelihood risks become more likely? Have risks occurred that should be marked as such?
Document mitigation strategies specifically.
“We will address this” is not a mitigation strategy. “We will schedule a two-week data quality sprint in March with the DBA team to validate all vendor master records before migration begins” is.
Use occurred for retrospective learning.
Marking risks as occurred when they materialize creates a record for retrospectives. Patterns across multiple Initiatives reveal systemic risk factors that can improve future engagement planning.
Relationships at a Glance
| Related Concept | Relationship |
|---|---|
| Initiative | Risks belong to an Initiative |
| Initiative Tasks | Mitigation activities appear as Tasks |
| Dependencies | Related concept for blocking external factors |
Next Steps
- Understand Initiatives — Learn the governance context for Risk management
- Create Initiative Tasks — Convert mitigation strategies into actionable work items
- Track Dependencies — Manage blocking external factors
Pro Tip: After your first discovery session, hold a 45-minute risk brainstorming workshop with the team. Prompt with: “What could make this Initiative fail? What don’t we know yet? Who might push back?” The risks you identify in this session will prove more valuable than those identified during planning.
Support
- Documentation: Continue reading about Initiatives and Dependencies
- Email: support@catalio.ai
- Community: Share risk management patterns with other Catalio users