Risk Register: Bilko

Project: Bilko — Balkan Accounting SaaS
Version: 0.1
Date: 2026-02-23
Author: John (AI Director)
Status: Draft
Reviewers: Alem Bašić (CEO)

Document History

| Version | Date | Author | Changes |
|---|---|---|---|
| 0.1 | 2026-02-23 | John (AI Director) | Initial draft — Phase 1 risk identification |

1. Risk Identification Methodology

Identification Methods Used:

- Team brainstorming session (Date: 2026-02-19, Participants: Alem, John)
- Lessons learned review from Drop (fintech) and BasicFakta projects
- Risk category checklist (see Section 2)
- Regulatory research report (research-bilko-multi-region-2026-02-20.md)
- Assumption analysis (see project charter)
- Technical spike — SEF API documentation review

Initial Risk Assessment Date: 2026-02-23
Next Scheduled Review: 2026-03-07 (after backend sprint 1)
Risk Owner: John (AI Director)

2. Risk Categories

| Category | Description | Common Examples |
|---|---|---|
| Technical | Technology failures, integration issues, performance, security | SEF API changes, infrastructure limits, unknown complexity |
| Resource | Team availability, skill gaps, capacity constraints | Agent performance degradation, context window limits |
| Client | Client-side decisions, availability, requirement volatility | Alem priority shift, regulatory guidance unavailable |
| External | Third-party dependencies, regulatory changes, market shifts | SEF API deprecation, Pantheon price war, BiH e-invoice delay |
| Financial | Budget overruns, cost estimates, currency exposure | Underestimated backend complexity, RSD/EUR volatility |
| Timeline | Schedule risks, deadline pressure, estimation errors | SEF integration longer than planned, beta feedback volume |
| Quality | Defect rate, technical debt, process failures | Mock data not fully replaced, double-entry logic bugs |
| Organizational | Internal politics, process changes, leadership decisions | ALAI Serbia entity registration delays, strategic pivot |

3. Risk Probability & Impact Scale

3.1 Probability Scale

| Level | Score | Definition | Example |
|---|---|---|---|
| Very Low | 1 | < 10% chance — rare, theoretical | Unknown-unknown |
| Low | 2 | 10–30% chance — unlikely but possible | Historical precedent rare |
| Medium | 3 | 30–50% chance — may occur | Has happened on similar projects |
| High | 4 | 50–70% chance — likely to occur | Happens regularly |
| Very High | 5 | > 70% chance — almost certain | Happened before on this type |

3.2 Impact Scale

| Level | Score | Schedule Impact | Budget Impact | Quality Impact |
|---|---|---|---|---|
| Negligible | 1 | < 1 day | < 1% | Minor fix needed |
| Minor | 2 | 1–3 days | 1–5% | Some rework needed |
| Moderate | 3 | 3–7 days | 5–10% | Significant rework |
| Major | 4 | 1–2 weeks | 10–20% | Deliverable at risk |
| Critical | 5 | > 2 weeks | > 20% | Project failure risk |

3.3 Risk Matrix (Probability × Impact)

```
                 IMPACT →
          1(Neg)  2(Min)  3(Mod)  4(Maj)  5(Crit)
P 5(VH) |   5   |  10   |  15   |  20   |  25   |  ← CRITICAL ZONE (≥15)
R 4(H)  |   4   |   8   |  12   |  16   |  20   |
O 3(M)  |   3   |   6   |   9   |  12   |  15   |
B 2(L)  |   2   |   4   |   6   |   8   |  10   |  ← MEDIUM ZONE (5-14)
↑ 1(VL) |   1   |   2   |   3   |   4   |   5   |  ← LOW ZONE (≤4)
```

| Score | Risk Level | Response Required | Escalation |
|---|---|---|---|
| 1–4 | LOW | Monitor; review monthly | John awareness |
| 5–9 | MEDIUM | Active mitigation plan required | John |
| 10–14 | HIGH | Immediate action + weekly review | John + Alem |
| 15–25 | CRITICAL | Emergency response; may stop project | John + Alem |

4. Risk Appetite Statement

Overall Risk Appetite: Medium

| Risk Category | Appetite | Rationale |
|---|---|---|
| Technical | Medium | Known stack (Next.js/Express/PostgreSQL); SEF integration is novel but researched |
| Financial | Low | €17K ceiling is fixed; overruns require CEO approval |
| Quality | Low | Accounting software errors have direct financial/legal consequences for users |
| Timeline | Medium | May 2026 launch preferred but not contractually bound |
| Security | Very Low | Financial data; GDPR-adjacent; zero tolerance for breaches |
| Regulatory | Very Low | SEF non-compliance means users face fines; must be correct |

Maximum Acceptable Risk Exposure: Score ≤ 9 without escalation to Alem.
Escalation Threshold: Any risk scoring ≥ 10 must be reported to Alem within 24 hours.

