Risk Management Standard
Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Risk Management Policy
Framework Reference: Secure Controls Framework – Risk Management (RSK)
1. Purpose
Section titled “1. Purpose”This standard defines how FrontRunnerHC (FRHC) implements the enterprise-wide Risk Management requirements established by Summit Technology Holdings, LLC (STH). It documents FRHC’s risk management program, processes, and governance structures for identifying, assessing, ranking, remediating, and monitoring risks to FRHC’s information systems and data, including ePHI and other regulated information.
2. Applicability
Section titled “2. Applicability”This standard applies to all FRHC systems, applications, business processes, and third-party relationships. It covers risks to confidentiality, integrity, and availability of FRHC information assets, as well as operational, regulatory, and reputational risks.
3. Standard
Section titled “3. Standard”3.1 Risk Management Program
Section titled “3.1 Risk Management Program”FRHC maintains a documented risk management program that defines roles and responsibilities, governance structures, and processes for ongoing risk identification and management. The program is overseen by the CIO and integrates with STH’s enterprise risk management oversight. The program is reviewed annually and updated to reflect changes in FRHC’s risk environment or regulatory requirements.
- Parent Policy Mapping: STH Risk Management Policy, Section 3.1
- SCF Mapping: RSK-01 (Risk Management Program)
3.2 Risk Identification
Section titled “3.2 Risk Identification”FRHC actively identifies risks across its technology environments, operational processes, and vendor relationships. Risk identification incorporates inputs from vulnerability assessments, audit findings, threat intelligence, and staff observations. Identified risks are documented to support further analysis and prioritization.
- Parent Policy Mapping: STH Risk Management Policy, Section 3.2
- SCF Mapping: RSK-03 (Risk Identification)
3.3 Risk Assessment
Section titled “3.3 Risk Assessment”FRHC conducts a formal risk assessment at least annually and following significant changes to systems, processes, or the regulatory environment. The assessment evaluates the likelihood and impact of identified risks, documents existing mitigating controls, and captures results in FRHC’s risk register. The annual HIPAA Security Rule risk analysis requirement is fulfilled through this process.
- Parent Policy Mapping: STH Risk Management Policy, Section 3.3
- SCF Mapping: RSK-04 (Risk Assessment)
3.4 Risk Ranking
Section titled “3.4 Risk Ranking”Identified risks are ranked by severity, considering likelihood, potential impact, regulatory significance, and business criticality. Risk rankings are used to prioritize remediation efforts and resource allocation. High and critical risks are reported to FRHC executive leadership and shared with STH management for enterprise-level oversight.
- Parent Policy Mapping: STH Risk Management Policy, Section 3.4
- SCF Mapping: RSK-05 (Risk Ranking)
3.5 Risk Remediation
Section titled “3.5 Risk Remediation”FRHC develops and tracks remediation plans for identified risks. Each remediation item is assigned an owner and target completion date. Completed remediation is validated to confirm the risk has been adequately treated. Where risks cannot be fully remediated, compensating controls or documented risk acceptance decisions are recorded in the risk register.
- Parent Policy Mapping: STH Risk Management Policy, Section 3.5
- SCF Mapping: RSK-06 (Risk Remediation)
3.6 Risk Assessment Updates
Section titled “3.6 Risk Assessment Updates”FRHC updates its risk assessment when new systems or services are introduced, significant operational or regulatory changes occur, or new threat intelligence warrants reassessment. Ad hoc updates supplement the annual formal assessment to ensure FRHC maintains an accurate and current understanding of its risk environment.
- Parent Policy Mapping: STH Risk Management Policy, Section 3.6
- SCF Mapping: RSK-07 (Risk Assessment Update)
4. Compliance & Governance
Section titled “4. Compliance & Governance”FRHC maintains a risk register documenting identified risks, assessments, rankings, remediation plans, and outcomes. The risk register is reviewed by the CIO at least quarterly and formally updated during the annual risk assessment cycle. Evidence of risk management activities is retained to support SOC 2 Type II audits and HIPAA Security Rule compliance assessments.
5. Enforcement
Section titled “5. Enforcement”All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.
Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.
6. References
Section titled “6. References”Parent Policy:
- Summit Technology Holdings – Risk Management Policy
Regulatory Requirements:
- HIPAA Security Rule:
- 45 CFR §164.308(a)(1)(ii)(A) – Risk Analysis
- 45 CFR §164.308(a)(1)(ii)(B) – Risk Management
- AICPA SOC 2 Trust Services Criteria:
- Security (CC3.2, CC3.3)
- Availability (A1.2)
Framework Alignment:
- RSK-01 – Risk Management Program
- RSK-03 – Risk Identification
- RSK-04 – Risk Assessment
- RSK-05 – Risk Ranking
- RSK-06 – Risk Remediation
- RSK-07 – Risk Assessment Update
7. Revision Tracking
Section titled “7. Revision Tracking”| Rev | Description | Date | Approved |
|---|---|---|---|
| - | Policy created | July 2021 | M Machin |
| 1.0 | Formatting Update | September 2022 | WSI |
| 2.0 | Updated and approved for 2024 | July 2024 | WSI |
| 3.0 | Updated and approved for 2025 | July 2025 | M Machin |
| 4.0 | Converted to Standard | April 2026 | M Machin |
