Information Security Risk Management Policy

1. Purpose

This policy defines Flowbird Ltd’s approach to identifying, analysing, assessing, and managing information security risks in a consistent and proportionate manner.

2. Scope

This policy applies to all information assets, systems, services, and processes operated or managed by Flowbird Ltd, including third-party and cloud services.

3. Risk Management Approach

Flowbird Ltd follows a simple risk management lifecycle:

  1. Risk Identification – Identifying threats and vulnerabilities that could impact information confidentiality, integrity, or availability.

  2. Risk Analysis – Assessing the likelihood and potential impact of identified risks.

  3. Risk Assessment – Determining risk levels and prioritising them based on business impact.

  4. Risk Treatment – Selecting and implementing appropriate controls to mitigate, transfer, accept, or avoid risks.

  5. Review and Monitoring – Periodic review of risks and controls, and reassessment following significant changes or incidents.

4. Risk Ownership and Responsibilities

  • Senior management is accountable for overall information security risk management.

  • Identified risks are assigned an owner responsible for monitoring and treatment.

  • All staff are responsible for reporting new or emerging risks.

5. Risk Treatment Options

Information security risks may be:

  • Mitigated through technical or organisational controls

  • Accepted where risks are low or proportionate to business needs

  • Transferred (e.g. via contractual or insurance arrangements)

  • Avoided by changing business processes

6. Integration with Business Processes

Risk management is integrated into:

  • Supplier selection and contract management

  • System changes and new technology adoption

  • Incident and data breach management

7. Review and Maintenance

This policy and associated risk assessments are reviewed periodically and following material changes to systems, services, or the threat landscape.


Approved by: Senior Management
Organisation: Flowbird Ltd
Review cycle: Annual or upon significant change