
Risk Assessment

Purpose

This document outlines RunWhen’s approach to assessing and managing information security risk across its systems, services, and internal operations. Our goal is to proactively identify and mitigate risks related to the confidentiality, integrity, and availability of enterprise data and platform services, while maintaining alignment with operational goals and service reliability.

Ownership and Oversight

The Information Security Risk Assessment process is led by Engineering leadership. Individual service or process owners are responsible for participating in risk reviews, providing context on business-critical functions, and validating the risk profile of the systems they oversee.

Methodology

Risk assessments are conducted using a structured, qualitative approach that takes industry best practices into account. Each risk is evaluated along the following dimensions:

  • Likelihood of occurrence

  • Potential business impact

  • Existing controls and mitigations

  • Residual risk level

Risk scoring is used to prioritize mitigation plans and inform the security roadmap.

Assessments occur as part of other processes:

  • Design review for new feature development

  • Platform change review process for changes that introduce new third-party or OSS microservices

  • During product development, as part of RunWhen’s Secure Software Development Lifecycle (SSDLC)

Integration with Product and Infrastructure Decisions

Security risk assessments are embedded in the early planning stages of infrastructure and product changes. For example:

  • New services or public-facing endpoints require risk evaluation before deployment

  • Vendor and third-party tool assessments include review of data access and integration risks

  • Workspace-specific feature flags are used to limit exposure while risk is being evaluated

Involvement of Process and Information Owners

Each system, service, or data flow reviewed is accompanied by input from its respective owner. These owners provide:

  • A description of the service/data function

  • Known risks

  • Context for evaluating business impact

This ensures that all risk assessments reflect both technical realities and business context.

Continuous Improvement and Monitoring

The risk assessment process is iterative. Identified risks are tracked, and residual risks are periodically re-evaluated. Outputs are used to guide:

  • Control improvements

  • Incident preparedness

  • Documentation updates

  • Third-party audit readiness

Contact and Questions

For more information about RunWhen’s information security risk assessment process, or to request a risk review, please email security@runwhen.com or contact a member of the Engineering leadership team.