# Risk Register: Bilko

> **Project:** Bilko — Balkan Accounting SaaS
> **Version:** 0.1
> **Date:** 2026-02-23
> **Author:** John (AI Director)
> **Status:** Draft
> **Reviewers:** Alem Bašić (CEO)

## Document History
| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 0.1     | 2026-02-23 | John (AI Director) | Initial draft — Phase 1 risk identification |

---

## 1. Risk Identification Methodology

**Identification Methods Used:**
- [x] Team brainstorming session (Date: 2026-02-19, Participants: Alem, John)
- [x] Lessons learned review from Drop (fintech) and BasicFakta projects
- [x] Risk category checklist (see Section 2)
- [x] Regulatory research report (research-bilko-multi-region-2026-02-20.md)
- [x] Assumption analysis (see project charter)
- [x] Technical spike — SEF API documentation review

**Initial Risk Assessment Date:** 2026-02-23

**Next Scheduled Review:** 2026-03-07 (after backend sprint 1)

**Risk Owner:** John (AI Director)

---

## 2. Risk Categories

| Category | Description | Common Examples |
|----------|-------------|----------------|
| **Technical** | Technology failures, integration issues, performance, security | SEF API changes, infrastructure limits, unknown complexity |
| **Resource** | Team availability, skill gaps, capacity constraints | Agent performance degradation, context window limits |
| **Client** | Client-side decisions, availability, requirement volatility | Alem priority shift, regulatory guidance unavailable |
| **External** | Third-party dependencies, regulatory changes, market shifts | SEF API deprecation, Pantheon price war, BiH e-invoice delay |
| **Financial** | Budget overruns, cost estimates, currency exposure | Underestimated backend complexity, RSD/EUR volatility |
| **Timeline** | Schedule risks, deadline pressure, estimation errors | SEF integration longer than planned, beta feedback volume |
| **Quality** | Defect rate, technical debt, process failures | Mock data not fully replaced, double-entry logic bugs |
| **Organizational** | Internal politics, process changes, leadership decisions | ALAI Serbia entity registration delays, strategic pivot |

---

## 3. Risk Probability & Impact Scale

### 3.1 Probability Scale

| Level | Score | Definition | Example |
|-------|-------|------------|---------|
| Very Low | 1 | < 10% chance — rare, theoretical | Unknown-unknown |
| Low | 2 | 10–30% chance — unlikely but possible | Historical precedent rare |
| Medium | 3 | 30–50% chance — may occur | Has happened on similar projects |
| High | 4 | 50–70% chance — likely to occur | Happens regularly |
| Very High | 5 | > 70% chance — almost certain | Happened before on this type |

### 3.2 Impact Scale

| Level | Score | Schedule Impact | Budget Impact | Quality Impact |
|-------|-------|----------------|---------------|----------------|
| Negligible | 1 | < 1 day | < 1% | Minor fix needed |
| Minor | 2 | 1–3 days | 1–5% | Some rework needed |
| Moderate | 3 | 3–7 days | 5–10% | Significant rework |
| Major | 4 | 1–2 weeks | 10–20% | Deliverable at risk |
| Critical | 5 | > 2 weeks | > 20% | Project failure risk |

### 3.3 Risk Matrix (Probability × Impact)

```
         IMPACT →
         1(Neg) 2(Min) 3(Mod) 4(Maj) 5(Crit)
P  5(VH) |  5  |  10  |  15  |  20  |  25  |
R  4(H)  |  4  |   8  |  12  |  16  |  20  |
O  3(M)  |  3  |   6  |   9  |  12  |  15  |
B  2(L)  |  2  |   4  |   6  |   8  |  10  |
↑  1(VL) |  1  |   2  |   3  |   4  |   5  |

Zones follow the cell score, not the row: CRITICAL ≥15, HIGH 10–14, MEDIUM 5–9, LOW ≤4 (see table below).
```

| Score | Risk Level | Response Required | Escalation |
|-------|-----------|-------------------|------------|
| 1–4   | LOW | Monitor; review monthly | John awareness |
| 5–9   | MEDIUM | Active mitigation plan required | John |
| 10–14 | HIGH | Immediate action + weekly review | John + Alem |
| 15–25 | CRITICAL | Emergency response; may stop project | John + Alem |

---

## 4. Risk Appetite Statement

**Overall Risk Appetite:** Medium

| Risk Category | Appetite | Rationale |
|--------------|----------|-----------|
| Technical | Medium | Known stack (Next.js/Express/PostgreSQL); SEF integration is novel but researched |
| Financial | Low | €17K ceiling is fixed; overruns require CEO approval |
| Quality | Low | Accounting software errors have direct financial/legal consequences for users |
| Timeline | Medium | May 2026 launch preferred but not contractually bound |
| Security | Very Low | Financial data; GDPR-adjacent; zero tolerance for breaches |
| Regulatory | Very Low | SEF non-compliance means users face fines; must be correct |

**Maximum Acceptable Risk Exposure:** Score ≤ 9 without escalation to Alem.

**Escalation Threshold:** Any risk scoring ≥ 10 must be reported to Alem within 24 hours.

---

## 5. Active Risk Register

| ID | Risk Description | Category | Prob (1-5) | Impact (1-5) | Score | Response Strategy | Owner | Trigger Indicators | Status | Date Identified | Review Date |
|----|-----------------|----------|------------|-------------|-------|-------------------|-------|-------------------|--------|-----------------|-------------|
| R-001 | SEF API changes breaking interface between development and launch | External | 3 | 4 | 12 | Mitigate | John | SEF changelog; API versioning notice from APR | Open | 2026-02-23 | 2026-03-07 |
| R-002 | Serbian tax authority mandates software certification for SEF integration | External | 2 | 5 | 10 | Mitigate | Alem + Asmir | Official gazette announcements; APR bulletins | Open | 2026-02-23 | 2026-03-07 |
| R-003 | Backend complexity underestimated — 50 endpoints take >4 weeks | Technical | 3 | 3 | 9 | Mitigate | John | Sprint 1 velocity below 20 endpoints/week | Open | 2026-02-23 | 2026-03-07 |
| R-004 | Double-entry accounting logic bugs in transaction engine | Quality | 3 | 5 | 15 | Mitigate | John | Balance sheet doesn't balance in test data; debit ≠ credit | Open | 2026-02-23 | 2026-03-07 |
| R-005 | RSD/BAM exchange rate API unavailable or unreliable | External | 2 | 3 | 6 | Mitigate | Tech Lead | API timeout errors; stale rates in production | Open | 2026-02-23 | 2026-03-07 |
| R-006 | ALAI Tech d.o.o. Serbia registration delayed beyond launch date | Organizational | 3 | 4 | 12 | Mitigate | Alem | No progress update on registration by 2026-04-01 | Open | 2026-02-23 | 2026-04-01 |
| R-007 | Mock data not fully replaced before beta — beta testers see dummy data | Quality | 4 | 3 | 12 | Mitigate | John | `mock-data.ts` still imported in any production component | Open | 2026-02-23 | 2026-03-14 |
| R-008 | Pantheon launches competitive cloud product undercutting Bilko's positioning | External | 2 | 3 | 6 | Accept | John | Pantheon product announcements; press releases | Open | 2026-02-23 | 2026-06-01 |
| R-009 | Beta testers find critical UX issues requiring major redesign | Quality | 3 | 3 | 9 | Mitigate | John | > 3 beta testers independently report same confusion point | Open | 2026-02-23 | 2026-04-21 |
| R-010 | Currency volatility (RSD/EUR) affects pricing model attractiveness | Financial | 3 | 2 | 6 | Accept | Alem | RSD depreciation > 10% vs EUR in 3 months | Open | 2026-02-23 | 2026-05-01 |
| R-011 | BiH e-invoice specs (CPF) released earlier than 2027, requiring faster expansion | External | 2 | 2 | 4 | Monitor | John | CPF official announcement | Open | 2026-02-23 | 2026-06-01 |
| R-012 | PostgreSQL performance under load — N+1 queries in report generation | Technical | 3 | 3 | 9 | Mitigate | Tech Lead | Slow query logs; report generation > 2s in load test | Open | 2026-02-23 | 2026-03-28 |

---

## 6. Risk Response Strategies

| Risk ID | Strategy | Response Actions | Contingency Plan | Resources Required |
|---------|----------|-----------------|------------------|-------------------|
| R-001 | Mitigate | 1. Abstract SEF calls behind `SefService` interface; 2. Pin to tested API version; 3. Monitor APR changelog weekly | Roll back to previous SEF API version; manual invoice submission as temporary workaround | Tech Lead: 1 day for abstraction layer |
| R-002 | Mitigate + Monitor | 1. Asmir monitors official gazette; 2. John follows APR developer portal; 3. Legal review before launch | Delay Serbia launch until certification obtained; Croatia launch moved up | Asmir: 2h/week monitoring |
| R-003 | Mitigate | 1. Break backend into 5-endpoint weekly sprints; 2. Daily progress check at 10-endpoint milestones; 3. Scope reduction lever (defer banking module) | Reduce Phase 1 scope to 40 core endpoints; banking deferred to Phase 1.1 | John: daily sprint monitoring |
| R-004 | Mitigate | 1. Write comprehensive double-entry unit tests before any feature; 2. Balance sheet validation test in CI; 3. Code review by John on all Transaction model changes | Manual audit by qualified accountant (Asmir's team) before launch | QA agent: 3 days dedicated accounting logic tests |
| R-005 | Mitigate | 1. Implement fallback to ECB free API; 2. Cache exchange rates with 4-hour TTL; 3. Manual rate override UI for accountants | Disable auto-conversion; flag manual rate entry required | Tech Lead: 0.5 days for fallback |
| R-006 | Mitigate | 1. Alem tracks registration weekly; 2. Launch in Croatia (EU-compliant) if Serbia entity delayed; 3. Investigate operating under SnowIT (BiH) during gap | Soft launch under ALAI Holding AS (Norway) with Serbian VAT documentation | Alem: legal counsel consultation |
| R-007 | Avoid | 1. CI check: grep for `mock-data.ts` imports in `src/` — fail build if found outside test files; 2. Feature flag: `MOCK_DATA=false` in staging/production; 3. Every PR blocked if mock import detected | Manual audit of all 8 modules before beta onboarding | Hook: CI grep check; 0.5 days |
| R-008 | Accept | Monitor Pantheon announcements; maintain UX and price advantage | Accelerate feature roadmap; increase marketing spend | John: 1h/month competitive monitoring |
| R-009 | Mitigate | 1. Structured beta feedback form; 2. Session recording for confusion points; 3. 2-sprint buffer between beta end and launch | Delay launch by 2 weeks maximum; only block on P1 UX issues | John: beta program coordination |
| R-012 | Mitigate | 1. Add database indexes before launch; 2. Load test reports module specifically; 3. Implement query result caching for reports | Async report generation with job queue if sync too slow | Tech Lead: 1 day performance audit |
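The R-007 gate from the table above, as an added example rather than Bilko's own CI configuration: a POSIX shell check that fails the build when `mock-data.ts` is imported by any `.ts`/`.tsx` file under `src/` outside test files, plus the companion `MOCK_DATA` flag check for staging/production. The `src/` layout, the allowed-path rules and the constructed sample tree are assumptions.

```shell
#!/bin/sh
# Added example for risk R-007 (not Bilko's own CI script).
# Gate 1: fail if production code imports mock-data.ts.
# Gate 2: fail if MOCK_DATA is switched on in staging/production.
# The src/ layout and the sample tree below are constructed assumptions.

# Matches `from '...mock-data'`, `import('...mock-data')` and `require('...mock-data')`.
MOCK_IMPORT_PATTERN="(from|import\\(|require\\()[[:space:]]*['\"][^'\"]*mock-data(\\.ts)?['\"]"
# Files allowed to reference mock data: test files and the mock module itself.
ALLOWED_PATHS='(\.test\.tsx?$|\.spec\.tsx?$|/__tests__/|/mock-data\.ts$)'

# check_mock_imports SRC_DIR -> 0 if clean, 1 if any production file imports mock data
check_mock_imports() {
  offenders=$(grep -rlE --include='*.ts' --include='*.tsx' "$MOCK_IMPORT_PATTERN" "$1" 2>/dev/null \
    | grep -vE "$ALLOWED_PATHS" || true)
  if [ -n "$offenders" ]; then
    echo "R-007 gate FAILED: mock-data.ts imported in production code:" >&2
    echo "$offenders" >&2
    return 1
  fi
  return 0
}

# check_mock_flag DEPLOY_ENV MOCK_DATA_VALUE -> 1 if mock data is enabled outside dev/test
check_mock_flag() {
  case "$1" in
    staging|production)
      if [ "$2" = "true" ] || [ "$2" = "1" ]; then
        echo "R-007 gate FAILED: MOCK_DATA=$2 in $1" >&2
        return 1
      fi ;;
  esac
  return 0
}

# make_sample_tree DIR: constructed sample src/ tree with one offending production component
make_sample_tree() {
  mkdir -p "$1/src/components" "$1/src/lib/__tests__"
  printf 'export const invoices = [];\n' > "$1/src/lib/mock-data.ts"
  printf "import { invoices } from '../lib/mock-data';\nexport default invoices;\n" \
    > "$1/src/components/InvoiceList.tsx"
  printf "import { invoices } from '../mock-data';\n" > "$1/src/lib/__tests__/invoices.test.ts"
}

# CI usage: check_mock_imports src && check_mock_flag "$DEPLOY_ENV" "$MOCK_DATA" || exit 1
```

Run both gates as a required status check so a PR cannot merge while a production component still imports mock data.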

### Response Strategy Definitions

| Strategy | When to Use | Action |
|----------|------------|--------|
| **Avoid** | High score + feasible to eliminate | Change plan to remove the risk source |
| **Mitigate** | Cannot avoid; must reduce probability or impact | Implement controls, monitoring, early warning systems |
| **Transfer** | Risk can be shared with third party | Insurance, contractual liability transfer, outsourcing |
| **Accept (Active)** | Low score; mitigation cost > risk cost | Monitor and create contingency plan |
| **Accept (Passive)** | Negligible score | Acknowledge, no action required |
| **Escalate** | Exceeds project authority or appetite | Raise to Alem |

---

## 7. Risk Heat Map

```mermaid
quadrantChart
    title Risk Heat Map — Bilko Phase 1
    x-axis Low Impact --> High Impact
    y-axis Low Probability --> High Probability
    quadrant-1 "CRITICAL — Immediate Action"
    quadrant-2 "HIGH — Active Management"
    quadrant-3 "LOW — Monitor"
    quadrant-4 "MEDIUM — Watch"
    R-001 SEF API change: [0.7, 0.55]
    R-004 Double-entry bugs: [0.9, 0.55]
    R-002 Certification mandate: [0.9, 0.35]
    R-006 Serbia entity delay: [0.7, 0.55]
    R-007 Mock data in prod: [0.55, 0.75]
    R-003 Backend complexity: [0.55, 0.55]
    R-009 Beta UX issues: [0.55, 0.55]
    R-005 Exchange rate API: [0.55, 0.35]
    R-008 Pantheon competition: [0.55, 0.35]
    R-011 BiH early launch: [0.35, 0.35]
```

> _Update coordinates as Probability/Impact scores change. X = Impact/5, Y = Probability/5._

---

## 8. Escalation Thresholds

| Threshold | Action | Responsible | Timeframe |
|-----------|--------|-------------|-----------|
| Any new risk Score ≥ 15 | Immediate escalation to Alem | John | Within 4 hours of identification |
| Any existing risk score increases by ≥ 5 | Escalate to Alem | John | Within 24 hours |
| > 2 risks at Score ≥ 12 simultaneously | Emergency risk review with Alem | John | Within 48 hours |
| Any risk triggers its contingency plan | Notify Alem | John | Immediately |
| Risk causes milestone slip > 5 days | Formal escalation + revised timeline | John | Within 24 hours |

---

## 9. Risk Review Schedule

| Frequency | Activity | Participants | Output |
|-----------|----------|-------------|--------|
| Weekly (Sprint Planning) | Review all active risks, update scores/status | John | Updated register |
| Sprint Retrospective | Identify new risks; close resolved risks | John | New risks added |
| Monthly | Full risk register review + heat map update | John + Alem | Risk report |
| Ad-hoc | New risk identified (any time) | John | New risk logged within 24h |
| Pre-launch | Risk review before Serbia production launch | John + Alem + Asmir | Go/no-go input |

### Review Log

| Date | Reviewer | Risks Reviewed | New Risks Added | Risks Closed | Key Changes |
|------|----------|---------------|-----------------|--------------|-------------|
| 2026-02-23 | John | 12 | 12 | 0 | Initial population |

---

## 10. Closed / Accepted Risks Archive

| ID | Risk Description | Resolution Type | Resolution Notes | Date Closed |
|----|-----------------|----------------|-----------------|-------------|
| — | No closed risks yet — project in early development | — | — | — |

---

## Approval

| Role | Name | Date | Signature |
|------|------|------|-----------|
| Author | John (AI Director) | 2026-02-23 | |
| Reviewer | | | |
| Project Manager | John | 2026-02-23 | |
| AI Director (John) | John | 2026-02-23 | |
| Project Sponsor | Alem Bašić | | |