Skip to main content

Open Risks

Purpose

This page lists unresolved risks that prevent the documentation from being treated as final approved technical documentation.

The risk register should be reviewed before every internal approval round.

Risk Severity

SeverityMeaning
HighMay affect security, financial integrity, tenant isolation, or recovery readiness
MediumMay affect operational reliability, developer onboarding, or audit readiness
LowDocumentation quality or follow-up improvement

Current Open Risk Register

IDRiskSeverityOwnerStatusMitigation
RISK-RBAC-001RBAC evidence is not attached to documentationHighCTO / BackendEvidence PendingTechnical team confirmed test cases and manual testing cover the listed denial scenarios; attach evidence in Evidence Log
RISK-SCOPE-001Scope / account isolation evidence is not attachedHighBackendEvidence PendingMaqsafy is not SaaS; attach school, supplier, and operator negative access evidence for account/scope isolation
RISK-CRED-001Credential lifecycle evidence is not fully attachedHighProduct / BackendEvidence PendingTechnical team confirmed credential replacement is Admin-only; attach test or permission evidence
RISK-PAY-001Payment idempotency evidence is not attachedHighBackend / FinanceEvidence PendingTechnical team confirmed server-to-server status checks and single-update enforcement; attach implementation/test evidence
RISK-RESTORE-001Restore test evidence is incompleteHighCTO / OperationsEvidence PendingRestore test was performed approximately during the last month; add exact date, environment, and validation result
RISK-RPO-001RPO wording is not formally approvedHighCTOOpenReplace "zero data loss target" with approved measurable wording
RISK-API-001API documentation final format is partially confirmedMediumBackendPartially ClosedPostman documentation exists and /openapi.yaml draft exists; decide whether a hosted Swagger UI is required
RISK-INT-001Integration provider names and ownership are still TBDMediumCTO / OperationsOpenConfirm providers or mark as intentionally undisclosed
RISK-REL-001Release approval and rollback ownership require final confirmationMediumCTO / ProductOpenUpdate Release Management with actual approvers
RISK-SEC-001Security controls are documented but not backed by evidenceMediumCTO / SecurityOpenAdd sanitized control evidence

Closure Criteria

A risk can be closed only when:

  1. The owner confirms the final decision.
  2. Evidence is added or the limitation is explicitly accepted.
  3. The affected documentation page is updated.
  4. The Documentation Review Checklist is updated.

Rules

  • Do not close risks based on assumption.
  • Do not downgrade financial, tenant isolation, or credential risks without technical confirmation.
  • Use Accepted Risk only when the responsible owner explicitly accepts it.