5. Active Risk Register

| ID | Risk Description | Category | Prob (1-5) | Impact (1-5) | Score | Response Strategy | Owner | Trigger Indicators | Status | Date Identified | Review Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| R-001 | SEF API changes breaking interface between development and launch | External | 3 | 4 | 12 | Mitigate | John | SEF changelog; API versioning notice from APR | Open | 2026-02-23 | 2026-03-07 |
| R-002 | Serbian tax authority mandates software certification for SEF integration | External | 2 | 5 | 10 | Mitigate | Alem + Asmir | Official gazette announcements; APR bulletins | Open | 2026-02-23 | 2026-03-07 |
| R-003 | Backend complexity underestimated — 50 endpoints take >4 weeks | Technical | 3 | 3 | 9 | Mitigate | John | Sprint 1 velocity below 20 endpoints/week | Open | 2026-02-23 | 2026-03-07 |
| R-004 | Double-entry accounting logic bugs in transaction engine | Quality | 3 | 5 | 15 | Mitigate | John | Balance sheet doesn't balance in test data; debit ≠ credit | Open | 2026-02-23 | 2026-03-07 |
| R-005 | RSD/BAM exchange rate API unavailable or unreliable | External | 2 | 3 | 6 | Mitigate | Tech Lead | API timeout errors; stale rates in production | Open | 2026-02-23 | 2026-03-07 |
| R-006 | ALAI Tech d.o.o. Serbia registration delayed beyond launch date | Organizational | 3 | 4 | 12 | Mitigate | Alem | No progress update on registration by 2026-04-01 | Open | 2026-02-23 | 2026-04-01 |
| R-007 | Mock data not fully replaced before beta — beta testers see dummy data | Quality | 4 | 3 | 12 | Mitigate | John | Mock-data.ts still imported in any production component | Open | 2026-02-23 | 2026-03-14 |
| R-008 | Pantheon launches competitive cloud product undercutting Bilko's positioning | External | 2 | 3 | 6 | Accept | John | Pantheon product announcements; press releases | Open | 2026-02-23 | 2026-06-01 |
| R-009 | Beta testers find critical UX issues requiring major redesign | Quality | 3 | 3 | 9 | Mitigate | John | > 3 beta testers independently report same confusion point | Open | 2026-02-23 | 2026-04-21 |
| R-010 | Currency volatility (RSD/EUR) affects pricing model attractiveness | Financial | 3 | 2 | 6 | Accept | Alem | RSD depreciation > 10% vs EUR in 3 months | Open | 2026-02-23 | 2026-05-01 |
| R-011 | BiH e-invoice specs (CPF) released earlier than 2027, requiring faster expansion | External | 2 | 2 | 4 | Monitor | John | CPF official announcement | Open | 2026-02-23 | 2026-06-01 |
| R-012 | PostgreSQL performance under load — N+1 queries in report generation | Technical | 3 | 3 | 9 | Mitigate | Tech Lead | Slow query logs; report generation > 2s in load test | Open | 2026-02-23 | 2026-03-28 |

6. Risk Response Strategies

| Risk ID | Strategy | Response Actions | Contingency Plan | Resources Required |
|---|---|---|---|---|
| R-001 | Mitigate | 1. Abstract SEF calls behind SefService interface; 2. Pin to tested API version; 3. Monitor APR changelog weekly | Roll back to previous SEF API version; manual invoice submission as temporary workaround | Tech Lead: 1 day for abstraction layer |
| R-002 | Mitigate + Monitor | 1. Asmir monitors official gazette; 2. John follows APR developer portal; 3. Legal review before launch | Delay Serbia launch until certification obtained; Croatia launch moved up | Asmir: 2h/week monitoring |
| R-003 | Mitigate | 1. Break backend into 5-endpoint weekly sprints; 2. Daily progress check at 10-endpoint milestones; 3. Scope reduction lever (defer banking module) | Reduce Phase 1 scope to 40 core endpoints; banking deferred to Phase 1.1 | John: daily sprint monitoring |
| R-004 | Mitigate | 1. Write comprehensive double-entry unit tests before any feature; 2. Balance sheet validation test in CI; 3. Code review by John on all Transaction model changes | Manual audit by qualified accountant (Asmir's team) before launch | QA agent: 3 days dedicated accounting logic tests |
| R-005 | Mitigate | 1. Implement fallback to ECB free API; 2. Cache exchange rates with 4-hour TTL; 3. Manual rate override UI for accountants | Disable auto-conversion; flag manual rate entry required | Tech Lead: 0.5 days for fallback |
| R-006 | Mitigate | 1. Alem tracks registration weekly; 2. Launch in Croatia (EU-compliant) if Serbia entity delayed; 3. Investigate operating under SnowIT (BiH) during gap | Soft launch under ALAI Holding AS (Norway) with Serbian VAT documentation | Alem: legal counsel consultation |
| R-007 | Avoid | 1. CI check: grep for mock-data.ts imports in src/ — fail build if found outside test files; 2. Feature flag: MOCK_DATA=false in staging/production; 3. Every PR blocked if mock import detected | Manual audit of all 8 modules before beta onboarding | Hook: CI grep check; 0.5 days |
| R-008 | Accept | Monitor Pantheon announcements; maintain UX and price advantage | Accelerate feature roadmap; increase marketing spend | John: 1h/month competitive monitoring |
| R-009 | Mitigate | 1. Structured beta feedback form; 2. Session recording for confusion points; 3. 2-sprint buffer between beta end and launch | Delay launch by 2 weeks maximum; only block on P1 UX issues | John: beta program coordination |
| R-012 | Mitigate | 1. Add database indexes before launch; 2. Load test reports module specifically; 3. Implement query result caching for reports | Async report generation with job queue if sync too slow | Tech Lead: 1 day performance audit |

