LogoLogo
Current Version
Current Version
  • Welcome to FundApps' Policy Portal
  • FundApps Policies
    • Technical & Platform Overview
    • Software Development
    • Risk Management
      • Risk Management Framework
      • Information Asset Register
      • Information Systems Register
      • Data Classification and Protection Standard
    • Information Security Management System
      • Information Security Management Policy
      • Scope
      • Statement of Applicability
      • Objective Plan
      • Roles, Responsibilities and Organisation
      • Performance Evaluation
      • Internal Audit Policy
      • Internal Audit Plan for a 3 year cycle
      • Continual Improvement Process
      • Internal and External Communication Plan
      • Document Control Policy
    • Information Security Policies
      • Client Services Access to Client Environments
      • Employee Guide
      • Security Awareness Program
      • Social Media
      • Access Control
      • Physical Security
      • Network Security
      • Logging, Monitoring and Alerting
      • Incident Response
      • Data Backups
      • Privacy Policy
      • Vulnerability Management Policy
      • Security Exception Management Policy
      • Information Security Risk Register
      • Data Retention Policy
      • Patch Management Policy
      • Cryptographic Policy
      • Information Security in Project Management
      • Information Transfer Policy
      • Third Party Risk Management
    • Business Continuity
      • Business Continuity Management System
      • Business Continuity Policy
      • Business Continuity Risk Register
      • Technical Resilience
      • Business Continuity Documents
    • Personnel & Safety
      • Overview
      • Code of Conduct
      • Health and Safety
      • Third party vendors
      • The FundApps Code for Third Parties
  • Legal Information
    • 📖General Terms
      • Fair Usage Policy
      • Third Party Data Provider Terms
    • DORA
      • Operational Resilience Statement
      • Statement on Contractual Compliance
      • Subcontractors and Service Location
      • Threat-Led Penetration Tests (TLPT) Policy
    • 📃Insurance
    • 🌍Carbon Neutral
  • 🤖AI
    • 💬FundApps Assistant (Intercom)
  • Policy Change Log
    • May 2025
    • March 2025
    • January 2025
    • December 2024
    • November 2024
    • October 2024
    • August 2024
    • July 2024
    • June 2024
    • April 2024
    • February 2024
    • January 2024
    • November 2023
    • October 2023
    • September 2023
    • August 2023
    • June 2023
    • February 2023
    • December 2022
    • October 2022
    • September 2022
    • June 2022
    • March 2022
    • February 2022
    • January 2022
    • December 2021
    • November 2021
    • October 2021
    • August 2021
    • July 2021
    • January 2021
    • August 2020
    • May 2020
    • March 2020
    • November 2019
    • September 2019
Powered by GitBook
On this page
  • Overview
  • Risk Appetite
  • Risk Tolerance
  • Risk Management Process
  • A- Risk Identification
  • B- Risk Assessment
  • C- Risk Response
  • D- Risk and Control Monitoring
  • Risk Management Matrix

Was this helpful?

Export as PDF
  1. FundApps Policies
  2. Risk Management

Risk Management Framework

Overview

FundApps approaches both information security and business continuity from risk based principles. Each identified information security or business continuity risk is reviewed with regard to Likelihood (the possibility of a risk happening), and Impact (the consequence of a risk happening).

Risks can be identified by any member of staff, and, staff members are encouraged to contribute. Once risks are identified and reviewed for Likelihood and Impact, an appropriate remediation plan can be formulated.

The key is that risk management drives activity to resolve identified risks, and is the responsibility is that of each employee of FundApps.

Risk Appetite

FundApps has no appetite for safety risks that could result in the injury or loss of life of FundApps staff, clients or partners.

FundApps has no appetite for information security risks that could result in unauthorised or accidental disclosure of, client or other sensitive information.

FundApps has a low appetite for business continuity risks which prevent the ability to provide service to clients.

Risk Tolerance

It is important to note that following the risk management framework, any risk that equals or exceeds a risk rating of twelve (12) will exceed the FundApps Risk Tolerance level and therefore will require a risk treatment plan to lower the risk profile. See the FundApps Risk Management Matrix at the bottom of the page for further information.

Risk Management Process

A- Risk Identification

Potential information security risks and business continuity risks are identified through both formal and informal channels:

  1. Monthly security review meetings

  2. Incident response and reviews

  3. As part of the Software Development Lifecycle

  4. As part of the continuous release management

  5. As part of everyday working practice

B- Risk Assessment

Likelihood and impact

Potential risks are recorded in the risk register and assigned an owner. Risks are assessed on two criteria with regards to any current controls that may already be in place:

  • Likelihood, according to the FundApps Risk Management Matrix (cf. bottom of the page). Likelihood should consider the specific vulnerability or threats that may exploit this vulnerability.

Residual risk

The assessment of likelihood and impact places the risk within risk tolerance levels defined in the Risk Management Matrix (cf. bottom of the page).

Each risk level consists of

  • the likelihood and impact levels

  • a timeframe for review while the risk is open

  • a timeframe for review once the risk is closed

C- Risk Response

Based on this categorization we can then design a risk response in order to reduce our residual risk.

Strategies for responding to the risk can include:

  • Avoid risk – activities with a high likelihood of loss and large business impact. The best response is to avoid the activity.

  • Mitigate risk – activities with a high likelihood of occurring, but business impact is small. The best response is to use management control systems to reduce the risk of potential loss.

  • Transfer risk – activities with low probability of occurring, but with a large business impact. The best response is to transfer a portion or all of the risk to a third party by purchasing insurance, hedging, outsourcing, or entering into partnerships.

  • Accept risk – if cost-benefit analysis determines the cost to mitigate risk is higher than cost to bear the risk, then the best response is to accept and continually monitor the risk.

Our risk response may generate information security or business continuity controls which could be technical, procedural or policy based.

D- Risk and Control Monitoring

Identified risks and their mitigating controls are monitored and reviewed at least annually in order to ensure the residual risk is within the risk appetite. Should the residual risk change, either due to a change in the intrinsic risk, or due to the control effectiveness, the risk response will be reviewed.

Risk Management Matrix

PreviousRisk ManagementNextInformation Asset Register

Last updated 2 years ago

Was this helpful?

Impact, according to the FundApps Risk Management Matrix (cf. bottom of the page). Further guidance must be taken from the FundApps Data Classification and Handling when referring to impact. This will take into account the Confidentiality, Integrity and Availability requirements of any data asset.

Use of definitions based upon ISACA’s

Policy
standard Glossary of Terms
258KB
Risk Management Matrix.png
image
Risk Management Matrix 2019