Risk & Governance Frameworks

Live

Risk as a living system, not paperwork

Role Governance Lead
Timeline 2022-Present
Risk Management, GDPR, Power BI, Documentation, Audit Frameworks

What This Covers

The governance and risk work that makes enterprise IT sustainable and auditable. This isn’t exciting, but it’s essential.

IT Risk Management

Risk Registers: Structured tracking of IT risks — what they are, how severe they are, how likely they are, and what we’re doing about them.

Severity and Likelihood Modelling: Consistent assessment so we can prioritise. Not everything is critical. Not everything is urgent. Understanding which is which.

Mitigation Tracking: Risks need owners, actions, and deadlines. Visibility into whether mitigations are actually happening.

Risk Acceptance: Sometimes you accept a risk rather than mitigate it. That’s fine — as long as it’s documented and approved at the right level.

Escalation Paths: When risks exceed certain thresholds, the right people need to know. Clear escalation rather than hoping someone notices.

Data Protection & GDPR

Practical implementation of data protection in IT systems:

DPIA Support: Data Protection Impact Assessments for new systems. Understanding what data flows where before things go live.

Data Flow Mapping: Documenting what data exists, where it goes, and who processes it.

Minimisation and Retention: Don’t collect what you don’t need. Don’t keep what you don’t need to keep.

Staff Guidance: Privacy isn’t just a legal team problem. IT systems and IT people need to understand it too.

Coordination: Working with the DPO, auditors, and regulators. IT is where much of the data lives — we’re always part of these conversations.

Go-Live Assurance

Formal processes for systems going live or returning to service:

Vendor Remediation Verification: When vendors fix things, verifying they actually fixed them. Not just taking their word for it.

Security Questionnaires: Structured assessment of security readiness. Evidence-based, not checkbox-based.

Approval Workflows: Clear sign-off before things go live. Documented decisions, accountable people.

Audit-Ready Documentation: When auditors ask “how did you decide this was safe to turn on,” the answer exists and is findable.

Why This Matters

None of this is glamorous. But public-sector IT requires it. Auditors require it. Regulators require it. And honestly, it’s how you avoid disasters.

Risk and governance done properly is what lets you move quickly on other things with confidence.