Atlassian announces end of life for OpsGenie. Looking to switch? We're here to help -- Learn More ➡️
Menu

Risk Management Policy

1. Introduction

PagerTree is committed to identifying, assessing, and managing risks that could impact the confidentiality, integrity, and availability of our systems and services.

Risk management is integrated into PagerTree’s decision-making processes to ensure our platform remains secure, resilient, and reliable for our customers.

This Risk Management Policy outlines PagerTree’s approach to evaluating technology, security, and operational risks and implementing appropriate controls to mitigate them.

2. Purpose

The purpose of this policy is to:

  • Establish a consistent framework for identifying and evaluating risks
  • Ensure risks are prioritized and addressed based on severity and potential impact
  • Support informed decision-making across the organization
  • Demonstrate PagerTree’s commitment to maintaining a secure operating environment

3. Scope

This policy applies to:

  • All systems, processes, and services operated or managed by PagerTree
  • All employees, contractors, and third parties involved in PagerTree’s operations
  • All environments supporting the PagerTree platform (development, staging, and production)

This policy covers security, operational, technical, vendor, and compliance-related risks.

4. Risk Management Framework

4.1 Risk Identification

PagerTree identifies risks through:

  • Security assessments and vulnerability scans
  • Architecture reviews and design discussions
  • Analysis of incidents, outages, and near-misses
  • Third-party and vendor evaluations
  • Threat intelligence and industry reports
  • Internal audits and compliance reviews

Both technical and non-technical risks (e.g., operational, legal, regulatory) are included.

4.2 Risk Assessment

Each identified risk is evaluated based on:

  • Likelihood of occurrence
  • Impact on PagerTree systems, customer data, or business operations
  • Scope of affected systems or users
  • Ability to detect or prevent the issue

Risks are assigned a severity rating (e.g., Critical, High, Medium, Low) to guide prioritization and response.

4.3 Risk Treatment

PagerTree may respond to a risk using one or more strategies:

  • Mitigation: Apply security controls or process improvements to reduce the risk
  • Remediation: Fix the underlying issue (e.g., patching vulnerabilities, redesigning components)
  • Acceptance: Allow the risk, provided it meets defined tolerance thresholds and is approved by authorized personnel
  • Avoidance: Discontinue or modify activities that introduce unacceptable risk
  • Transfer: Shift risk externally (e.g., insurance, vendor agreements)

Risks exceeding PagerTree’s tolerance are escalated to appropriate leadership for action.

4.4 Documentation & Tracking

PagerTree maintains artifacts for:

  • Identified risks
  • Assessment outcomes
  • Planned remediations or compensating controls
  • Ownership and status
  • Closure evidence

Security and engineering teams track and monitor risks through internal systems and workflows.

5. Vendor & Third-Party Risk

PagerTree evaluates the security posture of vendors and service providers who access, store, or process PagerTree data.
Vendor risk management includes:

  • Pre-engagement risk assessments
  • Review of compliance certifications (e.g., SOC2, ISO 27001)
  • Ongoing monitoring of service reliability and security advisories

PagerTree ensures third-party risks are identified and managed throughout the vendor lifecycle.

6. Integration with Security & Compliance Processes

Risk management is closely aligned with:

  • Vulnerability Management
  • Incident Response
  • Business Continuity & Disaster Recovery
  • Secure Development practices
  • Access Control and Change Management

Information from these processes feeds into ongoing risk evaluations and remediation decisions.

7. Continuous Monitoring

Risk management is not a one-time activity. PagerTree continuously monitors for new and emerging risks by:

  • Tracking industry threat intelligence
  • Reviewing cloud provider advisories
  • Monitoring security logs and alerts
  • Responding to new vulnerabilities and zero-day disclosures
  • Reassessing risks after significant system changes

This ensures that risk posture evolves with changes in technology and the threat landscape.

8. Roles & Responsibilities

8.1 Executive Management

  • Provides oversight and strategic direction for risk management
  • Approves risk tolerance levels and treatment decisions for major risks

8.2 Information Security Officer (ISO)

  • Leads the risk management process
  • Ensures risks are identified, documented, assessed, and addressed
  • Reports significant risks and trends to leadership

8.3 Engineering & Operations Teams

  • Participate in identifying and mitigating technical risks
  • Implement corrective actions and security controls

8.4 All Personnel

  • Report potential risks or concerns
  • Follow established security and risk management practices

9. Enforcement

Employees, contractors, and third parties must comply with this policy.
Non-compliance may result in:

  • Revocation of system access
  • Disciplinary action
  • Contract termination for third parties

10. Review and Maintenance

This Risk Management Policy is reviewed at least annually, or whenever significant changes occur in business operations, technology, or threat landscape.

Changes must be approved by PagerTree Executive Management.

For questions regarding this Risk Management Policy or PagerTree’s security program, please contact security@pagertree.com.