Common use of Risk Management Clause in Contracts

Risk Management. 5.1 The Contractor shall operate and maintain policies and processes for risk management (the Risk Management Policy) during the Term which includes standards and processes for the assessment of any potential risks in relation to the Services and processes to ensure that the Authority’s Security Requirements are met (the Risk Assessment). The Contractor shall provide the Risk Management Policy to the Authority upon request within 10 Working Days of such request. The Authority may, at its absolute discretion, require changes to the Risk Management Policy to comply with the Authority’s Security Requirements. The Contractor shall, at its own expense, undertake those actions required in order to implement the changes required by the Authority within one calendar month of such request or on a date as agreed by the Parties. 5.2 The Contractor shall carry out a Risk Assessment (i) at least annually, (ii) in the event of a material change in the Contractor’s System or in the threat landscape or (iii) at the request of the Authority. The Contractor shall provide the report of the Risk Assessment to the Authority, in the case of at least annual Risk Assessments, within 5 Working Days of completion of the Risk Assessment or, in the case of all other Risk Assessments, within one calendar month after completion of the Risk Assessment or on a date as agreed by the Parties. The Contractor shall notify the Authority within 5 Working Days if the Risk Profile in relation to the Services has changed materially, for example, but not limited to, from one risk rating to another risk rating. 5.3 If the Authority decides, at its absolute discretion, that any Risk Assessment does not meet the Authority’s Security Requirements, the Contractor shall repeat the Risk Assessment within one calendar month of such request or as agreed by the Parties. 5.4 The Contractor shall, and shall procure that any Sub-contractor (as applicable) shall, co- operate with the Authority in relation to the Authority’s own risk management processes regarding the Services. 5.5 For the avoidance of doubt, the Contractor shall pay all costs in relation to undertaking any action required to meet the requirements stipulated in this paragraph 5. Any failure by the Contractor to comply with any requirement of this paragraph 5 (regardless of whether such failure is capable of remedy), shall constitute a Serious Breach.

Risk Management. 5.1 The Contractor shall operate and maintain policies and processes for risk management (the Risk Management Policy) during the Term Contract Period which includes standards and processes for the assessment of any potential risks in relation to the Services and processes to ensure that the Authority’s Security Requirements are met (the Risk Assessment). The Contractor shall provide the Risk Management Policy to the Authority upon request within 10 Working Days of such request. The Authority may, at its absolute discretion, require changes to the Risk Management Policy to comply with the Authority’s Security Requirements. The Contractor shall, at its own expense, undertake those actions required in order to implement the changes required by the Authority within one calendar month of such request or on a date as agreed by the Parties. 5.2 The Contractor shall carry out a Risk Assessment (i) at least annually, (ii) in the event of a material change in the Contractor’s System Systems Environment or in the threat landscape or (iii) at the request of the Authority. The Contractor shall provide the report of the Risk Assessment to the Authority, in the case of at least annual Risk Assessments, within 5 Working Days of completion of the Risk Assessment or, in the case of all other Risk Assessments, within one calendar month after completion of the Risk Assessment or on a date as agreed by the Parties. The Contractor shall notify the Authority within 5 Working Days if the Risk Profile in relation to the Services has changed materially, for example, but not limited to, from one risk rating to another risk rating. 5.3 If the Authority decides, at its absolute discretion, that any Risk Assessment does not meet the Authority’s Security Requirements, the Contractor shall repeat the Risk Assessment within one calendar month of such request or as agreed by the Parties. 5.4 The Contractor shall, and shall procure that any Sub-contractor (as applicable) shall, co- operate with the Authority in relation to the Authority’s own risk management processes regarding the Services. 5.5 For the avoidance of doubt, the Contractor shall pay all costs in relation to undertaking any action required to meet the requirements stipulated in this paragraph 5. Any failure by the Contractor to comply with any requirement of this paragraph 5 (regardless of whether such failure is capable of remedy), shall constitute a Serious BreachMaterial Breach entitling the Authority to exercise its rights under Ending (termination) clause.

