Risk Assessment SOP

LEAP -- Risk Assessment SOP

Document Number SOP-GL-COM-RISKA-V1.0
Target audience LEAP -All
Effective Date

Cover page layout

Contents

  • 1. Purpose
  • 2. Scope
  • 3. Definitions
  • 4. Roles and Responsibilities
  • 5. Risk Register
  • 6. Procedure Steps
  • 6.1. Step 1: Prepare for Risk Assessment
  • 6.2. Step 2: Conduct the Risk Assessment (ongoing)
  • 6.3. Step 3: Communicate Risk Assessment Results
  • 6.4. Step 4: Maintain Risk Assessment
  • 7. Likelihood Criteria
  • 8. Impact Criteria
  • 9. Risk Assessment Matrix
  • 10. Risk Level
  • 11. Risk Treatment
  • 12. Any References
  • 13. SOP Exceptions
  • 14. SOP Monitoring and Reporting
  • 15. Risk Communication
  • 16. Version History

Purpose

LEAP Legal Software performs information security risk assessments to identify, evaluate, and manage risks that may impact business objectives, operations, assets, individuals, customers, and regulatory obligations.

This risk assessment process is aligned with NIST Special Publication 800‑30 and establishes a consistent approach to identifying threats, vulnerabilities, impacts, and likelihoods. The outcomes of this process support risk‑based decision making, prioritisation of mitigation activities, and ongoing risk management.

Scope

This SOP applies to all information systems, business processes, services, and assets owned, operated, or managed by LEAP Legal Software, including third‑party services where LEAP has security or contractual accountability.

The risk assessment process applies to:

  • Business and technology initiatives
  • New and existing systems and applications
  • Changes to infrastructure, software, or services
  • Identified security incidents or emerging threats
  • Periodic and ad‑hoc risk assessments

This SOP applies to all LEAP Legal Software personnel involved in risk identification, assessment, decision making, and risk treatment.

Definitions

Common Terms Definitions
Risk A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.
Risk Assessment The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system.
Risk Assessor The individual, group, or organization responsible for conducting a risk assessment.
Information Security Risk The risk to organisational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or information systems.
Risk Response Accepting, avoiding, mitigating, sharing, or transferring risk to organizational operations (i.e., mission, functions, image, or reputation), organizational assets, individuals, other organizations
Management Controls The security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information system security.
Inherent Risk Inherent risk is the level of risk before the application of any controls or mitigations
Residual Risk Portion of risk remaining after security measures have been applied.

Table 1: Key Definitions :

Roles and Responsibilities

Role Responsibility
Leadership Team Serves as Risk Approvers with authority to approve risk treatment decisions, risk acceptance, and resource allocation for risk mitigation activities. Reviews and approves enterprise-level risk strategies.
Governance, Risk and Compliance (GRC) Primary Risk Assessors responsible for conducting risk assessments, maintaining the risk register (VANTA), developing risk treatment plans, and monitoring risk mitigation activities. Communicates risk status to leadership and coordinates risk management activities across the organization.
Chief Information Officer Can approve the avoidance, remediation, transference, or acceptance of any risk cited in the Risk Register. Oversees technology-related risk management initiatives.
Engineering Team Serves as Risk Owners for technical risks related to software development, system architecture, security implementations, and technology infrastructure. Responsible for implementing technical risk controls and mitigation measures.
Operations Team Serves as Risk Owners for operational risks related to service delivery, business processes, vendor management, and day-to-day operations. Responsible for implementing operational risk controls and ensuring business continuity.
IT Security / Systems Engineer Shall be responsible for the identification and treatment plan development of all Information Security related risks. This person shall be responsible for communicating risks to top management and adopting risk treatments in accordance with executive direction.
All staff Identifying, managing and escalating (where applicable) risk in day-to-day operations.

Table 2: Roles and Responsibilities

Risk Register

Risk assessment is implemented through the LEAP Risk register in VANTA. The risk assessment process is coordinated by the Risk Owner, identification of threats and vulnerabilities is performed by asset owners or their delegated personnel, and assessment of Impact and likelihood is performed by risk owners or their delegated personnel. Each risk within the register is represented by a unique risk ID and relevant date stamps such as the date the risk was identified and the date of implementation.

