Risk management is considered a key cultural objective of Ballpark as an organisational structure. In achieving this, the organisation should treat:
- Management of risk as a concern of all employees.
- Management of risk as part of everyone’s normal day-to-day business.
- The process for managing risk as systematic and logical, to be implemented on a routine basis, integrated across teams and in aspects of service delivery.
The Risk Management Policy and its supporting controls, processes and procedures apply to all individuals who have access to Ballpark's information and technologies, including external parties that provide information processing services to Ballpark.
Roles and responsibilities
Ballpark's CTO is considered the chair of the SANS Team and has accountability to the CEO and Ballpark Board for managing risk.
The SANS team will direct the risk benchmarking for the organisation and review the information risk register. They will be involved in assessing and reviewing High risks via the SANS team review sessions.
The CTO is responsible to the CEO and Board for managing the risk assessment process and maintaining an up-to-date risk register. The Data Protection Officer and COO will conduct risk assessments and recommend action for Medium and Low risks, where these can be clearly defined in terms of Ballpark's base benchmark for risk.
The SANS team is responsible for assessing and reviewing High risks, and will have visibility of the risk register.
Information Asset Owners and department managers must be responsible for agreeing and implementing appropriate treatments to risks under their control. They must also take an active role in identifying and reporting new risks.
CTO: Brendan Moore - firstname.lastname@example.org
COO: Kelsey Traher - email@example.com
SANS Team: firstname.lastname@example.org
Our Risk Management Policy sits alongside our Security Policy, Data Management Policy and Data Protection Policy to provide the high-level outline of and justification for Ballpark's risk-based information security controls.
Author: Kelsey Traher, COO
Date of change: May 2022
Summary of changes: Reviewed for accuracy; minor changes
Author: Brendan Moore, CTO
Date of change: Oct 2019
Summary of changes: Initial externalised policy document, outlining Ballpark's internal risk management processes