Risk management

Risk management is essential to any successful and growing business. While some risk is inevitable, the ability to identify and mitigate risk, and to understand its impact and likelihood, is an important consideration. Our risk management program started with our Client Hosting Services and the need to build policies to protect them, particularly in the area of Information Security.

Our program has expanded as we have grown such that we can identify and manage risk across the whole organisation and this is underpinned by our management system. We have fully implemented ISO 31000 Risk Management Guidelines and use this to support the implementation of other standards.

Our systematic approach to identification, mitigation, review and measurement of risks reduces uncertainty for the future, improves learning, corrective behaviour and awareness and supports our strategic decision making.


Business continuity

Our Business Continuity program is implemented according to and certified to ISO 22301. We follow a risk assessment process for availability of our services and assets using our Risk Management processes and include a Business Impact Analysis to determine where business continuity measures and disaster recovery plans are required.

Our Business Continuity planning covers the entire organisation, includes a range of scenarios related to technological, environmental, human and reputational factors, and accounts for different stress levels for the business and its operations.

For our Client Hosting Services, we employ specific architectural designs to ensure that we have robust and resilient applications that are scaled vertically and horizontally across multiple datacentres to eliminate single points of failure and provide scalability. In the event of datacentre disasters, we have disaster recovery plans for failover and continuity of services. These are tested and reported on annually, and those results are available to stakeholders in our Trust Centre.

Environmental and Social Governance

Kurtosys has a long history of supporting ESG initiatives and is committed to the United Nations Sustainable Development Goals (SDGs). In our ESG planning, we have identified several areas where we believe we can most positively achieve benefits and outcomes for our employees, clients, and communities.

We produce an annual ESG Report, which provides information about our ESG initiatives over the course of our fiscal year between 1 Jan and 31 Dec. In this report, we seek to address ESG topics that we believe our investors, employees, clients, vendors, and other stakeholders consider the most important. We look forward to reporting our progress as we further integrate sustainability into our operations.

The latest ESG report is available in our Trust Centre.

We also subscribe to Ecovadis, which independently assesses companies to provide a sustainability rating; our rating continues to improve year on year. Underpinning our efforts is our ISO 14001 Environmental Management System, which is independently certified.


Compliance

Kurtosys is committed to best practice in all aspects of its business and operations, adopting standards to measure performance and demonstrate commitment. We have adopted the ISO Integrated Management System and used it to implement a number of standards and control sets, including:

  • SSAE18 SOC2 Type II Business Assurance report
  • ISO 27001 Information Security
  • ISO 31000 Risk Management
  • ISO 22301 Business Continuity
  • ISO 14001 Environmental Management
  • ISO 26000 Social Responsibility
  • NIST 800-53 additional security controls
  • OWASP SAMM for secure software development
  • CIS for measurement of AWS deployment

We also maintain conformance with legislation and industry monitors to demonstrate our commitment to supply chain regulation and our intent to be the responsible vendor of choice. This includes:

  • CCPA and GDPR for Data Privacy
  • Modern Slavery and Human Rights
  • Bribery and Corruption
  • Protection of Intellectual Property
  • ESG and DE&I
  • Ecovadis sustainability rating