Risks & Documentation Gaps
Known technical risks, compliance concerns, and documentation gaps identified across the Aidacare MS-GP environment.
Disclaimer: Risks are derived exclusively from source documents in the Aidacare MS-GP TechCodebase. Items marked TBD indicate information not present in the source documents and require Aidacare IT validation.
- High Severity Risks: 3
- Medium Severity Risks: 6
- Documentation Gaps: 4
- Total Risks Logged: 13
High Severity Risks
| ID | Risk | Impact | Status | Source |
|---|---|---|---|---|
| risk-001 | SQL Server Developer Edition in Production: Developer Edition is not licensed for production workloads under Microsoft licensing | Licensing compliance breach; potential audit liability | Open | Infrastructure Details.docx |
| risk-006 | POS Direct SQL Connection to GP Database: Envisage POS connects directly to the HANDLR SQL database — bypasses eConnect/SmartConnect pattern | Data integrity risk; direct writes could corrupt GP database | Documented | POS@Aidacare.docx |
| risk-005 | Single Key Contact (Travis/Envisage) for Multiple Critical Systems: Travis (Envisage Software) is the sole vendor contact for POS, FreightMaster, and ECHIA | Single point of failure for vendor support across 3 Tier-1 systems | Open | POS@Aidacare.docx · Freight@Aidacare.docx · ECHIA@Aidacare.docx |
Medium Severity Risks
| ID | Risk | Impact | Status | Source |
|---|---|---|---|---|
| risk-007 | On-Premises Infrastructure — Single Data Centre Exposure: No failover mechanism; no clustering or Always On configured; all workloads in one data centre | Full system outage if data centre experiences failure; RTO 4 hours | Open — Roadmap | Infrastructure Details.docx |
| risk-008 | Citrix 2203 LTSR — End of Life Timeline: Citrix 2203 LTSR has a defined end-of-life date; upgrade planning required | Loss of vendor support and security patches for primary access method | Open — Roadmap | Infrastructure Details.docx |
| risk-010 | WennSoft Version 14.0.2.0 (2015 R) — Legacy Version: WennSoft Signature 2015 R is an older release; vendor support lifecycle should be reviewed | Potential loss of vendor support; compatibility risk with future GP upgrades | Open | Infrastructure Details.docx |
| risk-003 | ECHIA Hosted on AWS — Vendor-Managed Platform: ECHIA EDI platform is fully hosted on AWS and managed by Envisage; Aidacare has no direct control | Outage or change by Envisage directly impacts NDIS/BUPA/aged care order flows | Accepted | ECHIA@Aidacare.docx |
| risk-004 | FreightMaster — IP Ownership with Envisage: FreightMaster is built by Envisage (React/NodeJS); IP and source code belong to vendor | Dependency on Envisage for all FreightMaster customisation and support | Accepted | Freight@Aidacare.docx |
| risk-009 | BUPA Manual / Assisted EDI Processing: BUPA orders through ECHIA require semi-manual processing and BUPA portal confirmation before GP entry | Higher manual effort and error rate; delays in BUPA order fulfilment | Open | ECHIA@Aidacare.docx |
Documentation Gaps
| ID | Gap | Impact | Action Required |
|---|---|---|---|
| risk-002 | Infrastructure Document V0.1 — May Not Reflect Current State: QR-IT-INF-001 is version 0.1 (created Sep 2025). Versions, IPs, and server names may have changed. | Portal may contain outdated server/application information | Validate all IPs and versions against live environment; update to V1.0 |
| risk-011 | Docuphase Status Unclear — Infrastructure Register Shows N/A: Docuphase/OnPhase appears in the installed application list with version N/A. Active status unconfirmed. | Unknown whether AP invoice OCR workflow is fully operational | Confirm Docuphase is active, version, and licence status with Aidacare Finance/IT |
| risk-012 | Windows Server 2019 — Future End of Support (Oct 2029): Windows Server 2019 Mainstream Support ends Jan 2024; Extended Support ends Oct 2029 | Planning for OS migration to Server 2022 required ahead of 2029 | Include in infrastructure roadmap; begin Server 2022 upgrade planning |
| risk-013 | Management Reporter / Financial Reporting Tool Not Confirmed: Management Reporter is listed in the application register with version N/A. Active status and financial reporting toolchain are unclear. | Unknown reporting capability for financial statements — SSRS and SmartView confirmed, MR status uncertain | Confirm Management Reporter licence/activation with Finance and IT |
Risk Mitigation Summary
Immediate Actions (High)
- Upgrade SQL Server to Standard or Enterprise Edition (risk-001)
- Review Envisage POS SQL connection scope — restrict to read-only (risk-006)
- Identify secondary vendor contacts for POS, FreightMaster, ECHIA (risk-005)
Medium-Term (6–12 months)
- Plan Citrix upgrade from 2203 LTSR (risk-008)
- Assess WennSoft upgrade path from v14.0.2.0 (risk-010)
- Implement MFA for Citrix access
- Begin Azure Site Recovery evaluation for DR (risk-007)
Documentation Actions
- Validate infra doc against live environment → V1.0 (risk-002)
- Confirm Docuphase active status (risk-011)
- Confirm Management Reporter status (risk-013)
- Plan Server 2022 migration ahead of 2029 (risk-012)