Welcome to our module no 4: analyse from our online course “Best Practices of Risk Management in 7 modules”.

After all the identifying and collecting of risks we did in module 3
it is now time for a game of risk poker!

But wait! You have to analyse the risk before you can put your pokerface on

In our essential risk management app:
> open the risk identification tree
> select a risk
> add the risk analysis page

If you haven’t access to our app go to https://overcloud.atlassian.net/servicedesk/customer/portals
or copy and paste the table below.

Content: Risk analysis page
> Participants
> Summary
Describe the risk and the context.
> How did you identify the risk?
Brainstorming, Experience, Incident report, records or publications,
stakeholder consultation, risk reports of previous projects

> Situation
At which location, phase or process step will the risk occur?
> Risk Categories
Severity, likelihood, detectibility (see module 2)
> Risk rating
look up matrix : traffic light risk rating

The group has to analyse the consequences and impact of the risk (severity) and the likelihood that this risk will occur. And this initially on the assumption no mitigation measures are in place.
Sounds strange? But only then you can see whether current mitigation measures are spot on, too little or too much.
Missing detectibility? Then you missed the discussion in module2.
The short answer: If you are not a risk management badass then ignore detectibility for now. It will make the introduction of risk management a lot easier.

Put your pokerface on and get your cards ready!

Draw a card. Dont forget playing poker is a serious business, don’t let anybody see your card.

After everybody has made a choice, turn the cards over. Don’t be surprised if the answers vary extensively. Even the AAPM TG100 authors made this experience. Ask the participants who selected the “extrem” categories to explain their choice.

The advantage to use the cards are:
+ you hear everybody’s opinion
+ one’s decision is not changed when other opinions are voiced

After the group has reached an agreement, the risk rating before mitigation can be determined with help of a risk rating matrix.

This will be followed by discussion on how to handle the risk and then another round of risk poker. This time considering the implemented mitigation measures.

A lot more about this in our next module.


  1. display risk identification tree or list containing the risks
  2. display risk rating catagories (hands out work well too)
  3. hand out risk poker cards
  4. play risk poker
  5. agree
  6. rate before mitigation