Risk Management. 5.1 The Contractor shall operate and maintain policies and processes for risk management (the Risk Management Policy) during the Term Contract Period which includes standards and processes for the assessment of any potential risks in relation to the Services and processes to ensure that the Authority’s Security Requirements are met (the Risk Assessment). The Contractor shall provide the Risk Management Policy to the Authority upon request within 10 Working Days of such request. The Authority may, at its absolute discretion, require changes to the Risk Management Policy to comply with the Authority’s Security Requirements. The Contractor shall, at its own expense, undertake those actions required in order to implement the changes required by the Authority within one calendar month of such request or on a date as agreed by the Parties. 5.2 The Contractor shall carry out a Risk Assessment (i) at least annually, (ii) in the event of a material change in the Contractor’s System Systems Environment or in the threat landscape or (iii) at the request of the Authority. The Contractor shall provide the report of the Risk Assessment to the Authority, in the case of at least annual Risk Assessments, within 5 Working Days of completion of the Risk Assessment or, in the case of all other Risk Assessments, within one calendar month after completion of the Risk Assessment or on a date as agreed by the Parties. The Contractor shall notify the Authority within 5 Working Days if the Risk Profile in relation to the Services has changed materially, for example, but not limited to, from one risk rating to another risk rating. 5.3 If the Authority decides, at its absolute discretion, that any Risk Assessment does not meet the Authority’s Security Requirements, the Contractor shall repeat the Risk Assessment within one calendar month of such request or as agreed by the Parties. 5.4 The Contractor shall, and shall procure that any Sub-contractor (as applicable) shall, co- co-operate with the Authority in relation to the Authority’s own risk management processes regarding the Services. 5.5 For the avoidance of doubt, the Contractor shall pay all costs in relation to undertaking any action required to meet the requirements stipulated in this paragraph 5. Any failure by the Contractor to comply with any requirement of this paragraph 5 (regardless of whether such failure is capable of remedy), shall constitute a Serious Breach.Material Breach entitling the Authority to exercise its rights under clause F5.2A.

Risk Management. 5.1 The Contractor Supplier shall operate and maintain policies and processes for risk management (the Risk Management Policy) during the Term Contract Period which includes standards and processes for the assessment of any potential risks in relation to the Services and processes to ensure that the AuthorityBuyer’s Security Requirements are met (the Risk Assessment). The Contractor Supplier shall provide the Risk Management Policy to the Authority Buyer upon request within 10 Working Days of such request. The Authority Buyer may, at its absolute discretion, require changes to the Risk Management Policy to comply with the AuthorityBuyer’s Security Requirements. The Contractor Supplier shall, at its own expense, undertake those actions required in order to implement the changes required by the Authority Buyer within one calendar month of such request or on a date as agreed by the Parties. 5.2 The Contractor Supplier shall carry out a Risk Assessment (i) at least annually, (ii) in the event of a material change in the ContractorSupplier’s System systems environment or in the threat landscape or (iii) at the request of the AuthorityBuyer. The Contractor Supplier shall provide the report of the Risk Assessment to the AuthorityBuyer, in the case of at least annual Risk Assessments, within 5 Working Days of completion of the Risk Assessment or, in the case of all other Risk Assessments, within one calendar month after completion of the Risk Assessment or on a date as agreed by the Parties. The Contractor Supplier shall notify the Authority Buyer within 5 Working Days if the Risk Profile in relation to the Services has changed materially, for example, but not limited to, from one risk rating to another risk rating. 5.3 If the Authority Buyer decides, at its absolute discretion, that any Risk Assessment does not meet the AuthorityBuyer’s Security Requirements, the Contractor Supplier shall repeat the Risk Assessment within one calendar month of such request or as agreed by the Parties. 5.4 The Contractor Supplier shall, and and, shall procure that any Sub-contractor Subcontractor (as applicable) shall, co- co-operate with the Authority Buyer in relation to the AuthorityBuyer’s own risk management processes regarding the Services. 5.5 For the avoidance of doubt, the Contractor Supplier shall pay all costs in relation to undertaking any action required to meet the requirements stipulated in this paragraph 5. Any failure by the Contractor Supplier to comply with any requirement of this paragraph 5 (regardless of whether such failure is capable of remedy), shall constitute a Serious BreachMaterial Breach entitling the Buyer to exercise its rights under clause 18.5.

