Register Owner: CISO
Effective Date: June 13, 2026
Reviewed: At each ISMS Management Review and on each annual risk assessment
Frameworks: SOC 2 CC3.1/CC3.2 (RSK-1/RSK-2); ISO 27001 cl. 6.1. Visualizes the register behind the Annual Risk Assessment and Risk Management Policy.
Effective Date: June 13, 2026
Reviewed: At each ISMS Management Review and on each annual risk assessment
Frameworks: SOC 2 CC3.1/CC3.2 (RSK-1/RSK-2); ISO 27001 cl. 6.1. Visualizes the register behind the Annual Risk Assessment and Risk Management Policy.
Residual risk heat map
| Likelihood → | |||||
| Impact ↓ | 1 | 2 | 3 | 4 | 5 |
| 5 | 0 | 0 | 0 | 0 | 0 |
| 4 | 4 | 3 | 1 | 0 | 0 |
| 3 | 29 | 36 | 4 | 0 | 0 |
| 2 | 3 | 8 | 0 | 0 | 0 |
| 1 | 0 | 0 | 0 | 0 | 0 |
Summary
| Residual band | Count | Share |
|---|---|---|
| Low (1–4) | 44 | 50% |
| Medium (5–12) | 44 | 50% |
| High (15–25) | 0 | 0% |
| Total | 88 | 100% |
- No risks remain at a High residual score — all High/Medium inherent risks have been treated to Low or Medium residual via mapped controls.
- The highest residual position is impact 4 × likelihood 3 = 12 (one risk: R-061, AI candidate sourcing/ranking producing biased or disparate-impact outcomes — see the Annual Risk Assessment §5). R-049 (EU Art. 27 representative) sits at Low (residual 3) — Art. 27 is not triggered under the NA-only scope.
- Risk acceptance for any High residual would require CEO approval; none currently exists.
Cross-references
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | June 13, 2026 | Initial residual risk heat map (60-scenario register). | Cameron Wolfe | Ishan Jadhwani |
| 1.1 | June 16, 2026 | Refreshed to the current 88-scenario register (44 Low / 44 Medium / 0 High); corrected the highest-residual position to R-061 (R-049 re-scored to Low — Art. 27 not triggered under NA-only scope). | Cameron Wolfe | Ishan Jadhwani |