Overview
Risk Severity Matrix
Distribution of identified risks by severity and category
6
🔴 CRITICAL
Release blockers. Must be resolved and retested before any production deployment.
7
🟠 HIGH
Must be addressed before release. May be accepted temporarily with documented mitigation.
4
🔵 MEDIUM
Should be addressed in current or next sprint. Limited business impact if mitigated.
2
🟢 LOW
Monitor and address in backlog. Acceptable short-term risk with existing guardrails.
CRITICAL — Financial integrity or security breach risk
HIGH — Significant functional or UX failure risk
MEDIUM — Limited impact with existing fallbacks
LOW — Acceptable risk, monitor only
🔴 Critical Risks
Release Blocking Risk Entries
These must be resolved and verified before any production deployment
Category
Financial Integrity — Business Logic
Affected Layer
Layer 2 — Business Logic (Mapping Engine)
Risk Description
The most critical business risk in the entire feature. If Outlet-to-Company mapping logic is incorrect, credits are applied to the wrong company. This causes financial loss for one company and illegal enrichment of another — with no visible error to the user. The damage may only be discovered during manual financial reconciliation, potentially weeks or months later.
Business Impact
Severe. Direct financial loss. Potential legal liability. Regulatory non-compliance. Loss of client trust. Breach of SLA.
Mitigation Strategy
- Validate mapping at DB level before any write (TC30) — not just from UI data
- Lock the mapping at transaction time (snapshot at S4) — prevent race with concurrent mapping updates
- Implement automated regression test TC29 on every release cycle and after any Brand/Outlet restructure
- Add a pre-submission validation step that cross-checks UI outlet list against DB mapping
- Add financial reconciliation daily job comparing DB credits to QuickBooks quotations per company
Category
Data Integrity — Atomicity
Affected Layer
Layer 5 — Database
Risk Description
If the database transaction is not fully atomic, a failure mid-write (e.g., after crediting Company A but before Company B) leaves the system in an inconsistent state. Company A has excess credits; Company B is under-credited. The QuickBooks quotation exists for the full amount. No rollback occurs. This is an undetectable financial inconsistency without an explicit comparison job.
Likelihood
Low (if implemented correctly)
Business Impact
Catastrophic. Financial inconsistency across companies. Undetectable by user. Requires manual forensic reconciliation.
Mitigation Strategy
- All credit writes MUST be wrapped in a single database transaction (BEGIN / COMMIT / ROLLBACK)
- TC22 explicitly tests mid-transaction failure to verify complete rollback of all partial writes
- TC23 verifies DB state snapshot matches pre-transaction values after rollback
- Transaction log must record ROLLED_BACK status with Transaction ID for every failure
- Automated post-transaction DB balance verification job comparing expected vs actual per company
Category
Financial Integrity — Idempotency
Affected Layer
Layer 3 — QuickBooks Integration
Risk Description
Without idempotency protection (unique Transaction IDs), a retry, double-click, or network replay could create two or more QuickBooks quotations for the same top-up event. This results in double-billing the client and potentially double-crediting SMS tokens — a direct financial fraud risk.
Business Impact
Severe. Double billing of client. Potential double SMS credit. Financial audit failure. Client relationship damage.
Mitigation Strategy
- Generate a unique Transaction ID (UUID v4) at validation time (S4) before any API call
- Pass Transaction ID as idempotency key in every QuickBooks API request header
- If duplicate Transaction ID detected by API — return existing quotation ID, do NOT create new
- Submit button disabled immediately on first click to prevent double-click (TC26)
- TC16 explicitly validates idempotent behaviour — verified in QuickBooks portal
Category
External Dependency — Service Availability
Affected Layer
Layer 3 — QuickBooks Integration
Risk Description
QuickBooks is an external third-party SaaS service with its own SLA. During planned or unplanned downtime, the entire SMS top-up workflow is blocked. Without proper retry logic and graceful degradation, the system may hang indefinitely, throw unhandled exceptions, or — most critically — proceed to credit SMS tokens without a valid quotation.
Likelihood
Medium (monthly scheduled maintenance)
Business Impact
High. Complete feature unavailability. Delayed SMS credits. Financial operation blocked.