Risk Management. 5.1 The Contractor shall operate and maintain policies and processes for risk management (the Risk Management Policy) during the Term Contract Period which includes standards and processes for the assessment of any potential risks in relation to the Services and processes to ensure that the Authority’s Security Requirements are met (the Risk Assessment). The Contractor shall provide the Risk Management Policy to the Authority upon request within 10 Working Days of such request. The Authority may, at its absolute discretion, require changes to the Risk Management Policy to comply with the Authority’s Security Requirements. The Contractor shall, at its own expense, undertake those actions required in order to implement the changes required by the Authority within one calendar month of such request or on a date as agreed by the Parties. 5.2 The Contractor shall carry out a Risk Assessment (i) at least annually, (ii) in the event of a material change in the Contractor’s System Systems Environment or in the threat landscape or (iii) at the request of the Authority. The Contractor shall provide the report of the Risk Assessment to the Authority, in the case of at least annual Risk Assessments, within 5 Working Days of completion of the Risk Assessment or, in the case of all other Risk Assessments, within one calendar month after completion of the Risk Assessment or on a date as agreed by the Parties. The Contractor shall notify the Authority within 5 Working Days if the Risk Profile in relation to the Services has changed materially, for example, but not limited to, from one risk rating to another risk rating. 5.3 If 5.2.1 In the event that the Authority decidesreasonably believes that there has been a Default of the Contract by the Contractor, irrespective of whether the Default is a Material Breach, then the Authority may at no additional cost to the Authority and at the Contractor’s own cost, without prejudice to its absolute discretion, rights and remedies under the Contract or otherwise do any of the following: request in writing that any Risk Assessment does not meet the Contractor remedies the Default within a period specified by the Authority’s Security Requirements, the Contractor shall repeat the Risk Assessment within one calendar month of such request ; or as agreed by the Parties. 5.4 The Contractor shall, and shall procure that any Sub-contractor (as applicable) shall, co- operate with the Authority in relation to the Authority’s own risk management processes regarding the Services. 5.5 For the avoidance of doubt, the Contractor shall pay all costs in relation to undertaking any action required to meet the requirements stipulated in this paragraph 5. Any failure by require the Contractor to comply submit a Performance Improvement Plan in accordance with any requirement of this paragraph 5 (regardless of whether such failure is capable of remedy), shall constitute a Serious Breachclause 5.2.2.

Risk Management. 5.1 The Contractor Supplier shall operate and maintain policies and processes for risk management (the Risk Management Policy) during the Term which includes standards and processes for the assessment of any potential risks in relation to the Services and processes to ensure that the Authority’s Security Requirements are met (the Risk Assessment). The Contractor Supplier shall provide the Risk Management Policy to the Authority upon request within 10 ten (10) Working Days of such request. The Authority may, at its absolute discretion, require changes to the Risk Management Policy to comply with the Authority’s Security Requirements. The Contractor Supplier shall, at its own expense, undertake those actions required in order to implement the changes required by the Authority within one calendar month of such request or on a date as agreed by the Parties. 5.2 The Contractor Supplier shall carry out a Risk Assessment Assessment: (i) at least annually, ; (ii) in the event of a material change in the Contractor’s Supplier System or in the threat landscape or landscape; or (iii) at the request of the Authority. The Contractor Supplier shall provide the report of the Risk Assessment to the Authority, in the case of at least annual Risk Assessments, within 5 five (5) Working Days of completion of the Risk Assessment or, in the case of all other Risk Assessments, within one calendar month after completion of the Risk Assessment or on a date as agreed by the Parties. The Contractor Supplier shall notify the Authority within 5 five (5) Working Days if the Risk Profile in relation to the Services has changed materially, for example, but not limited to, from one risk rating to another risk rating. 5.3 If the Authority decides, at its absolute discretion, that any Risk Assessment does not meet the Authority’s Security Requirements, the Contractor Supplier shall repeat the Risk Assessment within one calendar month of such request or as agreed by the Parties. 5.4 The Contractor Supplier shall, and shall procure that any Sub-contractor (as applicable) shall, co- operate with the Authority in relation to the Authority’s own risk management processes regarding the Services. 5.5 For the avoidance of doubt, the Contractor Supplier shall pay all costs in relation to undertaking any action required to meet the requirements stipulated in this paragraph 5. Any failure by the Contractor to comply with any requirement of this paragraph 5 (regardless of whether such failure is capable of remedy), shall constitute a Serious Breach.

