| RISK-CHART-01 | Five-module consolidation data migration corrupts clinical records | Low | Critical | CRITICAL | Platform Eng Lead | Migration is idempotent; prod snapshot taken immediately before; dry-run validated in staging; row-count reconciliation post-run | Very low |
| RISK-CHART-02 | Cross-tenant patient data leak via RLS misconfiguration | Low | Critical | CRITICAL | DBA + Security Lead | Mandatory tenant-isolation.spec.ts in CI; RLS on all tables; tenant from JWT only; CRITICAL gate 4 | Very low |
| RISK-CHART-03 | Signed clinical note mutated after signing | Very Low | Critical | CRITICAL | Tech Lead | CHART_NOTE_SIGNED_IMMUTABLE domain error; integration test; addendum-only pattern post-sign | Very low |
| RISK-CHART-04 | NKA rule bypassed — substance allergy added while NKA active | Low | High | HIGH | Tech Lead | Domain invariant in Allergy aggregate; integration test for NKA conflict; CHART_NKA_CONFLICT error | Low |
| RISK-CHART-05 | AI-assist content inserted into note without NoteAIProvenance | Low | High | HIGH | Tech Lead | AcceptAIChunkCommand rejects without provenanceId; CHART_AI_PROVENANCE_MISSING error; integration test | Low |
| RISK-CHART-06 | Allergy advisory failure causes medication safety risk | Medium | High | HIGH | SRE + Clinical Informatics | Advisory is fail-open (callers are responsible); alert on advisory error rate; circuit breaker on advisory endpoint | Medium — callers must implement fail-open correctly |
| RISK-CHART-07 | Break-glass without reason allows unauthorized chart access | Very Low | Critical | CRITICAL | Tech Lead | Domain layer enforces CHART_BREAKGLASS_REASON_MISSING; all break-glass events audited; no override | Very low |
| RISK-CHART-08 | Vitals hard-stop range validation over-blocks legitimate values | Medium | Medium | MEDIUM | Clinical Informatics | Policy is warn by default; reject requires facility-level config; configurable ranges per facility | Low |
| RISK-CHART-09 | Single-service outage impacts all five clinical areas | Low | High | HIGH | SRE | ≥ 3 replicas; pod disruption budget minAvailable=2; multi-AZ scheduling; HPA; fast pod restart | Low |
| RISK-CHART-10 | Legacy subject deprecation breaks downstream consumer (medication-service) | Medium | High | HIGH | Platform Eng | Dual-publish throughout M0→M1; consumer cutover confirmed before legacy deprecation; alert on legacy consumer lag | Low |
| RISK-CHART-11 | Sensitive-segment policy not enforced for mental-health records | Low | Critical | CRITICAL | Security Lead | Sensitive-segment check in InvokeBreakGlass and read use cases; CHART_SENSITIVE_NOT_AUTHORIZED error; audit event | Very low |
| RISK-CHART-12 | Cosign policy bypassed for resident notes | Low | High | HIGH | Clinical Informatics | CHART_NOTE_COSIGN_REQUIRED enforced in domain; pending_cosign sub-state; test coverage | Low |
| RISK-CHART-13 | Terminology-service unavailability prevents problem/allergy coding | Medium | Medium | MEDIUM | SRE | Fail-open: codingPending=true; retry on next edit; terminology-service has its own availability SLO | Low |
| RISK-CHART-14 | Chart summary fan-out calls cause P95 latency degradation | Medium | Medium | MEDIUM | SRE | Per-dependency circuit breaker; partial summary on dependency failure; async pre-fetch for known patients | Medium |
| RISK-CHART-15 | Outbox relay fails silently, downstream consumers miss events | Low | High | HIGH | SRE | ChartOutboxLag alert; NATS JetStream at-least-once; outbox relay monitored; alert at > 100 unpublished rows | Low |