Pre-Engagement Resources — Template

Risk Assessment Template

A prefilled risk register covering data security, commercial, operational, compliance, and exit risks. Provided as a starting point — must be reviewed and adapted to your organisation's circumstances.

⚠ Template document — must be customised before use

This risk assessment is a prefilled template provided by Coaley Peak Ltd for your convenience only. It is: (a) not tailored to your organisation, industry, regulatory environment, or risk appetite; (b) not a substitute for professional risk management advice; (c) not a guarantee, warranty, or commitment of any kind by Coaley Peak Ltd; and (d) not exhaustive — your organisation may face risks not identified here. You must review, adapt, and augment this document to reflect your specific circumstances before presenting it to your board, senior leadership, insurers, auditors, or regulators. [CLIENT TO COMPLETE] sections are marked throughout. Coaley Peak Ltd accepts no liability whatsoever arising from any reliance on or use of this template. Seek independent professional advice before entering any commercial arrangement.

Risk Register

Likelihood and impact ratings are indicative only, based on Coaley Peak's standard engagement model. Ratings for your organisation must be assessed independently.

Risk 1

Data security breach during or after Owlpen integration

Information Security
Residual: Low-Medium — even with controls in place, API-based integrations carry residual security risk. Residual risk is materially lower where the client applies least-privilege credential scoping and maintains its own security controls.

Likelihood

Medium — any API integration increases the attack surface of connected systems. Coaley Peak operates under ISO 27001:2022 controls and requires a signed DPA before any data sharing, but third-party API access is a recognised attack vector and should not be treated as low risk. Likelihood is higher where the client has poor credential hygiene, over-permissive API scopes, unpatched systems, or a complex IT estate with legacy integrations.

Impact

High — potential ICO regulatory action (fines up to 4% of global annual turnover), contractual liability, and serious reputational damage. Note: under UK GDPR, the client remains the data controller and bears primary regulatory responsibility for data it shares with Coaley Peak. Coaley Peak's liability as data processor is limited to obligations set out in the countersigned DPA.

Controls in place

ISO 27001:2022 (UKAS-accredited), AES-256 encryption at rest, TLS 1.2+ in transit, role-based access controls, MFA mandatory for all Coaley Peak staff, signed DPA required before any data sharing, 72-hour GDPR breach notification, annual third-party penetration test. Client-side: client must scope API credentials to the minimum necessary permissions; maintain its own access controls, credential hygiene, and network security throughout the engagement; and complete a DPIA before sharing sensitive data.

Risk owner

[CLIENT TO ASSIGN — IT Director or CISO] — note: client is the data controller and bears primary regulatory responsibility. Coaley Peak acts as data processor within the scope of the signed DPA only.

Risk 2

Savings targets not achieved in a given period

Commercial
Residual: Low-Medium — the client's direct financial exposure remains low, but residual risk includes: (1) management and staff time committed to the engagement (process audit, integration, reporting cycles, and change management) which is not recoverable if results fall short; (2) internal reputational risk if the engagement is visible to stakeholders and does not deliver; (3) opportunity cost of senior resource redirected to the engagement. These risks are real and should be assessed by the client against its own resource constraints. Coaley Peak's financial guarantee covers verified shortfalls in savings, not the client's own time and resource investment.

Likelihood

Medium — targets may not be achieved due to a range of factors, many of which are outside Coaley Peak's control. These include: inaccurate or incomplete baseline data provided by the client; restricted, delayed, or withdrawn system access; changes to client business operations, headcount, or commercial relationships during the engagement; adverse macroeconomic or market conditions; client failure to implement recommended process changes; or force majeure events. Where shortfall is attributable solely to Coaley Peak's own delivery failure, likelihood is assessed as Low.

Impact

Low — no invoice is raised in any month where targets are not independently verified as achieved. The client bears no financial cost in the event of a shortfall. Internal reputational impact will depend on the cause of the shortfall and is a matter for the client's own risk assessment.

Controls in place

Written KPI agreement countersigned before deployment, specifying targets, measurement methodology, baseline period, and exclusions; written baseline agreement independently agreed before go-live; independent third-party verification of all results before invoicing; root-cause analysis provided by Coaley Peak within 10 business days of any shortfall. £10,000 total guarantee (capped per 12-month engagement period): applies only to contracts started after 24 March 2026, only where shortfall is attributable to Coaley Peak's own performance failure, and subject to the full exclusions set out in the commercial agreement — including but not limited to client-caused data inaccuracies, access restrictions, scope changes, market conditions, and force majeure. The guarantee does not apply where the client has not fulfilled its own cooperation obligations.