Risk Management. 5.1 4.1 The Contractor shall operate and maintain policies and processes for risk management (the Risk Management Policy) during the Term Contract Period which includes standards and processes for the assessment of any potential risks in relation to the Services and processes to ensure that the Authority’s Security Requirements are met (the Risk Assessment). The Contractor shall provide the Risk Management Policy to the Authority upon request within 10 Working Days of such request. The Authority may, at its absolute discretion, require changes to the Risk Management Policy to comply with the Authority’s Security Requirements. The Contractor shall, at its own expense, undertake those actions required in order to implement the changes required by the Authority within one calendar month of such request or on a date as agreed by the Parties. 5.2 4.2 The Contractor shall carry out a Risk Assessment (i) at least annually, (ii) in the event of a material change in the Contractor’s System Systems Environment or in the threat landscape or (iii) at the request of the Authority. The Contractor shall provide the report of the Risk Assessment to the Authority, in the case of at least annual Risk Assessments, within 5 Working Days of completion of the Risk Assessment or, in the case of all other Risk Assessments, within one calendar month after completion of the Risk Assessment or on a date as agreed by the Parties. The Contractor shall notify the Authority within 5 Working Days if the Risk Profile in relation to the Services has changed materially, for example, but not limited to, from one risk rating to another risk rating. 5.3 4.3 If the Authority decides, at its absolute discretion, that any Risk Assessment does not meet the Authority’s Security Requirements, the Contractor shall repeat the Risk Assessment within one calendar month of such request or as agreed by the Parties. 5.4 4.4 The Contractor shall, shall and shall procure that any Sub-contractor (as applicable) shall, co- co-operate with the Authority in relation to the Authority’s own risk management processes regarding the Services. 5.5 4.5 For the avoidance of doubt, the Contractor shall pay all costs in relation to undertaking any action required to meet the requirements stipulated in this paragraph 5. Error! Reference source not found.. Any failure by the Contractor to comply with any requirement of this paragraph 5 Error! Reference source not found. (regardless of whether such failure is capable of remedy), shall constitute a Serious BreachMaterial Breach entitling the Authority to exercise its rights under clause 18.5.

Risk Management. 5.1 The Contractor shall operate and maintain policies and processes for risk management (the Risk Management Policy) during the Term Contract Period which includes standards and processes for the assessment of any potential risks in relation to the Services and processes to ensure that the Authority’s Security Requirements are met (the Risk Assessment). The Contractor shall provide the Risk Management Policy to the Authority upon request within 10 Working Days of such request. The Authority may, at its absolute discretion, require changes to the Risk Management Policy to comply with the Authority’s Security Requirements. The Contractor shall, at its own expense, undertake those actions required in order to implement the changes required by the Authority within one calendar month of such request or on a date as agreed by the Parties. 5.2 The Contractor shall carry out a Risk Assessment (i) at least annually, (ii) in the event of a material change in the Contractor’s System Systems Environment or in the threat landscape or (iii) at the request of the Authority. The Contractor shall provide the report of the Risk Assessment to the Authority, in the case of at least annual Risk Assessments, within 5 Working Days of completion of the Risk Assessment or, in the case of all other Risk Assessments, within one calendar month after completion of the Risk Assessment or on a date as agreed by the Parties. The Contractor shall notify the Authority within 5 Working Days if the Risk Profile in relation to the Services has changed materially, for example, but not limited to, from one risk rating to another risk rating. 5.3 If the Authority decides, at its absolute discretion, that any Risk Assessment does not meet the Authority’s Security Requirements, the Contractor shall repeat the Risk Assessment within one calendar month of such request or as agreed by the Parties. 5.4 The Contractor shall, and shall procure that any Sub-contractor (as applicable) shall, co- operate with the Authority in relation to the Authority’s own risk management processes regarding the Services. 5.5 For the avoidance of doubt, the Contractor shall pay all costs in relation to undertaking any action required to meet the requirements stipulated in this paragraph 5. Any failure by the Contractor to comply with any requirement of this paragraph 5 (regardless of whether such failure is capable of remedy), shall constitute a Serious BreachMaterial Breach entitling the Authority to exercise its rights under clause 18.5.

Risk Management. 5.1 The Contractor shall operate and maintain policies and processes for risk management (the Risk Management Policy) during the Term Contract Period which includes standards and processes for the assessment of any potential risks in relation to the Services and processes to ensure that the Authority’s Security Requirements are met (the Risk Assessment). The Contractor shall provide the Risk Management Policy to the Authority upon request within 10 Working Days of such request. The Authority may, at its absolute discretion, require changes to the Risk Management Policy to comply with the Authority’s Security Requirements. The Contractor shall, at its own expense, undertake those actions required in order to implement the changes required by the Authority within one calendar month of such request or on a date as agreed by the Parties. 5.2 The Contractor shall carry out a Risk Assessment (i) at least annually, (ii) in the event of a material change in the Contractor’s System Systems Environment or in the threat landscape or (iii) at the request of the Authority. The Contractor shall provide the report of the Risk Assessment to the Authority, in the case of at least annual Risk Assessments, within 5 Working Days of completion of the Risk Assessment or, in the case of all other Risk Assessments, within one calendar month after completion of the Risk Assessment or on a date as agreed by the Parties. The Contractor shall notify the Authority within 5 Working Days if the Risk Profile in relation to the Services has changed materially, for example, but not limited to, from one risk rating to another risk rating. 5.3 If the Authority decides, at its absolute discretion, that any Risk Assessment does not meet the Authority’s Security Requirements, the Contractor shall repeat the Risk Assessment within one calendar month of such request or as agreed by the Parties. 5.4 The Contractor shall, and shall procure that any Sub-contractor (as applicable) shall, co- operate with the Authority in relation to the Authority’s own risk management processes regarding the Services. 5.5 For the avoidance of doubt, the Contractor shall pay all costs in relation to undertaking any action required to meet the requirements stipulated in this paragraph 5. Error! Reference source not found.. Any failure by the Contractor to comply with any requirement of this paragraph 5 Error! Reference source not found. (regardless of whether such failure is capable of remedy), shall constitute a Serious BreachMaterial Breach entitling the Authority to exercise its rights under clause 18.5.

