Risk Register
Tiana_ edited this page May 30, 2026
This register tracks non-security risks: technical, operational, regulatory, market and project. Each entry records likelihood, impact, mitigation and owner. It is reviewed quarterly and updated as risks materialize or are retired. It is the companion to Threat-Modeling, which covers security-specific risks.
| Likelihood | Description |
|---|---|
| Low | < 5% chance in next 12 months |
| Medium | 5-30% chance |
| High | 30-70% chance |
| Critical | > 70% chance / already happening |
| Impact | Description |
|---|---|
| Low | < 1 day disruption, no customer impact |
| Medium | 1-7 day disruption, recoverable |
| High | Customer impact, regulatory attention possible, week+ to recover |
| Critical | Existential - could end the project / land in court |
Priority = Likelihood × Impact (qualitative).
| Field | Value |
|---|---|
| Likelihood | Medium |
| Impact | Medium |
| Description | Single-instance Postgres saturates beyond ~5000 tx/sec sustained |
| Indicators | DB pool exhaustion, query p99 climbing |
| Mitigation | Partitioning at 10M rows; read replicas; TigerBeetle adapter Y1 H2 |
| Trigger to act | p99 latency > 200ms for ledger post for 7+ days |
| Owner | Maintainer |
| Field | Value |
|---|---|
| Likelihood | Medium |
| Impact | Medium |
| Description | Lazy collection access outside a transaction triggers an N+1 query storm (one query per parent row) |
| Indicators | DB query rate jumps without traffic increase |
| Mitigation | Hibernate Statistics MBean enabled, fail-on-N+1 in tests, code review checklist |
| Owner | Maintainer |
| Field | Value |
|---|---|
| Likelihood | Low |
| Impact | High |
| Description | Multi-day Kafka outage; the outbox accumulates 50M+ rows and Postgres degrades |
| Mitigation | Capacity sized for 24h × 3 = 72h tolerance; alert at 1000 rows; runbook to throttle producers if exhausted |
| Owner | Maintainer |
| Field | Value |
|---|---|
| Likelihood | Low |
| Impact | High |
| Description | Bad migration in production breaks startup or corrupts data |
| Mitigation | Migrations append-only (no edits); CI applies migrations to fresh DB on every PR; production rollback runbook |
| Owner | Maintainer |
| Field | Value |
|---|---|
| Likelihood | Medium |
| Impact | Medium |
| Description | 1000+ rules per ruleset slow evaluation past 50ms p99 |
| Mitigation | Rule cache; benchmark every commit; advisory limit at 500 active rules per ruleset; ADR-0008 |
| Owner | Maintainer |
| Field | Value |
|---|---|
| Likelihood | Low |
| Impact | Critical |
| Description | Two transactions race on the same account, causing a lost update or an invariant breach |
| Mitigation | SELECT FOR UPDATE on accounts; deferred trigger catches invariant violation at COMMIT; property test under 100 concurrent posters |
| Owner | Maintainer |
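The locking and deferred-trigger mitigation above, written out as an added example in PostgreSQL. This is not FinCore's schema or code; every table, column and function name is an assumption made for illustration. It shows the two parts a practitioner needs to see together: row locks taken in a fixed order before any balance is read or written, and a cross-row invariant (each journal entry sums to zero) that cannot be a plain CHECK and is therefore verified by a DEFERRABLE constraint trigger at COMMIT.

```sql
-- Added example, not FinCore's schema or code: the "SELECT FOR UPDATE plus
-- deferred trigger" mitigation, in PostgreSQL 12+. All names are assumed.

CREATE TABLE account (
    id      bigint PRIMARY KEY,
    -- Single-row invariant: an ordinary CHECK is enough, it is verified on
    -- every statement that touches the row.
    balance numeric(20, 4) NOT NULL DEFAULT 0 CHECK (balance >= 0)
);

CREATE TABLE journal_entry (
    id        bigserial PRIMARY KEY,
    posted_at timestamptz NOT NULL DEFAULT now()
);

CREATE TABLE journal_line (
    entry_id   bigint NOT NULL REFERENCES journal_entry (id),
    account_id bigint NOT NULL REFERENCES account (id),
    amount     numeric(20, 4) NOT NULL  -- positive = debit, negative = credit
);

-- Cross-row invariant: every entry's lines sum to zero. A row-level CHECK
-- cannot express this, and an immediate trigger would fire after the first
-- line, before the balancing line exists. A DEFERRABLE constraint trigger
-- runs at COMMIT instead; if it raises, the COMMIT fails and the whole
-- transaction is rolled back.
CREATE FUNCTION check_entry_balanced() RETURNS trigger AS $$
DECLARE
    total numeric;
BEGIN
    SELECT coalesce(sum(amount), 0) INTO total
      FROM journal_line
     WHERE entry_id = NEW.entry_id;
    IF total <> 0 THEN
        RAISE EXCEPTION 'journal entry % does not balance (sum = %)',
            NEW.entry_id, total;
    END IF;
    RETURN NULL;
END
$$ LANGUAGE plpgsql;

CREATE CONSTRAINT TRIGGER entry_balanced
    AFTER INSERT ON journal_line
    DEFERRABLE INITIALLY DEFERRED
    FOR EACH ROW EXECUTE FUNCTION check_entry_balanced();

-- Post a transfer. Under READ COMMITTED a plain "read balance, decide, write
-- balance" sequence is a lost-update race: two posters read the same balance
-- and both succeed. Locking the rows FOR UPDATE first serialises posters on
-- each account; ORDER BY id fixes the lock acquisition order so two posters
-- working on the same pair in opposite directions cannot deadlock.
CREATE FUNCTION post_transfer(p_from bigint, p_to bigint, p_amount numeric)
RETURNS bigint AS $$
DECLARE
    v_entry  bigint;
    v_locked int;
BEGIN
    IF p_amount <= 0 OR p_from = p_to THEN
        RAISE EXCEPTION 'invalid transfer';
    END IF;

    PERFORM 1 FROM account
     WHERE id IN (p_from, p_to)
     ORDER BY id
       FOR UPDATE;
    GET DIAGNOSTICS v_locked = ROW_COUNT;
    IF v_locked <> 2 THEN
        RAISE EXCEPTION 'unknown account';
    END IF;

    INSERT INTO journal_entry DEFAULT VALUES RETURNING id INTO v_entry;
    INSERT INTO journal_line (entry_id, account_id, amount) VALUES
        (v_entry, p_from, -p_amount),
        (v_entry, p_to,    p_amount);

    -- Arithmetic happens inside the UPDATE, under the lock taken above;
    -- the CHECK rejects an overdraft and rolls the transaction back.
    UPDATE account SET balance = balance - p_amount WHERE id = p_from;
    UPDATE account SET balance = balance + p_amount WHERE id = p_to;
    RETURN v_entry;
END
$$ LANGUAGE plpgsql;

-- Constructed usage. The second block shows the deferred check acting at
-- COMMIT rather than at INSERT: the lone line is accepted, the COMMIT is not.
INSERT INTO account (id, balance) VALUES (1, 100), (2, 0);
SELECT post_transfer(1, 2, 40);

BEGIN;
INSERT INTO journal_entry DEFAULT VALUES;
INSERT INTO journal_line VALUES (currval('journal_entry_id_seq'), 1, -5);
COMMIT;  -- the deferred trigger raises here and the transaction rolls back
```

Two design points worth keeping in mind when adapting this. Single-row invariants (a balance floor) belong in CHECK constraints, which are cheap and immediate; only cross-row invariants need the deferred trigger, and because it runs per inserted row, an entry with many lines is re-summed once per line at COMMIT. Second, `SELECT ... FOR UPDATE` only protects writers that take the lock; a code path that updates `account.balance` without going through the locking function reintroduces the race, which is what the property test under concurrent posters is meant to catch.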
| Field | Value |
|---|---|
| Likelihood | Medium (when feature ships) |
| Impact | High |
| Description | When pluggable storage lands, dual-storage mode must guarantee same invariants |
| Mitigation | Single-storage-only deployment in v0.1; conformance test suite validates both backends produce identical results |
| Owner | Maintainer - Y1 H2 |
| Field | Value |
|---|---|
| Likelihood | Critical |
| Impact | Critical |
| Description | Project has a sole maintainer. If unavailable, project stalls. |
| Mitigation | (1) Detailed documentation (this Wiki) reduces dependence on tribal knowledge. (2) Recruit co-maintainer in Y1 H2. (3) Public process for emergency response. |
| Owner | Maintainer |
| Field | Value |
|---|---|
| Likelihood | High |
| Impact | High |
| Description | Solo maintainer burnout from sustained development + community work |
| Mitigation | Strict scope discipline (no feature creep). Firm time boundaries. Public roadmap to manage expectations. Vacation policy: full disengage 4 weeks/year. |
| Owner | Maintainer |
| Field | Value |
|---|---|
| Likelihood | Medium |
| Impact | Critical |
| Description | Vulnerability in FinCore exploited at adopter site; reputational damage |
| Mitigation | CodeQL + Trivy + Dependabot; SECURITY.md disclosure policy; 48h ack SLA; signed commits |
| Owner | Maintainer |
| Field | Value |
|---|---|
| Likelihood | Medium |
| Impact | High |
| Description | Adopter deploys with bad config (e.g., default Keycloak password); data leak attributed to FinCore |
| Mitigation | Helm chart fails closed (no default secrets); Keycloak admin must be set; runbook for hardening checklist; first-run wizard refuses to start without secrets configured |
| Owner | Maintainer |
| Field | Value |
|---|---|
| Likelihood | Medium |
| Impact | Medium |
| Description | Dependabot misses an alert, or a fix takes too long to apply |
| Mitigation | Dependabot daily; manual weekly review; security alert subscriptions for Spring/Hibernate/Liquibase; CVE response runbook (4h ack, 7 days fix for HIGH/CRITICAL) |
| Owner | Maintainer |
| Field | Value |
|---|---|
| Likelihood | Medium |
| Impact | Low |
| Description | Adopter writes a bug, blames FinCore publicly |
| Mitigation | Clear documentation about scope; reproducer requirement for bug reports; community process for triage |
| Owner | Maintainer |
| Field | Value |
|---|---|
| Likelihood | Low (FinCore is OSS, adopter takes liability) |
| Impact | Low (for FinCore) |
| Description | Adopter using FinCore gets regulator action, claims FinCore is at fault |
| Mitigation | License explicitly disclaims warranty; SECURITY.md clarifies adopter responsibilities; documentation framing FinCore as infrastructure, not advice |
| Owner | Maintainer / legal counsel (contract Y1 H2) |
| Field | Value |
|---|---|
| Likelihood | Medium |
| Impact | Medium (for adopters in EU) |
| Description | FinCore lacks an SCA (PSD2 Strong Customer Authentication) primitive; adopter struggles to comply |
| Mitigation | Document SCA flow in Wiki; add SCA helper in v0.4; Keycloak supports OTP/WebAuthn out of box |
| Owner | Maintainer |
| Field | Value |
|---|---|
| Likelihood | High (will happen for any EU adopter) |
| Impact | Medium |
| Description | v0.1 lacks soft delete and DEK rotation, so there is no "forget user" (GDPR right-to-erasure) capability |
| Mitigation | Documented as known gap; on Y1 H2 roadmap; manual procedure for v0.1 adopters |
| Owner | Maintainer - Y1 H2 |
| Field | Value |
|---|---|
| Likelihood | Medium (only matters for EU SEPA adopters) |
| Impact | Medium |
| Description | EU adopters must transform between FinCore and SEPA messages manually |
| Mitigation | Documented; on Y1 H2 roadmap |
| Owner | Maintainer |
| Field | Value |
|---|---|
| Likelihood | Low |
| Impact | Medium |
| Description | BSL discourse on HN/Reddit/Twitter creates negative perception |
| Mitigation | FAQ; engage substantively in discussions; precedent from Sentry/CockroachDB; ADR-0009 rationale is public |
| Owner | Maintainer |
| Field | Value |
|---|---|
| Likelihood | Medium |
| Impact | Medium |
| Description | Y1 ends with < 100 stars, no public adopter mentions |
| Mitigation | Decision Engine subproject potentially stronger adoption vector; quality and documentation drive organic discovery |
| Owner | Maintainer |
| Field | Value |
|---|---|
| Likelihood | Low (BSL legally tested) |
| Impact | High |
| Description | AWS / Google offers managed service in violation of BSL |
| Mitigation | BSL has been defended successfully (CockroachDB precedent); attorney for high-stakes scenarios; community pressure |
| Owner | Maintainer |
| Field | Value |
|---|---|
| Likelihood | Medium (over project lifetime) |
| Impact | Medium |
| Description | Contributor or commenter behaves badly; reflects on project |
| Mitigation | Code of Conduct (Contributor Covenant 2.1); enforcement playbook; clear escalation |
| Owner | Maintainer |
| Field | Value |
|---|---|
| Likelihood | High |
| Impact | Medium |
| Description | Adopters request features that pull project off-strategy |
| Mitigation | Public roadmap; explicit "out of scope" docs; "Decision Records" for declines |
| Owner | Maintainer |
| Field | Value |
|---|---|
| Likelihood | Low |
| Impact | High |
| Description | Private-vertical code or docs accidentally committed to public repo |
| Mitigation | Private-vertical docs are gitignored; SECURITY.md clarifies boundaries; pre-commit hooks scan staged files for forbidden terms; gitleaks scan in CI |
| Owner | Maintainer |
A risk is considered mitigated when:
- The mitigation is documented (here or in linked artifact)
- The mitigation is implemented (not aspirational)
- The mitigation has monitoring or check that confirms it's working
- There is a runbook for what to do if the risk materializes
Risks that don't meet all four criteria are flagged in red on the quarterly review.
- Review each risk: still likely? still impactful?
- Add new risks discovered in the past quarter
- Retire risks that no longer apply (project evolved past them)
- Update mitigations based on incidents
- Communicate changes via release notes or status page update
Next review date: 2026-07-25 (90 days from creation)
- Threat-Modeling - security-specific risks
- Architecture-Resilience - operational mitigations
- Incident-Response - what to do when risks materialize
- Roadmap - when remediations ship