Reference · Risk PRD §15 + SRS / synthesised

Risk Register

The top risks tracked by the Founder weekly sync. Six categories — technical, compliance, operational, strategic, financial, legal — each with a likelihood × impact score, an owner, a mitigation, a contingency, and a status. Pulled from PRD §15 "Top 15 risks" and extended with the risks one would expect for a 24-month, 22-module, regulated-market platform build. Severity is recorded as Severity in the PRD table but re-cast here as Impact for heatmap clarity.

Risks tracked

High / Catastrophic

Open

Mitigated

Accepted

Likelihood × Impact heatmap

Cells are colour-coded by composite score. Any High-likelihood / High-impact cell is "sprint-blocking" under PRD §15.5 rules: it auto-creates a Question to the Founder via the Compliance Cockpit. Hover a chip to inspect.

Impact: Low

Impact: Med

Impact: High

Likely · High

Likely · Med

Likely · Low

low = low concern med = monitor high = active mitigation required crit = sprint-blocking, founder review

Operational rules · PRD §15.5

Severity × Likelihood produces a heat-mapped score; any High–High lands on the Compliance Cockpit and triggers a Question to the Founder.
Risks are reviewed weekly during the Founder weekly sync; status (Open / Mitigated / Realised / Closed) is updated.
A realised risk triggers an AAR (After-Action Review); the AAR is captured in BRAIN Layer 2 with the lesson-learned tag and is surfaced in future similar contexts via GraphRAG.
New risks added between phases require Founder approval; they are not auto-accepted from CUO's suggestion stream.

CyberOS Documentation · Risk Register · PRD v2026.05 §15 + synthesised additions

RSK-01 through RSK-15 quote the PRD verbatim; R-EXT-* additions are inferred from project context and marked with their rationale.