As part of ramping up the #security-team we want to keep actionable inside of phabricator even for risk/governance/compliance work. In negotiating this workflow it seems the only missing component for this to be achieved is a formal "risk" field.
Rather than create a new form at https://phabricator.wikimedia.org/transactions/editengine/maniphest.task/ my proposal is to add this field to the 'advanced' form at https://phabricator.wikimedia.org/transactions/editengine/maniphest.task/view/3/.
This form is already restricted to folks who are known quantities and I don't expect this to be a problem. I don't want to add 'risk' to the simplified public reporting security form as keeping that as simple as possible is the right idea. Open to whatever works but I think adding it to the existing and adjusting if that's an issue is probably the sanest approach.