Risk owner

Both parties — risk cause determines responsibility. Coaley Peak: delivery failure within agreed scope and client cooperation. Client: baseline data accuracy, system access, cooperation obligations, and internal change management. Shortfalls caused by client-side factors are not the liability of Coaley Peak.

Risk 3

Integration or deployment causes operational disruption

Operational
Residual: Low

Likelihood

Low — Owlpen integrates with client platforms via API connections established during the deployment phase. All integrations are subject to pre-integration technical review and require client IT approval before connection is made. However, any API integration carries inherent risk of temporary disruption to connected systems, particularly during initial configuration. Risk increases where the client's IT environment is complex, where change management processes are inadequate, or where relevant IT personnel are not engaged ahead of deployment.

Impact

Medium — unplanned disruption to connected platforms could affect business operations during integration windows. Coaley Peak's contractual liability for disruption caused by the client's own system configuration or inadequate change management is limited, but disruption to operations is a real client risk regardless of cause.

Controls in place

Phased rollout (six stages) with client sign-off at each gate; parallel running period before full operation; pre-integration technical review with client IT team; dedicated deployment support during integration windows; 30-day exit right. Client-side: client IT team must complete firewall and access approvals before deployment begins; client is responsible for internal change communications, stakeholder management, and rollback planning.

Risk owner

[CLIENT TO ASSIGN — Operations lead and IT Director]. Coaley Peak manages its own deployment process; client is responsible for its IT environment readiness, change management, and internal communications.

Risk 4

Key person dependency

Operational
Residual: Low

Likelihood

Low — affects both parties. Named Coaley Peak contacts have documented handover procedures and backup cover. Client-side key person dependency (e.g. loss of the internal engagement owner) can materially delay the engagement and is a separate risk the client should assess.

Impact

Medium — temporary delay to reporting or communication. No financial loss to client.

Controls in place

Coaley Peak: named account lead and technical lead with documented backup; ISO 9001 quality management system; director-level escalation. Client: [CLIENT TO COMPLETE — identify internal backup contact and document escalation path].

Risk owner

Both parties — Coaley Peak manages its own continuity. Client is responsible for identifying and maintaining an internal engagement owner and backup contact.

Risk 5

Vendor financial instability

Commercial
Residual: Very Low — the client's financial exposure is structurally nil.

Likelihood

Low — publicly filed accounts available at Companies House (No. 11783676). Client bears zero upfront financial exposure at any point.

Impact

Low — if the engagement is wound down, the client's cost exposure is nil (pay-on-results). The client receives its data back within 10 business days and has 30 days' notice. Any invoiced and verified savings remain the client's to retain.

Controls in place

Pay-on-results model: no client capital is at risk at any stage. Publicly filed accounts (Companies House No. 11783676). 30-day exit notice. Data return obligation on termination. Client has no financial lock-in of any kind.

Risk owner

[CLIENT TO MONITOR — annual review of public Companies House accounts is recommended as part of standard supplier due diligence.]

Risk 6

Regulatory or compliance exposure (GDPR, ICO, sector-specific)

Compliance
Residual: Medium — for the client as data controller. Regulatory risk under UK GDPR is significant and not transferable to Coaley Peak. Coaley Peak's own residual risk as data processor is Low within the scope of the signed DPA, but the client's residual risk is Medium or higher depending on its sector, existing compliance posture, and lawful basis for data sharing.

Likelihood

Low for Coaley Peak in its capacity as data processor, given DPA, ISO 27001, and ICO registration. Risk is higher for the client in its capacity as data controller — the client determines what data is shared, on what legal basis, and bears primary regulatory accountability.

Impact

High — ICO enforcement action, regulatory fines (up to 4% of global annual turnover under UK GDPR), and reputational damage. The client, as data controller, faces the primary regulatory risk. Coaley Peak's liability as data processor is limited to obligations within the signed DPA.

Controls in place

ICO registration ZA505303; ISO 27001:2022 (UKAS); UK GDPR-compliant DPA countersigned before data sharing; 72-hour breach notification; sub-processor register maintained and available on request. Client-side: client must establish the lawful basis for sharing data with Coaley Peak, complete its own DPIA where required, and ensure it does not share data beyond the agreed scope.

