Risk Management Framework
Overview
FundApps approaches both information security and business continuity from risk-based principles. Each identified information security or business continuity risk is reviewed with regard to Likelihood (the possibility of the risk occurring) and Impact (the consequence if it does).
Risks can be identified by any member of staff, and staff members are encouraged to contribute. Once a risk has been identified and reviewed for Likelihood and Impact, an appropriate remediation plan can be formulated.
The key point is that risk management drives activity to resolve identified risks, and that this is the responsibility of every employee of FundApps.
Risk Tolerance
Under the risk management framework, any risk with a score of twelve (12) or higher is outside the FundApps Risk Tolerance level and therefore requires a risk treatment plan to lower its risk profile. See the Risk Matrix and treatment for further information.
Risk Management Process
Identify
Potential information security risks and business continuity risks are identified through both formal and informal channels:
Monthly company-wide security awareness sessions
Monthly security review meetings
Incident response and reviews
As part of the Software Development Lifecycle
As part of the continuous release management
As part of everyday working practice
Assess
Likelihood and impact
Potential risks are recorded in the risk register and assigned an owner. Risks are assessed on two criteria, taking into account any controls that are already in place:
Likelihood, according to the FundApps likelihood table. Likelihood should consider the specific vulnerability and the threats that may exploit it.
Impact, according to the FundApps impact table. Further guidance must be taken from the FundApps Data Classification and Handling Policy when assessing impact; this takes into account the Confidentiality, Integrity and Availability requirements of the affected data asset.
Residual risk
The combined assessment of likelihood and impact places the risk at one of the risk levels defined in the risk tolerance table.
Each risk level consists of:
the likelihood and impact levels
a timeframe for review while the risk is open
a timeframe for review once the risk is closed
Risk response
Based on this categorisation we can then design a risk response in order to reduce the residual risk.
Strategies for responding to a risk include:
Avoid risk – activities with a high likelihood of loss and large business impact. The best response is to avoid the activity.
Mitigate risk – activities with a high likelihood of occurring, but business impact is small. The best response is to use management control systems to reduce the risk of potential loss.
Transfer risk – activities with low probability of occurring, but with a large business impact. The best response is to transfer a portion or all of the risk to a third party by purchasing insurance, hedging, outsourcing, or entering into partnerships.
Accept risk – if cost-benefit analysis determines the cost to mitigate risk is higher than cost to bear the risk, then the best response is to accept and continually monitor the risk.
The chosen risk response may generate new information security or business continuity controls, which can be technical, procedural or policy based.
Closing a risk
A risk remains open until we have either:
implemented any new controls identified to reduce the likelihood or impact of the risk, and therefore its residual risk, and
re-assessed the risk and confirmed that it is below the High level;
or decided to accept the residual risk level.
Review
Once closed, risks are re-assessed on the timeframe defined for their risk level.
Definitions are based upon ISACA's standard Glossary of Terms.