Risks & Open Questions
Risk Analysis
Identified risks, likelihood, impact, and mitigation strategies.
Critical Risks
| Risk | Likelihood | Impact | Mitigation | Owner |
|---|---|---|---|---|
| QMS Checklist not provided by Chin in time | Medium | Critical (blocks WS-3, delays WS-5) | Start v1 with mock checklist; real checklist swapped in once ready. Parallel path for validation engine development. | Chin (input), Build team (mitigation) |
| Build team not selected by Feb 2026 | Medium | Critical (delays entire project) | Greg to finalize decision on build approach (internal vs. external) by early Feb. If external, RFP issued by Jan 31. | Greg |
| Validation engine proves technically harder than estimated | Medium-High | High (extends v1 by 3-4 weeks) | Spike on document parsing & checklist logic in first 1-2 weeks. If spike results show 2x complexity, revise timeline and reduce v1.1 scope. | Build team lead |
| Compliance team expectations misaligned (e.g., expects full anomaly detection in v1) | Medium | High (UAT failure, launch delay, user dissatisfaction) | Schedule walkthrough of this Blueprint with Chin + Compliance Team Manager before build starts. Confirm scope, get sign-off on v1 vs. v2+ delineation. | Chin |
| Data privacy/security requirements not defined | Low-Medium | High (rework needed post-build if data residency/encryption requirements emerge) | Greg to clarify: any specific compliance requirements (PIPEDA, SOX, data residency)? Add to Architecture section before WS-1 begins. | Greg |
Medium Risks
| Risk | Likelihood | Impact | Mitigation | Owner |
|---|---|---|---|---|
| Document parsing (PDF/DOCX) complexity underestimated | Medium | Medium (extends validation engine work by 1-2 weeks) | Prototype document parsing early (WS-5 week 1). Use established libraries (PyPDF, python-docx, etc.). If extraction is lossy, flag as limitation in v1 scope. | Build team technical lead |
| UI complexity (dashboards, tables) underestimated | Medium | Medium (extends WS-6/WS-7 by 2-3 weeks) | Build interactive mockups/wireframes before implementation (1 week sprint). Validate with Compliance Team Manager. Use component library (Material-UI, Ant Design) to reduce build time. | Build team frontend lead |
| Approval workflow (WS-7) requires more business logic than expected | Low-Medium | Medium (extends WS-7 by 1-2 weeks) | Define approval rules spec in detail before WS-7 starts. Clarify: how many approvers? Escalation rules? Parallel vs. sequential approval? Document in Architecture section. | Chin + Greg |
| Testing & QA takes longer than 2-3 weeks (WS-9) | Medium-High | Medium (delays launch by 1-2 weeks) | Start QA earlier: WS-9 begins during WS-8 (overlap by 1 week). Parallel testing of core flows while reporting finishes. | Build team QA lead |
| Deployment complexity (WS-10) underestimated | Low-Medium | Medium (delays launch by 1-2 weeks) | Set up production environment early (WS-1). Do dry-run deployment in week 10 to surface issues. Use infrastructure-as-code (Terraform, Docker) to standardize setup. | Build team DevOps/infrastructure lead |
Low Risks (Manageable)
- Scope creep during development: Mitigation: Freeze scope once the Blueprint is approved. All requests for v1 changes go to the v1.1/v2 backlog.
- Team turnover during build: Mitigation: Excellent documentation, code comments, wiki. Knowledge transfer in place by week 6.
- Performance issues at scale: Mitigation: Test with 100+ projects in week 10. Identify bottlenecks early. Optimize DB queries and indexes if needed.
- Browser compatibility issues: Mitigation: Test on Chrome, Firefox, Safari, Edge from day 1. Use modern browser APIs only; polyfill if needed.
Open Questions / TBD
| Question | Impact | Owner | Status |
|---|---|---|---|
| What is the exact scope of the QMS compliance checklist? (Agile standards? Waterfall standards? Both? Specific docs required?) | Critical (defines validation engine rules) | Chin | PENDING |
| Are there specific regulatory requirements (PIPEDA, SOX, etc.)? | High (affects security, data residency, compliance scope) | Greg | PENDING |
| What is the approval chain? How many approvers? Parallel or sequential? | High (affects WS-7 workflow logic) | Chin + Compliance Team Manager | PENDING |
| Who will build this? Internal (Rafa)? External contractor? Combination? | Critical (affects timeline, cost, capability) | Greg | TBD |
| What is the budget for v1 development? | High (affects build approach, team selection, phasing) | Greg | TBD |
| Should artifact storage be cloud (S3, GCS) or on-prem? | Medium (affects WS-4, deployment, security model) | Greg + Build team | TBD |
| Are there market-specific QMS variants needed for v1, or does v2 handle this? | Medium (affects validation engine scope) | Chin | PENDING |
| Should v1 support batch auditing (100+ projects), or single-project only? | Low-Medium (affects WS-5, WS-6 scope) | Chin + Greg | TBD |
| What's the acceptable false positive rate? (e.g., is flagging 10% non-issues okay, or must we hit 99%+?) | Medium (affects validation engine tuning, UAT scope) | Chin + Compliance Team | PENDING |
| Should user onboarding/training be part of v1 launch, or separate? | Low-Medium (affects go-live timing) | Chin | TBD |
Highest-Impact Wins (Quick Leverage)
If the build team finds spare capacity, prioritize these over scope creep:
- Batch audit capability: Let auditors upload 10+ projects at once, run parallel validations. Huge time savings.
- Finding templates/canned responses: Let auditors quickly validate findings with pre-written responses instead of typing. 10-20% time savings per audit.
- Keyboard shortcuts: Make finding review blazingly fast (arrow keys to navigate, number keys to action). Small effort, big UX win.
- Email notifications: Notify the manager when an audit is ready for approval. Removes manual coordination friction.
- Artifact preview in findings: Show PDF/document snippet alongside finding instead of forcing download. UX improvement, no backend complexity.
Success Criteria for Launch
- Blueprint reviewed and approved by Chin + Greg + Compliance Team Manager
- All critical risks mitigated or have fallback plans
- QMS checklist v1 finalized by build team kick-off
- Build team confirmed (internal/external, capacity, timeline)
- Production environment ready by week 10 of build
- UAT passed with 95%+ accuracy and <5% false positives
- Compliance team trained and ready to use system
- Go-live decision made 1 week before launch (full sign-off from Chin + Greg)