Risk owner

Client (data controller — primary regulatory responsibility). Coaley Peak (data processor — limited to obligations in the signed DPA). [CLIENT TO COMPLETE: document lawful basis for sharing, confirm DPIA completed if required.]

Risk 7

Dispute over savings figures or measurement methodology

Quality
Residual: Very Low — the independent verifier's role structurally eliminates the vast majority of dispute risk.

Likelihood

Very Low — all measurement methodology and baseline data are agreed in writing before deployment. Independent verification by a qualified third party is the sole basis for invoicing.

Impact

Low-Medium — delay to invoice settlement; potential relationship strain. The independent verifier's confirmed figure is contractually binding as the basis for invoicing. Coaley Peak does not invoice on disputed figures.

Controls in place

Written baseline agreement countersigned before go-live; written KPI and methodology agreement before deployment; independent third-party verification of every result before invoicing; dispute resolution process set out in commercial agreement. Note: Coaley Peak relies entirely on data provided by the client. If the client's data proves inaccurate, incomplete, or manipulated after the baseline is agreed, Coaley Peak accepts no liability for resulting measurement errors — this is a client data-quality risk.

Risk owner

Both parties (methodology agreement). Independent verifier (verification confirmation). Client: data accuracy and completeness of information provided to Coaley Peak and the verifier.

Risk 8

Unauthorised scope changes or unexpected charges

Commercial
Residual: Very Low

Likelihood

Very Low — contractual protections prevent both parties from adding scope without written agreement.

Impact

Low — no activity-based charges exist; all fees are tied to verified results within agreed scope. Any attempt to add scope without written agreement is unenforceable.

Controls in place

All scope changes require a written change request countersigned by both parties before implementation; no verbal scope changes; no activity-based or time-and-materials charges; billing only on independently verified results within the agreed scope. Coaley Peak does not invoice for work outside the agreed KPI framework.

Risk owner

Both parties — neither party may alter scope without written mutual agreement.

Risk 9

Complexity or delay on exit and data return

Operational
Residual: Very Low

Likelihood

Very Low — exit rights and data return obligations are explicit and time-bound in the commercial agreement.

Impact

Low — client receives data within 10 business days. No ongoing liability after data return is confirmed.

Controls in place

30 days' written notice from either party; data returned in machine-readable format (CSV/JSON or equivalent) within 10 business days of termination; deletion certificate provided on request; no proprietary format lock-in; Owlpen access revoked on termination date.

Risk owner

Coaley Peak (data return and deletion obligations within the agreed timescales). Client: [CLIENT TO COMPLETE — nominate a contact to receive returned data and confirm deletion certificate requirements.]

Risk 10

Premature or unauthorised disclosure of the engagement

Commercial / Reputational
Residual: Very Low

Likelihood

Low — mutual NDA in place before any information exchange. Risk increases if client personnel disclose the engagement without authorisation.

Impact

Low-Medium — depends on the client's sector, stakeholder sensitivities, and competitive environment. Coaley Peak's reputational risk from unauthorised disclosure by the client is noted but is the client's contractual liability under the NDA.

Controls in place

Mutual NDA countersigned before any commercial discussions; client controls all external communications about the engagement; Coaley Peak does not reference client engagements in marketing, case studies, or public materials without explicit written consent. Breach of NDA by either party is actionable under English law.

Risk owner

Both parties under the mutual NDA. [CLIENT TO ASSIGN — nominate an internal communications lead responsible for controlling disclosure. Ensure all relevant personnel are aware of NDA obligations.]

Residual Risk Summary

Based on the controls above, the overall residual risk profile of a standard Coaley Peak engagement is assessed as Low. The primary residual risk category is information security, which is managed through ISO 27001 certification, contractual DPA, and annual penetration testing.

Client action required

This summary is indicative only. Your organisation's residual risk profile will depend on your sector, regulatory environment, existing controls, and the specific scope of the engagement. [CLIENT TO COMPLETE: Insert your organisation's own residual risk assessment here.]

© Coaley Peak Ltd 2026. This template is provided under the Website Terms and Conditions. Reproduction for internal due-diligence purposes is permitted. Distribution to third parties or publication requires written consent.

Document reference: ISO_webpage_get-started_risk-assessment-template_v1

Last modified: 29 March 2026