Risk Management. 5.1 The Contractor Supplier shall operate and maintain policies and processes for risk management (the Risk Management Policy) during the Term Contract Period which includes standards and processes for the assessment of any potential risks in relation to the Services and processes to ensure that the AuthorityBuyer’s Security Requirements are met (the Risk Assessment). The Contractor Supplier shall provide the Risk Management Policy to the Authority Buyer upon request within 10 Working Days of such request. The Authority Buyer may, at its absolute discretion, require changes to the Risk Management Policy to comply with the AuthorityBuyer’s Security Requirements. The Contractor Supplier shall, at its own expense, undertake those actions required in order to implement the changes required by the Authority Buyer within one calendar month of such request or on a date as agreed by the Parties. 5.2 The Contractor Supplier shall carry out a Risk Assessment (i) at least annually, (ii) in the event of a material change in the ContractorSupplier’s System systems environment or in the threat landscape or (iii) at the request of the AuthorityBuyer. The Contractor Supplier shall provide the report of the Risk Assessment to the AuthorityBuyer, in the case of at least annual Risk Assessments, within 5 Working Days of completion of the Risk Assessment or, in the case of all other Risk Assessments, within one calendar month after completion of the Risk Assessment or on a date as agreed by the Parties. The Contractor Supplier shall notify the Authority Buyer within 5 Working Days if the Risk Profile in relation to the Services has changed materially, for example, but not limited to, from one risk rating to another risk rating. 5.3 If the Authority Buyer decides, at its absolute discretion, that any Risk Assessment does not meet the AuthorityBuyer’s Security Requirements, the Contractor Supplier shall repeat the Risk Assessment within one calendar month of such request or as agreed by the Parties. 5.4 The Contractor shall, Supplier shall and shall procure that any Sub-contractor Subcontractor (as applicable) shall, co- co-operate with the Authority Buyer in relation to the AuthorityBuyer’s own risk management processes regarding the Services. 5.5 For the avoidance of doubt, the Contractor Supplier shall pay all costs in relation to undertaking any action required to meet the requirements stipulated in this paragraph 5. Any failure by the Contractor Supplier to comply with any requirement of this paragraph 5 (regardless of whether such failure is capable of remedy), shall constitute a Serious BreachMaterial Breach entitling the Buyer to exercise its rights under clause 18.5.

Risk Management. 5.1 The Contractor shall operate and maintain policies and processes for risk management (the Risk Management Policy) during the Term Contract Period which includes standards and processes for the assessment of any potential risks in relation to the Services and processes to ensure that the Authority’s Security Requirements are met (the Risk Assessment). The Contractor shall provide the Risk Management Policy to the Authority upon request within 10 Working Days of such request. The Authority may, at its absolute discretion, require changes to the Risk Management Policy to comply with the Authority’s Security Requirements. The Contractor shall, at its own expense, undertake those actions required in order to implement the changes required by the Authority within one calendar month of such request or on a date as agreed by the Parties. 5.2 The Contractor shall carry out a Risk Assessment (i) at least annually, (ii) in the event of a material change in the Contractor’s System Systems Environment or in the threat landscape or (iii) at the request of the Authority. The Contractor shall provide the report of the Risk Assessment to the Authority, in the case of at least annual Risk Assessments, within 5 Working Days of completion of the Risk Assessment or, in the case of all other Risk Assessments, within one calendar month after completion of the Risk Assessment or on a date as agreed by the Parties. The Contractor shall notify the Authority within 5 Working Days if the Risk Profile in relation to the Services has changed materially, for example, but not limited to, from one risk rating to another risk rating. 5.3 If 5.2.1 In the event that the Authority decidesreasonably believes that there has been a Default of the Contract by the Contractor, irrespective of whether the Default is a Material Breach, then the Authority may at no additional cost to the Authority and at the Contractor’s own cost, without prejudice to its absolute discretion, rights and remedies under the Contract or otherwise do any of the following: a) request in writing that any Risk Assessment does not meet the Contractor remedies the Default within a period specified by the Authority’s Security Requirements, the Contractor shall repeat the Risk Assessment within one calendar month of such request or as agreed by the Parties.; or 5.4 The Contractor shall, and shall procure that any Sub-contractor (as applicableb) shall, co- operate with the Authority in relation to the Authority’s own risk management processes regarding the Services. 5.5 For the avoidance of doubt, the Contractor shall pay all costs in relation to undertaking any action required to meet the requirements stipulated in this paragraph 5. Any failure by require the Contractor to comply submit a Performance Improvement Plan in accordance with any requirement of this paragraph 5 (regardless of whether such failure is capable of remedy), shall constitute a Serious Breachclause 5.2.2.

