Risk Management Procedure

Policy Statement

This procedure supports the DefectDojo Risk Management Policy by providing practical steps for identifying, assessing, treating, monitoring, and reporting risks.

Scope

Covers organizational and process-level risks affecting DefectDojo, including operational, strategic, compliance, and information security risks.

References

  • DefectDojo Risk Management Policy
  • Internal and external audit frameworks
  • Applicable legal and regulatory requirements

Definitions

  • Risk: The possibility that an event may impact DefectDojo’s ability to achieve objectives.
  • Likelihood: Probability of the risk occurring.
  • Consequence: Magnitude of the impact if the risk occurs.
  • Risk Treatment: Actions taken to mitigate, avoid, transfer, or accept a risk.
  • Risk Register: A documented record of all identified organizational-level risks.

Procedure

Organizational Roles

  • Board: Provides strategic guidance for risk management.
  • CTO: Accountable for ensuring risks are identified and appropriately treated.
  • Engineering Team: Identifies risks and applies treatments as directed.

Risk management occurs at two levels:

  1. Organizational level: High-level risks with potential significant impact, recorded in the Risk Register and reviewed by the CTO and Board.
  2. Process level: Operational risks managed via existing policies, procedures, and audits.

Identifying Risks

  • Identify all risks, whether within or outside organizational control.
  • Use consistent methodology across functions.
  • Integrate identification with decision-making processes, audits, surveys, evaluations, and new initiatives.

Analysing Risk

  • Assess consequence (impact) and likelihood (probability).
  • Combine to determine risk level.

Table 1: Likelihood of Risk Occurring

Level            | Description                                                                  | Probability
1 Rare           | Occurs only in exceptional circumstances; known elsewhere once every 5+ years | <5%
2 Unlikely       | Could occur at some time; once every 5 years                                 | 5–30%
3 Possible       | Might occur at some time; once every 3 years                                 | 30–60%
4 Likely         | Will probably occur; once during the year                                    | 60–90%
5 Almost Certain | Expected to occur frequently during the year                                 | >90–100%

Table 2: Risk Level Determination

Likelihood ↓ / Consequence → | Insignificant | Minor  | Moderate | Major     | Critical
Rare                         | Low           | Low    | Low      | Medium    | Medium
Unlikely                     | Low           | Low    | Medium   | Medium    | High
Possible                     | Low           | Medium | Medium   | High      | High
Likely                       | Medium        | Medium | High     | High      | Very High
Almost Certain               | Medium        | High   | High     | Very High | Very High

Questions to Guide Risk Management

  1. Are assumptions about environment, technology, and resources valid?
  2. What risks arise from implementing or not implementing the strategy?
  3. Are the risk solutions effective and cost-efficient?
  4. Are management and accounting controls adequate?
  5. Do solutions comply with legal, ethical, and organizational requirements?
  6. Can improvements be made?

Evaluating Risks

  • Acceptable risks: Low impact, uncontrollable, or cost of treatment exceeds benefit.
  • Unacceptable risks: Prioritized for treatment in action plans.

Managing Risks

Options include:

  • Acceptance: Risk within threshold; no treatment required.
  • Avoidance: Alter activity to reduce or eliminate risk.
  • Reduction: Lower likelihood or consequences via mitigation.
  • Transfer: Shift risk to another party (e.g., contractor, insurance).
  • Retention: Accept residual risk after mitigation measures.

Assessing Treatment Options:

  • Consider cost-effectiveness, practicality, and organizational context.
  • Budget and assign responsibility for implementing risk reduction measures.

Monitoring, Reviewing, and Reporting Risks

  • CTO monitors risks and reports monthly to the Board.
  • Formal quarterly reviews by CTO and Executive Management Team.
  • Annual review of full Risk Register by the Board.

Methods of Review:

  • External and internal audits (financial, safety, WSH)
  • Equipment maintenance checks
  • Program audits, contract reviews, and staff performance reviews

Communication of Risk

  • Medium or higher risks must be included in reports with treatment strategies.
  • High and extreme risks must be verbally communicated immediately to supervisors and CTO.
  • Low risks do not require formal reporting.

Disaster Management and Business Continuity

  • DefectDojo maintains disaster management and business continuity plans to ensure ongoing operations.
  • Plans reviewed annually by CTO.
  • Participation in local disaster management planning to support vulnerable populations.

Supporting Documents

  • Risk Management Policy
  • Organizational Audit Reports
  • Disaster Recovery Plans

Review

This procedure is reviewed annually or as needed to ensure relevance and effectiveness.