Risk management

Martin Remmelgas edited this page Jun 16, 2026 · 1 revision

Overview

Codemagic performs regular risk assessments in order to stay ahead of the threat landscape, covering both security-focused risks and mundane operational risks. This policy establishes the procedures and standards that risk assessments at Codemagic are held to.

Codemagic maintains a business continuity plan and disaster recovery plan. We also have our vendor management policy. Apart from these, once a year, as part of Threat Management and Security Assurance, the management team completes a risk assessment on the inventory.

Risk assessment of the inventory shall be asset-based and follow these procedures and policies:

  • Inventory all assets.
  • Evaluate the effectiveness of existing controls.
  • Identify the threats and vulnerabilities of each asset.
  • Assess each risk’s potential impact.
  1. As part of the risk assessment process, identified risks are logged in a risk register. Each risk is evaluated based on likelihood (probability of occurrence) and impact (potential severity), then rated as High, Medium, or Low.

  2. Each risk must have a risk treatment plan established.

  3. Risks are treated according to the following options:

    Treatment    Description
    -----------  -------------------------------------------------------------------------
    Mitigation   Implementing controls to reduce the risk's likelihood or impact
    Avoidance    Modifying business activities or processes to eliminate the risk entirely
    Transfer     Shifting the risk to a third party (e.g., insurance, outsourcing)
    Acceptance   Recognizing and accepting the risk if it is within tolerance levels
  4. Risk tolerance is based on residual risk level:

    • High residual risks (e.g., regulatory non-compliance, major financial loss): Treated with highest priority and immediate action.
    • Medium residual risks (e.g., operational disruptions): Actively managed with contingency plans.
    • Low residual risks (e.g., minor process inefficiencies): May be tolerated but monitored to prevent escalation.
  5. Risk monitoring occurs continuously, with annual reviews of control effectiveness. Significant changes are updated in the risk register and communicated to senior management.