Mitigation Strategy
- Implement exponential backoff retry: Attempt 1 (wait 2s) → Attempt 2 (wait 5s) → Attempt 3 (wait 10s)
- After all retries fail: abort flow completely, display user-friendly error with Transaction ID reference
- Never proceed to SMS credit step without confirmed QuickBooks quotation ID
- Trigger admin alert on consecutive API failures (circuit breaker pattern)
- Document escalation path for finance team during QuickBooks maintenance windows
Category
Security — Input Sanitisation
Affected Layer
Layer 1 — UI / Layer 2 — Business Logic
Risk Description
A malicious Finance Executive (or an external attacker who has gained authenticated access) could attempt SQL injection, XSS, or server-side request forgery through the top-up amount fields. Client-side-only validation provides zero protection against direct API manipulation via tools like Postman or curl.
Likelihood
Low (authenticated users)
Business Impact
Catastrophic. Data breach, database corruption, unauthorised financial manipulation, regulatory penalty.
Mitigation Strategy
- ALL database queries must use parameterised statements — no string concatenation in SQL
- Server-side validation must be implemented independently of client-side (never trust client input)
- Input type enforcement: numeric-only fields reject non-numeric at both UI and API layer
- Output encoding for all rendered values — prevent XSS in success/error messages
- TC09 specifically tests injection attempts at both client and server layers
Category
Data Integrity — Recovery
Affected Layer
Layer 5 — Database
Risk Description
In the worst-case scenario, if both the credit write AND the rollback mechanism fail simultaneously, the system enters an unknown state. Without an admin escalation path, this inconsistency may go undetected. The DB is in a partially written state with no automatic recovery — requiring dangerous manual intervention without transaction context.
Business Impact
Catastrophic. Financial data corruption. Manual forensic recovery required. Potential audit failure.
Mitigation Strategy
- Implement dedicated admin alert on rollback failure — send immediate notification with Transaction ID and context
- Flag affected transaction in DB as INCONSISTENT_STATE with maximum detail for manual recovery
- Maintain pre-transaction balance snapshot in transaction log to enable manual reversal
- TC25 tests this extreme edge case — verify admin escalation mechanism exists and fires correctly
🟠 High Risks
High Severity Risk Entries
Must be addressed before production release
Category
Concurrency — Data Integrity
Affected Layer
Layer 5 — Database
Risk Description
When two Finance Executives submit top-up transactions for the same Brand simultaneously, a race condition on the Company credit record could result in a "lost update" — where one transaction's write overwrites the other's. Final company balance would be incorrect (showing only one submission's credits instead of both).
Mitigation Strategy
- Implement row-level locking (SELECT FOR UPDATE) on Company credit records during write phase
- Use database-level atomic increment operations (e.g., UPDATE credits SET balance = balance + X) rather than read-modify-write cycles
- TC27 tests simultaneous submission — verified at DB level by summing both inputs
- Transaction isolation level must be at minimum READ COMMITTED
Affected Layer
Layer 1 — UI
Risk Description
A user rapidly double-clicking the Submit button could trigger two simultaneous API calls before the first response is received. Without button-state management, this results in two QuickBooks quotations and potentially double SMS credits — without the user realising any error has occurred.
Mitigation Strategy
- Disable Submit button immediately on first click — re-enable only after final result received
- Server-side: Transaction ID uniqueness check prevents duplicate processing even if UI fails
- TC26 verifies via browser DevTools Network tab that exactly ONE API request is sent
Category
Security — Validation
Affected Layer
Layer 1 — UI / Layer 2 — Business Logic
Risk Description
If input validation exists only on the client side (JavaScript), any authenticated user can bypass it using browser developer tools, Postman, or curl. Negative values, text strings, or injected payloads could reach the server and the QuickBooks API unchecked.
