Risk Management Framework

Last updated: January 15, 2026

Enterprise Risk Management Policy

Document owner: Chief Information Security Officer (CISO), with CFO as co-owner Version: 3.0 Effective date: January 1, 2026 Last updated: January 15, 2026 Classification: Public — Trust Center Review cadence: Annual comprehensive review; quarterly risk register updates Company: Acme Cloud, Inc. Address: 1200 Market Street, Suite 400, San Francisco, CA 94103, USA Primary contacts: trust@acmecloud.com | security@acmecloud.com | privacy@acmecloud.com

Definitions and Key Terms

Term	Definition
Risk	The effect of uncertainty on objectives, measured as a combination of the probability of occurrence and the magnitude of impact
Enterprise Risk Management (ERM)	A process applied across the enterprise designed to identify, assess, manage, and monitor potential events that may affect the organization
Risk Appetite	The broad-based amount of risk an organization is willing to accept in pursuit of its mission and strategic objectives
Risk Tolerance	The specific maximum risk level acceptable for individual risk categories or activities
Risk Register	A centralized repository documenting identified risks, their assessments, controls, and treatment status
Inherent Risk	The level of risk that exists before any risk treatment or control measures are applied
Residual Risk	The level of risk remaining after risk treatment measures have been applied
Control	A measure that modifies risk, including policies, procedures, guidelines, practices, or organizational structures
Risk Treatment	The selection and implementation of options for addressing risk (accept, avoid, transfer, mitigate)
Risk Owner	An individual or entity with accountability and authority to manage a specific risk
Control Owner	An individual responsible for implementing and maintaining a specific control
Key Risk Indicator (KRI)	A metric used to provide an early signal of increasing risk exposures in various areas of the enterprise
Risk Assessment	The overall process of risk identification, risk analysis, and risk evaluation
Threat	A potential cause of an unwanted incident that may result in harm to a system, organization, or asset
Vulnerability	A weakness in an asset or control that can be exploited by one or more threats
Impact	The result or effect of a risk event occurring
Likelihood	The chance of a risk event occurring, expressed qualitatively or quantitatively
Business Impact Analysis (BIA)	Process of analyzing business functions and the effect a disruption might have upon them
Control Self-Assessment	A management tool to assess and monitor the adequacy and effectiveness of internal controls
Three Lines Model	A model for organizing risk governance: first line (operational), second line (risk/compliance), third line (audit)
Risk Heat Map	A visual representation of risks plotted by likelihood and impact to facilitate prioritization

Scope and Purpose

This Enterprise Risk Management Policy establishes Acme Cloud, Inc.'s framework for systematically identifying, assessing, treating, monitoring, and reporting risks across all business operations, technology systems, and strategic initiatives. The policy scope encompasses all risk categories affecting the organization including strategic, operational, financial, compliance, security, privacy, and reputational risks. The purpose is to enable informed risk-taking aligned with the organization's risk appetite, protect stakeholder value, ensure regulatory compliance, and support achievement of business objectives while maintaining appropriate controls.

Policy Applicability

Scope Element	Included	Examples
Business Operations	Yes	Revenue operations, customer success, marketing, sales
Technology & Security	Yes	Infrastructure, applications, data, security controls
Financial	Yes	Revenue, expenses, treasury, accounting, tax
Legal & Compliance	Yes	Regulatory compliance, contracts, litigation
Human Resources	Yes	Employment, workplace safety, talent management
Strategic	Yes	Market position, competition, M&A, partnerships
Third-Party	Yes	Vendors, suppliers, business partners, customers
Reputational	Yes	Brand, public relations, stakeholder perception

Risk Governance Structure

Three Lines Model Implementation

Line	Function	Responsibilities	Key Personnel
First Line	Operational Management	Day-to-day risk identification and control execution; process ownership; operational risk management	Department heads, team leads, individual contributors
Second Line	Risk & Compliance Functions	Risk framework development; policy oversight; compliance monitoring; risk aggregation and reporting	CISO, General Counsel, Compliance team
Third Line	Internal Audit	Independent assurance; control effectiveness testing; audit findings and recommendations	Internal Audit (outsourced), external auditors

Risk Governance Bodies

Body	Composition	Risk Responsibilities	Meeting Frequency
Board of Directors	5 directors (3 independent)	Risk oversight; risk appetite approval; strategic risk review	Quarterly
Audit Committee	3 independent directors	Risk management oversight; internal control assessment; audit coordination	Quarterly
Executive Risk Committee	CEO, CFO, CISO, General Counsel	Risk appetite implementation; risk treatment decisions; escalation resolution	Monthly
Security Risk Committee	CISO, VP Engineering, SRE Lead, Privacy Officer	Security and privacy risk assessment; control prioritization; incident review	Bi-weekly
Third-Party Risk Committee	CISO, CFO, General Counsel, VP Operations	Vendor risk assessment; contract risk review; supplier management	Monthly

