Risk register with assessment, treatment, and traceability to requirements
Each Risk has a title, description, category, source, lifecycle stage, priority, probability and impact (each 1–5), a computed score and a level derived from it (Low/Medium/High/Critical), a residual assessment, a treatment strategy (Avoid/Mitigate/Transfer/Accept) with plans and a contingency, a status that follows a state machine with controlled transitions, and links to requirements.

Overview
Risk–requirement links: a RiskToRequirement record links a risk to a stakeholder or system requirement with a linkType (e.g. RiskThreatsRequirement, RequirementDrivesRisk, MitigatedByRequirement) and a snapshot of the requirement at link time, stored as requirementVersionAtLink and requirementStatusAtLink.
Stale flag: a scheduled job (running about every 30 s) marks a link stale when the requirement's live version is greater than requirementVersionAtLink; the risk then gets hasStaleLinks. Users can acknowledge the link and refresh the snapshot.
State machine: allowed status transitions are validated server-side; an invalid transition is rejected with a 400 response that carries allowedTransitions. Example states: Suggested, Identified, Analyzed, TreatmentPlanned, Mitigating, Monitoring, Materialized, Closed, Rejected.
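The scoring, the server-side transition check and the stale-link job described above, as an added Python example that is not the product's own code; the transition edges and the level thresholds are assumptions, since the page gives the states and the 1–5 scales but not those values.

```python
from dataclasses import dataclass

ALLOWED_TRANSITIONS = {  # assumed edges; the page lists only the states
    "Suggested": {"Identified", "Rejected"},
    "Identified": {"Analyzed", "Rejected"},
    "Analyzed": {"TreatmentPlanned", "Rejected"},
    "TreatmentPlanned": {"Mitigating"},
    "Mitigating": {"Monitoring", "Materialized"},
    "Monitoring": {"Materialized", "Closed"},
    "Materialized": {"Mitigating", "Closed"},
    "Closed": set(),
    "Rejected": set(),
}

def risk_score(probability: int, impact: int) -> int:
    """Score = probability x impact, each on the page's 1-5 scale."""
    if not (1 <= probability <= 5 and 1 <= impact <= 5):
        raise ValueError("probability and impact must be in 1..5")
    return probability * impact

def risk_level(score: int) -> str:
    """Derive Low/Medium/High/Critical from the score (thresholds assumed)."""
    if score >= 20:
        return "Critical"
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"

def transition(current: str, target: str):
    """Server-side check: (200, new status) or (400, allowedTransitions)."""
    allowed = ALLOWED_TRANSITIONS.get(current, set())
    if target not in allowed:
        return 400, {"allowedTransitions": sorted(allowed)}
    return 200, {"status": target}

@dataclass
class RiskToRequirement:
    requirementId: str
    requirementVersionAtLink: int
    stale: bool = False

def mark_stale_links(links, live_versions):
    """Scheduled-job logic; returns the risk's hasStaleLinks value."""
    for link in links:
        if live_versions[link.requirementId] > link.requirementVersionAtLink:
            link.stale = True  # live version moved past the snapshot
    return any(link.stale for link in links)
```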
Risk review (session)
Create a review with a description, a list of riskIds and optional reviewers. A risk cannot be in two active reviews at the same time. In an active review, set a decision per risk (Not decided / Approved / Needs action, plus notes). Finalize is allowed only when every risk has a decision other than Not decided; it writes reviewStatus on the risk. Abort removes the active review.
