Use when making architectural decisions without documentation, skipping risk analysis, accepting risks without mitigation, or treating governance as optional bureaucracy - enforces mandatory DAR/RSKM based on project risk level
View on GitHubtachyon-beep/skillpacks
axiom-sdlc-engineering
February 3, 2026
Select agents to install to:
npx add-skill https://github.com/tachyon-beep/skillpacks/blob/main/plugins/axiom-sdlc-engineering/skills/governance-and-risk/SKILL.md -a claude-code --skill governance-and-riskInstallation paths:
.claude/skills/governance-and-risk/# Governance and Risk
## Overview
This skill implements the **Decision Analysis & Resolution (DAR)** and **Risk Management (RSKM)** process areas from the CMMI-based SDLC prescription.
**Core principle**: Proactive governance prevents costly reactive firefighting. Documentation and risk management are investments that pay 3-10x returns by avoiding crisis mode.
**Critical distinction**:
- **Reactive**: Handle problems when they occur (expensive, stressful, compounding)
- **Proactive**: Identify and mitigate problems before they occur (cheap, controlled, preventive)
**Reference**: See `docs/sdlc-prescription-cmmi-levels-2-4.md` Sections 3.4.1 (DAR) and 3.4.2 (RSKM) for complete policy.
---
## When to Use
Use this skill when:
- Making architectural or technical decisions without ADRs
- Hearing "it's obvious" or "everyone agrees" (groupthink red flag)
- Skipping risk identification ("what could go wrong?")
- Accepting risks without mitigation plans
- Deferring to authority without independent analysis (CTO says, tech lead suggests)
- Using sunk cost to justify decisions ("we've already invested...")
- Treating governance as bureaucracy or overhead
- No ongoing risk monitoring ("set and forget")
**Do NOT use for**:
- Trivial decisions (variable names, code style) → Use coding standards
- Implementation details → Use design-and-build skill
- Security-specific risk analysis → Use ordis-security-architect
---
## Quick Reference
| Situation | Framework | Mandatory At | Key Action |
|-----------|-----------|--------------|------------|
| "Obvious" architectural decision | DAR with ADR | Level 3+ | Document alternatives even if choice is clear |
| High-risk decision (vendor, framework) | DAR with decision matrix | Level 2+ for high-risk | Evaluate alternatives before committing |
| Authority wants specific option | DAR with independent analysis | Level 3+ | Analyze alternatives BEFORE authority input |
| External dependency (API, vendor) | RSKM with mitigation | Le