Response Strategy Definitions

| Strategy | When to Use | Action |
|---|---|---|
| Avoid | High score + feasible to eliminate | Change plan to remove the risk source |
| Mitigate | Cannot avoid; must reduce probability or impact | Implement controls, monitoring, early warning systems |
| Transfer | Risk can be shared with third party | Insurance, contractual liability transfer, outsourcing |
| Accept (Active) | Low score; mitigation cost > risk cost | Monitor and create contingency plan |
| Accept (Passive) | Negligible score | Acknowledge, no action required |
| Escalate | Exceeds project authority or appetite | Raise to Alem |

7. Risk Heat Map

```mermaid
quadrantChart
    title Risk Heat Map — Bilko Phase 1
    x-axis Low Impact --> High Impact
    y-axis Low Probability --> High Probability
    quadrant-1 "CRITICAL — Immediate Action"
    quadrant-2 "HIGH — Active Management"
    quadrant-3 "LOW — Monitor"
    quadrant-4 "MEDIUM — Watch"
    R-001 SEF API change: [0.7, 0.55]
    R-004 Double-entry bugs: [0.9, 0.55]
    R-002 Certification mandate: [0.9, 0.35]
    R-006 Serbia entity delay: [0.7, 0.55]
    R-007 Mock data in prod: [0.55, 0.75]
    R-003 Backend complexity: [0.55, 0.55]
    R-009 Beta UX issues: [0.55, 0.55]
    R-005 Exchange rate API: [0.55, 0.35]
    R-008 Pantheon competition: [0.55, 0.35]
    R-011 BiH early launch: [0.35, 0.35]
```

Update coordinates as Probability/Impact scores change. X = Impact/5, Y = Probability/5.

8. Escalation Thresholds

| Threshold | Action | Responsible | Timeframe |
|---|---|---|---|
| Any new risk Score ≥ 15 | Immediate escalation to Alem | John | Within 4 hours of identification |
| Any existing risk score increases by ≥ 5 | Escalate to Alem | John | Within 24 hours |
| > 2 risks at Score ≥ 12 simultaneously | Emergency risk review with Alem | John | Within 48 hours |
| Any risk triggers its contingency plan | Notify Alem | John | Immediately |
| Risk causes milestone slip > 5 days | Formal escalation + revised timeline | John | Within 24 hours |

9. Risk Review Schedule

| Frequency | Activity | Participants | Output |
|---|---|---|---|
| Weekly (Sprint Planning) | Review all active risks, update scores/status | John | Updated register |
| Sprint Retrospective | Identify new risks; close resolved risks | John | New risks added |
| Monthly | Full risk register review + heat map update | John + Alem | Risk report |
| Ad-hoc | New risk identified (any time) | John | New risk logged within 24h |
| Pre-launch | Risk review before Serbia production launch | John + Alem + Asmir | Go/no-go input |

Review Log

| Date | Reviewer | Risks Reviewed | New Risks Added | Risks Closed | Key Changes |
|---|---|---|---|---|---|
| 2026-02-23 | John | 12 | 12 | 0 | Initial population |

10. Closed / Accepted Risks Archive

| ID | Risk Description | Resolution Type | Resolution Notes | Date Closed |
|---|---|---|---|---|
| — | No closed risks yet — project in early development | — | — | — |

Approval

| Role | Name | Date | Signature |
|---|---|---|---|
| Author | John (AI Director) | 2026-02-23 | |
| Reviewer | | | |
| Project Manager | John | 2026-02-23 | |
| AI Director (John) | John | 2026-02-23 | |
| Project Sponsor | Alem Bašić | | |