Risk Management. 5.1 The Contractor shall operate and maintain policies and processes for risk management (the Risk Management Policy) during the Term Contract Period which includes standards and processes for the assessment of any potential risks in relation to the Services and processes to ensure that the Authority’s Security Requirements are met (the Risk Assessment). The Contractor shall provide the Risk Management Policy to the Authority upon request within 10 Working Days of such request. The Authority may, at its absolute discretion, require changes to the Risk Management Policy to comply with the Authority’s Security Requirements. The Contractor shall, at its own expense, undertake those actions required in order to implement the changes required by the Authority within one calendar month of such request or on a date as agreed by the Parties. 5.2 The Contractor shall carry out a Risk Assessment (i) at least annually, (ii) in the event of a material change in the Contractor’s System Systems Environment or in the threat landscape or (iii) at the request of the Authority. The Contractor shall provide the report of the Risk Assessment to the Authority, in the case of at least annual Risk Assessments, within 5 Working Days of completion of the Risk Assessment or, in the case of all other Risk Assessments, within one calendar month after completion of the Risk Assessment or on a date as agreed by the Parties. The Contractor shall notify the Authority within 5 Working Days if the Risk Profile in relation to the Services has changed materially, for example, but not limited to, from one risk rating to another risk rating. 5.3 If the Authority decides, at its absolute discretion, that any Risk Assessment does not meet the Authority’s Security Requirements, the Contractor shall repeat the Risk Assessment within one calendar month of such request or as agreed by the Parties. 5.4 The Contractor shall, and shall procure that any Sub-contractor (as applicable) shall, co- co-operate with the Authority in relation to the Authority’s own risk management processes regarding the Services. 5.5 For the avoidance of doubt, the Contractor shall pay all costs in relation to undertaking any action required to meet the requirements stipulated in this paragraph 5. Error! Reference source not found.. Any failure by the Contractor to comply with any requirement of this paragraph 5 (regardless of whether such failure is capable of remedy), shall constitute a Serious Breach.Error! Reference source not

Risk Management. 5.1 The Contractor Supplier shall operate and maintain policies and processes for risk management (the Risk Management Policy) during the Term Contract Period which includes standards and processes for the assessment of any potential risks in relation to the Services and processes to ensure that the AuthorityBuyer’s Security Requirements are met (the Risk Assessment). The Contractor Supplier shall provide the Risk Management Policy to the Authority Buyer upon request within 10 Working Days of such request. The Authority Buyer may, at its absolute discretion, require changes to the Risk Management Policy to comply with the AuthorityBuyer’s Security Requirements. The Contractor Supplier shall, at its own expense, undertake those actions required in order to implement the changes required by the Authority Buyer within one calendar month of such request or on a date as agreed by the Parties. 5.2 The Contractor Supplier shall carry out a Risk Assessment (i) at least annually, (ii) in the event of a material change in the ContractorSupplier’s System Systems Environment or in the threat landscape or (iii) at the request of the AuthorityBuyer. The Contractor Supplier shall provide the report of the Risk Assessment to the AuthorityBuyer, in the case of at least annual Risk Assessments, within 5 Working Days of completion of the Risk Assessment or, in the case of all other Risk Assessments, within one calendar month after completion of the Risk Assessment or on a date as agreed by the Parties. The Contractor Supplier shall notify the Authority Buyer within 5 Working Days if the Risk Profile in relation to the Services has changed materially, for example, but not limited to, from one risk rating to another risk rating. 5.3 If the Authority Buyer decides, at its absolute discretion, that any Risk Assessment does not meet the AuthorityBuyer’s Security Requirements, the Contractor Supplier shall repeat the Risk Assessment within one calendar month of such request or as agreed by the Parties. 5.4 The Contractor shall, Supplier shall and shall procure that any Sub-contractor (as applicable) shall, co- operate with the Authority Buyer in relation to the AuthorityBuyer’s own risk management processes regarding the Services. 5.5 For the avoidance of doubt, the Contractor Supplier shall pay all costs in relation to undertaking any action required to meet the requirements stipulated in this paragraph 5. Any failure by the Contractor Supplier to comply with any requirement of this paragraph 5 (regardless of whether such failure is capable of remedy), shall constitute a Serious Breach.Material Breach entitling the Buyer to exercise its rights under clause F5.2A.