Risk Management Roles

Role	Responsibilities	Accountability
Board of Directors	Approve risk appetite; provide risk oversight; ensure adequate resources	Ultimate governance accountability
CEO	Enterprise risk strategy; risk culture; resource allocation	Executive accountability
CFO	Financial risk management; insurance; business continuity funding	Financial risk ownership
CISO	Security risk management; privacy risk; technology risk; ERM coordination	Security and technology risk
General Counsel	Legal risk; regulatory risk; compliance risk; contract risk	Legal and compliance risk
Risk Owners	Individual risk assessment; control implementation; risk monitoring	Assigned risk categories
Control Owners	Control operation; control testing; gap remediation	Assigned controls
Internal Audit	Independent assurance; control testing; findings reporting	Audit assurance

Risk Appetite and Tolerance

Risk Appetite Statement

Acme Cloud, Inc. maintains a moderate overall risk appetite that supports innovation and growth while ensuring the security of customer data, compliance with regulatory obligations, and protection of organizational reputation. We accept calculated risks where the potential benefits to customers and the business justify the risk exposure and where effective controls can reduce residual risk to acceptable levels.

Risk Appetite by Category

Risk Category	Appetite Level	Appetite Description	Rationale
Strategic	Moderate-High	Accept measured strategic risks to pursue growth and market position	Growth-stage company; competitive market
Operational	Moderate	Accept operational risks with strong controls and recovery capabilities	Balanced efficiency and resilience
Security	Low	Minimal tolerance for security compromises; aggressive risk mitigation	Customer trust; regulatory requirements
Privacy	Low	Minimal tolerance for privacy violations; strong data protection	Customer trust; GDPR/CCPA compliance
Financial	Moderate	Accept financial risks within defined parameters and forecasting	Sustainable growth focus
Compliance	Very Low	Zero tolerance for intentional non-compliance; minimal residual exposure	Legal obligations; certification requirements
Reputational	Low	Limited tolerance for actions that could damage reputation	Brand value; customer relationships
Third-Party	Moderate	Accept vendor risks with appropriate due diligence and monitoring	Operational efficiency; managed outsourcing

Risk Tolerance Thresholds

Risk Level	Likelihood × Impact Score	Treatment Required	Approval Authority
Critical	>20	Immediate action required; cannot be accepted	Board Audit Committee
High	13-20	Active treatment required; senior management approval to accept	Executive Risk Committee
Medium	7-12	Treatment plan required; management monitoring	Department head
Low	1-6	Accept with monitoring; standard controls sufficient	Risk owner

Risk Assessment Methodology

Risk Identification Methods

Method	Description	Frequency	Owner
Annual Risk Assessment	Comprehensive enterprise-wide risk identification	Annual	CISO
Departmental Assessments	Function-specific risk identification by business unit	Annual	Department heads
Project Risk Reviews	Risk assessment for significant projects and initiatives	Per project	Project lead
Vendor Assessments	Third-party risk identification during onboarding and review	Per vendor + annual	Third-Party Risk Committee
Incident Analysis	Risk identification from security incidents and near-misses	Per incident	Security team
Threat Intelligence	Emerging threat identification from external sources	Continuous	Security team
Compliance Scanning	Regulatory and standards gap identification	Quarterly	Compliance team
Control Self-Assessment	First-line identification of control gaps	Annual	Control owners
External Audit	Independent risk and control identification	Annual	Internal Audit

Likelihood Assessment Scale

Rating	Score	Definition	Probability	Time Horizon
Rare	1	Extremely unlikely to occur	<5%	Would not occur within 5 years
Unlikely	2	Could occur in exceptional circumstances	5-15%	May occur once in 5 years
Possible	3	May occur at some point	16-50%	May occur once in 3 years
Likely	4	Will probably occur in most circumstances	51-85%	Will likely occur within 1 year
Almost Certain	5	Expected to occur; may have already occurred	>85%	Expected within 6 months

Impact Assessment Scale

Rating	Score	Financial Impact	Operational Impact	Reputational Impact	Compliance Impact
Negligible	1	<$10K	No service disruption	No media attention	Documentation gap
Minor	2	$10K-$100K	<1 hour disruption	Minor social media	Internal audit finding
Moderate	3	$100K-$500K	1-4 hours disruption	Industry press coverage	External audit finding
Major	4	$500K-$2M	4-24 hours disruption	National media	Regulatory notice
Severe	5	>$2M	>24 hours disruption	International media; customer loss	Regulatory action; litigation

