Risk Register¶
Initial company-level risk register. This is a living record; risks should be added, updated, and closed over time rather than treated as a one-time exercise.
Register¶
| ID | Risk | Category | Likelihood | Impact | Mitigation | Owner |
|---|---|---|---|---|---|---|
| RK-001 | Premature commercialization claims (marketing/product copy asserting capabilities, availability, or results not yet true) are published. | Reputational / Legal | Medium | High | Commercial claims require verified implemented capability and human approval; see docs/ai/context-loading-order.md (commercialization work) and docs/ai/prohibited-behaviors.md. | Founder |
| RK-002 | Fabricated or unsupported research (market size, demand, competitor data, customer quotes) is treated as fact. | Reputational / Decision quality | Medium | High | Evidence and citation requirements mandate fact/evidence/hypothesis/assumption/inference/recommendation classification; prohibited fabrications explicitly listed. See docs/ai/evidence-and-citation-requirements.md. | Founder |
| RK-003 | Venture brand confusion — e.g. conflation of a venture with an unrelated similarly-named entity ("DDLabs" or similar), or blurring of Devonshire Digital, Shelfery, and Digital Products identities. | Brand / Legal | Low-Medium | Medium | Brand architecture and terminology documents (docs/company/) define naming boundaries; commercialization material reviewed against docs/company/brand-architecture.md before publication. | Founder |
| RK-004 | Scope creep into a monorepo structure without an explicit decision. | Architecture | Medium | Medium | Repository boundaries documented as an intentional open decision (see repository-boundaries.md); any monorepo consolidation requires an ADR, not incremental drift. | Repository Maintainer |
| RK-005 | Security of any future customer data collected by a venture product. | Security / Privacy | Low (no customer data yet) | High (if realized) | Information classification policy defines Restricted data handling; no customer data is to be stored in this repository; venture products handling customer data require Security and Privacy Reviewer sign-off before launch. | Security and Privacy Reviewer |
| RK-006 | AI-generated calculation errors in financial products (e.g. Digital Products workbooks) go undetected. | Product quality / Financial | Medium | High | Calculation specifications, test plans, and financial guardrails required before financial calculation features ship; see docs/ai/context-loading-order.md (Digital Products work). | Product Owner (Digital Products) |
| RK-007 | Food-safety guidance liability — Shelfery providing food-storage or shelf-life guidance that is inaccurate or unsupported. | Legal / Safety | Medium | High | Food-safety claims classified as high-risk requiring human/domain-reviewer approval; no unsupported food-safety claims permitted. See docs/ai/prohibited-behaviors.md and docs/company/responsible-ai-principles.md. | Domain Reviewer (Shelfery) |
Fields¶
- Likelihood / Impact — qualitative (Low / Medium / High) at this stage; no formal scoring model is in place yet.
- Mitigation — current or planned control. Should link to the governing document(s).
- Owner — role accountable for monitoring and mitigating the risk, per decision-rights.md.
Maintenance¶
Review this register at least quarterly (see review_cycle) and whenever a new venture, product,
or customer-facing capability is introduced. Close or downgrade risks with evidence, not
assumption — link to the relevant record (ADR, test result, review sign-off).