This policy defines the formal risk management programme of Authentic Digital Limited (“the company”), designed to protect the company, its staff and its clients from risk by providing a framework in which risks will be identified, considered, reviewed and controlled. Recognising that risk is inherent in all administrative and business activities, and that everyone working for or on behalf of the company manages risk, the company encourages a proactive rather than reactive approach to risk management.
The company directors have approved the Risk Management Policy. This policy will be reviewed every year and updated, as applicable, to ensure that it remains appropriate in the light of any relevant changes to the law, organisational policies or contractual obligations.
It is the policy of the company to ensure that:
- Regular risk assessments are undertaken. The degree of security control required will depend on the sensitivity or criticality of the information, asset or activity; hence the first step in determining the appropriate level of security is a risk assessment that identifies and classifies the nature of the information held, the adverse consequences of security breaches and the likelihood of those consequences occurring.
- The risk assessment will identify the information assets; define the ownership of those assets; and classify them according to their sensitivity and/or criticality to the services provided by the company.
- The risk assessment will establish:
  - the existence of information risks within the company (physical or electronic);
  - the probability that these risks might occur;
  - their potential impact in terms of resulting costs, client exposure and reputational damage;
  - any action that could be taken to ameliorate or reduce the likelihood of the risk occurring, or the potential impact if it did.
- Assets should be handled in accordance with their criticality and sensitivity.
- Personal data. Personal data will be handled in accordance with GDPR and with any supplementary client-specific policy and guidance on personal data.
- All information assets will be documented within the company’s Information Asset Register, together with the details of the ‘Information Asset Owner’ and the risk assessments undertaken or planned.
Information within the company will be classified in accordance with one of the four following definitions:
- Protected (P4)
  Compromise could cause serious damage to the company or members of staff:
  - threaten life directly;
  - substantially damage the company’s finances or economic and commercial interests.
- Confidential (C3)
  Compromise could cause damage to the company or members of staff, including:
  - endanger individuals and private entities;
  - work substantially against the company’s finances or economic and commercial interests;
  - substantially undermine the financial viability of major projects or organisations;
  - impede the investigation or facilitate the commission of serious crime;
  - seriously impede the development or operation of major company policies.
- Restricted (R2)
  Compromise could cause limited damage to the company or members of staff, including:
  - cause substantial distress to individuals or private entities;
  - cause financial loss or loss of earning potential to, or facilitate improper gain or advantage for, individuals or private entities;
  - prejudice the investigation or facilitate the commission of crime;
  - breach proper undertakings to maintain the confidentiality of information provided by third parties;
  - impede the effective development or operation of company policies;
  - breach statutory restrictions on the management and disclosure of information;
  - disadvantage the company in commercial or policy negotiations with others.
  Information at this level is only available for official use by employees.
- Public (P1)
  Information authorised for unlimited public access and circulation, such as publications and web sites.
All risk management measures will take account of company policies, obligations to clients, contractual arrangements with third-party suppliers and contractors, and statutory requirements.
The designated owner of this policy, James Webster, has direct responsibility for maintaining and reviewing this policy and providing guidance on its implementation.
All managers are directly responsible for implementing this policy within their business areas.
It is the responsibility of each employee to adhere to this policy and any applicable laws. Where appropriate, compliance will be monitored; failure to comply will be dealt with under the appropriate disciplinary procedure.
All third parties who are given access to the organisation’s information systems, whether suppliers, customers or otherwise, must agree to comply with and follow this policy.
2020-09 move to public docs