Risk Scoring Matrix

	Negligible (1)	Minor (2)	Moderate (3)	Major (4)	Severe (5)
Almost Certain (5)	5 (Medium)	10 (Medium)	15 (High)	20 (High)	25 (Critical)
Likely (4)	4 (Low)	8 (Medium)	12 (Medium)	16 (High)	20 (High)
Possible (3)	3 (Low)	6 (Low)	9 (Medium)	12 (Medium)	15 (High)
Unlikely (2)	2 (Low)	4 (Low)	6 (Low)	8 (Medium)	10 (Medium)
Rare (1)	1 (Low)	2 (Low)	3 (Low)	4 (Low)	5 (Medium)

Risk Register

Enterprise Risk Register Summary (FY2025)

Risk ID	Risk Description	Category	Inherent Risk	Controls	Residual Risk	Owner	Treatment
R-001	Data breach exposing customer PII	Security	Critical (25)	Encryption, access controls, monitoring, DLP	High (12)	CISO	Mitigate
R-002	Ransomware attack disrupting operations	Security	Critical (20)	Endpoint protection, backups, segmentation, training	Medium (8)	CISO	Mitigate
R-003	Third-party vendor breach affecting our data	Third-Party	High (16)	Vendor assessment, contractual controls, monitoring	Medium (9)	CISO	Mitigate
R-004	Regulatory compliance violation (GDPR/CCPA)	Compliance	High (15)	Privacy program, DPIAs, consent management	Medium (6)	General Counsel	Mitigate
R-005	Service availability failure (>SLA)	Operational	High (16)	Redundancy, DR plan, monitoring, auto-scaling	Medium (8)	VP Engineering	Mitigate
R-006	Key personnel departure	Operational	Medium (12)	Documentation, cross-training, succession planning	Medium (8)	CPO	Mitigate
R-007	Cloud provider outage or failure	Third-Party	Medium (12)	Multi-region deployment, DR plan, vendor SLA	Low (6)	VP Engineering	Accept
R-008	Insider threat (malicious or negligent)	Security	High (15)	Access controls, monitoring, background checks, training	Medium (9)	CISO	Mitigate
R-009	Economic downturn affecting revenue	Financial	Medium (12)	Diversified customer base, cost management	Medium (9)	CFO	Accept
R-010	Competitor disruption	Strategic	Medium (9)	Product innovation, customer success focus	Medium (9)	CEO	Accept

Top 10 Risks by Residual Score

Rank	Risk ID	Risk Description	Residual Score	Trend	Primary Control
1	R-001	Customer data breach	12 (High)	Stable	Defense-in-depth security
2	R-008	Insider threat	9 (Medium)	Stable	Least privilege access
3	R-003	Vendor data breach	9 (Medium)	Improving	Third-party risk management
4	R-009	Economic downturn	9 (Medium)	Worsening	Financial planning
5	R-010	Competitor disruption	9 (Medium)	Stable	Product innovation
6	R-002	Ransomware attack	8 (Medium)	Improving	Endpoint protection
7	R-005	Service availability	8 (Medium)	Stable	Multi-region redundancy
8	R-006	Key personnel loss	8 (Medium)	Stable	Succession planning
9	R-004	Compliance violation	6 (Low)	Improving	Privacy program
10	R-007	Cloud provider failure	6 (Low)	Stable	Multi-region architecture

Risk Treatment

Treatment Options

Treatment	Description	When to Apply	Example
Accept	Acknowledge and retain the risk without additional action	Risk within tolerance; treatment cost exceeds benefit	Minor operational inefficiencies
Avoid	Eliminate the risk by not engaging in the activity	Risk exceeds appetite; no viable mitigation	Declining high-risk business opportunities
Transfer	Shift risk impact to third party	Insurance available; contractual indemnification possible	Cyber insurance; vendor SLAs
Mitigate	Reduce likelihood or impact through controls	Risk above tolerance; effective controls available	Security controls; redundancy

Control Categories

Category	Description	Examples
Preventive	Controls that prevent risk events from occurring	Access controls, input validation, approval workflows
Detective	Controls that identify risk events when they occur	Monitoring, alerting, anomaly detection, log analysis
Corrective	Controls that address the effects of risk events	Incident response, backup restoration, disaster recovery
Compensating	Alternative controls when primary controls are infeasible	Manual review when automation unavailable

