Medication Service — Risk Register
Status: populated Owner: TBD Last updated: 2026-04-17 Companion: Service Template
1. Risks
| ID | Risk | Likelihood | Impact | Mitigation | Owner |
|---|---|---|---|---|---|
| MED-R-001 | Drug KB vendor lock-in or cost spike | Medium | High | Port abstraction + fallback to WHO EML + tenant formulary | tech lead |
| MED-R-002 | Controlled-substance audit gap (regulator exposure) | Low | Critical | 10y retention, disclosure-accounting export, periodic sampling review | compliance |
| MED-R-003 | Inventory data integrity (negative stock) | Low | High | DB CHECK constraint + transactional decrement + p1 alert on negative | SRE |
| MED-R-004 | Alert fatigue — clinicians override without reading | High | Medium | Periodic review cadence of override rates; rule tuning; AI explainer (HITL) | clinical governance |
| MED-R-005 | Offline dispense creating stock conflicts at scale | Medium | Medium | Idempotency + tentative reservation + sync-time conflict resolution UI | pharmacy lead |
| MED-R-006 | Gateway outage interrupting cross-tenant Rx | Medium | High | Outbox retention + manual replay; local queue survives 24h | SRE + platform |
| MED-R-007 | FHIR profile drift vs pinned IGs causing validation failures | Medium | Medium | Contract tests + pinned IG bundle + profile version per tenant | interop lead |
| MED-R-008 | Terminology lag (new RxNorm release) | Low | Medium | Scheduled terminology sync; allow free-text fallback | terminology owner |
| MED-R-009 | Legacy event subjects (MEDICATION.*, PHARMACY.*) left in prod after cut-over | Medium | Low | Dual-publish window + scheduled retirement communication | tech lead |
| MED-R-010 | MoPH controlled-substance reporting format changes | Medium | High | Adapter-based export; test against MoPH sample file monthly | compliance |
| MED-R-011 | Large tenant with > 20M dispensing_events per year | Low | Medium | Monthly partitioning scheme (see DATA_MODEL §5); archive to cold storage | DBA |
| MED-R-012 | Pharmacist staffing gap for counter-sign on nights | Medium | Medium | Tenant-level rota policy; supervisor escalation; audit backlog dashboard | operations |
| MED-R-013 | AI sig parse proposing wrong structure accepted by busy prescriber | Low | High | HITL required confirmation; no auto-save; override audit | clinical governance |
| MED-R-014 | Pharmacy portal offline cache exposes PHI on stolen device | Low | Critical | Device-bound encryption, short revocation window, remote wipe on report | security |