Risk Register
Risk Register: Bilko
Project: Bilko — Balkan Accounting SaaS
Version: 0.1
Date: 2026-02-23
Author: John (AI Director)
Status: Draft
Reviewers: Alem Bašić (CEO)
Document History
| Version | Date | Author | Changes |
|---|---|---|---|
| 0.1 | 2026-02-23 | John (AI Director) | Initial draft — Phase 1 risk identification |
1. Risk Identification Methodology
Identification Methods Used:
Initial Risk Assessment Date: 2026-02-23
Next Scheduled Review: 2026-03-07 (after backend sprint 1)
Risk Owner: John (AI Director)
2. Risk Categories
| Category | Description | Common Examples |
|---|---|---|
| Technical | Technology failures, integration issues, performance, security | SEF API changes, infrastructure limits, unknown complexity |
| Resource | Team availability, skill gaps, capacity constraints | Agent performance degradation, context window limits |
| Client | Client-side decisions, availability, requirement volatility | Alem priority shift, regulatory guidance unavailable |
| External | Third-party dependencies, regulatory changes, market shifts | SEF API deprecation, Pantheon price war, BiH e-invoice delay |
| Financial | Budget overruns, cost estimates, currency exposure | Underestimated backend complexity, RSD/EUR volatility |
| Timeline | Schedule risks, deadline pressure, estimation errors | SEF integration longer than planned, beta feedback volume |
| Quality | Defect rate, technical debt, process failures | Mock data not fully replaced, double-entry logic bugs |
| Organizational | Internal politics, process changes, leadership decisions | ALAI Serbia entity registration delays, strategic pivot |
3. Risk Probability & Impact Scale
3.1 Probability Scale
| Level | Score | Definition | Example |
|---|---|---|---|
| Very Low | 1 | < 10% chance — rare, theoretical | Unknown-unknown |
| Low | 2 | 10–30% chance — unlikely but possible | Historical precedent rare |
| Medium | 3 | 30–50% chance — may occur | Has happened on similar projects |
| High | 4 | 50–70% chance — likely to occur | Happens regularly |
| Very High | 5 | > 70% chance — almost certain | Happened before on this type |
3.2 Impact Scale
| Level | Score | Schedule Impact | Budget Impact | Quality Impact |
|---|---|---|---|---|
| Negligible | 1 | < 1 day | < 1% | Minor fix needed |
| Minor | 2 | 1–3 days | 1–5% | Some rework needed |
| Moderate | 3 | 3–7 days | 5–10% | Significant rework |
| Major | 4 | 1–2 weeks | 10–20% | Deliverable at risk |
| Critical | 5 | > 2 weeks | > 20% | Project failure risk |
3.3 Risk Matrix (Probability × Impact)
                IMPACT →
           1(Neg)  2(Min)  3(Mod)  4(Maj)  5(Crit)
P  5(VH) |   5   |  10   |  15   |  20   |  25   |  ← CRITICAL ZONE (≥15)
R  4(H)  |   4   |   8   |  12   |  16   |  20   |
O  3(M)  |   3   |   6   |   9   |  12   |  15   |
B  2(L)  |   2   |   4   |   6   |   8   |  10   |  ← MEDIUM ZONE (5-14)
↑  1(VL) |   1   |   2   |   3   |   4   |   5   |  ← LOW ZONE (≤4)
| Score | Risk Level | Response Required | Escalation |
|---|---|---|---|
| 1–4 | LOW | Monitor; review monthly | John awareness |
| 5–9 | MEDIUM | Active mitigation plan required | John |
| 10–14 | HIGH | Immediate action + weekly review | John + Alem |
| 15–25 | CRITICAL | Emergency response; may stop project | John + Alem |
4. Risk Appetite Statement
Overall Risk Appetite: Medium
| Risk Category | Appetite | Rationale |
|---|---|---|
| Technical | Medium | Known stack (Next.js/Express/PostgreSQL); SEF integration is novel but researched |
| Financial | Low | €17K ceiling is fixed; overruns require CEO approval |
| Quality | Low | Accounting software errors have direct financial/legal consequences for users |
| Timeline | Medium | May 2026 launch preferred but not contractually bound |
| Security | Very Low | Financial data; GDPR-adjacent; zero tolerance for breaches |
| Regulatory | Very Low | SEF non-compliance means users face fines; must be correct |
Maximum Acceptable Risk Exposure: Score ≤ 9 without escalation to Alem.
Escalation Threshold: Any risk scoring ≥ 10 must be reported to Alem within 24 hours.
5. Active Risk Register
| ID | Risk Description | Category | Prob (1-5) | Impact (1-5) | Score | Response Strategy | Owner | Trigger Indicators | Status | Date Identified | Review Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| R-001 | SEF API changes breaking interface between development and launch | External | 3 | 4 | 12 | Mitigate | John | SEF changelog; API versioning notice from APR | Open | 2026-02-23 | 2026-03-07 |
| R-002 | Serbian tax authority mandates software certification for SEF integration | External | 2 | 5 | 10 | Mitigate | Alem + Asmir | Official gazette announcements; APR bulletins | Open | 2026-02-23 | 2026-03-07 |
| R-003 | Backend complexity underestimated — 50 endpoints take >4 weeks | Technical | 3 | 3 | 9 | Mitigate | John | Sprint 1 velocity below 20 endpoints/week | Open | 2026-02-23 | 2026-03-07 |
| R-004 | Double-entry accounting logic bugs in transaction engine | Quality | 3 | 5 | 15 | Mitigate | John | Balance sheet doesn't balance in test data; debit ≠ credit | Open | 2026-02-23 | 2026-03-07 |
| R-005 | RSD/BAM exchange rate API unavailable or unreliable | External | 2 | 3 | 6 | Mitigate | Tech Lead | API timeout errors; stale rates in production | Open | 2026-02-23 | 2026-03-07 |
| R-006 | ALAI Tech d.o.o. Serbia registration delayed beyond launch date | Organizational | 3 | 4 | 12 | Mitigate | Alem | No progress update on registration by 2026-04-01 | Open | 2026-02-23 | 2026-04-01 |
| R-007 | Mock data not fully replaced before beta — beta testers see dummy data | Quality | 4 | 3 | 12 | Mitigate | John | Mock-data.ts still imported in any production component | Open | 2026-02-23 | 2026-03-14 |
| R-008 | Pantheon launches competitive cloud product undercutting Bilko's positioning | External | 2 | 3 | 6 | Accept | John | Pantheon product announcements; press releases | Open | 2026-02-23 | 2026-06-01 |
| R-009 | Beta testers find critical UX issues requiring major redesign | Quality | 3 | 3 | 9 | Mitigate | John | > 3 beta testers independently report same confusion point | Open | 2026-02-23 | 2026-04-21 |
| R-010 | Currency volatility (RSD/EUR) affects pricing model attractiveness | Financial | 3 | 2 | 6 | Accept | Alem | RSD depreciation > 10% vs EUR in 3 months | Open | 2026-02-23 | 2026-05-01 |
| R-011 | BiH e-invoice specs (CPF) released earlier than 2027, requiring faster expansion | External | 2 | 2 | 4 | Monitor | John | CPF official announcement | Open | 2026-02-23 | 2026-06-01 |
| R-012 | PostgreSQL performance under load — N+1 queries in report generation | Technical | 3 | 3 | 9 | Mitigate | Tech Lead | Slow query logs; report generation > 2s in load test | Open | 2026-02-23 | 2026-03-28 |
6. Risk Response Strategies
| Risk ID | Strategy | Response Actions | Contingency Plan | Resources Required |
|---|---|---|---|---|
| R-001 | Mitigate | 1. Abstract SEF calls behind SefService interface; 2. Pin to tested API version; 3. Monitor APR changelog weekly | Roll back to previous SEF API version; manual invoice submission as temporary workaround | Tech Lead: 1 day for abstraction layer |
| R-002 | Mitigate + Monitor | 1. Asmir monitors official gazette; 2. John follows APR developer portal; 3. Legal review before launch | Delay Serbia launch until certification obtained; Croatia launch moved up | Asmir: 2h/week monitoring |
| R-003 | Mitigate | 1. Break backend into 5-endpoint weekly sprints; 2. Daily progress check at 10-endpoint milestones; 3. Scope reduction lever (defer banking module) | Reduce Phase 1 scope to 40 core endpoints; banking deferred to Phase 1.1 | John: daily sprint monitoring |
| R-004 | Mitigate | 1. Write comprehensive double-entry unit tests before any feature; 2. Balance sheet validation test in CI; 3. Code review by John on all Transaction model changes | Manual audit by qualified accountant (Asmir's team) before launch | QA agent: 3 days dedicated accounting logic tests |
| R-005 | Mitigate | 1. Implement fallback to ECB free API; 2. Cache exchange rates with 4-hour TTL; 3. Manual rate override UI for accountants | Disable auto-conversion; flag manual rate entry required | Tech Lead: 0.5 days for fallback |
| R-006 | Mitigate | 1. Alem tracks registration weekly; 2. Launch in Croatia (EU-compliant) if Serbia entity delayed; 3. Investigate operating under SnowIT (BiH) during gap | Soft launch under ALAI Holding AS (Norway) with Serbian VAT documentation | Alem: legal counsel consultation |
| R-007 | Avoid | 1. CI check: grep for mock-data.ts imports in src/ — fail build if found outside test files; 2. Feature flag: MOCK_DATA=false in staging/production; 3. Every PR blocked if mock import detected | Manual audit of all 8 modules before beta onboarding | Hook: CI grep check; 0.5 days |
| R-008 | Accept | Monitor Pantheon announcements; maintain UX and price advantage | Accelerate feature roadmap; increase marketing spend | John: 1h/month competitive monitoring |
| R-009 | Mitigate | 1. Structured beta feedback form; 2. Session recording for confusion points; 3. 2-sprint buffer between beta end and launch | Delay launch by 2 weeks maximum; only block on P1 UX issues | John: beta program coordination |
| R-012 | Mitigate | 1. Add database indexes before launch; 2. Load test reports module specifically; 3. Implement query result caching for reports | Async report generation with job queue if sync too slow | Tech Lead: 1 day performance audit |
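The CI check described for R-007, as an added example that is not code from the Bilko project: a shell gate that fails the build when a non-test file under src/ imports mock-data. The test-file naming convention (`*.test.*`, `*.spec.*`, `__tests__/`), the function names and the sample tree are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not project code): CI gate for R-007.
# Assumed convention: tests are *.test.* / *.spec.* files or live under __tests__/.

# Matches static imports, side-effect imports, require() and dynamic import().
PATTERN="(from|import|require)[[:space:]]*\\(?[[:space:]]*['\"][^'\"]*mock-data(\\.ts)?['\"]"

# Print "file:line:text" for every mock-data import found in a non-test source file.
find_mock_imports() {
  grep -rniE --include='*.ts' --include='*.tsx' --include='*.js' --include='*.jsx' \
      "$PATTERN" "$1" 2>/dev/null \
    | grep -vE '(^|/)__tests__/|\.(test|spec)\.[jt]sx?:[0-9]+:' || true
}

# Return 1 (build failure) when any offending import exists, 0 otherwise.
check_no_mock_imports() {
  local hits
  hits="$(find_mock_imports "$1")"
  [ -z "$hits" ] && return 0
  printf 'R-007: mock-data imported outside test files:\n%s\n' "$hits" >&2
  return 1
}

# Constructed sample tree: one offending component, one allowed test file.
make_sample_tree() {
  local d
  d="$(mktemp -d)"
  mkdir -p "$d/src/components" "$d/src/lib"
  echo "export const invoices = [];" > "$d/src/lib/mock-data.ts"
  echo "import { invoices } from '../lib/mock-data';" > "$d/src/components/InvoiceList.tsx"
  echo "import { invoices } from '../lib/mock-data';" > "$d/src/components/InvoiceList.test.tsx"
  echo "import { api } from '../lib/api';" > "$d/src/components/Dashboard.tsx"
  echo "$d"
}

# CI entry point, e.g.: ./check-mock-imports.sh src
if [ "$#" -gt 0 ]; then
  check_no_mock_imports "$1"
fi
```

The match is case-insensitive, so it covers both the `Mock-data.ts` spelling in the register and the `mock-data.ts` spelling in the response actions.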
Response Strategy Definitions
| Strategy | When to Use | Action |
|---|---|---|
| Avoid | High score + feasible to eliminate | Change plan to remove the risk source |
| Mitigate | Cannot avoid; must reduce probability or impact | Implement controls, monitoring, early warning systems |
| Transfer | Risk can be shared with third party | Insurance, contractual liability transfer, outsourcing |
| Accept (Active) | Low score; mitigation cost > risk cost | Monitor and create contingency plan |
| Accept (Passive) | Negligible score | Acknowledge, no action required |
| Escalate | Exceeds project authority or appetite | Raise to Alem |
7. Risk Heat Map
quadrantChart
title Risk Heat Map — Bilko Phase 1
x-axis Low Impact --> High Impact
y-axis Low Probability --> High Probability
quadrant-1 "CRITICAL — Immediate Action"
quadrant-2 "HIGH — Active Management"
quadrant-3 "LOW — Monitor"
quadrant-4 "MEDIUM — Watch"
R-001 SEF API change: [0.7, 0.55]
R-004 Double-entry bugs: [0.9, 0.55]
R-002 Certification mandate: [0.9, 0.35]
R-006 Serbia entity delay: [0.7, 0.55]
R-007 Mock data in prod: [0.55, 0.75]
R-003 Backend complexity: [0.55, 0.55]
R-009 Beta UX issues: [0.55, 0.55]
R-005 Exchange rate API: [0.55, 0.35]
R-008 Pantheon competition: [0.55, 0.35]
R-011 BiH early launch: [0.35, 0.35]
Update coordinates as Probability/Impact scores change. X = Impact/5, Y = Probability/5.
8. Escalation Thresholds
| Threshold | Action | Responsible | Timeframe |
|---|---|---|---|
| Any new risk Score ≥ 15 | Immediate escalation to Alem | John | Within 4 hours of identification |
| Any existing risk score increases by ≥ 5 | Escalate to Alem | John | Within 24 hours |
| > 2 risks at Score ≥ 12 simultaneously | Emergency risk review with Alem | John | Within 48 hours |
| Any risk triggers its contingency plan | Notify Alem | John | Immediately |
| Risk causes milestone slip > 5 days | Formal escalation + revised timeline | John | Within 24 hours |
9. Risk Review Schedule
| Frequency | Activity | Participants | Output |
|---|---|---|---|
| Weekly (Sprint Planning) | Review all active risks, update scores/status | John | Updated register |
| Sprint Retrospective | Identify new risks; close resolved risks | John | New risks added |
| Monthly | Full risk register review + heat map update | John + Alem | Risk report |
| Ad-hoc | New risk identified (any time) | John | New risk logged within 24h |
| Pre-launch | Risk review before Serbia production launch | John + Alem + Asmir | Go/no-go input |
Review Log
| Date | Reviewer | Risks Reviewed | New Risks Added | Risks Closed | Key Changes |
|---|---|---|---|---|---|
| 2026-02-23 | John | 12 | 12 | 0 | Initial population |
10. Closed / Accepted Risks Archive
| ID | Risk Description | Resolution Type | Resolution Notes | Date Closed |
|---|---|---|---|---|
| — | No closed risks yet — project in early development | — | — | — |
Approval
| Role | Name | Date | Signature |
|---|---|---|---|
| Author | John (AI Director) | 2026-02-23 | |
| Reviewer | | | |
| Project Manager | John | 2026-02-23 | |
| AI Director (John) | John | 2026-02-23 | |
| Project Sponsor | Alem Bašić | | |