Key Controls Summary

Control ID	Control Description	Risk Addressed	Type	Owner	Testing Frequency
C-001	Multi-factor authentication	R-001, R-008	Preventive	Security	Quarterly
C-002	Data encryption (at-rest and in-transit)	R-001	Preventive	Security	Annual
C-003	Endpoint detection and response	R-002	Preventive/Detective	Security	Continuous
C-004	Security monitoring and SIEM	R-001, R-002, R-008	Detective	Security	Continuous
C-005	Backup and disaster recovery	R-002, R-005	Corrective	SRE	Quarterly
C-006	Vendor security assessment	R-003	Preventive	Security	Annual per vendor
C-007	Privacy impact assessments	R-004	Preventive	Privacy	Per project
C-008	Security awareness training	R-001, R-002, R-008	Preventive	Security	Annual
C-009	Access reviews	R-001, R-008	Detective	Security	Quarterly
C-010	Incident response plan	R-001, R-002, R-003	Corrective	Security	Annual

Key Risk Indicators

Security KRIs

KRI	Description	Target	Alert Threshold	FY2025 Q4 Actual
KRI-S01	Security incidents (SEV1-2)	0 per quarter	>1	0
KRI-S02	Mean time to detect (MTTD)	<1 hour	>4 hours	47 minutes
KRI-S03	Mean time to contain (MTTC)	<4 hours	>8 hours	2.3 hours
KRI-S04	Phishing click rate	<5%	>10%	4.2%
KRI-S05	Critical vulnerabilities (unpatched >30 days)	0	>5	0
KRI-S06	Security training completion	>95%	<90%	98.2%
KRI-S07	Privileged access reviews current	100%	<95%	100%

Operational KRIs

KRI	Description	Target	Alert Threshold	FY2025 Q4 Actual
KRI-O01	Service availability	99.9%	<99.5%	99.95%
KRI-O02	Change success rate	>98%	<95%	99.2%
KRI-O03	Backup success rate	100%	<99%	100%
KRI-O04	DR test success	Pass	Fail	Pass
KRI-O05	Critical on-call response time	<15 min	>30 min	8 minutes

Compliance KRIs

KRI	Description	Target	Alert Threshold	FY2025 Q4 Actual
KRI-C01	Open audit findings (critical)	0	>0	0
KRI-C02	Policy attestation completion	100%	<95%	100%
KRI-C03	DSR response within SLA	100%	<95%	100%
KRI-C04	Vendor assessments current	100%	<90%	97%

Third-Party KRIs

KRI	Description	Target	Alert Threshold	FY2025 Q4 Actual
KRI-T01	Critical vendor SLA compliance	100%	<99%	99.8%
KRI-T02	Vendor security incidents	0	>1	0
KRI-T03	Vendor risk assessments overdue	0	>5	2

Risk Monitoring and Reporting

Reporting Cadence

Report	Audience	Frequency	Content	Owner
KRI Dashboard	Executive Risk Committee	Real-time	KRI status, alerts, trends	CISO
Risk Register Update	Executive Risk Committee	Monthly	Risk changes, new risks, treatment progress	CISO
Executive Risk Summary	Board Audit Committee	Quarterly	Top risks, KRI trends, significant events	CEO/CISO
Detailed Risk Assessment	Board of Directors	Annual	Comprehensive risk landscape, strategic risks	CEO
Third-Party Risk Report	Third-Party Risk Committee	Monthly	Vendor risks, assessment status, incidents	CISO
Compliance Risk Report	Executive Risk Committee	Quarterly	Regulatory risks, audit findings, compliance gaps	General Counsel

Risk Dashboard Metrics

Metric Category	Metrics Displayed	Update Frequency
Overall Risk Posture	Risk score trend, critical/high count, risk appetite adherence	Daily
Top Risks	Top 10 by residual score with trend indicators	Weekly
Control Effectiveness	Control testing results, failure rates, remediation status	Monthly
KRI Status	All KRIs with RAG status and trend	Real-time where automated
Incident Correlation	Security incidents linked to risk register	Per incident
Treatment Progress	Open treatments by status and due date	Weekly