Procedure Steps

Step 1: Prepare for Risk Assessment

  1. Identify the purpose of the risk assessment
  • Define the objectives of the risk assessment.
  • Determine the information the assessment is expected to produce.
  • Identify the business or technology decisions the assessment will support.
  1. Identify the scope of the risk assessment
  • Determine the organisational function, system, process, or service being assessed.
  • Define the applicable timeframe.
  • Identify any architectural, infrastructure, or technology considerations.
  1. Identify any assumptions and constraints
  • Document key assumptions that may influence the assessment, including:
    • Organisational priorities
    • Business objectives
    • Resource availability
    • Skills, experience, and capacity of the assessment team
  • Identify any known constraints that may impact assessment accuracy or completeness.
  1. Identify the source of Information
  • Architectural and technical diagrams
  • Management review meetings
  • System configurations
  • Legal and regulatory requirements
  • Threat sources
  • Threat events
  • Known vulnerabilities and influencing conditions
  • Potential business and operational impacts
  • Existing security controls and safeguards
  • Learning from previous risk assessments

In addition, Risk Assessment takes references from security and compliance frameworks like ISO 27001:2022, SOC 2 Type 2, GDPR and GDPR.

Step 2: Conduct the Risk Assessment (ongoing)

The purpose of this step is to identify and evaluate information security risks to LEAP Legal Software and to prioritise them based on risk level.

  1. Identify the threat sources
  • Identify and characterise relevant threat sources, including:
  • Human (intentional or unintentional, internal or external)
  • Environmental
  • Natural
  • System or equipment-related
  1. Identify threat events
  • Determine threat events that could be initiated by identified threat sources.
  • Evaluate the relevance and plausibility of each event.
  • Identify the conditions under which threat events may occur.
  1. Identify Vulnerabilities
  • Identify vulnerabilities in people, processes, and technology that could be exploited.
  • Consider influencing conditions that may increase the likelihood of exploitation.
  1. Determine likelihood
  • Assess the likelihood that a threat source could initiate a threat event and successfully exploit a vulnerability.
  • Consider:
    • Threat source capability, motive, and opportunity
    • Identified vulnerabilities and influencing conditions
    • Existing safeguards and controls that may reduce likelihood
  1. Determine Impact
  • Evaluate the potential impact of each threat event on:
    • Business and operational objectives
    • Financial position
    • Reputation and brand
    • Legal and regulatory obligations
  • Consider the effectiveness of existing or planned controls in reducing impact.
  1. Determine Risk
  • Determine overall risk by combining likelihood and impact ratings.
  • Risks with higher likelihood and higher impact represent higher priority risks.
  • Risks with lower likelihood and minimal impact may be accepted or monitored.

Step 3: Communicate Risk Assessment Results

  1. Communicate Results
  • Provide risk assessment results to relevant decision makers and executive leadership.
  • Clearly present identified risks, risk ratings, and recommended risk treatments.
  1. Share Risk Information
  • Distribute appropriate risk information to operational and technical teams.
  • Ensure risk ownership and accountability are clearly defined.

Step 4: Maintain Risk Assessment

  1. Monitor risk factors
  • Monitor changes to threat landscape, business operations, technology, and regulatory requirements.
  • Identify emerging risks or changes to existing risks.
  1. Update Risk assessment
  • Update risk assessments based on monitoring outcomes.
  • Conduct formal reassessments at least annually or following significant changes.
  • Ensure risk treatment actions remain appropriate and effective.

Likelihood Criteria

Likelihood: is the frequency with which a risk may occur. The definitions of the categories for likelihood are set out below. This is a qualitative measure and generally uses subjective assessment of the occurrence of the risk.

LIKELIHOOD LEVEL LIKELIHOOD DESCRIPTION RATING (NUMERICAL)
Very unlikely (1) A threat event is so unlikely that it can be assumed that its occurrence may not be experienced.

A threat source is not motivated or has no capability, or controls are in place to prevent or significantly impede the vulnerability from being exploited.
1
Unlikely (2) A threat event is unlikely, but there is a slight possibility that its occurrence may be experienced.

A threat source lacks sufficient motivation or capability, or controls are in place to prevent or impede the vulnerability from being exploited.
2
Somewhat likely (3) A threat event is likely, and it can be assumed that its occurrence may be experienced.

A threat source is motivated or poses the capability, but controls are in place that may significantly reduce or impeded the successful exploitation of the vulnerability.
3
Likely (4) A threat event is likely, and it can be assumed that its occurrence will be experienced.

A threat source is highly motivated or poses sufficient capability and resources, but some controls are in place that may reduce or impede the successful exploitation of the vulnerability.
4
Very likely (5) A threat event is highly likely, and it can be assumed that its occurrence will be experienced.

