# Slice-Level Risk Register

Execution-layer artifact. Companion to ROADMAP.md. Per-slice risks with severity, impact, mitigation, and ownership.
## Severity Levels

| Level | Name | Definition |
|---|---|---|
| S1 | Critical | Could block the milestone or cause data loss / patient safety issue |
| S2 | High | Likely to cause significant delay or quality degradation |
| S3 | Medium | May cause minor delay or require workaround |
| S4 | Low | Cosmetic or minor inconvenience |
## S0 — Platform Foundation

| ID | Risk | Sev | Impact | Mitigation | Owner | Dependency |
|---|---|---|---|---|---|---|
| S0-R1 | Tenant isolation regression | S1 | Cross-tenant PHI leak; compliance violation; contract termination | Two-tenant CI suite mandatory; RLS policies on all tables; automated cross-tenant access test | Platform + Security | All services |
| S0-R2 | Keycloak configuration complexity delays IAM | S2 | All services blocked waiting for auth | Automated realm provisioning scripts; documented playbook; dedicated SRE for Keycloak | Platform + DevOps | All services |
| S0-R3 | SQLite schema freeze too early limits future features | S2 | Desktop offline features constrained | Additive-only migration strategy; version field in all tables; thorough clinical workflow analysis before freeze | Desktop | S1–S5 offline |
| S0-R4 | NATS JetStream operational immaturity | S3 | Event delivery reliability issues | Dedicated SRE spike weeks 1–2; fallback to Redis Streams documented; at-least-once delivery verified | DevOps | All events |
| S0-R5 | FHIR profile disagreements between clinical SMEs | S2 | Delayed M0 freeze; cascade to all clinical services | Clinical SME review before freeze; profile decisions documented in ADRs; WHO IPS profiles as baseline | Architecture + Clinical SME | Clinical services |
| S0-R6 | Sync protocol edge cases in conflict resolution | S1 | Data loss or incorrect patient data after offline sync | Server-authority model for clinical data; manual conflict UI for rare cases; extensive E2E testing; formal verification of key scenarios | Platform + Desktop | Offline workflows |
| S0-R7 | PHI encryption key management scheme inadequate | S1 | Compliance violation; data breach | Key hierarchy design review by security team; HSM evaluation; rotation automation | Security | All PHI storage |
| S0-R8 | Kong configuration drift between environments | S3 | Route failures in staging/prod | Kong DB-less with declarative config in git; automated config validation in CI | DevOps | All API routes |
## S1 — Core Clinical

| ID | Risk | Sev | Impact | Mitigation | Owner | Dependency |
|---|---|---|---|---|---|---|
| S1-R1 | Clinical workflow complexity underestimated | S2 | Scope creep; delayed M1 | Clinical SME embedded in team; iterative pilot feedback; MVP scope locked by sprint 2 | Clinical + Clinical SME | All clinical services |
| S1-R2 | Offline conflict resolution edge cases | S1 | Conflicting patient data after concurrent offline edits | Server-authority for clinical data; LWW for demographics; manual conflict resolution UI; conflict audit trail | Desktop + Platform | Sync engine |
| S1-R3 | Drug safety database licensing cost/availability | S2 | Medication safety checks limited | RxNorm (free) as baseline; commercial DB (First Databank, Medi-Span) as optional add-on; AI fallback for basic checks | Clinical + AI | Medication management |
| S1-R4 | RTL layout bugs in clinical forms | S3 | Poor UX for Dari/Pashto/Arabic users | RTL testing suite in CI; Dari/Pashto test data fixtures; dedicated RTL testing sprint | QA + Desktop | All UIs |
| S1-R5 | Pilot clinic connectivity worse than expected | S2 | Sync failures; data loss; poor user experience | Pre-deployment connectivity audit per site; sync tuning (batch size, retry intervals); offline-first everything | Ops + Desktop | Pilot deployment |
| S1-R6 | Patient duplicate detection accuracy | S3 | False positives block registration; false negatives create duplicates | Probabilistic matching with configurable thresholds; manual merge workflow; phonetic matching for Dari/Pashto names | Clinical | Registration |
| S1-R7 | AI note suggestion quality insufficient for clinical use | S3 | Clinicians ignore AI features; wasted investment | Prompt engineering with clinical SME; A/B testing; provenance tag for user confidence; opt-out per clinician | AI + Clinical SME | Clinical notes |
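The conflict policy named in S0-R6 and S1-R2 (server authority for clinical data, last-writer-wins for demographics, manual resolution for the rest, every discarded edit logged) as an added illustration; this is not the project's sync engine, and the resource kinds, field names and tie-breaking rule are assumptions.

```python
"""Offline sync conflict policy: server-authority for clinical resources,
last-writer-wins (LWW) for demographics, manual review otherwise.
Added illustration, not project code; resource kinds and field names are
assumptions."""
from dataclasses import dataclass, field
from datetime import datetime
from enum import Enum


class Kind(Enum):
    CLINICAL = "clinical"        # observations, orders, notes: server wins
    DEMOGRAPHIC = "demographic"  # name, phone, address: last writer wins


@dataclass
class Version:
    kind: Kind
    data: dict
    updated_at: datetime        # timezone-aware
    author: str


@dataclass
class Outcome:
    winner: dict
    rule: str                   # no-conflict | server-authority | lww | manual
    audit: list = field(default_factory=list)


def resolve(server: Version, client: Version) -> Outcome:
    # Identical content is not a conflict, whatever the timestamps say.
    if server.data == client.data:
        return Outcome(server.data, "no-conflict")
    entry = {"kind": server.kind.value, "server_by": server.author,
             "client_by": client.author,
             "server_at": server.updated_at.isoformat(),
             "client_at": client.updated_at.isoformat()}
    if server.kind is Kind.CLINICAL:
        # Server copy is authoritative; the rejected offline edit goes to the
        # audit trail instead of being silently lost.
        entry.update(rule="server-authority", discarded=client.data)
        return Outcome(server.data, "server-authority", [entry])
    # Demographics: LWW on timestamp. An exact tie is handed to the manual
    # conflict UI (server copy retained meanwhile) rather than picked at random.
    if client.updated_at == server.updated_at:
        entry.update(rule="manual")
        return Outcome(server.data, "manual", [entry])
    winner, loser = ((client, server) if client.updated_at > server.updated_at
                     else (server, client))
    entry.update(rule="lww", discarded=loser.data)
    return Outcome(winner.data, "lww", [entry])
```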
## S2 — Orders & Diagnostics Entry

| ID | Risk | Sev | Impact | Mitigation | Owner | Dependency |
|---|---|---|---|---|---|---|
| S2-R1 | Order safety check completeness | S1 | Missed drug interactions or duplicate orders; patient safety risk | Phased rollout: basic checks M2, full CDS M3–M4; clinical validation of rule set; override with documentation | Clinical + Clinical SME | Orders-CPOE |
| S2-R2 | Billing localization complexity (AFN/AED/tax) | S2 | Billing errors; revenue recognition issues | Multi-currency from day one; tax rules configurable per tenant; financial audit before M2 launch | Finance | Billing |
| S2-R3 | Results integration with external lab systems | S2 | Manual result entry until integration complete | FHIR DiagnosticReport as canonical; HL7v2 adapter for legacy labs; manual entry as fallback | Diagnostics + Interop | Results |
| S2-R4 | Offline order safety with stale reference data | S1 | Safety check based on outdated drug/allergy data | Timestamp-aware checks; warning UI for stale data (>24h); force-refresh before safety-critical orders | Desktop + Clinical | Offline orders |
| S2-R5 | Terminology service performance under load | S3 | Slow code lookups; poor clinician UX | Elasticsearch indexing; client-side caching; pre-loaded common codes; lazy loading of rare codes | Platform | All clinical services |
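The timestamp-aware check from S2-R4, as an added example rather than project code: stale reference data (older than the register's 24h threshold) only warns on routine orders but blocks a safety-critical order until a refresh; the snapshot layout and the drug-to-allergen mapping are assumptions, and the sample data is constructed.

```python
"""Timestamp-aware order safety check against possibly stale offline
reference data. Added illustration, not project code; snapshot structure and
the drug->allergen mapping are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta

STALE_AFTER = timedelta(hours=24)   # warning threshold named in the register


@dataclass
class ReferenceSnapshot:
    name: str                # e.g. "drug-allergens"
    synced_at: datetime      # last successful refresh from the server (aware)
    entries: dict            # drug -> set of allergen classes (constructed)


@dataclass
class Verdict:
    allowed: bool
    warnings: list


def check_order(drug: str, allergies: set, snapshots: dict,
                safety_critical: bool, now: datetime) -> Verdict:
    warnings = []
    stale = [s.name for s in snapshots.values() if now - s.synced_at > STALE_AFTER]
    for name in stale:
        age_h = (now - snapshots[name].synced_at) / timedelta(hours=1)
        warnings.append(f"{name} reference data is {age_h:.0f}h old")
    if safety_critical and stale:
        # Never evaluate a safety-critical order against data known to be
        # outdated: force a refresh first instead of guessing.
        return Verdict(False, warnings + ["refresh required before ordering"])
    # Routine orders proceed on stale data, but the warning stays attached
    # so the clinician sees what the check was based on.
    allergens = snapshots["drug-allergens"].entries.get(drug, set())
    hits = sorted(allergens & allergies)
    if hits:
        warnings.append(f"{drug} conflicts with allergy: {', '.join(hits)}")
    return Verdict(not hits, warnings)
```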
## S3 — Integrated Care

| ID | Risk | Sev | Impact | Mitigation | Owner | Dependency |
|---|---|---|---|---|---|---|
| S3-R1 | LIS instrument integration diversity | S2 | Each lab instrument requires custom adapter | Standard ASTM/HL7 interface; adapter SDK for custom instruments; partner with instrument vendors; start with 3 common instruments | Diagnostics | LIS |
| S3-R2 | E-prescribing national spine not ready | S1 | E-prescribing gateway cannot connect to live spine | Mock spine for development; parallel track with MoPH; degrade gracefully to PDF prescriptions | Interop + Pharmacy | E-prescribing |
| S3-R3 | Patient portal consent model complexity | S2 | Over-sharing or under-sharing patient data | Default-deny for sensitive categories; consent categories defined with legal review; granular opt-in UI | Engagement + Legal | Patient portal |
| S3-R4 | Virtual care (Jitsi) reliability in low-bandwidth | S3 | Video calls drop frequently | Jitsi self-hosted with bandwidth adaptation; audio-only fallback; video optional for M3; WebRTC stats monitoring | Engagement | Digital communication |
| S3-R5 | Insurance eligibility API availability (Afghanistan) | S2 | No real-time eligibility check | Manual eligibility entry as fallback; async eligibility batch check; partnership with major insurers | Finance | Insurance |
| S3-R6 | Pharmacy dispensing workflow correctness | S1 | Wrong medication dispensed; patient safety | Barcode verification; double-check workflow; dispensing event audit; clinical SME validation | Pharmacy + Clinical SME | Pharmacy |
## S4 — Full Platform

| ID | Risk | Sev | Impact | Mitigation | Owner | Dependency |
|---|---|---|---|---|---|---|
| S4-R1 | DICOM integration complexity and storage costs | S2 | Slow PACS rollout; high storage costs | DICOM/DICOMweb standard compliance; tiered storage (hot/warm/cold); compression; cloud object storage for images | Diagnostics + DevOps | PACS |
| S4-R2 | Claims submission format varies by payer | S2 | Per-payer adapter work | Standard claim envelope with payer-specific adapters; start with 2–3 major payers; EDI 837 as baseline | Finance | Claims |
| S4-R3 | Population health data quality from upstream services | S2 | Inaccurate quality metrics; misleading HMIS reports | Data quality rules at ingestion; validation dashboards; data steward role; reconciliation with source systems | PopHealth | All clinical services |
| S4-R4 | HL7v2 adapter edge cases from legacy systems | S3 | Integration failures with specific legacy EHRs | HL7v2 message validation; comprehensive test harness; per-partner adapter testing; graceful rejection with error details | Interop | HL7v2 interop |
| S4-R5 | Local ONNX model quality insufficient for clinical use | S3 | Offline AI features unreliable; clinician distrust | Model evaluation pipeline; clinical validation; fallback to "AI unavailable" rather than bad suggestions; A/B testing | AI + Clinical SME | AI orchestrator |
| S4-R6 | GA readiness across 40+ services | S2 | Delayed GA; partial feature gaps | Service readiness matrix tracking; weekly GA readiness reviews; clear L3/L4 criteria; exception process | Architecture + All teams | GA milestone |
## S5 — National Scale

| ID | Risk | Sev | Impact | Mitigation | Owner | Dependency |
|---|---|---|---|---|---|---|
| S5-R1 | Multi-region data residency compliance | S1 | Legal/regulatory violation | Region-aware tenant provisioning; data routing rules; legal review per region; compliance audit before deployment | DevOps + Legal | Multi-region |
| S5-R2 | Mobile app security in untrusted environments | S2 | PHI exposure on lost/stolen devices | Device encryption; biometric auth; remote wipe; certificate pinning; jailbreak detection | Mobile + Security | Mobile app |
| S5-R3 | SMART on FHIR third-party app quality | S3 | Bad third-party apps damage platform reputation | App review process; sandboxed scopes; rate limiting per app; usage monitoring | Interop | SMART on FHIR |
| S5-R4 | National HMIS indicator mapping accuracy | S2 | Incorrect national reports; government trust erosion | Mapping validated with MoPH; indicator catalog version controlled; automated reconciliation | PopHealth + Clinical SME | HMIS |
| S5-R5 | Scale testing across 40+ services | S2 | Performance degradation at national scale | Load testing at 10x expected volume; horizontal scaling verified; degradation plans per service | DevOps + QA | All services |
## Cross-Cutting Risks

| ID | Risk | Sev | Impact | Mitigation | Owner | Dependency |
|---|---|---|---|---|---|---|
| CC-R1 | Developer hiring timeline | S2 | Understaffed teams; delayed milestones | Early hiring pipeline; competitive compensation; remote-first to expand talent pool; contractor bridge | HR + VP Eng | All milestones |
| CC-R2 | Clinical SME availability | S2 | Workflow decisions without clinical validation | Embedded SME from M0; clinical advisory board; partnership with teaching hospital | Product + Clinical SME | All clinical features |
| CC-R3 | Regulatory changes (Afghanistan/UAE health IT) | S3 | Rework to meet new regulations | Regulatory monitoring; modular compliance; configurable rules engine; legal review quarterly | Legal + Product | All milestones |
| CC-R4 | Open-source dependency vulnerabilities | S2 | Security patches on critical path | Automated dependency scanning (Snyk/Dependabot); patch SLA (critical: 24h, high: 1 week) | Security + DevOps | All services |
| CC-R5 | AI provider API changes or pricing | S3 | AI features break or become too expensive | Provider abstraction layer; multi-provider support; local ONNX fallback; budget alerts | AI | AI orchestrator |