Risk Management Policy
1. Policy Statement
Clerk.io maintains an ongoing risk management program to identify, assess, treat, and monitor risks that could impact the organisation's objectives or customer trust.
2. Governance
- Information Security Manager (ISM) owns the program.
- Risk Committee (CTO, CFO, ISM, Head of Product) meets bi-monthly.
3. Methodology
We adopt an ISO 27005-inspired qualitative assessment (Likelihood × Impact). The detailed methodology is documented in the ISO 27001 Risk Assessment Methodology.
Risk Register fields:
- Asset
- Threat & Vulnerability
- Inherent Likelihood (1–5)
- Inherent Impact (1–5)
- Existing Controls
- Residual Score
- Treatment Plan & Owner
4. Risk Appetite
Defined by the Exec Team: acceptable residual risk score ≤8.
5. Monitoring & Reporting
- Risk dashboard powered by internal AI agents updates in near real time.
- High & Extreme residual risks escalated to Board within 5 days.
6. Review
Methodology and appetite reviewed annually or after significant change.
Version 1.0