This page outlines Vertic’s current organisational Risk management process as well as the Risk register.
Managing a Risk
If an employee wishes to raise a potential risk, use this form to do so. The review and implementation process then follows the steps below:

1. Vertic management (Jan Tenenberg, Stephen Kent, Matt Romeo) to review the risk.
2. Several actions are possible from here, including:
   - Rejecting the risk with an appropriate justification
   - Capturing the risk, including:
     - Risk Details
     - Severity
     - Mitigation/Treatment
     - Post-Treatment Assessment
3. Vertic management to provide the employee who raised the risk with evidence of the actions taken and their outcomes, by compiling an email containing the following information:
   - Original Risk Details
   - Review Process Outcome
   - Action Decision
   - Decision Outcome
Any actions resulting from the risk management process will be managed using this JIRA workspace.
Vertic’s Risk Register
| Risk # | Risk Name | Description/Risk Outcome | Annex A Controls | Category | Likelihood | Impact Level | Severity | Mitigation/Treatment | Post-Treatment Likelihood | Post-Treatment Severity |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Client Data Breach | A data breach may occur in one of our clients’ software environments, which may result in exposure of critical information. | A.9.1.1, A.5.1.1, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.10.1.1, A.10.1.2 | Data | | | | | | |
| 2 | Staff Breach | A staff member may expose critical data from a client’s software environment, which could then be published. | A.7.1.1, A.7.2.2, A.7.2.3, A.9.1.1, A.9.1.2, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.5, A.9.2.6, A.9.4.4 | People | | | | | | |
| 3 | Hardware Loss | We may experience the failure of our hardware (primarily work laptops), which could result in the loss of critical information needed to perform our duties. | A.8.1.3, A.8.1.4, A.8.3.2, A.8.3.1 | Assets | | | | Information Continuity | | |
| 4 | Software Failures | Software we use might fail; this could include either Salesforce or other key services. | | Data | | | | | | |
| 5 | Employee Fraud | An employee might defraud Vertic by stealing critical information. | A.7.1.1, A.7.1.2, A.8.1.3, A.8.2.2, A.8.3.2, A.9.1.1, A.9.2.1, A.9.2.5, A.9.2.6, A.9.4.5, A.11.2.5, A.11.2.6 | People | | | | | | |
| 6 | Employee Injury | An employee might get injured whilst performing their duties for Vertic. | | People | | | | | | |
| 7 | Natural Disaster | A natural disaster might strike, impacting our geographic area. | | Data | | | | | | |
| 8 | Software Development Standard Breach | An employee or contractor might breach our development standards. | | People | | | | | | |
| 9 | Physical Security Breach | An employee or contractor might breach physical security policies, such as leaving laptops unattended. | A.6.2.2, A.8.1.3, A.8.1.4, A.8.2.3, A.8.3.1, A.8.3.2, A.8.3.3, A.11.1.4, A.11.1.5, A.11.1.6, A.11.2.1 | Physical | | | | | | |
| 10 | Contractual Relations Breach | A supplier might breach their contractual obligations with Vertic. | | Legal | | | | | | |
| 11 | Damage caused by Third Party | A third party, such as visitors, might cause physical or virtual damage to critical Vertic assets. | A.6.1.3, A.6.1.4, A.8.1.3, A.8.1.4 | Data | | | | | | |
| 12 | Malicious Code | An employee or contractor might deliberately produce malicious code. | | People | | | | | | |
| 13 | Equipment Theft | An employee might defraud Vertic by stealing critical hardware infrastructure or laptops. | A.6.2.1, A.8.1.1, A.8.1.2, A.8.1.3, A.8.1.4, A.8.2.3, A.8.3.1, A.8.3.2, A.11.1.1, A.11.1.2, A.11.2.1 | People | | | | Report to Authorities | | |
| 14 | Sensitive Data Threat | Sensitive data might be under threat outside of Vertic’s control. | A.6.2.1, A.8.2.1, A.8.2.2, A.8.3.1, A.8.3.3, A.11.1.3, A.11.1.4, A.11.1.5, A.11.2.2, A.11.2.3 | Data | | | | | | |
| 15 | Security Information System Failure | Our VQMS processes might fail, resulting in critical data exposure and/or loss. | A.5.1.1, A.5.1.2, A.6.1.1, A.6.1.2, A.6.1.5, A.7.2.1, A.11.2.2 | | | | | | | |
| 16 | Production Data Loss | Whilst performing our duties, we might experience production data loss. | A.8.2.1, A.8.2.2, A.8.3.2, A.8.3.3, A.8.3.1, A.8.3.3 | | | | | | | |
We have used the following matrix to determine the severity of a stated risk:
| Risk Likelihood | Risk Impact Level | Risk Severity |
|---|---|---|

(The matrix cell values are not reproduced in this copy of the page.)