Section §11
Risk register
Concrete risks observed, severity, time-horizon.
This is the highest-value section for a CFO reader. Each row is a concrete, evidence-based risk observed in the audit, with severity, time-horizon, and reference to the modernisation considerations in §12.
11.1 Severity scale
- Sev-1 — material business risk. Loss event would block operations for a full working day or more, or would cause uncorrectable data loss, or would force regulatory non-compliance.
- Sev-2 — significant operational risk. Loss event would degrade operations for hours but not block; or would create a recoverable data integrity problem; or would expose the business to one missed contractual obligation.
- Sev-3 — quality/hygiene risk. Inconvenient or embarrassing but not operationally consequential.
11.2 Time horizon
- Now — risk is realised in normal operating conditions today; observed within last 12 months.
- Soon — risk has a clear trigger expected within 12–24 months (e.g. named person retirement, support end-of-life).
- Eventually — risk is structural; trigger is uncertain but inevitable on multi-year horizon.
11.3 Register
| # | Title | Sev | Horizon | §12 tier |
|---|---|---|---|---|
| R-01 | MRP batch fails non-recoverably mid-run | 1 | Now | Mend |
| R-02 | Integration broker has single-person knowledge; retires 2027 | 1 | Soon | Retrofit |
| R-03 | role_sysadmin_legacy SQL login enabled with 2008 default password | 1 | Now | Patch |
| R-04 | Backup/DR procedure not tested since 2019; broker secrets not key-escrowed | 1 | Now | Patch (DR test) + Retrofit (secret escrow) |
| R-05 | ~12 % of supplier invoices bypass three-way match (no PO) | 2 | Now | Mend |
| R-06 | svc_broker has db_owner on production database | 2 | Now | Patch |
| R-07 | Broker encryption key is machine-bound, not externally escrowed | 2 | Now | Patch |
| R-08 | PO approvals over €25 000 captured in scanned-PDF notes, not structured field | 3 | Eventually | Mend |
| R-09 | Supplier confirmation captured as free-text PO-line note, no structured status | 3 | Eventually | Mend |
| R-10 | role_shopfloor can edit customer_order_lines.delivery_date via production-confirmation screen | 2 | Now | Patch |
| R-11 | MRP “regenerative” overwrite of unreleased planned orders loses planner intent | 3 | Now | Retrofit |
| R-12 | Crystal Reports 2013 runtime no longer in support | 3 | Eventually | Retrofit |
| R-13 | ~40 Crystal Reports embed direct SQL; schema changes break them silently | 2 | Eventually | Retrofit |
| R-14 | Activity log does not capture report reads, soft-deletes, service-account triggers | 2 | Eventually | Mend |
| R-15 | No MFA on MES-Plus access (only on VPN) | 2 | Soon | Mend |
| R-16 | Internal SQL traffic between client and database is not TLS-encrypted | 3 | Eventually | Patch |
| R-17 | SQL Server cumulative updates last applied 2022 | 2 | Soon | Patch |
| R-18 | Dormant 2018 schema-version copy (~40 GB) consumes storage and adds confusion | 3 | Now | Patch |
| R-19 | EDI partner #1 invoice SLA — 2 missed in 12 months triggers chargeback clause | 2 | Now | Mend |
| R-20 | Engineering BOM/routing backlog (~30 items at audit time) due to single-person engineering staffing | 2 | Now | Mend (process) |
| R-21 | Sales-director’s customer workbook (~600 records) has no backup beyond OneDrive default | 3 | Now | Patch |
| R-22 | Server room UPS coverage 25 minutes; no generator | 3 | Eventually | (out of MES-Plus scope) |
| R-23 | Tail-of-log restore documented but last rehearsed 2020 | 2 | Now | Patch |
11.4 The top five
If only five risks are addressed in the next 12 months, the auditor’s recommendation is:
1. R-04 — DR test + broker secret key escrow. Restoring from a six-year-old DR procedure on the day of an outage is the single largest unforced risk. The fix is a planned, controlled DR exercise (one weekend, two engineers) plus an offline export of the broker’s encryption key with two-person custody. Patch tier. Cost: ~10 person-days.
2. R-02 — Integration broker documentation. The single-person dependency. The fix is not “rewrite the broker” — that is a Retrofit project on its own multi-quarter scale. The near-term fix is extracting what the maintainer knows into structured documentation while he is still available, including a runnable demo environment and a recorded troubleshooting walkthrough. Patch tier now, ahead of a future Retrofit. Cost: ~20 person-days of maintainer + auditor pairing.
3. R-01 — MRP non-recovery scenario. The sp_mrp_rollback stored procedure was last tested in 2020. A rehearsal — restoring last night’s snapshot, running sp_mrp_rollback, verifying state — would either confirm it works or surface what is broken before a real incident. Mend tier. Cost: ~5 person-days.
4. R-03 — Disable role_sysadmin_legacy SQL login. Trivially fixable; the only reason it has not been done is that nobody is sure who or what might still use it. The fix is a 30-minute audit of database connection attempts (captured by a SQL Server logon trigger) followed by disabling the login. Patch tier. Cost: ~1 person-day.
5. R-15 — MFA on MES-Plus access. Bringing MES-Plus into the customer’s MFA boundary (currently only the VPN) would significantly raise the bar for an attacker who has reached the internal LAN. Implementation requires AD federation or a third-party MFA insertion at the SQL Server level; both are well-trodden. Mend tier. Cost: ~15 person-days.
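As an added illustration of the R-03 step (not part of the audit deliverables or the customer’s scripts), the T-SQL below records every successful connection made with role_sysadmin_legacy during an observation window, then disables the login once the list is empty. It assumes a hypothetical admin database audit_db and a hypothetical login audit_writer that holds INSERT on the table; both names are placeholders.

```sql
-- Assumed: audit_db and audit_writer are hypothetical names chosen for this example.
USE audit_db;
GO
CREATE TABLE dbo.legacy_login_attempts (
    attempt_time datetime2     NOT NULL DEFAULT SYSUTCDATETIME(),
    login_name   sysname       NOT NULL,
    client_host  nvarchar(128) NULL,
    app_name     nvarchar(128) NULL,
    session_id   int           NULL
);
GO
-- Server-level logon trigger. It fires after authentication, so it sees only
-- *successful* use of the legacy login, which is what the R-03 question needs.
-- Any error inside a logon trigger denies the connection, so the INSERT is wrapped
-- in TRY/CATCH and the trigger never rolls back: a fault here must not lock users out.
CREATE TRIGGER trg_audit_legacy_login
ON ALL SERVER WITH EXECUTE AS 'audit_writer'
FOR LOGON
AS
BEGIN
    IF ORIGINAL_LOGIN() = N'role_sysadmin_legacy'
    BEGIN
        BEGIN TRY
            INSERT INTO audit_db.dbo.legacy_login_attempts
                (login_name, client_host, app_name, session_id)
            VALUES (ORIGINAL_LOGIN(),
                    EVENTDATA().value('(/EVENT_INSTANCE/ClientHost)[1]', 'nvarchar(128)'),
                    APP_NAME(),
                    @@SPID);
        END TRY
        BEGIN CATCH
            -- Swallow: auditing must never block a logon.
        END CATCH;
    END
END;
GO
-- After the observation window: which hosts and applications still use the login?
SELECT login_name, client_host, app_name,
       COUNT(*) AS attempts, MAX(attempt_time) AS last_seen
FROM audit_db.dbo.legacy_login_attempts
GROUP BY login_name, client_host, app_name
ORDER BY last_seen DESC;
GO
-- When the result is empty (or every remaining client has been migrated):
ALTER LOGIN [role_sysadmin_legacy] DISABLE;
GO
DROP TRIGGER trg_audit_legacy_login ON ALL SERVER;
GO
```

If the trigger itself ever misbehaves, connect through the Dedicated Administrator Connection (DAC) and drop it; failed authentication attempts are not seen by a logon trigger and must be read from the SQL Server error log instead.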
11.5 Risk de-prioritisation
Several risks are recorded for completeness but are not in the auditor’s recommended near-term action set:
- R-18 (dormant 40 GB schema copy) — cosmetic; drop on next planned maintenance window.
- R-21 (sales workbook backup) — solve with OneDrive versioning configuration, near-zero cost.
- R-22 (UPS / generator) — out of MES-Plus scope; recorded so it is not lost.
11.6 Risks the audit could not assess
Honest limits of what the audit could find:
- Vendor binary risks. The vendor’s compiled MES-Plus.exe cannot be inspected. Whether it contains its own latent vulnerabilities — e.g. SQL-injection paths in the dynamic-query patterns observed in some screens — is unknowable without source access. The audit treats the binary as a black box. [INF]
- Performance under stress. No load test was conducted. The performance characterisation in §10.8 is current-state under normal operation; behaviour at 2× load is inferred, not measured.
- Vendor’s own support trajectory. The auditor did not interview the vendor. Whether the vendor is investing in this product, considering end-of-life, or pursuing a successor is outside scope. (The customer’s IT believes the vendor is “maintaining without investing”; this is reported but not verified.)
- People-attached risks beyond named. The audit identified single-person dependency on the broker maintainer. There are likely similar single-person dependencies in payroll, engineering, and accounting that the audit, scoped to MES-Plus, did not investigate.