Risk assessment
Product/release risk register with likelihood, impact, and mitigation per risk.
Risk Assessment — Product Name / Release
Version: 1.0 Author: Name Date: YYYY-MM-DD Release: v0.0 Review date: YYYY-MM-DD
Overview
Brief description of what is being released and the context for this risk assessment.
Risk Scoring Guide
| Likelihood | Definition |
|---|---|
| High | Very likely to occur; has occurred in similar contexts before |
| Medium | Could occur; some precedent or contributing factors present |
| Low | Unlikely; no known contributing factors |
| Impact | Definition |
|---|---|
| High | Significant user impact, data loss, regulatory exposure, or revenue loss |
| Medium | Degraded experience, workaround available, or limited user group affected |
| Low | Cosmetic or minor inconvenience; easily recoverable |
Risk score = Likelihood × Impact
| Score | Level | Action |
|---|---|---|
| High × High | Critical | Block release until mitigated |
| High × Medium or Medium × High | High | Active mitigation required before release |
| Medium × Medium, High × Low, Low × High, Medium × Low, or Low × Medium | Medium | Monitor and have contingency plan |
| Low × Low | Low | Accept or defer |
Likelihood is listed first in each pair. A Low-likelihood risk with High or Medium impact is still scored Medium, so it is monitored and has a contingency plan rather than being accepted by default.
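As an added example that is not part of this template or of any assessment on this page, the following Python script applies the scoring matrix above to a risk register written in this page's table format: it recomputes each row's score from likelihood and impact, flags rows whose stated score disagrees with the matrix, and reports whether any Critical or High risk is still Open or Accepted, which the guide treats as a release blocker. The register it parses is constructed for the example and the owner names in it are placeholders.

```python
"""Release-gate check for a risk register in the markdown table format used above.

Added example; the register below is constructed, not taken from a real release.
"""

# Accept H/M/L abbreviations as well as the full words used in the guide.
LEVEL_NAMES = {"H": "High", "M": "Medium", "L": "Low",
               "HIGH": "High", "MEDIUM": "Medium", "LOW": "Low"}

# Scoring matrix keyed by (likelihood, impact), as in the scoring guide.
SCORE_MATRIX = {
    ("High", "High"): "Critical",
    ("High", "Medium"): "High",
    ("Medium", "High"): "High",
    ("Medium", "Medium"): "Medium",
    ("High", "Low"): "Medium",
    ("Low", "High"): "Medium",
    ("Medium", "Low"): "Medium",
    ("Low", "Medium"): "Medium",
    ("Low", "Low"): "Low",
}

REGISTER_COLUMNS = ["id", "risk", "category", "likelihood", "impact",
                    "score", "mitigation", "owner", "status"]


def normalise_level(value):
    """Map 'H', 'high', 'High' etc. to the canonical level name."""
    key = value.strip().upper()
    if key not in LEVEL_NAMES:
        raise ValueError(f"unknown likelihood/impact level: {value!r}")
    return LEVEL_NAMES[key]


def score(likelihood, impact):
    """Risk score = Likelihood x Impact, looked up in SCORE_MATRIX."""
    return SCORE_MATRIX[(normalise_level(likelihood), normalise_level(impact))]


def parse_register(markdown):
    """Parse the register table into dicts keyed by REGISTER_COLUMNS.

    Cell text must not itself contain '|'; header and separator rows are skipped.
    """
    rows = []
    for line in markdown.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if cells[0].lower() == "id" or set(cells[0]) <= {"-", ":"}:
            continue  # header or |---| separator row
        if len(cells) != len(REGISTER_COLUMNS):
            raise ValueError(f"row {cells[0]!r} has {len(cells)} cells, "
                             f"expected {len(REGISTER_COLUMNS)}")
        rows.append(dict(zip(REGISTER_COLUMNS, cells)))
    return rows


def check_register(rows):
    """Return (findings, release_blocked) for a parsed register.

    A finding is recorded when the stated score disagrees with the matrix,
    when a Critical/High risk is not Mitigated (release blocker), or when a
    Medium risk has no mitigation/contingency recorded.
    """
    findings = []
    blocked = False
    for row in rows:
        expected = score(row["likelihood"], row["impact"])
        if row["score"] != expected:
            findings.append(f"{row['id']}: stated score {row['score']} "
                            f"but matrix gives {expected}")
        mitigated = row["status"].strip().lower() == "mitigated"
        if expected == "Critical" and not mitigated:
            findings.append(f"{row['id']}: Critical risk is {row['status']}; "
                            "release blocked until mitigated")
            blocked = True
        elif expected == "High" and not mitigated:
            findings.append(f"{row['id']}: High risk is {row['status']}; "
                            "active mitigation required before release")
            blocked = True
        elif expected == "Medium" and not row["mitigation"]:
            findings.append(f"{row['id']}: Medium risk has no contingency plan")
    return findings, blocked


# Constructed sample register (placeholder owners); R03 deliberately states
# the wrong score so the check has something to catch.
SAMPLE_REGISTER = """
| ID | Risk | Category | Likelihood | Impact | Score | Mitigation | Owner | Status |
|---|---|---|---|---|---|---|---|---|
| R01 | Provider returns undocumented error codes in production | External | Medium | High | High | Log callback errors; fallback messaging for 4xx/5xx; Day 1 alert | A. Owner | Mitigated |
| R02 | PIN fallback not verified on one device family | Technical | High | Medium | High | Device lab run scheduled | B. Owner | Open |
| R03 | Campaign traffic exceeds tested load on callback endpoint | Business | Low | High | Low | Auto-scaling; latency alert | C. Owner | Mitigated |
| R04 | Long bank names truncated in notification titles | Technical | Low | Low | Low | Fix in next sprint | D. Owner | Accepted |
"""

if __name__ == "__main__":
    found, is_blocked = check_register(parse_register(SAMPLE_REGISTER))
    print("\n".join(found) or "no findings")
    print("RELEASE BLOCKED" if is_blocked else "release may proceed")
```

Run it against the real register before sign-off; the parser is strict about the nine-column layout, so a row with a missing Category column (a common copy-and-paste slip in the template below) is reported rather than silently mis-scored.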
Risk Register
| ID | Risk | Category | Likelihood | Impact | Score | Mitigation | Owner | Status |
|---|---|---|---|---|---|---|---|---|
| R01 | Risk description | Technical / Process / Business / External | H / M / L | H / M / L | Score | Mitigation action | Name | Open / Mitigated / Accepted |
| R02 | Risk description | Category | H / M / L | H / M / L | Score | Mitigation action | Name | Status |
| R03 | Risk description | Category | H / M / L | H / M / L | Score | Mitigation action | Name | Status |
| R04 | Risk description | Category | H / M / L | H / M / L | Score | Mitigation action | Name | Status |
| R05 | Risk description | Category | H / M / L | H / M / L | Score | Mitigation action | Name | Status |
Residual Risks Accepted for Release
List any remaining risks that have been accepted rather than fully mitigated, with the business justification.
| ID | Risk | Accepted by | Reason |
|---|---|---|---|
| RXX | Risk | Name / Role | Justification |
Risk Review History
| Date | Reviewer | Changes Made |
|---|---|---|
| Date | Name | Initial version |
Risk Assessment — Novu Bank Mobile App v3.2
Version: 1.1 Author: Priya Mehta Date: 2024-03-08 Release: v3.2.0 Review date: 2024-03-13
Overview
This risk assessment covers the v3.2.0 release of the Novu Bank Mobile App, which introduces Open Banking integration with three external providers, biometric re-authentication for high-value transfers, and a redesigned notifications centre. The most significant risk area is the Open Banking integration, which involves external dependencies and new OAuth consent flows not previously tested in production.
Risk Scoring Guide
| Likelihood | Definition |
|---|---|
| High | Very likely to occur; has occurred in similar contexts before |
| Medium | Could occur; some precedent or contributing factors present |
| Low | Unlikely; no known contributing factors |
| Impact | Definition |
|---|---|
| High | Significant user impact, data loss, regulatory exposure, or revenue loss |
| Medium | Degraded experience, workaround available, or limited user group affected |
| Low | Cosmetic or minor inconvenience; easily recoverable |
Risk Register
| ID | Risk | Category | Likelihood | Impact | Score | Mitigation | Owner | Status |
|---|---|---|---|---|---|---|---|---|
| R01 | Open Banking provider returns unexpected error codes in production that were not replicated in the sandbox, causing silent failures in the consent flow | External | Medium | High | High | Implement comprehensive error logging on the consent callback handler; define fallback messaging for all 4xx/5xx provider error codes; monitor error rates on Day 1 via Datadog alert | Ayo Adeyemi | Mitigated |
| R02 | Biometric re-auth prompt fails to appear on a subset of Android 14 devices due to fragmentation in the BiometricManager API implementation | Technical | Medium | Medium | Medium | Tested on Pixel 7 and Samsung S24; added graceful fallback to PIN entry if biometric unavailable; alert monitoring on biometric-failure event | Dev Patel | Mitigated |
| R03 | Open Banking sandbox instability during sprint causes insufficient test coverage of provider-specific flows | Process | Medium | High | High | Worked with Platform team to rate-limit sandbox; fallback test scripts using mocked provider responses; NOVU-2041 and NOVU-2042 caught and fixed before release | Priya Mehta | Mitigated |
| R04 | User mid-redirect bank session expiry scenario has no defined behaviour in the spec, leaving a potential edge case untested | Technical | Low | Medium | Medium | Agreed with product to document expected behaviour in Sprint 25; on-call runbook updated with manual recovery steps; monitoring on consent-session-expired events | Ayo Adeyemi | Accepted |
| R05 | Four Appium regression tests quarantined as flaky, leaving a gap in automated coverage of the biometric re-auth iOS flows | Technical | Low | Low | Low | Flaky tests identified as infrastructure-related (simulator timing), not feature regressions; manual execution on real device confirmed no feature issues; root cause investigation in Sprint 25 | Dev Patel | Accepted |
| R06 | Open Banking marketing campaign drives a spike in first-time connection attempts, stressing the consent callback endpoint beyond the tested load | Business | Low | High | Medium | Performance test confirmed P95 latency of 187ms at 200 concurrent users; auto-scaling configured; Datadog alert on latency > 300ms | Dev Patel | Mitigated |
Residual Risks Accepted for Release
| ID | Risk | Accepted by | Reason |
|---|---|---|---|
| R04 | Mid-redirect bank session expiry behaviour undefined and untested | Clara Whitfield (PO) | Low likelihood; manual runbook in place; behaviour will be fully specified and tested in Sprint 25 before further Open Banking marketing |
| R05 | Four Appium regression tests quarantined | James Morley (Eng. Manager) | Manual device testing confirms no feature issue; tests fail due to simulator timing, not production code; root cause deferred to Sprint 25 |
Risk Review History
| Date | Reviewer | Changes Made |
|---|---|---|
| 2024-03-01 | Priya Mehta | Initial version — 5 risks identified |
| 2024-03-08 | Priya Mehta | Added R06 (load spike) after marketing confirmed campaign scope. R01 and R03 partially mitigated after sandbox stabilisation. |
| 2024-03-13 | Priya Mehta | R01, R02, R03 updated to Mitigated after NOVU-2041 and NOVU-2042 resolved and verified. R04 and R05 accepted for release. |