Risk Register

:::info Source Sourced from services/assignment-service/SERVICE_RISK_REGISTER.md in the documentation repo. :::

ID	Risk	Sev	Impact	Mitigation	Owner
R-AG-01	RRULE + timezone correctness	S2	Wrong due dates; compliance failures	1000-fixture suite; DST + leap + TZ matrix; property tests	Assignment
R-AG-02	ABAC policy complexity → mis-grants	S1	Wrong learners assigned	Policy linter; sample-data tests; two-tenant iso; tenant preview	Assignment + Tenant + Security
R-AG-03	Compliance window not triggering escalation	S1	Regulatory gap	Cron reliability SLO; alert on stuck windows; chaos tests	Assignment + SRE
R-AG-04	Dynamic group re-eval stale	S2	New hires miss assignments	5-min SLA; incremental re-eval on membership change	Assignment + Tenant
R-AG-05	Bulk assignment creates orphan windows	S2	Administrative burden	Saga + idempotent creation; cleanup job	Assignment
R-AG-06	Escalation flood (1000 managers at once)	S3	Notification DoS	Rate-limit; batch escalation; digest	Assignment + Notification
R-AG-07	AI-suggested assignments biased	S2	Unfair workload	Limited-risk; HITL; quarterly eval	Assignment + AI
R-AG-08	GDPR erasure of assigned learner	S1	Regulator	Remove compliance windows; retain aggregate audit	Assignment + Compliance
R-AG-09	SCORM-imported courseVersion mismatch	S3	Broken assignment	Validate courseVersion at activation	Assignment + Content
R-AG-10	Assignment pause race with escalation	S3	Spurious escalations	Idempotent state check; pause prevents new escalations	Assignment
R-AG-11	Timezone change mid-compliance window	S3	Due-date drift	Snapshot tz at window creation	Assignment
R-AG-12	Large assignment (50k targets) slow	S3	Admin UX	Async materialization; progress events	Assignment
R-AG-13	Assignment retention beyond GDPR	S2	Regulator	Tenant retention policy; legal hold exception	Compliance + Assignment