Walkthrough — Acme Platform Migration (PRQ)
This article walks through the sample register that ships with PRQ. Open /prq in another tab and follow along — the register on screen is exactly the one we describe here. The example is small enough to read end-to-end (four risks) but big enough to exercise every PRQ mechanic: triangular and PERT distributions, a meaningful base estimate, a tornado that actually ranks something, and a convergence diagnostic that comes back green.
The four risks
Each risk in the register has a probability of occurrence (per iteration) and an impact distribution (a triangular or PERT triple of low / mode / high values).
1. Vendor SaaS dependency outage
Operational risk. Probability of occurrence: 30%. Impact distribution: triangular (TRI) $50,000 / $120,000 / $350,000.
Reading: in any given iteration, there's a 30% chance the vendor outage triggers; if it does, the impact is somewhere in the triangular range with the mode at $120,000. The bounds are realistic — small business-day disruption at the low end, multi-day SaaS-vendor outage with workflow knock-on at the high end.
2. Data migration schedule slip
Schedule risk. Probability: 50%. Distribution: PERT $75,000 / $200,000 / $500,000.
PERT was chosen here because schedule slips tend to cluster tightly near a most-likely value — the mean of the planning team's estimate plus typical-buffer overrun. PERT puts more weight on the mode than triangular does, capturing that clustering. The 50% probability reflects that schedule slip is a near-coin-flip event for migration projects of this size.
3. Cyber incident during cutover
Technical risk. Probability: 10%. Distribution: triangular $200,000 / $600,000 / $1,500,000.
Low-probability, high-impact. Triangular keeps the bounds as hard limits; the wide spread (mode at $600k, max at $1.5M) reflects genuine uncertainty about how big a cutover-window cyber incident could get.
4. Regulatory approval delay
Regulatory risk. Probability: 20%. Distribution: PERT $30,000 / $80,000 / $250,000.
PERT, narrow spread. Regulatory delay impacts cluster around a well-understood per-day cost; the maximum captures the rare scenario where the delay extends past a budget cycle.
What the simulation produces
Hit ▶ Run simulation at the default 10 000 iterations. The simulation completes in well under a second; the results panel expands below the simulation block.
Indicative output (your numbers will vary by ~1–2% per run since PRQ doesn't use a seedable PRNG):
- P50 — about $228,000. Half the time, total risk-driven cost lands at or below this value.
- P80 — about $427,000. The recommended contingency. Carrying $427k means an 80% chance the budget won't be breached by these risks.
- P90 — about $629,000. Tail check. The gap from P80 to P90 (~$200k) tells you there's meaningful tail risk you're explicitly not funding at the P80 level.
- Mean — about $290,000. The arithmetic average of all 10 000 iterations.
- Std dev — about $300,000. Wide relative to the mean, reflecting the cyber-incident risk's fat tail.
Reading the contingency recommendation
Recommended contingency at P80: about $427,000, or 28.5% of the $1.5M base estimate. This is the single number the project sponsor cares most about — it's the dollars to add to the base estimate so that risk events have an 80% probability of fitting within the contingency line.
That 28.5% is meaningfully higher than the rule-of-thumb 15% contingency. Why? Because one risk (cyber incident) drives most of the variance. The deterministic heuristic doesn't see that; the simulation does. The right next conversation is whether treatments could buy down the cyber-incident probability or top-end impact materially — see the tornado below.
The tornado tells you where to invest
The sensitivity tornado ranks the four risks by their contribution to total variance. With the default Acme register (no correlation specified), expect roughly:
- Cyber incident during cutover — 65–75% of variance. Renders as the top bar in teal (the singular "fix this first" cue).
- Data migration schedule slip — 15–22% of variance.
- Vendor SaaS dependency outage — 6–10% of variance.
- Regulatory approval delay — 1–3% of variance.
Read this as: if you can buy down the cyber-incident risk — say by halving its probability via additional cutover-window controls — the contingency recommendation will move materially. Treating regulatory approval delay would have almost no effect on the contingency. The tornado is the specific input to the treatment-prioritisation conversation.
Adding correlation: what changes
The default run assumes the four risks are independent. In reality, several pairs are likely positively correlated:
- Vendor outage and schedule slip might co-occur — both can stem from infrastructure pressure during cutover. Anchor: +0.3 (mild positive).
- Cyber incident and schedule slip can also co-occur — a cyber incident during cutover may also delay the schedule. Anchor: +0.3.
Open the "Correlation between risks" panel, enter those values, and re-run. The matrix will be PSD-valid (those mild pairwise positives don't conflict). After re-running:
- P80 will rise modestly — typically by $15,000–$30,000. The recommended contingency climbs from ~$427k to ~$450k.
- The tornado caption changes from "closed-form variance contribution" to "Spearman rank correlation (ρ²)" — the methodology is now correlation-aware.
- A correlation heatmap card appears below the tornado, showing the pairwise rank correlations with a teal-to-ink-red diverging palette.
- The independence-assumption disclosure flips from "independence assumed" to "rank correlations specified — see correlation heatmap".
That P80 difference (~$25k on a $1.5M base) might look small, but it's the right answer. Independence-assumed simulations understate tail risk by around that much on registers of this shape; specifying realistic correlations brings the contingency recommendation in line with what the project will actually need.
Exporting the report
Hit Download PDF. The 6+ page A4 portrait report opens with the Solid M brand cover and includes:
- Cover — project name, headline narrative paragraph, project glance.
- Executive summary — project metadata, key findings (mean, std-dev, contingency at P80), full percentile grid.
- Distribution + S-curve — histogram on the top half, S-curve on the bottom half, both with P50 / P80 / P90 markers in the brand palette.
- Sensitivity tornado — top contributors with the top-1 in teal, others in ink.
- Correlation heatmap — only if you specified correlations; teal-to-ink-red diverging palette.
- Risk register — paginated table of every risk in the register.
- Methodology annex — independence notice (matching the on-screen text), run parameters, contingency calculation, sensitivity method, distribution params per active risk, tool / schema / generation timestamp.