This page outlines Vertic’s current organisational Risk management process as well as the Risk register.
Managing a Risk
An employee who wishes to raise a potential risk should use this form to do so. The review/implementation process from here will follow the steps below:
1. Vertic management (Jan Tenenberg, Stephen Kent, Matt Romeo) to review the risk.
2. Several actions are possible from here, including:
   - Rejecting the risk with an appropriate justification
   - Capturing the risk including:
     - Risk Details
     - Severity
     - Mitigation/Treatment
     - Post-Treatment Assessment
3. Vertic management to provide evidence to the employee raising the risk of what the actions and outcomes were by compiling an email containing the following information:
   - Original Risk Details
   - Review Process Outcome
   - Action Decision
   - Decision Outcome
Any actions resulting from the risk management process will be managed using this JIRA workspace.
Vertic’s Risk Register
Risk # | Risk Name | Description/Risk Outcome | Annex A Controls | Likelihood | Impact Level | Severity | Mitigation/Treatment | Post-Treatment Likelihood | Post-Treatment Severity | Post-Treatment Assessment |
---|---|---|---|---|---|---|---|---|---|---|
1 | Client Data Breach | A data breach may occur in one of our client’s software environments which may result in exposure of critical information. | | LOW | HIGH | LOW | LOW | |||
2 | Staff Breach | A staff member may expose critical data from a client’s software environment which could then be published. | LOW | HIGH | MEDIUM | MEDIUM | ||||
3 | Hardware Loss | We may experience the failure of our hardware (primarily work laptops) which could result in loss of critical information needed to perform our duties. | MEDIUM | MEDIUM | LOW | LOW | ||||
4 | Software Failures | Software we use might fail; this could include either Salesforce or other key services. | MEDIUM | HIGH | LOW | LOW | ||||
5 | Employee Fraud | An employee might defraud Vertic by stealing critical information. | LOW | HIGH | MEDIUM | HIGH | ||||
6 | Employee Injury | An employee might get injured whilst performing their duties for Vertic. | LOW | MEDIUM | LOW | LOW | ||||
7 | Natural Disaster | A natural disaster might strike, impacting our geographic area. | LOW | MEDIUM | LOW | LOW | ||||
8 | Software Development Standard Breach | An employee or contractor might breach our development standards. | MEDIUM | MEDIUM | MEDIUM | LOW | ||||
9 | Physical Security Breach | An employee or contractor might breach physical security policies, such as leaving laptops unattended. | LOW | MEDIUM | LOW | LOW | ||||
10 | Contractual Relations Breach | A supplier might breach their contractual obligations with Vertic. | LOW | MEDIUM | LOW | MEDIUM | ||||
11 | Damage caused by Third Party | A third party, such as visitors, might cause physical or virtual damage to critical Vertic assets. | LOW | MEDIUM | LOW | MEDIUM | ||||
12 | Malicious Code | An employee or contractor might deliberately produce malicious code. | LOW | HIGH | LOW | MEDIUM | ||||
13 | Equipment Theft | An employee might defraud Vertic by stealing critical hardware infrastructure or laptops. | LOW | MEDIUM | LOW | LOW | ||||
14 | Sensitive Data Threat | Sensitive data might be under threat outside of Vertic’s control. | MEDIUM | HIGH | LOW | HIGH | ||||
15 | Security Information System Failure | Our VQMS processes might fail resulting in critical data exposure and/or loss. | | LOW | MEDIUM | LOW | LOW | |||
16 | Production Data Loss | Whilst performing our duties, we might experience production data loss. | | HIGH | HIGH | HIGH | MEDIUM | HIGH | We will not undertake production data migration as the information risk is too large for us to accept. |
We have used the following matrix to determine the severity of a stated risk:
Risk Likelihood | Risk Impact Level | Risk Severity |
---|---|---|
HIGH | HIGH | HIGH |
HIGH | MEDIUM | MEDIUM |
MEDIUM | HIGH | HIGH |
MEDIUM | MEDIUM | MEDIUM |
LOW | HIGH | MEDIUM |
LOW | MEDIUM | LOW |