v2.4.0

C2. Risk Register

Central living document recording all identified risks. Each entry records risk ID, description, likelihood, severity across four dimensions (health and safety, fundamental rights, operational integrity, reputational exposure), current mitigations, residual risk level, and assigned owner.

Initially populated through five-method risk identification: FMEA, stakeholder consultation, regulatory gap analysis, adversarial red-teaming, and horizon scanning. Updated continuously from PMM findings, serious incidents, regulatory developments, and system modifications. Reviewed formally each quarter and at every governance gate.

Responsible party: AI System Assessor populates. Technical SME provides technical risk input. AI Governance Lead reviews and accepts residual risk.

Regulations addressed: Article 9 (risk management system, all sub-requirements); Article 9(2)(a) (identification and analysis); Article 9(4) (residual risk communication); Annex IV(2)(g) (risk management documentation).

Key outputs

  • Five-method risk identification evidence
  • Per-risk FMEA RPN scoring (1,000-point scale)
  • Quarterly review records