Risk management
Introduction
We apply a risk-based approach in which risks are identified, analysed, assessed, treated, and monitored. Risk assessment is based on a structured methodology combining probability and impact, supported by threat analysis and defined impact criteria.
Supporting processes for business continuity (BCP and BIA), change management, and information classification ensure that information security and privacy risks are managed in a consistent and controlled way.
Detailed explanation
Risk assessment method
We use a structured methodology for identifying, analysing, and prioritising risks, based on threats derived from context and stakeholder analysis, combined with a standardized threat model for information security and privacy.
Risk is determined as probability × impact. Probability considers both the likelihood of occurrence and the likelihood that a threat results in an incident. Impact is assessed using defined levels, including factors such as financial loss, reputational damage, and loss of critical information.
Based on this assessment, risks are treated by accepting, avoiding, mitigating, or transferring them. All risks, decisions, and measures are recorded in a risk register and monitored in Jira.
The methodology is embedded in continuous improvement activities, periodic (at least annual) risk assessments, and annual internal audits.
Business continuity plan (BCP) and business impact analysis (BIA) register
The business continuity plan ensures continuity of services in case of a disaster, focusing on recovery when preventive measures are insufficient.
Key elements include:
Cloud-first principle: critical data is not stored locally
BIA register (Jira): applications and data are recorded, including CIA classification (confidentiality, integrity, availability), relevant legislation, and involved suppliers
Impact and criticality: based on CIA, an impact score is assigned; applications with a score of 8 or higher are considered critical, and their suppliers are classified as critical suppliers
RTO/RPO: recovery objectives are defined per system-data combination, particularly for critical applications
For critical applications, continuity relies on cloud providers and contractual arrangements (e.g. SLAs and terms). A fallback/disaster recovery environment is available via a hosting partner, including a manual failover procedure.
Different continuity scenarios are defined (e.g. unavailability of applications, buildings, personnel, or suppliers). Testing is risk-based:
the failover scenario for critical applications is tested periodically (twice a year)
other scenarios are not tested periodically due to their low probability and/or limited impact
Change management
We apply a defined change management procedure for changes impacting information security or privacy, covering planning, assessment, review, approval, communication, implementation, documentation, and evaluation.
Changes may originate from processes such as incidents, audits, risk assessments, or supplier changes, and are explicitly categorized into three types: ISMS changes, system/configuration changes, and product or service changes.
ISMS changes are registered and tracked in an Improvement List (Jira), including planning, responsibilities, and where applicable, impact analysis. System and configuration changes include impact analysis, approval, implementation, testing, and evaluation, with the four-eyes principle applied for production environment changes. Product and service changes follow defined processes with authorization and review depending on the type of change (e.g. support, bug fix, or feature development).
Emergency changes and changes causing issues are reviewed at least quarterly to support continuous improvement.
Classification of information as part of risk management
Information classification is an integral part of our risk management approach within the ISMS. As part of the BIA, information/data, systems and related suppliers are assessed based on availability, integrity, confidentiality, and privacy impact. This results in a structured classification and impact rating that supports the identification of critical information and systems.
Standardized classification categories and handling guidelines ensure that risks are appropriately managed and that information is processed in a consistent and controlled manner.
More information is provided in the section "Context and regulatory compliance".
Updated: 31 March 2026