Risk Management. 5.1 The Contractor shall operate and maintain policies and processes for risk management (the Risk Management Policy) during the Term Contract Period which includes standards and processes for the assessment of any potential risks in relation to the Services and processes to ensure that the Authority’s Security Requirements are met (the Risk Assessment). The Contractor shall provide the Risk Management Policy to the Authority upon request within 10 Working Days of such request. The Authority may, at its absolute discretion, require changes to the Risk Management Policy to comply with the Authority’s Security Requirements. The Contractor shall, at its own expense, undertake those actions required in order to implement the changes required by the Authority within one calendar month of such request or on a date as agreed by the Parties. 5.2 The Contractor shall carry out a Risk Assessment (i) at least annually, (ii) in the event of a material change in the Contractor’s System Systems Environment or in the threat landscape or (iii) at the request of the Authority. The Contractor shall provide the report of the Risk Assessment to the Authority, in the case of at least annual Risk Assessments, within 5 Working Days of completion of the Risk Assessment or, in the case of all other Risk Assessments, within one calendar month after completion of the Risk Assessment or on a date as agreed by the Parties. The Contractor shall notify the Authority within 5 Working Days if within 5.2.1 In the Risk Profile in relation event that the Authority reasonably believes that there has been a Default of the Contract by the Contractor, irrespective of whether the Default is a Material Breach, then the Authority may at no additional cost to the Services has changed materiallyAuthority and at the Contractor’s own cost, for example, but not limited to, from one risk rating without prejudice to another risk rating.its rights and remedies under the Contract or otherwise do any of the following: 5.3 If a) request in writing that the Authority decides, at its absolute discretion, that any Risk Assessment does not meet Contractor remedies the Default within a period specified by the Authority’s Security Requirements, the Contractor shall repeat the Risk Assessment within one calendar month of such request or as agreed by the Parties.; or 5.4 The Contractor shall, and shall procure that any Sub-contractor (as applicableb) shall, co- operate with the Authority in relation to the Authority’s own risk management processes regarding the Services. 5.5 For the avoidance of doubt, the Contractor shall pay all costs in relation to undertaking any action required to meet the requirements stipulated in this paragraph 5. Any failure by require the Contractor to comply submit a Performance Improvement Plan in accordance with any requirement of this paragraph 5 (regardless of whether such failure is capable of remedy), shall constitute a Serious Breachclause 5.2.2.

Risk Management. 5.1 The Contractor shall operate and maintain policies and processes for risk management (the Risk Management Policy) during the Term Contract Period which includes standards and processes for the assessment of any potential risks in relation to the Services and processes to ensure that the Authority’s Security Requirements are met (the Risk Assessment). The Contractor shall provide the Risk Management Policy to the Authority upon request within 10 Working Days of such request. The Authority may, at its absolute discretion, require changes to the Risk Management Policy to comply with the Authority’s Security Requirements. The Contractor shall, at its own expense, undertake those actions required in order to implement the changes required by the Authority within one calendar month of such request or on a date as agreed by the Parties. 5.2 The Contractor shall carry out a Risk Assessment (i) at least annually, (ii) in the event of a material change in the Contractor’s System Systems Environment or in the threat landscape or (iii) at the request of the Authority. The Contractor shall provide the report of the Risk Assessment to the Authority, in the case of at least annual Risk Assessments, within 5 Working Days of completion of the Risk Assessment or, in the case of all other Risk Assessments, within one calendar month after completion of the Risk Assessment or on a date as agreed by the Parties. The Contractor shall notify the Authority within 5 Working Days if the Risk Profile in relation to the Services has changed materially, for example, but not limited to, from one risk rating to another risk rating. 5.3 If the Authority decides, at its absolute discretion, that any Risk Assessment does not meet the Authority’s Security Requirements, the Contractor shall repeat the Risk Assessment within one calendar month of such request or as agreed by the Parties. 5.4 The Contractor shall, and shall procure that any Sub-contractor (as applicable) shall, co- operate with the Authority in relation to the Authority’s own risk management processes regarding the Services. 5.5 For the avoidance of doubt, the Contractor shall pay all costs in relation to undertaking any action required to meet the requirements stipulated in this paragraph 5. Any failure by the Contractor to comply with any requirement of this paragraph 5 (regardless of whether such failure is capable of remedy), shall constitute a Serious Breach.