Mitigation Strategy
- Server-side validation must mirror all client-side rules independently
- TC06, TC08, TC09 tested via Postman to explicitly bypass client-side validation
- Any server-side validation failure must return HTTP 400 with descriptive error body
Category
Integration — Error Handling
Affected Layer
Layer 3 — QuickBooks Integration
Risk Description
QuickBooks may return unexpected responses — HTML error pages instead of JSON, empty response bodies, or partial JSON. If the system does not guard against this, an unhandled JSON parsing exception could expose raw server errors to the user, crash the transaction flow, and leave the audit log incomplete.
Mitigation Strategy
- Wrap all API response parsing in try/catch blocks
- Validate response structure before accessing nested fields (defensive parsing)
- Log full raw response body on parse failure — never expose to user
- TC17 specifically tests malformed JSON, HTML response, and empty body scenarios
Category
Financial Accuracy — Data Type Handling
Affected Layer
Layer 2 — Business Logic
Risk Description & Mitigation
Floating-point arithmetic can produce rounding errors (e.g., 100.999 + 200.001 ≠ 301.00 in some environments). Mitigation: Use fixed-precision arithmetic (DECIMAL type in DB, avoid float/double for monetary values). System must explicitly define and enforce maximum 2 decimal places. TC10 tests this boundary.
Category
Regulatory Compliance — Audit Trail
Affected Layer
Layer 5 — Database
Risk Description & Mitigation
If audit log entries are incomplete (missing Transaction ID, user ID, amounts, or status), financial reconciliation and regulatory audits become impossible. Mitigation: Define mandatory audit log schema. Verify all required fields in TC24. Audit log write failure must NOT silently pass — log the log failure to a secondary channel.
Category
Email Service — Data Quality
Affected Layer
Layer 4 — Email Service
Risk Description & Mitigation
If the client's email address in QuickBooks is null, empty, or malformed, the system may throw an unhandled null pointer or SMTP exception — potentially crashing the flow before SMS credits are applied, despite the email step being non-blocking by design. Mitigation: Explicitly validate email field before any send attempt. Catch null/empty as a graceful skip. TC19 tests null, empty, whitespace, and invalid format variants.
🔵 Medium Risks
Medium Severity Risk Entries
Address within current or next sprint with monitored workarounds
Risk & Mitigation
SMTP outages prevent client notification emails. By design, email failure is non-blocking — SMS credits proceed regardless. However, without a retry queue, the failure is permanent. Mitigation: Implement email retry queue (e.g., dead-letter queue with 3 retry attempts over 24 hours). Finance Executive shown a non-critical warning. TC18 validates non-blocking behaviour.
Risk & Mitigation
Brands with 50+ outlets may cause UI rendering delays or dropdown freezing. Aggregation of 50 outlet amounts before submission may also cause perceptible delay. Mitigation: Paginate or virtualise large outlet lists. Implement client-side debounced aggregation. TC03 establishes performance baseline and documents acceptable thresholds.
Risk & Mitigation
Email template caching or incorrect variable binding could result in a previous transaction's data (amount, client name, brand) appearing in the current email. Clients receive an email with the wrong financial details. Mitigation: Each email must be freshly rendered per-transaction. TC20 explicitly verifies email content accuracy for each field, and runs two consecutive transactions to detect cross-contamination.
Risk & Mitigation
Input such as "1e9" (1,000,000,000) may pass type="number" HTML validation while being an unexpectedly large value. Some numeric parsers accept scientific notation. Mitigation: Explicitly disallow scientific notation in server-side validation. Define and enforce a maximum permitted top-up value. TC08 specifically tests this input variant.
🟢 Low Risks
Low Severity Risk Entries
Monitor and address in backlog — acceptable with existing guardrails
Risk & Mitigation
If one outlet field fails validation and the system resets all other fields, the Finance Executive must re-enter all amounts — a poor UX experience that may lead to re-entry errors. Mitigation: Only highlight and focus the invalid field. All valid fields retain their values. TC05 and TC12 document expected field isolation behaviour. Log as UX defect if reset occurs.
Risk & Mitigation
If QuickBooks API timeout is hardcoded (e.g., always 30s), it cannot be adjusted for different environments or QuickBooks SLA changes without a code deployment. Mitigation: Timeout value must be environment-variable configurable. TC14 records the actual configured timeout value in the test report for documentation.