A threat source is highly motivated or poses sufficient capability or resources, but no controls are in place or controls that are in place are ineffective and do not prevent or impede the successful exploitation of the vulnerability.
5

Table 3: Likelihood Criteria

  1. Impact
IMPACT LEVEL IMPACT DESCRIPTION RATING (NUMERICAL)
Very low impact (1) A threat event could be expected to have almost no adverse effect on organizational operations, mission capabilities, assets, individuals, customers other or organizations 1
Low impact (2) A threat event could be expected to have a limited adverse effect, meaning: degradation of mission capability yet primary functions can still be performed; minor damage; minor financial loss; or range of effects is limited to some cyber resources but no critical resources. 2
Medium impact (3) A threat event could be expected to have a serious adverse effect, meaning: significant degradation of mission capability yet primary functions can still be performed at a reduced capacity; minor damage; minor financial loss; or range of effects is significant to some cyber resources and some critical resources. 3
High impact (4) A threat event could be expected to have a severe or catastrophic adverse effect, meaning: severe degradation or loss of mission capability and one or more primary functions cannot be performed; major damage; major financial loss; or range of effects is extensive to most cyber resources and most critical resources. 4
Very high impact (5) A threat event could be expected to have multiple severe or catastrophic adverse effects on organizational operations, assets, individuals, other organizations, or the Nation. Range of effects is sweeping, involving almost all cyber resources. 5

Table 4: Impact Creteria

Risk Assessment Matrix

By entering the values of Impact and likelihood into the Risk Assessment register, the level of risk is calculated automatically by multiplying the two values. The resultant is analysed based on the following 5 X 5 matrix.

RISK= LIKELIHOOD X IMPACT LIKELIHOOD
IMPACT Very unlikely: 1 Unlikely: 2 Somewhat likely: 3 Likely: 4 Very likely: 5
Very high impact: 5 5 10 15 20 25
High impact: 4 4 8 12 16 20
Medium impact: 3 3 6 9 12 15
Low impact: 2 2 4 6 8 10
Very low impact: 1 1 2 3 4 5

Table 5: Risk Matrix

Risk Level

RISK LEVEL RISK DESCRIPTION
Low (1-4) A threat event could be expected to have a limited adverse effect on organizational operations, mission capabilities, assets, individuals, customers, or other organizations.
Medium (5-12) A threat event could be expected to have a serious adverse effect on organizational operations, mission capabilities, assets, individuals, customers, or other organizations
High (15-25) A threat event could be expected to have a severe adverse effect on organizational operations, mission capabilities, assets, individuals, customers, or other organizations.

Table 6: Risk Level

Risk Treatment

According to the above tables, and with the consultation of the stakeholders, each risk is mitigated with controls relevant to the business needs and constraints. The controls decided for each risk and the details of their implementation are recorded in the risk treatment plan.

The responses to risk will utilize some or all of the following risk treatment options:

  • Accept -- Accept the risk with the management's approval.
  • Treat - Reduce the likelihood and/or the impact of the risk.
  • Transfer - Transfer the risk by moving the risk to third-party (full transfer or sharing some parts of the risk at a cost).
  • Terminate -- Avoid the risk by terminating the activity.

Any References

  • ATI Risk Management Framework
  • VANTA Risk Register
  • 6.1 -- Actions to address risks and opportunities
  • 6.1.2 -- Information security risk assessment
  • 6.1.3 -- Information security risk treatment

SOP Exceptions

Exceptions in this SOP will be risk-assessed by LEAP's CISO or relevant Executive, with valid business justification and SOP Owner's approval. Exceptions will be time bound.

SOP Monitoring and Reporting

On-going monitoring of the risks is a critical factor in the LEAP Risk Management SOP. This is to ensure on results achieved at each step, re-assess the risk if necessary, and the priorities adjusted, if required.

Ongoing review is essential to ensure that the Risk Treatment Plan remains relevant. Thus, it is necessary to review the risk assessment annually and in the event that severe changes occur to the organisation.

The Manager of Governance, Risk, and Compliance will own the document and present the results of risk assessment and risk treatment, and all of the subsequent reviews to the leadership.

Risk Communication

Communication is an important consideration at each step of the risk assessment process. Effective communication between stakeholders is essential to ensure that risks are understood and decisions about risk response selection are appropriate.

The Manager of Governance, Risk, and Compliance will facilitate communication between all stakeholders identified for a particular risk as deemed appropriate by the Leadership.

Version History

Version Number Date Section Changes Author Approver
1.0 20/4/2026 Initial Release Manager of GRC CISO