1. Purpose

The purpose of this policy is to define the methodology for the assessment and treatment of information security risks and define cost-effective solutions to managing those risks.

Active risk management helps PROVEN to achieve its strategy, serve its customers and community, and grow its business safely and sustainably.

2. Scope

Risk assessment and risk treatment are applied to the entire scope of PROVEN’s information security program, and to all assets which are used within company or whichcould have an impact on information security within it.

This policy applies to all PROVEN’s employees, who shall also observe any additional Rules to which they may be subject.

3. Background.

A key element of PROVEN’s information security program is a holistic and systematic approach to risk management. This policy defines the requirements and processes to identify information security risks.

The process consists of four parts: identification of critical assets, as well as the threats and vulnerabilities that apply; assessment of the likelihood and consequence (risk) of the threats and vulnerabilities being realized, identification of treatment for each unacceptable risk, and evaluation of the residual risk after treatment.

4. Risk Appetite.

Risk management starts with a strong risk culture, clear accountability, and a formally defined risk appetite that articulates the level and types of risks the company accepts to achieve its strategic objectives.

The Risk Appetite shapes requisite controls and dictates risk behaviors. Risks to business are identified and their materiality assessed by considering their likelihood and potential customer, financial, reputational and regulatory impacts.

The company manages these risks through a combination of limits and controls to ensure risks are within appetite. The company aggregates and reports risk data to highlight material risks and support good decision making. Where necessary, these risks are escalated to PROVEN – Risk Assessment PolicyPUBLICChief Technology Officer (CTO) to facilitate management decisions, challenge and remediation.

Risk appetite is the level and types of risks that the company is willing to take in order to achieve its strategic objectives. Risk appetite supports senior management to make informed decisions on how to optimally allocate capital, funding and liquidity to finance strategic growth within acceptable risk levels, as well as supporting the monitoring of risk exposure.

Risk Appetite is set to ensure that risks can be properly managed, for example, through:

  • Alignment with strategy, purpose, values and customer needs;
  • Compliance with applicable laws and regulations;
  • Level of available staff with the required competencies to manage the risks;
  • Functionality, capacity and resilience of available systems to manage the risks and
  • Effectiveness of the applicable control environment to mitigate the risks.

PROVEN established that risk residual assessments being Medium or higher are outside of its risk appetite, the company will work towards the reduction of such risks ratings to an acceptable level.

5. Compliance with legal and regulatory requirements.

The company and its employees must comply with the letter and spirit of all laws, rules, standards, codes of conduct, regulatory guidance, and regulations (collectively referred to as “rules, regulations, and laws”) which are issued by regulators, government bodies, global organisations or equivalent agencies that have the power to impose legal or regulatory obligations on the company.

Failure to comply with rules, regulations and laws leads to poor customer and conduct outcomes, and puts the company at risk of regulatory enforcement or supervisory action, lawsuits, and reputational damage.

6. Risk management across our third party dependencies

In order to serve customers and meet regulatory obligations the company interacts with a wide range of different third parties and partner organizations. These interactions create risk exposure which the company remains accountable for, even though they arise outside the organisation. These third party dependencies should be managed in line with company’s applicable policies and procedures, taking account of the risk management principles within this policy wherever possible.

7. Identify and assess

To run the company’s processes safely and to grow its business sustainably and in line with risk appetite, it is important to identify risks, assets, threats, vulnerabilities and their potential impacts. Proactive management is required of any material risks identified, and whenever possible, immediate action should be taken to limit the impacts on business and customers.

For each risk, an owner must be identified. The risk owner and the asset owner may be the same individual.

Critical assets are all assets within the scope of the information security program; in other words, all assets which may affect the confidentiality, integrity, and/or availability of information in the organization.

Assets may include documents in paper or electronic form, applications, databases, information technology equipment, infrastructure, and external/outsourced services and processes. For each asset, an owner must be identified.

Threats and vulnerabilities must be listed in a risk assessment table. Each asset may be associated with multiple threats, and each threat may be associated with multiple vulnerabilities.

Due to the ever-changing environment of businesses, risk identification is an ongoing process to ensure all material risks are known, well understood and proactively managed.Therefore, learning from the past and external events is as critical as recognizing new and emerging risks in preparing for what could happen in the future.

8. Risk environment.

There are many factors that could result in changes of the existing operating environment and have a significant impact on the company. To identify and then assess risks, it is criticalto understand the internal and external environments along with potential changes and respond to these changes appropriately.

