
Risk Management Policy

This policy establishes guidelines for identifying, assessing, and managing information security risks at Code Town.

The following policy statements set out our approach to risk management, covering all stages from risk identification through treatment and ongoing monitoring.

Risk Tolerance defines the acceptable variation in performance relative to the company’s risk appetite. Code Town sets thresholds based on the severity of risk impact:

  • High residual risks (e.g., regulatory non-compliance, major financial loss): These risks are treated with the highest priority, with immediate corrective actions or controls to reduce exposure.
  • Medium residual risks (e.g., operational disruptions): These are actively managed with contingency plans in place.
  • Low residual risks (e.g., minor process inefficiencies): These may be tolerated but must still be monitored to prevent escalation.

Risks exceeding the organization’s defined tolerance levels will be escalated to senior management for review and action.

Code Town adopts a structured risk management framework to proactively identify, evaluate, and address risks. The framework includes:

  • Risk identification: Identifying risks that could affect company objectives or operations.
  • Risk assessment: Evaluating the likelihood and potential impact of identified risks using qualitative or quantitative methods.
  • Risk treatment: Applying appropriate measures to mitigate, transfer, accept, or avoid risks.
  • Risk monitoring and reporting: Continuously tracking risk levels and control effectiveness, with regular reporting to senior management.

This risk management process aligns with the company’s overall business strategy and will be reviewed periodically.

Employees and managers assess risks regularly and log them in a risk register. Each risk is evaluated based on:

  • Likelihood: Probability of occurrence.
  • Impact: Potential severity (e.g., financial loss, reputational damage, regulatory penalties).

Each risk is rated as high, medium, or low based on the combination of its likelihood and impact.

Once risks are identified and assessed, appropriate strategies are applied to manage them according to the risk tolerance. Treatment options include:

Treatment     Description
Mitigation    Implementing controls to reduce the risk’s likelihood or impact
Avoidance     Modifying business activities or processes to eliminate the risk entirely
Transfer      Shifting the risk to a third party (e.g., insurance, outsourcing)
Acceptance    Recognizing the risk and choosing to accept it if the potential impact is within acceptable tolerance levels

Each identified risk must have a risk owner and a documented treatment plan, including deadlines, responsible parties, and required resources.

Risk monitoring is continuous, and the effectiveness of controls is formally reviewed on an annual basis.

Any significant changes to risks are updated in the risk register and communicated to senior management.

Compliance with this policy is mandatory for all employees, contractors, and third parties with access to Code Town’s data.

In rare cases, business needs, local laws, or regulations may require exceptions. Management will approve any exceptions and define alternative solutions.

Non-compliance may lead to disciplinary action, including termination, as per Code Town’s policies.

This policy will be reviewed annually or when significant changes occur to maintain its continuing suitability, adequacy, and effectiveness.

Reviews must consider changes in the regulatory landscape.