Billing Service — Risk Register
Status: populated
Owner: TBD
Last updated: 2026-04-17
Companion: Service Template
1. Register
| ID | Risk | Likelihood | Impact | Owner | Mitigation |
|---|---|---|---|---|---|
| R-BILL-01 | Ledger integrity drift (balance ≠ sum(entries)) | Low | Critical | Tech lead | Append-only trigger; nightly integrity job; freeze-write switch; reversing-adjustment script |
| R-BILL-02 | Cross-tenant data leak | Low | Critical | Security | RLS enforced; mandatory tenant-isolation test; static analysis forbids raw SQL |
| R-BILL-03 | Duplicate payment posting | Medium | High | Dev | Idempotency-Key required; unique index (tenant, idempotency_key); 24 h TTL |
| R-BILL-04 | Currency / money arithmetic bug (float drift) | Low | High | Dev | Money = bigint minor_units; property-based tests; static analysis bans floats |
| R-BILL-05 | Payer remittance misposting (wrong account) | Medium | High | Dev | Match on claim_id with strict invariants; manual-review queue for unmatched |
| R-BILL-06 | PCI scope creep (card data inadvertently stored) | Low | Critical | Security | Static analysis rejects code matching card-number-like patterns; adapter token pattern only; periodic PCI audit |
| R-BILL-07 | MoPH / UAE data residency violation | Low | Critical | Compliance | Region-tagged deployment; egress allowlist; DR only to compliant regions |
| R-BILL-08 | Price list lapse causing charge capture failure | Medium | Medium | Product | 7-day expiry alert; grace fallback to retired list with visible warning |
| R-BILL-09 | Refund fraud (self-approved refunds) | Medium | High | Security | Separation-of-duties scope; dual-approval above threshold; audit review weekly |
| R-BILL-10 | Outbox relay back-pressure breaking downstream consumers | Medium | Medium | SRE | SLO alert at 30 s; relay HPA; DLQ routing |
| R-BILL-11 | Statement PDF rendering runs out of memory (OOM) on large RTL datasets | Medium | Low | Dev | Batch size cap; memory limit; fallback basic PDF |
| R-BILL-12 | Terminology dependency outage blocks charge capture | Medium | Medium | Dev | Draft charge capture allowed; post-validation queue |
| R-BILL-13 | JWT rotation without JWKS propagation | Low | High | SRE | 10-min overlap window; readiness preloads JWKS |
| R-BILL-14 | Tenant onboarding with missing currency/tax config | Medium | Medium | Product | Onboarding checklist gate; guardrail on first charge capture |
| R-BILL-15 | AI-generated CPT suggestion accepted unreviewed | Low | Medium | Product | HITL required in UI; AIProvenance audit; reject server-side if acceptedBy null |
| R-BILL-16 | Large refund triggers payment-gateway compliance hold | Low | Medium | Ops | Circuit breaker; manual workflow path; clear ops playbook |
| R-BILL-17 | GL export drift vs internal ledger | Low | High | Finance | Reconciliation report; GL batch idempotent; monthly attest |
| R-BILL-18 | Schema migration causes RLS regression | Low | Critical | Dev | Pre-prod tenant-isolation test required on every migration; revert playbook |
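The following is an added example, not part of the register or the billing service's own code. It exercises two of the database-level mitigations listed above against an in-memory SQLite database: the unique index on (tenant, idempotency_key) from R-BILL-03, which makes a replayed payment posting a no-op rather than a duplicate, and the nightly integrity check from R-BILL-01, which reports any account whose cached balance no longer equals the sum of its ledger entries. Amounts are stored as integer minor units per R-BILL-04. The table and column names (`account`, `ledger_entry`, `balance_minor`, `amount_minor`) are hypothetical; the register does not specify a schema, and SQLite has no row-level security, so the RLS control from R-BILL-02 is not shown here.

```python
"""Added example: idempotent payment posting plus a ledger integrity job.
Schema and names are assumptions; the register gives no schema."""
import sqlite3

SCHEMA = """
CREATE TABLE account (
    tenant        TEXT    NOT NULL,
    account_id    TEXT    NOT NULL,
    balance_minor INTEGER NOT NULL DEFAULT 0,  -- minor units (e.g. cents), never float
    PRIMARY KEY (tenant, account_id)
);
CREATE TABLE ledger_entry (
    entry_id        INTEGER PRIMARY KEY,
    tenant          TEXT    NOT NULL,
    account_id      TEXT    NOT NULL,
    amount_minor    INTEGER NOT NULL,
    idempotency_key TEXT    NOT NULL
);
-- R-BILL-03: at most one posting per (tenant, idempotency_key).
-- Scoping the key to the tenant also keeps one tenant's key from
-- colliding with another's.
CREATE UNIQUE INDEX ux_entry_idem ON ledger_entry (tenant, idempotency_key);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def post_payment(conn, tenant, account_id, amount_minor, idempotency_key):
    """Insert a ledger entry and update the cached balance in one transaction.

    Returns True when the posting was applied, False when the idempotency key
    was already used for this tenant (a replay); on replay nothing changes,
    because the unique-index violation rolls the whole transaction back.
    """
    if not isinstance(amount_minor, int):  # R-BILL-04: no float money
        raise TypeError("amounts must be integer minor units")
    try:
        with conn:  # commit on success, rollback on exception
            conn.execute(
                "INSERT INTO ledger_entry (tenant, account_id, amount_minor, idempotency_key)"
                " VALUES (?, ?, ?, ?)",
                (tenant, account_id, amount_minor, idempotency_key),
            )
            conn.execute(
                "INSERT INTO account (tenant, account_id, balance_minor) VALUES (?, ?, ?)"
                " ON CONFLICT(tenant, account_id)"
                " DO UPDATE SET balance_minor = balance_minor + excluded.balance_minor",
                (tenant, account_id, amount_minor),
            )
        return True
    except sqlite3.IntegrityError:
        return False


def integrity_drift(conn):
    """R-BILL-01 nightly job: accounts whose cached balance != sum(entries).

    Returns a list of (tenant, account_id, balance_minor, sum_minor) rows;
    an empty list means the ledger is consistent.
    """
    return conn.execute(
        """
        SELECT a.tenant, a.account_id, a.balance_minor,
               COALESCE(SUM(e.amount_minor), 0) AS sum_minor
        FROM account a
        LEFT JOIN ledger_entry e
               ON e.tenant = a.tenant AND e.account_id = a.account_id
        GROUP BY a.tenant, a.account_id
        HAVING a.balance_minor != COALESCE(SUM(e.amount_minor), 0)
        """
    ).fetchall()


def demo():
    """Constructed scenario: one payment, one replay, one partial refund,
    then a direct UPDATE that bypasses post_payment to simulate drift."""
    conn = open_db()
    first = post_payment(conn, "t1", "acct-1", 12_500, "key-001")   # 125.00
    replay = post_payment(conn, "t1", "acct-1", 12_500, "key-001")  # same key
    post_payment(conn, "t1", "acct-1", -2_000, "key-002")           # -20.00
    entries = conn.execute("SELECT COUNT(*) FROM ledger_entry").fetchone()[0]
    balance = conn.execute(
        "SELECT balance_minor FROM account WHERE tenant = 't1' AND account_id = 'acct-1'"
    ).fetchone()[0]
    clean = integrity_drift(conn)
    conn.execute("UPDATE account SET balance_minor = balance_minor + 1 WHERE tenant = 't1'")
    drift = integrity_drift(conn)
    return first, replay, entries, balance, clean, drift


if __name__ == "__main__":
    print(demo())
```

The replay returns False and leaves both the entry count and the balance untouched, which is the behaviour the 24 h TTL in R-BILL-03 relies on: the client can safely retry within that window. The drift query is cheap enough to run nightly; when it returns rows, the register's response is the freeze-write switch followed by a reversing adjustment, not an in-place correction of the cached balance.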
2. Risk review cadence
- Monthly — tech lead + SRE review top 5 risks, update mitigations.
- Quarterly — compliance review for residency + PCI posture.
- Post-incident — risks updated within 5 business days of an incident.