Care Plan Service — Service Risk Register
Status: populated
Owner: TBD
Last updated: 2026-04-18
Companion: Service Template · 03 platform-services · 02 DDD
Risk Register
| ID | Risk | Likelihood | Impact | Owner | Mitigation | Status |
|---|---|---|---|---|---|---|
| RISK-CP-001 | Clinicians unaware of version conflicts causing data loss | Medium | High | Engineering | Clear 409 error messages with diff; UX shows "plan was updated by another user" | Open |
| RISK-CP-002 | Sensitive care plans (HIV, mental health) visible to unauthorized roles | Low | Critical | Security | ABAC sensitive category scope; security test coverage; annual penetration test | Open |
| RISK-CP-003 | Outbox relay failure causes events to go undelivered for extended period | Low | High | SRE | Outbox stuck alert (15 min threshold); on-call runbook; manual replay tool | Open |
| RISK-CP-004 | Terminology service degradation causes all care plan writes to fail | Medium | Medium | Engineering | Graceful degradation mode: accept request without coding validation; alert to operator | Open |
| RISK-CP-005 | RLS policy regression after schema migration exposes cross-tenant data | Low | Critical | Engineering + Security | CI gate: tenant-isolation spec; schema migration review checklist; quarterly security audit | Open |
| RISK-CP-006 | Module growth: care plans accumulate without archival policy | Medium | Low | Product | Define archival/retention policy per tenant; add archived status in future release | Open |
| RISK-CP-007 | FHIR mapper produces non-conformant CarePlan resources breaking interop | Low | Medium | Engineering | Golden FHIR fixtures in CI; R4 StructureDefinition validation gate | Open |