Risk management - codemagic-ci-cd/company-handbook GitHub Wiki
Overview
Codemagic performs regular risk assessments in order to stay ahead of the threat landscape, covering both security-focused risks and mundane operational risks. This policy establishes the procedures and the standard that risk assessments at Codemagic are held to.
Codemagic maintains a business continuity plan and a disaster recovery plan, and also maintains a vendor management policy. In addition, once a year, as part of Threat Management and Security Assurance, the management team completes a risk assessment of the asset inventory.
Risk assessment of the inventory shall be asset-based and follow these procedures and policies:
- Inventory all assets.
- Identify the threats and vulnerabilities affecting each asset.
- Evaluate the effectiveness of the controls already in place for each asset.
- Assess each risk's likelihood and potential impact, taking existing controls into account.
As part of the risk assessment process, identified risks are logged in a risk register. Each risk is evaluated based on likelihood (probability of occurrence) and impact (potential severity), then rated as High, Medium, or Low.
Each risk must have a risk treatment plan established.
Risks are treated according to the following options:

| Treatment | Description |
| --- | --- |
| Mitigation | Implementing controls to reduce the risk's likelihood or impact |
| Avoidance | Modifying business activities or processes to eliminate the risk entirely |
| Transfer | Shifting the risk to a third party (e.g., insurance, outsourcing) |
| Acceptance | Recognizing and accepting the risk if it is within tolerance levels |
Risk tolerance is based on the residual risk level, i.e. the risk that remains after treatment:
- High residual risks (e.g., regulatory non-compliance, major financial loss): Treated with highest priority and immediate action.
- Medium residual risks (e.g., operational disruptions): Actively managed with contingency plans.
- Low residual risks (e.g., minor process inefficiencies): May be tolerated but monitored to prevent escalation.
Risk monitoring occurs continuously, with an annual review of control effectiveness. Significant changes are recorded in the risk register and communicated to senior management.