Risk Management Framework

Status: v1.0
Tier: Tier 1 – Core Corporate & Platform Policy
Owner: Governance and Compliance Function
Approval Authority: Board of Directors
Effective Date: 5 January 2026
Next Review: 12 months from approval

1. Purpose

This Risk Management Framework establishes how Global Talent Pathway identifies, assesses, manages, monitors, and reports risk across all activities.

Its purpose is to:

  • support informed decision-making,

  • protect candidates, workers, staff, partners, and the organisation,

  • ensure legal, regulatory, and contractual compliance,

  • enable sustainable growth of platform and workforce operations, and

  • provide clear Board-level oversight of material risks.

2. Scope

This Framework applies to:

  • all Global Talent Pathway operations, platforms, and services,

  • all jurisdictions in which Global Talent Pathway operates,

  • all staff, officers, Board and Advisory Board members,

  • all suppliers, partners, and service providers where relevant.

3. Risk Management Principles

Global Talent Pathway manages risk in accordance with the following principles:

  • Risk-based: effort is proportionate to the level of risk.

  • Reasonable steps: risk controls aim to meet legal and governance expectations, not guarantee outcomes.

  • Enterprise-wide: risks are assessed across organisational silos.

  • Preventative and responsive: risks are mitigated early and managed when they materialise.

  • Accountable: clear ownership exists for each material risk.

  • Transparent: material risks are reported to the Board.

4. Risk Appetite

Global Talent Pathway has a low tolerance for risks that may result in:

  • harm to individuals,

  • serious legal or regulatory breaches,

  • loss or misuse of personal or sensitive information,

  • modern slavery, exploitation, or unethical recruitment,

  • fraud, corruption, or bribery.

Global Talent Pathway accepts measured and managed risk in pursuit of its strategic objectives, provided risks are identified, assessed, and controlled appropriately.

5. Risk Categories

Risks are assessed across the following categories:

  • Strategic risk (mission, growth, reputation)

  • Operational risk (platform availability, processes)

  • Legal and regulatory risk (privacy, employment, migration, labour)

  • Information security and data risk

  • Workforce and recruitment risk

  • Supplier and third-party risk

  • Financial risk

  • Governance and integrity risk

  • Reputational risk

6. Risk Identification

Risks may be identified through:

  • strategic planning and change initiatives,

  • platform development and deployment,

  • complaints, disclosures, and incident reports,

  • audits and reviews,

  • supplier due diligence,

  • regulatory or procurement assessments.

Risk identification is continuous.

7. Risk Assessment

Identified risks are assessed based on:

  • likelihood of occurrence,

  • potential impact (harm, financial loss, legal exposure, reputational damage),

  • existing controls.

Risks are rated and prioritised using a consistent methodology.

8. Risk Treatment

For each material risk, one or more of the following treatments is applied:

  • Avoid: discontinue the activity.

  • Mitigate: implement or strengthen controls.

  • Transfer: share risk contractually or through insurance.

  • Accept: accept residual risk within appetite.

Acceptance of high or critical risks requires executive or Board approval.

9. Risk Ownership

Each material risk has a designated Risk Owner responsible for:

  • monitoring the risk,

  • implementing controls,

  • reporting changes in risk profile.

Risk ownership does not remove accountability from management or the Board.

10. Controls and Alignment

Risk controls are implemented through:

  • policies and procedures,

  • technical and security controls,

  • training and awareness,

  • contractual safeguards,

  • monitoring and audits.

This Framework operates alongside, and is supported by, the following policies and mechanisms:

  • Privacy Policy,

  • Information Security Policy,

  • Records Management Policy,

  • Modern Slavery & Ethical Recruitment Policies,

  • Fraud & Conflict Policies,

  • Complaints & Disclosures Gateway.

11. Incident Management and Escalation

Material incidents and near-misses are:

  • reported through the Complaints & Disclosures Gateway,

  • assessed for risk impact,

  • escalated where thresholds are met.

12. Reporting and Board Oversight

Management provides the Board with:

  • periodic risk reports,

  • updates on material risks and incidents,

  • emerging risk assessments.

The Board retains oversight of:

  • risk appetite,

  • high and critical risks,

  • effectiveness of risk management.

13. Continuous Improvement

The Risk Management Framework is reviewed and improved through:

  • lessons learned from incidents,

  • audit findings,

  • regulatory developments,

  • changes in operations or technology.

14. Responsibilities

Board of Directors

  • Approves this Framework.

  • Oversees risk appetite and material risks.

Executive Management

  • Implements the Framework.

  • Ensures risks are identified and managed.

Staff and Representatives

  • Act in accordance with controls.

  • Report risks and incidents.

15. Relationship to Other Policies

This Framework operates alongside the other Tier 1 policies. In the event of inconsistency, it does not override specific policy obligations unless expressly stated.

16. Review

This Framework will be reviewed annually or earlier if required by material change.

Effect of This Framework

From the effective date:

  • risk management is formalised and Board-visible,

  • risk decisions are documented and defensible,

  • uncontrolled risk acceptance is prohibited.