Risk management

Introduction


Risk management allows us to create a culture of risk awareness and accountability throughout the organization. Promoting a systematic and structured approach to risk management enhances decision-making processes, optimizes resource allocation, and ultimately protects the achievement of our strategic objectives.



Our guiding principles


  • Risks are categorized based on the impact on Altus Group businesses.  

  • Risk assessments are conducted on assets or business processes within Altus Group or any outside entity that has signed a third-party agreement with Altus Group.

  • Appropriate mitigations are selected to address identified risks.  


Risk identification


Risk identification allows potential threats to be identified before they cause damage and helps to make sound decisions based on accurate information. Potential threats to Altus Group include both internal and external threats.

  • Potential risks are identified through regular risk assessments, incident reports or reviews (internal/external).

  • Identified risks are assigned to a risk owner.

  • Assets and processes are clearly identified and linked to their threat sources.

  • Risk identification includes the identified threats and impact to Altus Group business processes and assets.  


Risk assessment


Whilst the purpose of risk assessment includes the prevention of risks, prevention will not always be achievable in practice. Where elimination of risks is not possible, the risks should be reduced, and the residual risk controlled. The assessment of risks, including the likelihood and magnitude of harm to Altus Group business processes and assets, adheres to these requirements.

  • The risk assessment process uses the output of the risk identification process.  

  • All identified risks undergo a risk analysis and evaluation.   

  • Risk assessment results are documented.   

  • Risk assessment results are reviewed periodically.  

  • Risk assessment results are shared with stakeholders and risk owners.  

  • Risk assessments are updated whenever there are significant changes to the business processes, business context or assets.  


Risk treatment


The treatment of identified risks is implemented to reduce risk to an acceptable level. The risk owners are responsible for implementing mitigation measures and the reporting process. The treatment of the identified risks includes any or a combination of the following options: risk mitigation, risk transfer, risk acceptance, or risk avoidance.

  • A risk treatment plan is in place for all identified risks.  

  • Treatment is an iterative process.  

Risk mitigation


Our risk mitigation involves introducing or modifying controls that reduce the overall risk rating – by reducing the impact, the likelihood or both. The objective is to lower the risk to a level that is assessed as being within tolerance.

  • All identified risks have planned controls identified.  


Risk acceptance  


The purpose of risk acceptance is to formally confirm that the relevant process owner, asset owner and stakeholders are aware of the risk, and that they are confirming that activities to reduce the risk to a level that is within Altus Group’s risk tolerance are either not being pursued or will require significant resources and time to implement.

  • A risk acceptance is approved by the owner of the impacted asset or business process.