Risk Management. 5.1 The Contractor Supplier shall operate and maintain policies and processes for risk management (the Risk Management Policy) during the Term Contract Period which includes standards and processes for the assessment of any potential risks in relation to the Services and processes to ensure that the AuthorityBuyer’s Security Requirements are met (the Risk Assessment). The Contractor Supplier shall provide the Risk Management Policy to the Authority Buyer upon request within 10 Working Days of such request. The Authority Buyer may, at its absolute discretion, require changes to the Risk Management Policy to comply with the AuthorityBuyer’s Security Requirements. The Contractor Supplier shall, at its own expense, undertake those actions required in order to implement the changes required by the Authority Buyer within one calendar month of such request or on a date as agreed by the Parties. 5.2 The Contractor Supplier shall carry out a Risk Assessment (i) at least annually, (ii) in the event of a material change in the ContractorSupplier’s System systems environment or in the threat landscape or (iii) at the request of the AuthorityBuyer. The Contractor Supplier shall provide the report of the Risk Assessment to the AuthorityBuyer, in the case of at least annual Risk Assessments, within 5 Working Days of completion of the Risk Assessment or, in the case of all other Risk Assessments, within one calendar month after completion of the Risk Assessment or on a date as agreed by the Parties. The Contractor Supplier shall notify the Authority Buyer within 5 Working Days if the Risk Profile in relation to the Services has changed materially, for example, but not limited to, from one risk rating to another risk rating. 5.3 If the Authority Buyer decides, at its absolute discretion, that any Risk Assessment does not meet the AuthorityBuyer’s Security Requirements, the Contractor Supplier shall repeat the Risk Assessment within one calendar month of such request or as agreed by the Parties. 5.4 The Contractor Supplier shall, and shall procure that any Sub-contractor Subcontractor (as applicable) shall, co- co-operate with the Authority Buyer in relation to the AuthorityBuyer’s own risk management processes regarding the Services. 5.5 For the avoidance of doubt, the Contractor Supplier shall pay all costs in relation to undertaking any action required to meet the requirements stipulated in this paragraph 5. Any failure by the Contractor Supplier to comply with any requirement of this paragraph 5 (regardless of whether such failure is capable of remedy), shall constitute a Serious BreachMaterial Breach entitling the Buyer to exercise its rights under clause 18.5.

Risk Management. 5.1 The Contractor shall operate and maintain policies and processes for risk management (the Risk Management Policy) during the Term Contract Period which includes standards and processes for the assessment of any potential risks in relation to the Services and processes to ensure that the Authority’s Security Requirements are met (the Risk Assessment). The Contractor shall provide the Risk Management Policy to the Authority upon request within 10 Working Days of such request. The Authority may, at its absolute discretion, require changes to the Risk Management Policy to comply with the Authority’s Security Requirements. The Contractor shall, at its own expense, undertake those actions required in order to implement the changes required by the Authority within one calendar month of such request or on a date as agreed by the Parties. 5.2 The Contractor shall carry out a Risk Assessment (i) at least annually, (ii) in the event of a material change in the Contractor’s System Systems Environment or in the threat landscape or (iii) at the request of the Authority. The Contractor shall provide the report of the Risk Assessment to the Authority, in the case of at least annual Risk Assessments, within 5 Working Days of completion of the Risk Assessment or, in the case of all other Risk Assessments, within one calendar month after completion of the Risk Assessment or on a date as agreed by the Parties. The Contractor shall notify the Authority within 5 Working Days if the Risk Profile in relation to the Services has changed materially, for example, but not limited to, from one risk rating to another risk rating. 5.3 If the Authority decides, at its absolute discretion, that any Risk Assessment does not meet the Authority’s Security Requirements, the Contractor shall repeat the Risk Assessment within one calendar month of such request or as agreed by the Parties. 5.4 The Contractor shall, and shall procure that any Sub-contractor (as applicable) shall, co- co-operate with the Authority in relation to the Authority’s own risk management processes regarding the Services. 5.5 For the avoidance of doubt, the Contractor shall pay all costs in relation to undertaking any action required to meet the requirements stipulated in this paragraph 5. Error! Reference source not found.. Any failure by the Contractor to comply with any a ny requirement of this paragraph 5 Error! Reference source not found. (regardless of whether such failure is capable of remedy), shall constitute a Serious Breach.Material Breach entitling the Authority to exercise its rights under clause F5.2A.