Businesses can be affected by external factors, such as legal, regulatory, political, social, economic and financial market factors that are out of company’s control. The potential impacts of these external factors need to be well understood to ensure that can be adequately mitigated.

Examples include changes in political and regulatory landscape, macroeconomic conditions and financial market movements.

Customers’ expectations, needs and behaviors continuously evolve, which may introduce new risks and changes to businesses’ existing risk profile. A good understanding of customers’ profiles, which can change over time, helps the company to identify risks to businesses and serve its customers better.

PROVEN – Risk Assessment PolicyPUBLICThe risk profile of businesses and operations may change as new products or services are launched, or when new processes, tools or infrastructure are implemented.

These activities are often carried out as strategic change initiatives with a clear plan and risk controls. In addition to strategic changes, risks can also occur due to unexpected changes or failures in internal processes, people and systems.

When these internal events occur, immediate action should be taken to limit the impacts on business and customers. These remedial actions aim to deliver solutions to minimise risk until a strategic fix can be implemented post-root cause analysis.

9. Risk assessment and measurement.

When assessing risk, the likelihood of a risk occurring and the impact on business against risk appetite must be measured. The outcome of the risk assessment should provide a forward-looking view that enables the prioritization of appropriate management actions to mitigate the most material risks.

Risks are identified, assessed, recorded and used for reporting and management decisions.

Risk impact is assessed by considering the financial, customer, regulatory and reputation implications (impact for each combination of threats and vulnerabilities for an individual asset if such a risk materializes).

The factors being considered include, but are not limited to:

  • Financial impact: increased cost, reduced revenue, credit/trading/operational losses or other losses, higher capital demand;
  • Customer impact: service disruption, product delivery delay, client data loss, unfair pricing;
  • Regulatory impact: regulatory enforcement, heightened regulatory scrutiny;
  • Reputational impact: brand damage; negative media coverage, activist actions.

Understanding the risk likelihood is equally important and is assessed along with the risk impact.There are a number of factors considered and different methodologies used when assessing risk likelihood; for example, using historic data and management overlay to model the probability of similar risks materializing in the future (i.e. the probability that a threat will exploit the vulnerability of the respective asset).

Robust and comprehensive risk measurement methodologies, models and analytical tools, as well as adequate resources, capabilities, data and infrastructure must be in place for risk assessment.

It is important to support risk assessment with both quantitative information (data, calculations or model outputs) and qualitative information and insights (expert judgment and PROVEN – Risk Assessment Policy PUBLIC critical analysis), and also be aware of key limitations and assumptions of any inputs used in risk assessments to make the most informed decisions.

Criteria for determining impact, likelihood and risk rating are defined in the tables below.

10. Assessment criteria.

The Risk Prioritization Matrix (“RPM”) provides consistent criteria for the materiality assessment of risks. The Impact Scale of the RPM is also used to consistently assess the impact of risk events.

Inherent Risk: Is an assessed level of raw or untreated risk; that is, the natural level of risk inherent in a process or activity without doing anything to reduce the likelihood or mitigate the severity of a mishap, or the amount of risk before the application of the risk reduction effects of controls.

Residual Risk: The amount of risk or danger associated with an action or event remaining after natural or inherent risks have been reduced by risk controls.

There are two different criteria for determine the risk scenario to be assessed:

  • Use of a hypothetical single plausible risk event
  • Use of hypothetical estimated cumulative impact. Where similar risk events are expected to occur over the next 12 months, these are grouped and treated as a single plausible risk event

11. Risk Remediation

As part of this risk remediation process, the company shall determine objectives for mitigating or treating risks. All high and critical risks must be treated. For continuous improvement purposes, company managers may also opt to treat medium and/or low risks for company assets.

Treatment options for risks include the following:

  • Selection or development of security control(s).
  • Transferring the risks to a third party; for example, by purchasing an insurance policyor signing a contract with suppliers or partners.
  • Avoiding the risk by discontinuing the business activity that causes such risk.
  • Accepting the risk, this option is permitted only if the selection of other risk treatment options would cost more than the potential impact of the risk being realized. The business should formally accept the level of risk it is running and review the associated issues and actions.

After selecting a treatment option, the risk owner should estimate the new impact and likelihood values after the remediation plan is implemented.

12. Regular Reviews of Risk Assessment and Risk Treatment.

The results of risk assessments, and all subsequent reviews, shall be documented in a RiskAssessment Report.

The Risk Assessment Report must be updated when newly identified risks are identified. Ata minimum, this update and review shall be conducted annually.