Risk Register

Enterprise risk inventory — inherent, treatment, residual, accountable owner.

Open risks

Accepted

Avg residual

Reviewed this Q

Impact

1×5

2×5

3×5

4×5

5×5

1×4

2×4

3×4

4×4

5×4

1×3

2×3

3×3

4×3

5×3

1×2

2×2

3×2

4×2

5×2

1×1

2×1

3×1

4×1

5×1

L1L2L3L4L5

Likelihood

R-0044

DDoS against public checkout surface

Sara Okafor • review Q1 2025

R-0108

Legacy ledger service unpatchable critical CVE

Diego Alvarez • review Q4 2024

ID	Risk	Category	L	I	Inherent	Residual	Treatment	Owner	Status
R-001	Loss of payment card data due to insider threat	Data Protection	2	5	18	6	mitigate	Priya Shah	mitigating
R-002	Cloud account takeover via leaked CI/CD credentials	Cloud Security	3	5	20	9	mitigate	Sara Okafor	open
R-003	Supply chain compromise via npm dependency	AppSec	4	4	16	10	mitigate	Marcus Lin	mitigating
R-004	DDoS against public checkout surface	Availability	4	3	12	4	transfer	Sara Okafor	accepted
R-005	Regulatory fine for delayed breach notification	Compliance	2	4	12	4	mitigate	Priya Shah	open
R-006	Internal data lake PII exfiltration	Data Protection	3	5	18	9	mitigate	Mei Wong	mitigating
R-007	Loss of availability — payments-api outage	Availability	2	5	15	6	mitigate	Jordan Vega	mitigating
R-008	Phishing-led credential compromise of admin	Identity	4	4	16	9	mitigate	Priya Shah	open
R-009	Third-party vendor breach exposing customer data	Third Party	3	4	12	6	transfer	Priya Shah	mitigating
R-010	Legacy ledger service unpatchable critical CVE	AppSec	2	5	12	8	accept	Diego Alvarez	accepted
R-011	Mobile app reverse-engineering and API abuse	Mobile	3	3	9	6	mitigate	Ben Carter	open
R-012	Misconfigured S3 bucket exposing internal docs	Cloud Security	3	3	9	4	mitigate	Sara Okafor	mitigating
R-013	Insider IP theft via departing engineer	Insider	2	3	6	4	mitigate	Priya Shah	open
R-014	AI model prompt-injection leaking customer context	AI/ML	4	3	12	8	mitigate	Mei Wong	open
R-015	Unauthorized changes to production via overly broad IAM	Identity	3	4	12	6	mitigate	Sara Okafor	mitigating