1# Risk Register
2 
3OGC's framing: value and risk are paired. Once an option is preferred, build the register for *that* option and iterate the value-risk balance until acceptable. Don't pre-build a generic register.
4 
5## Entry shape
6 
7```
8ID  Risk                          Likelihood  Impact  Score  Owner   Mitigation                          Trigger / signal
9R1  Cache invalidation gap         M           H       6      X       Stale-while-revalidate + TTL audit  CDN miss-rate spike
10```
11 
12Score = Likelihood x Impact (1-3 each). Sort descending. Review top 5 only.
13 
14## Software risk taxonomy
15 
16Use as a checklist  -  only include risks that actually apply.
17 
18- **Data migration**  -  schema change, backfill, dual-write window.
19- **Cache invalidation**  -  staleness, thundering herd, key collisions.
20- **Permission boundaries**  -  privilege escalation, multi-tenant leak, scope creep on tokens.
21- **Observability gaps**  -  no metric, no log, no alert for the new failure mode.
22- **Deploy order**  -  services brought up out of order, contract mismatch.
23- **Rollback**  -  irreversible writes, missing feature flag, schema-locked rollback.
24- **Compatibility**  -  old clients, queued messages with old schema, third-party API drift.
25- **Test gaps**  -  no integration test, no load test, no chaos test for the new dependency.
26- **Cost surprise**  -  LLM tokens, egress, retry storms, log volume.
27- **Concurrency**  -  races on shared state, lock ordering, idempotency.
28 
29## Non-software risk taxonomy
30 
31- **Stakeholder defection**  -  sponsor leaves, priorities shift.
32- **Skills gap**  -  required expertise unavailable in time.
33- **External dependency**  -  vendor, regulator, partner timing.
34- **Sequencing**  -  blocked by another project's output.
35- **Reputation**  -  failure visible to users/customers.
36- **Sunk-cost lock-in**  -  committing to a path that's hard to abandon.
37 
38## Mitigation patterns
39 
40- **Reduce likelihood**  -  change design, add review gate, shrink scope.
41- **Reduce impact**  -  feature flag, staged rollout, kill switch, blast-radius cap.
42- **Detect early**  -  telemetry, leading indicator, manual check at first run.
43- **Transfer**  -  vendor SLA, insurance, contract.
44- **Accept**  -  name it explicitly with the trigger that would force re-planning.
45 
46For each top-5 risk, name **at least one** detection and **at least one** mitigation. If you can't, the option is not ready for VM4.
47 
48## Question template
49 
50Ask, one at a time:
51 
52> "What signal would tell us R<n> is becoming real before users feel it?"  -  *Recommended: <existing metric, log, or check>; if none, propose adding it.*
53 
54Iterate until every top-5 risk has a signal and an owner.
55