Numbered Policy Statements

Risk Management Mandate: Acme Cloud, Inc. shall maintain a comprehensive enterprise risk management program that identifies, assesses, treats, monitors, and reports risks across all business functions.
Board Oversight: The Board of Directors, through the Audit Committee, shall provide oversight of the enterprise risk management program and approve the organizational risk appetite statement.
Risk Appetite Compliance: All business decisions with material risk implications shall be evaluated against the approved risk appetite and tolerance thresholds.
Risk Assessment Requirement: Formal risk assessments shall be conducted annually for the enterprise, for each significant project, and for each third-party relationship.
Risk Register Maintenance: A centralized risk register shall be maintained documenting all identified risks, assessments, controls, and treatment status, with updates at least quarterly.
Risk Ownership: Every identified risk shall have an assigned risk owner accountable for monitoring the risk and implementing approved treatments.
Control Effectiveness: Controls shall be tested for effectiveness at frequencies appropriate to the risk level they address, with results documented and reported.
KRI Monitoring: Key risk indicators shall be defined for critical risk categories and monitored continuously or at frequencies that enable timely detection of increasing risk exposure.
Escalation Requirement: Risks exceeding tolerance thresholds shall be escalated to the appropriate governance body within 24 hours of identification.
Treatment Accountability: Risk treatment plans shall include specific actions, responsible owners, target dates, and success criteria, with progress tracked and reported.
Third-Party Risk: Third-party risks shall be assessed during vendor selection, at contract renewal, and when material changes occur, with findings integrated into the enterprise risk register.
Incident Integration: Security and operational incidents shall be analyzed for risk register implications, with new risks added and existing risk assessments updated as appropriate.
Training Requirement: Personnel with risk management responsibilities shall receive training appropriate to their role at onboarding and annually thereafter.
Continuous Improvement: The risk management program shall be reviewed annually for effectiveness, with improvements implemented based on lessons learned, industry developments, and regulatory changes.

Framework Appendix

Compliance and Standards Mapping

Requirement	SOC 2 Criteria	ISO 27001 Control	NIST CSF	Implementation
Risk assessment	CC3.1, CC3.2	6.1.2, A.5.1	ID.RA	Annual enterprise assessment
Risk treatment	CC3.3	6.1.3	ID.RM	Treatment planning process
Risk monitoring	CC4.1	9.1	ID.RA-5	KRI program
Risk reporting	CC4.2	9.3	ID.RM-2	Governance reporting
Control assessment	CC4.1	9.2	DE.DP	Control testing program
Management review	CC1.2	9.3	ID.GV	Governance meetings

ISO 27001 Risk Management Alignment

ISO 27001 Clause	Requirement	Policy Implementation
6.1.1	Actions to address risks and opportunities	Risk identification methods
6.1.2	Information security risk assessment	Risk assessment methodology
6.1.3	Information security risk treatment	Treatment options and plans
8.2	Information security risk assessment	Periodic assessments
8.3	Information security risk treatment	Treatment implementation
A.5.1	Policies for information security	This policy document

NIST Cybersecurity Framework Mapping

CSF Function	Category	Policy Implementation
Identify	ID.GV	Governance structure
Identify	ID.RA	Risk assessment methodology
Identify	ID.RM	Risk management strategy
Identify	ID.SC	Supply chain risk
Protect	PR	Control implementation
Detect	DE	KRI monitoring
Respond	RS	Incident integration
Recover	RC	Business continuity

Document revision history

Version	Date	Author	Summary of changes
1.0	2024-06-01	Legal & Compliance	Initial Trust Center publication
2.0	2025-03-15	GRC Program	SOC 2 Type II alignment refresh; expanded subprocessors
2.5	2025-09-01	Security Engineering	Encryption standards update; ISO 27001 mapping
3.0	2026-01-15	Trust Center Program	Full procurement-grade expansion; 34-document set

Contact

Acme Cloud, Inc. 1200 Market Street, Suite 400 San Francisco, CA 94103, USA

Channel	Email	Use case
Trust & procurement	trust@acmecloud.com	Security questionnaires, trust reviews
Security	security@acmecloud.com	Incidents, vulnerabilities, control questions
Privacy	privacy@acmecloud.com	DSRs, privacy assessments
Legal	legal@acmecloud.com	Contractual, DPA, legal notices

Risk Management Program Contacts

Contact	Role	Responsibility
security@acmecloud.com	CISO Office	ERM program coordination; risk questions
trust@acmecloud.com	Trust Team	Customer risk inquiries; audit support
legal@acmecloud.com	Legal Department	Compliance risk; contract risk
risk@acmecloud.com	Risk Team	Risk register; assessment support

Appendix: Risk Management Calendar

Activity	Frequency	Q1	Q2	Q3	Q4
Enterprise Risk Assessment	Annual			●
Departmental Assessments	Annual	●
Risk Register Update	Quarterly	●	●	●	●
Board Risk Report	Quarterly	●	●	●	●
KRI Review	Monthly	●	●	●	●
Control Testing	Per schedule	Ongoing	Ongoing	Ongoing	Ongoing
Third-Party Assessments	Annual per vendor	Ongoing	Ongoing	Ongoing	Ongoing
Policy Review	Annual				●

Document Version: 3.0 Last Updated: January 15, 2026