Risk Management Policy
Authoritative document
- Link to PDF or official URL: TBD
Ownership
| Field | Value |
|---|---|
| Owner | Takayuki KIKUCHI |
| Last reviewed | 2026-04-11 |
Purpose
To define the actions Rendering Consulting Inc takes to address its information security risks and opportunities, and to define the plan by which its information security and privacy objectives are achieved.
Scope
- All Rendering Consulting Inc IT systems that process, store or transmit confidential, private, or business-critical data.
- Risks that could affect the medium to long-term goals of Rendering Consulting Inc are considered alongside the risks encountered in the day-to-day delivery of services.
- Rendering Consulting Inc risk management systems and processes are designed to deliver maximum benefit without adding bureaucratic burden that would impair core service delivery.
- Rendering Consulting Inc will therefore consider the materiality of each risk when developing the systems and processes used to manage it.
- This Policy applies to all employees of Rendering Consulting Inc and to all external parties, including but not limited to Rendering Consulting Inc consultants and contractors, business partners, vendors, suppliers, outsource service providers, and other third party entities with access to Rendering Consulting Inc networks and system resources.
Risk management statement
Inadequate IT risk management exposes Rendering Consulting Inc to risks including compromise of Rendering Consulting Inc or customer network systems, services and information, cyber-attacks, and contractual or legal issues. Rendering Consulting Inc will ensure that risk management is an integral part of the governance and management of the organization at both the strategic and operational level. This policy is designed to ensure that Rendering Consulting Inc achieves its stated business plan aims and objectives.
Risk management strategy
Rendering Consulting Inc has developed processes to identify the risks that could hinder the achievement of its strategic and operational objectives. Rendering Consulting Inc will therefore ensure that it has in place the means to identify, analyze, control and monitor the strategic and operational risks it faces, through this risk management policy, which is based on recognized best practices. Rendering Consulting Inc will ensure that the risk management strategy and policy are reviewed regularly and that the internal audit function is responsible for ensuring:
- The risk management policy is applied to all applicable areas of Rendering Consulting Inc
- The risk management policy and its operational application are regularly reviewed
- Non-compliance is reported to appropriate company officers and authorities
Practical application of risk management
Rendering Consulting Inc has adopted a standard format for the identification, classification, and evaluation of risks. The format is based on the following ISO and NIST standards and frameworks:
- ISO/IEC 27005 (information security risk management)
- NIST SP 800-30 (Guide for Conducting Risk Assessments)
- NIST SP 800-37 (Risk Management Framework)

Risks are assessed and ranked according to their impact and their likelihood of occurrence. A formal Risk Assessment will be performed at least annually. Vulnerability assessments and/or penetration tests will be performed periodically, based on risk and resource availability.
Risk categories
Rendering Consulting Inc will consider and assess risks across the organization. Risk categories that are considered for evaluation include:
- Access control
- Artificial intelligence
- Asset management
- Business continuity and disaster recovery
- Communications security
- Compliance
- Cryptography
- Environmental, social, and governance
- Fraud
- Incident response management
- Information security operations
- Information security policies
- Operations security
- People operations
- Physical and environmental security
- Privacy
- Software development and acquisition
- Trustworthiness
- Vendor relationships

Each risk will be assessed as to its Likelihood and Impact. Likelihood can range from 1 ("Very unlikely") to 5 ("Very likely"). Impact can range from 1 ("Very low impact") to 5 ("Very high impact").
Risk criteria
The criteria for determining risk are the combined likelihood and impact of an event adversely affecting the confidentiality, integrity, availability, or privacy of organizational and customer information, personally identifiable information (PII), or business information systems. For all risk inputs, such as risk assessments, vulnerability scans, penetration tests, and bug bounty programs, Rendering Consulting Inc management reserves the right to modify risk rankings based on its assessment of the nature and criticality of the system and the processing it performs, as well as the nature, criticality and exploitability (or other relevant factors) of the identified vulnerability. Any such modification shall be recorded in the Risk Register together with its rationale.
Risk response, treatment, and tracking
Risks will be recorded in a Risk Register, where they will be prioritized and mapped using the approach contained in this policy. The following responses to risk should be employed:
- Mitigate: Rendering Consulting Inc may take actions or employ strategies to reduce the risk.
- Accept: Rendering Consulting Inc may decide to accept and monitor the risk at the present time. This may be necessary for some risks that arise from external events.
- Transfer: Rendering Consulting Inc may decide to pass the risk on to another party. For example, contractual terms may be agreed to ensure that the risk is not borne by Rendering Consulting Inc, or insurance may be appropriate for protection against financial loss.
- Avoid: the risk may be such that Rendering Consulting Inc decides to cease the activity, or to change it in such a way as to end the risk.

Where Rendering Consulting Inc chooses a risk response other than "Accept" or "Avoid", it shall develop a Risk Treatment Plan.
Risk management procedures
The procedure for managing risk will meet the following criteria:
- Rendering Consulting Inc will maintain a Risk Register and Treatment Plan.
- Risks are ranked by 'likelihood' and 'severity/impact' as critical, high, medium, low, or negligible.
- Overall risk shall be determined through a combination of likelihood and impact.
- Risks may be evaluated to estimate potential monetary loss where possible.
- Rendering Consulting Inc will respond to risks in a prioritized fashion. Remediation priority will consider the risk likelihood and impact, cost, work effort, and availability of resources. Multiple remediations may be undertaken simultaneously.
- Regular reports will be made to the senior leadership of Rendering Consulting Inc to ensure risks are being mitigated appropriately, and in accordance with business priorities and objectives.
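The scoring rules above (Likelihood 1..5, Impact 1..5, combined into a rank of critical, high, medium, low, or negligible, with a Risk Treatment Plan required for any response other than Accept or Avoid, and management able to modify a ranking) can be checked mechanically against a Risk Register. The following is an added illustration, not part of this policy or of any Rendering Consulting Inc tooling. The policy fixes the scales and the rank names but not the cut-offs between ranks, so the `BANDS` thresholds, the 1..5 cost and effort scales, the tiebreak order in `prioritize`, and the sample register entries are all assumptions made for the example.

```python
"""Risk Register scoring and policy-consistency check (added example; assumptions marked)."""
from dataclasses import dataclass
from typing import Optional

SCALE = range(1, 6)                              # Likelihood and Impact are each 1..5
RESPONSES = ("Mitigate", "Accept", "Transfer", "Avoid")
NO_PLAN_NEEDED = ("Accept", "Avoid")             # any other response needs a Risk Treatment Plan
RANKS = ("critical", "high", "medium", "low", "negligible")

# ASSUMPTION: cut-offs mapping the 1..25 product of likelihood x impact onto the five ranks.
# The policy names the ranks but does not fix thresholds.
BANDS = ((20, "critical"), (12, "high"), (6, "medium"), (3, "low"), (1, "negligible"))


@dataclass
class Risk:
    id: str
    category: str
    description: str
    likelihood: int
    impact: int
    response: str
    treatment_plan: Optional[str] = None
    cost: int = 1          # ASSUMED relative remediation cost, 1 (low) .. 5 (high)
    effort: int = 1        # ASSUMED relative work effort, 1 (low) .. 5 (high)
    rank_override: Optional[str] = None       # management may modify the ranking ...
    override_rationale: Optional[str] = None  # ... but the reason must be recorded


def score(risk: Risk) -> int:
    """Combined likelihood x impact, 1..25."""
    return risk.likelihood * risk.impact


def computed_rank(risk: Risk) -> str:
    """Rank derived purely from the score, using the assumed BANDS."""
    s = score(risk)
    for threshold, name in BANDS:
        if s >= threshold:
            return name
    return "negligible"


def rank(risk: Risk) -> str:
    """Effective rank: a recorded management override wins over the computed band."""
    return risk.rank_override or computed_rank(risk)


def validate(risk: Risk) -> list[str]:
    """Return the policy violations for one register entry; an empty list means it is consistent."""
    problems = []
    if risk.likelihood not in SCALE:
        problems.append(f"{risk.id}: likelihood {risk.likelihood} outside 1..5")
    if risk.impact not in SCALE:
        problems.append(f"{risk.id}: impact {risk.impact} outside 1..5")
    if risk.response not in RESPONSES:
        problems.append(f"{risk.id}: unknown response {risk.response!r}")
    if risk.response not in NO_PLAN_NEEDED and not risk.treatment_plan:
        problems.append(f"{risk.id}: response {risk.response!r} requires a Risk Treatment Plan")
    if risk.rank_override is not None:
        if risk.rank_override not in RANKS:
            problems.append(f"{risk.id}: override rank {risk.rank_override!r} is not a valid rank")
        if not risk.override_rationale:
            problems.append(f"{risk.id}: rank override must record management's rationale")
    return problems


def prioritize(register: list[Risk]) -> list[str]:
    """Remediation order: highest effective rank, then highest score, then lowest cost + effort.
    The cost/effort tiebreak is an assumed reading of the policy's 'cost, work effort' factors."""
    order = {name: i for i, name in enumerate(RANKS)}
    key = lambda r: (order.get(rank(r), len(RANKS)), -score(r), r.cost + r.effort, r.id)
    return [r.id for r in sorted(register, key=key)]


# Constructed sample register; the entries are illustrative, not real findings.
SAMPLE_REGISTER = [
    Risk("R-001", "Access control", "Shared admin credential for the cloud console", 4, 5, "Mitigate",
         treatment_plan="Per-user accounts with MFA; rotate the shared credential", cost=2, effort=2),
    Risk("R-002", "Vendor relationships", "SaaS outage delays client deliverables", 3, 3, "Transfer",
         treatment_plan="Add SLA and service credits to the contract", cost=1, effort=1),
    Risk("R-003", "Physical and environmental security", "Laptop theft while travelling", 2, 4, "Mitigate",
         treatment_plan="Full-disk encryption and remote wipe", cost=1, effort=1),
    Risk("R-004", "Compliance", "Regulatory change in a market not served", 1, 2, "Accept"),
    Risk("R-005", "Artificial intelligence", "Client data pasted into a public LLM", 3, 4, "Mitigate",
         treatment_plan=None),  # missing plan: validate() flags this entry
    Risk("R-006", "Cryptography", "Legacy TLS configuration on an internal tool", 2, 2, "Mitigate",
         treatment_plan="Upgrade TLS configuration", rank_override="high",
         override_rationale="Tool is reachable from the internet"),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(f"{r.id} score={score(r):2d} rank={rank(r):10s} problems={validate(r)}")
    print("remediation order:", prioritize(SAMPLE_REGISTER))
```

Running the block prints each entry's score, effective rank and any violations, then the remediation order. In the sample, R-005 is the only entry the check rejects (Mitigate without a treatment plan), and R-006 is ordered as "high" because of the recorded override even though its raw score of 4 would band as "low".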
Information security in project management
Rendering Consulting Inc shall consider information security risk as a part of all projects that are technical in nature or which can pose a risk to the company, regardless of size, duration, or domain. From the initial planning, through completion of a project, appropriate assessment and mitigation of information security risks is essential, involving:
- initial information security risk assessments,
- early identification and addressing of information security requirements, and
- ongoing assessment and management of risks, especially concerning internal and external project communications.
Roles and responsibilities
Current organizational structure note:
Rendering Consulting Inc. currently operates as a single-member organization, with CEO Takayuki Kikuchi fulfilling all primary security roles. As the organization grows, these roles will be delegated to appropriate personnel and this policy will be updated accordingly.
| Role | Responsibility |
|---|---|
| CEO / Chief Executive Officer (currently: Takayuki Kikuchi) | Ultimately responsible for the acceptance and/or treatment of any risk to the organization. Approves the avoidance, remediation, transference, or acceptance of any risk cited in the Risk Register. Responsible for the identification of all information security related risks and the development of their treatment plans, for communicating risks to stakeholders, and for adopting risk treatments in accordance with business objectives. |