Risk Management Framework

Effective Date: 1 January 2025

1. Purpose and Scope

1.1 Framework Objectives

This Risk Management Framework ("Framework") has been adopted by the Board of Directors of Orisium Pty Limited ("Orisium", "the Company", or "we") to establish a systematic and consistent approach to identifying, assessing, managing, monitoring, and reporting risks across all areas of the Company's operations.

The primary objectives of this Framework are to:

  • Establish a common understanding of risk management principles, processes, and responsibilities across the organisation;
  • Provide the Board and management with reasonable assurance that material risks are identified, assessed, and managed within acceptable levels;
  • Support the achievement of the Company's strategic objectives by ensuring that risks are proactively identified and appropriately treated;
  • Embed a risk-aware culture that promotes accountability, transparency, and continuous improvement in risk management practices;
  • Ensure compliance with applicable laws, regulations, and corporate governance requirements; and
  • Protect and enhance the Company's reputation, stakeholder value, and long-term sustainability.

1.2 Alignment with ISO 31000:2018 and COSO

This Framework has been developed in alignment with internationally recognised risk management standards and frameworks, including:

  • ISO 31000:2018 Risk Management Guidelines: The International Organisation for Standardisation's risk management standard provides principles, a framework, and a process for managing risk. This Framework adopts ISO 31000:2018's core principles of integration, structured approach, customisation, inclusiveness, dynamic adaptation, best available information, human and cultural factors, and continual improvement;
  • COSO Enterprise Risk Management Framework (2017): The Committee of Sponsoring Organisations of the Treadway Commission's ERM framework integrates enterprise risk management with strategy and performance. This Framework incorporates COSO's five interrelated components: Governance and Culture, Strategy and Objective Setting, Performance, Review and Revision, and Information, Communication and Reporting.

By aligning with these internationally recognised standards, the Company ensures that its risk management practices reflect current best practice and facilitate effective risk governance across all levels of the organisation.

1.3 ASX Corporate Governance Principle 7 Compliance

This Framework has been designed to satisfy the requirements of Principle 7 of the ASX Corporate Governance Council's Corporate Governance Principles and Recommendations (4th Edition), which states that "A listed entity should establish a sound risk management framework and periodically review the effectiveness of that framework."

In accordance with Recommendation 7.1, the Company has established an Audit and Risk Committee (or equivalent) with responsibility for overseeing the Company's risk management framework. In accordance with Recommendation 7.2, the Board reviews the Company's risk management framework at least annually to satisfy itself that it continues to be sound and that the Company is operating with due regard to the risk appetite set by the Board. In accordance with Recommendation 7.3, the Company discloses whether it has an internal audit function, how the function is structured, and what role it performs. In accordance with Recommendation 7.4, the Company discloses whether it has any material exposure to environmental or social risks, and if so, how it manages those risks.

1.4 Scope of Application

This Framework applies to all directors, officers, employees, contractors, and agents of Orisium Pty Limited and its controlled entities. It encompasses all activities, processes, and decisions that may give rise to risks affecting the achievement of the Company's objectives.

2. Risk Management Philosophy

2.1 Risk Appetite Statement

The Company's risk appetite represents the amount and type of risk that the Board is willing to accept in pursuit of the Company's strategic objectives. The risk appetite is set by the Board and reviewed annually, or more frequently if circumstances require.

Orisium recognises that the effective management of risk is integral to achieving its strategic objectives and creating sustainable value for shareholders. The Company adopts a balanced approach to risk, accepting that:

  • Some level of risk-taking is necessary to pursue growth and innovation opportunities that are consistent with the Company's strategy;
  • Risks should be identified, understood, and managed proactively rather than avoided entirely;
  • The potential benefits of risk-taking must be weighed against the potential adverse consequences;
  • Certain risks, particularly those relating to legal compliance, safety, and ethical conduct, are not acceptable regardless of potential benefits; and
  • Risk management should be integrated into all business processes and decision-making.

2.2 Risk Tolerance Levels

Risk tolerance represents the acceptable level of variation in performance relative to the achievement of objectives. The Board has established risk tolerance levels for different categories of risk as follows:

  • Zero Tolerance: Risks relating to breaches of law, regulation, or ethical standards; health and safety of employees, customers, or the public; and deliberate misrepresentation of financial information;
  • Low Tolerance: Risks that could result in significant financial loss, reputational damage, or regulatory sanctions; cybersecurity and data protection risks; and business continuity risks;
  • Moderate Tolerance: Risks associated with normal business operations where controls are in place and operating effectively; operational efficiency risks; and supplier and partner relationship risks;
  • Higher Tolerance: Risks associated with strategic initiatives, innovation, and growth opportunities where the potential benefits justify acceptance of higher risk levels, subject to appropriate oversight and monitoring.

2.3 Integration with Strategy

Risk management is integrated into the Company's strategic planning and decision-making processes. This integration ensures that:

  • Strategic objectives are set with consideration of the risks and opportunities that may affect their achievement;
  • Risk appetite and tolerance levels inform strategic choices and resource allocation;
  • Material risks are considered in all significant business decisions, including mergers and acquisitions, major capital expenditure, and new market entry;
  • Performance metrics include risk-adjusted measures where appropriate; and
  • Risk management contributes to value creation rather than being viewed solely as a compliance function.

3. Governance Structure

3.1 Board Responsibilities

The Board of Directors has ultimate responsibility for the oversight of the Company's risk management framework. The Board's responsibilities include:

  • Approving the risk management framework and any material amendments thereto;
  • Setting the risk appetite and risk tolerance levels for the Company;
  • Ensuring that management has established and maintains an effective risk management framework;
  • Reviewing and approving the Company's risk profile, including material risks and the controls in place to manage those risks;
  • Monitoring the effectiveness of the risk management framework through regular reporting from management and the Audit and Risk Committee; and
  • Conducting an annual review of the risk management framework to ensure it remains appropriate and effective.

3.2 Audit and Risk Committee

The Board has established an Audit and Risk Committee to assist the Board in fulfilling its oversight responsibilities for risk management. The Committee operates under a formal charter approved by the Board and comprises a majority of independent non-executive directors. The Committee's risk management responsibilities include:

  • Reviewing the risk management framework and recommending changes to the Board;
  • Monitoring the Company's risk profile and the status of material risks;
  • Reviewing the adequacy and effectiveness of internal controls;
  • Overseeing the internal audit function;
  • Reviewing risk management reports from management; and
  • Reporting to the Board on risk management matters and making recommendations as appropriate.

3.3 Chief Executive Officer and Executive Team

The Chief Executive Officer is responsible for implementing the risk management framework and ensuring that risk management is embedded throughout the organisation. The CEO and Executive Team are responsible for:

  • Developing and maintaining the risk management framework, policies, and procedures;
  • Identifying, assessing, and managing risks within their areas of responsibility;
  • Allocating resources for risk management activities;
  • Ensuring that risk management is integrated into business processes and decision-making;
  • Promoting a risk-aware culture throughout the organisation; and
  • Reporting on risk management to the Audit and Risk Committee and the Board.

3.4 Risk Owners

Each material risk identified by the Company is assigned to a Risk Owner, who is a senior executive or manager with the authority and accountability to manage that risk. Risk Owners are responsible for:

  • Understanding the nature and extent of the risks for which they are responsible;
  • Implementing and maintaining appropriate controls to manage those risks;
  • Monitoring the effectiveness of controls and the status of risks;
  • Escalating risks that exceed tolerance levels or require additional management attention; and
  • Reporting on the status of their assigned risks as required.

3.5 Three Lines of Defence Model

The Company has adopted the Three Lines of Defence model to structure its risk management and assurance activities:

  • First Line of Defence: Business Operations

    Operational management and staff own and manage risks as part of their day-to-day activities. They are responsible for identifying and assessing risks, implementing controls, and monitoring their effectiveness. The first line provides primary assurance that risks are being managed appropriately.

  • Second Line of Defence: Risk Oversight and Compliance

    Specialist risk management, compliance, and control functions provide oversight, guidance, and challenge to the first line. These functions establish policies and frameworks, monitor compliance, and provide consolidated reporting on risk and control matters to management and the Board.

  • Third Line of Defence: Independent Assurance

    Internal and external audit functions provide independent and objective assurance on the effectiveness of governance, risk management, and internal control processes. The third line reports directly to the Audit and Risk Committee and has unrestricted access to information necessary to perform its role.

4. Risk Categories

The Company has identified the following categories of risk that may affect the achievement of its objectives. Risks within each category are identified, assessed, and managed in accordance with the processes set out in this Framework.

4.1 Strategic Risk

Strategic risks are those that may affect the Company's ability to achieve its strategic objectives. These include:

  • Market Changes: Shifts in customer preferences, market demand, industry structure, or economic conditions that may affect the Company's competitive position or growth prospects;
  • Competitive Dynamics: Actions by existing competitors or new market entrants, including pricing pressures, product innovations, or changes in competitive strategy; and
  • Technology Disruption: Emergence of new technologies or business models that may disrupt the Company's existing products, services, or market position.

4.2 Operational Risk

Operational risks are those arising from inadequate or failed internal processes, people, and systems, or from external events. These include:

  • Business Continuity: Events that may disrupt the Company's operations, including natural disasters, pandemics, infrastructure failures, or other events that affect the availability of critical systems or facilities;
  • Service Delivery: Failures in the delivery of products or services to customers, including quality issues, delays, or failure to meet contractual obligations; and
  • Supply Chain: Disruptions in the supply of goods or services from suppliers, including supplier failure, capacity constraints, or quality issues.

4.3 Financial Risk

Financial risks are those relating to the Company's financial position and performance. These include:

  • Liquidity Risk: The risk that the Company may not have sufficient cash or access to funding to meet its financial obligations as they fall due;
  • Credit Risk: The risk of financial loss arising from a counterparty failing to meet its contractual obligations, including customer defaults and debtor collections;
  • Currency Risk: The risk of financial loss arising from fluctuations in foreign exchange rates affecting the value of foreign currency denominated assets, liabilities, revenues, or expenses; and
  • Investment Risk: The risk of financial loss arising from the performance of investments or capital allocation decisions.

4.4 Compliance and Regulatory Risk

Compliance and regulatory risks are those arising from failure to comply with applicable laws, regulations, standards, or contractual obligations. This includes risks relating to changes in the regulatory environment, regulatory investigations or enforcement actions, and the adequacy of compliance programs and controls.

4.5 Technology and Cybersecurity Risk

Technology and cybersecurity risks are those relating to the Company's technology infrastructure, systems, and data. This includes risks relating to cyber attacks, data breaches, system failures, technology obsolescence, and the adequacy of technology controls and security measures.

4.6 Environmental and Climate Risk

Environmental and climate risks are those arising from the Company's impact on the environment and the impact of environmental factors on the Company. This includes physical risks from climate change (such as extreme weather events), transition risks from the shift to a lower-carbon economy, and regulatory risks from evolving environmental standards and disclosure requirements.

4.7 Reputational Risk

Reputational risks are those that may damage the Company's reputation, brand, or stakeholder relationships. This includes risks arising from negative publicity, product or service failures, ethical lapses, or association with controversial issues or parties.

4.8 People and Culture Risk

People and culture risks are those relating to the Company's workforce and organisational culture. This includes risks relating to talent attraction and retention, workforce capability and capacity, workplace health and safety, employee conduct and behaviour, and the alignment of culture with the Company's values and strategic objectives.

5. Risk Management Process

The Company's risk management process follows the internationally recognised ISO 31000:2018 methodology and comprises the following stages:

5.1 Risk Identification

Risk identification is the process of finding, recognising, and describing risks. The Company uses a variety of techniques to identify risks, including:

  • Brainstorming and Workshops: Facilitated sessions with management and staff to identify risks through structured discussion and collective knowledge;
  • Scenario Analysis: Examination of potential future events and their possible impacts on the Company, including "what if" analysis and stress testing;
  • Incident Analysis: Review of past incidents, near-misses, and control failures to identify underlying risks and opportunities for improvement;
  • Environmental Scanning: Monitoring of external factors including industry trends, regulatory developments, and emerging risks; and
  • Process Analysis: Systematic review of business processes to identify risks at each stage.

5.2 Risk Assessment

Risk assessment involves analysing each identified risk to understand its nature, causes, and potential consequences. The assessment considers both the likelihood of the risk occurring and the potential impact if it does occur. The Company uses a standardised likelihood and consequence matrix to ensure consistency in risk assessment across the organisation. The methodology for this assessment is set out in Section 6 of this Framework.

5.3 Risk Evaluation

Risk evaluation is the process of comparing the assessed level of risk against the Company's risk appetite and tolerance levels to determine whether the risk is acceptable or requires treatment. Risks are prioritised based on their assessed level, with higher-rated risks receiving greater management attention and resources.

5.4 Risk Treatment

Risk treatment involves selecting and implementing options to modify the risk. The Company considers the following treatment options:

  • Avoid: Eliminate the risk by discontinuing the activity that gives rise to the risk, where this is feasible and consistent with business objectives;
  • Reduce: Implement controls or other measures to reduce the likelihood or impact of the risk;
  • Transfer: Share the risk with another party, typically through insurance or contractual arrangements; and
  • Accept: Retain the risk without additional treatment, where the risk level is within tolerance and the cost of further treatment exceeds the potential benefit.

5.5 Risk Monitoring and Review

Risk monitoring and review is an ongoing process to ensure that risks remain within acceptable levels and that controls are operating effectively. This includes:

  • Regular review of the risk register and risk assessments;
  • Monitoring of key risk indicators (KRIs) and early warning signs;
  • Testing of controls to verify their effectiveness;
  • Review of incidents and near-misses; and
  • Periodic reassessment of the risk environment.

5.6 Communication and Reporting

Effective communication and reporting are essential to ensure that relevant stakeholders are informed about risks and their management. This includes internal reporting to management, the Audit and Risk Committee, and the Board, as well as external reporting to regulators and other stakeholders as required. The reporting framework is set out in Section 8 of this Framework.

6. Risk Assessment Methodology

6.1 Likelihood Scale

The likelihood of a risk occurring is assessed using the following five-point scale:

Rating | Descriptor     | Description
-------+----------------+-------------------------------------------------------------------------
1      | Rare           | May occur only in exceptional circumstances; less than once in 10 years
2      | Unlikely       | Could occur but not expected; once in 5 to 10 years
3      | Possible       | Might occur at some time; once in 2 to 5 years
4      | Likely         | Will probably occur in most circumstances; once in 1 to 2 years
5      | Almost Certain | Expected to occur in most circumstances; more than once per year

6.2 Consequence Scale

The consequence of a risk, if it were to occur, is assessed using the following five-point scale. Consequences are assessed across multiple dimensions, including financial, operational, regulatory, and reputational impacts:

Rating | Descriptor    | Description
-------+---------------+-----------------------------------------------------------------------------------------------
1      | Insignificant | Minimal financial impact; no regulatory impact; minor operational disruption easily managed
2      | Minor         | Low financial impact; minor regulatory breach; operational disruption contained
3      | Moderate      | Moderate financial impact; significant regulatory breach; considerable operational disruption
4      | Major         | Major financial impact; serious regulatory breach with enforcement action; severe operational disruption
5      | Catastrophic  | Severe financial impact threatening viability; loss of licence; complete operational failure

6.3 Risk Matrix

The overall risk rating is determined by combining the likelihood and consequence ratings using the following risk matrix:

Likelihood / Consequence | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5)
-------------------------+-------------------+-----------+--------------+-----------+-----------------
Almost Certain (5)       | Medium            | High      | High         | Extreme   | Extreme
Likely (4)               | Low               | Medium    | High         | High      | Extreme
Possible (3)             | Low               | Medium    | Medium       | High      | Extreme
Unlikely (2)             | Low               | Low       | Medium       | Medium    | High
Rare (1)                 | Low               | Low       | Low          | Medium    | High

The risk rating determines the level of management attention and action required:

  • Extreme: Immediate action required; Board and CEO oversight; detailed risk treatment plan with ongoing monitoring
  • High: Senior management attention required; treatment plan with defined actions and timeframes; regular monitoring
  • Medium: Management responsibility specified; treatment through existing procedures or specific action; periodic monitoring
  • Low: Manage through routine procedures; monitor for changes in risk level

6.4 Inherent vs Residual Risk

Risk assessment considers both the inherent risk and the residual risk:

  • Inherent Risk: The level of risk before any controls or mitigation measures are applied. This represents the "raw" exposure to the risk.
  • Residual Risk: The level of risk remaining after controls and mitigation measures have been applied. This represents the current exposure to the risk given existing controls.

The difference between inherent and residual risk indicates the effectiveness of existing controls. Risks are managed to ensure that residual risk remains within the Company's risk tolerance levels.
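The scales and matrix in Sections 6.1 to 6.4 are the one part of this Framework that can be expressed mechanically. The following is an added example (it is not Orisium's own code or tooling) that encodes the likelihood and consequence scales, the Section 6.3 risk matrix and its required actions, and the inherent-versus-residual comparison of Section 6.4, so that a risk register entry can be scored consistently. Two checks a practitioner would want are included: the matrix is verified to be monotone (a rating never falls as likelihood or consequence rises, which catches a transcription slip when the table is re-keyed), and a residual score is rejected if it is worse than the inherent score on either axis, since controls can only reduce likelihood or impact. The assumptions are: the class and function names, the sample register entry, and the trigger that a residual rating of High or Extreme requires a treatment plan (Section 6.3 lists a treatment plan for those two ratings; the page does not map the Section 2.2 tolerance bands onto matrix ratings, so no such mapping is attempted).

```python
"""Risk rating helper built from the Framework's Section 6 scales.

Added example, not part of the Framework or of Orisium's tooling. Names,
the sample entry and the treatment-plan trigger are assumptions.
"""
from dataclasses import dataclass

LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost Certain"}
CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}

# Risk matrix from Section 6.3, indexed as MATRIX[likelihood][consequence].
MATRIX = {
    5: {1: "Medium", 2: "High", 3: "High", 4: "Extreme", 5: "Extreme"},
    4: {1: "Low", 2: "Medium", 3: "High", 4: "High", 5: "Extreme"},
    3: {1: "Low", 2: "Medium", 3: "Medium", 4: "High", 5: "Extreme"},
    2: {1: "Low", 2: "Low", 3: "Medium", 4: "Medium", 5: "High"},
    1: {1: "Low", 2: "Low", 3: "Low", 4: "Medium", 5: "High"},
}
RATING_ORDER = ["Low", "Medium", "High", "Extreme"]

# Section 6.3: management attention and action required per rating.
ACTION = {
    "Extreme": "Immediate action; Board and CEO oversight; detailed treatment plan with ongoing monitoring",
    "High": "Senior management attention; treatment plan with defined actions and timeframes; regular monitoring",
    "Medium": "Management responsibility specified; treat via existing procedures or specific action; periodic monitoring",
    "Low": "Manage through routine procedures; monitor for changes in risk level",
}


def rate(likelihood: int, consequence: int) -> str:
    """Look up the Section 6.3 rating, rejecting values outside the 1-5 scales."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError(f"scale values must be 1-5, got L={likelihood} C={consequence}")
    return MATRIX[likelihood][consequence]


def matrix_is_monotone() -> bool:
    """Check that no rating falls as likelihood or consequence rises.

    A matrix re-keyed from a document can silently under-rate a cell; this
    catches that class of transcription error before the matrix is used."""
    for lik in range(1, 6):
        for con in range(1, 6):
            here = RATING_ORDER.index(MATRIX[lik][con])
            if con > 1 and RATING_ORDER.index(MATRIX[lik][con - 1]) > here:
                return False
            if lik > 1 and RATING_ORDER.index(MATRIX[lik - 1][con]) > here:
                return False
    return True


@dataclass
class RiskAssessment:
    """One risk register entry with inherent and residual scores (Section 6.4)."""
    name: str
    inherent_likelihood: int
    inherent_consequence: int
    residual_likelihood: int
    residual_consequence: int

    def __post_init__(self) -> None:
        # Controls reduce likelihood or impact (Section 5.4 "Reduce"); a residual
        # score worse than the inherent score on either axis is a data error.
        if (self.residual_likelihood > self.inherent_likelihood
                or self.residual_consequence > self.inherent_consequence):
            raise ValueError(f"{self.name}: residual score exceeds inherent score")

    def inherent_rating(self) -> str:
        return rate(self.inherent_likelihood, self.inherent_consequence)

    def residual_rating(self) -> str:
        return rate(self.residual_likelihood, self.residual_consequence)

    def control_effect(self) -> int:
        """Number of rating bands removed by existing controls (0 = no change)."""
        return RATING_ORDER.index(self.inherent_rating()) - RATING_ORDER.index(self.residual_rating())

    def needs_treatment_plan(self) -> bool:
        """Assumed trigger: Section 6.3 prescribes a treatment plan for High and Extreme."""
        return self.residual_rating() in ("High", "Extreme")


def summarise(assessment: RiskAssessment) -> dict:
    """Flat summary suitable for a risk register row or a monthly report line."""
    residual = assessment.residual_rating()
    return {
        "risk": assessment.name,
        "inherent": assessment.inherent_rating(),
        "residual": residual,
        "bands_reduced": assessment.control_effect(),
        "treatment_plan_required": assessment.needs_treatment_plan(),
        "action": ACTION[residual],
    }


if __name__ == "__main__":
    # Constructed sample entry: a data-breach risk assessed Likely/Major before
    # controls and Unlikely/Major after (controls cut likelihood, not impact).
    sample = RiskAssessment("Customer data breach", 4, 4, 2, 4)
    assert matrix_is_monotone(), "matrix transcription error"
    for key, value in summarise(sample).items():
        print(f"{key}: {value}")
```

Scoring both inherent and residual through the same `rate` function makes the Section 6.4 comparison explicit: the sample entry drops from High to Medium, so `bands_reduced` is 1 and the residual action is the Medium line from Section 6.3. Keeping the matrix as data rather than as nested conditionals means a Board-approved change to a cell is a one-line edit, and the monotonicity check will flag the edit if it makes a higher likelihood or consequence rate lower.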

7. Key Risk Indicators (KRIs)

7.1 Definition

Key Risk Indicators (KRIs) are quantitative measures that provide early warning signals of increasing risk exposure. KRIs are leading indicators that enable the Company to anticipate and proactively manage risks before they materialise or escalate beyond acceptable levels.

Each material risk identified in the Company's risk register is assigned one or more KRIs, with defined thresholds that indicate when management attention or action is required. KRIs are designed to be specific, measurable, and actionable, enabling timely risk-informed decision-making.

7.2 Examples Across Risk Categories

The following are examples of KRIs that the Company monitors across its risk categories:

  • Strategic Risk

    Customer concentration ratios; market share trends; competitive win/loss rates; customer satisfaction scores

  • Operational Risk

    System uptime and availability; incident response times; service level agreement compliance; project delivery performance

  • Financial Risk

    Cash flow forecasts; debtor days outstanding; covenant compliance ratios; revenue concentration by customer

  • Compliance Risk

    Regulatory breach incidents; audit findings; policy exception requests; compliance training completion rates

  • Cybersecurity Risk

    Security incident frequency and severity; vulnerability remediation times; phishing simulation results; access control reviews

  • People Risk

    Employee turnover rates; time to fill critical roles; safety incident rates; employee engagement scores

7.3 Monitoring Frequency

KRIs are monitored at frequencies appropriate to the nature and volatility of the risk:

  • Real-time or Daily: Critical operational and cybersecurity metrics where immediate awareness is essential;
  • Weekly: Key operational performance indicators and project status metrics;
  • Monthly: Financial performance metrics, compliance indicators, and operational efficiency measures; and
  • Quarterly: Strategic indicators, trend analysis, and comprehensive risk profile reviews.

Threshold breaches are escalated in accordance with defined escalation protocols, ensuring timely management response.

8. Risk Reporting

The Company has established a structured reporting framework to ensure that relevant stakeholders receive timely and appropriate information about risks and their management.

8.1 Management Reporting (Monthly)

The Executive Team receives monthly risk reporting that includes:

  • Summary of key risks and their current status;
  • Key risk indicator dashboard with threshold status;
  • Progress on risk treatment actions;
  • Incident and near-miss summary; and
  • Emerging risks and issues requiring attention.

8.2 Committee Reporting (Quarterly)

The Audit and Risk Committee receives quarterly risk reporting that includes:

  • Comprehensive risk profile with movement analysis;
  • Material risk deep-dives as required;
  • Control effectiveness assessments;
  • Internal audit findings and management responses;
  • Compliance status reporting; and
  • Emerging risk assessment.

8.3 Board Reporting (Quarterly and Annually)

The Board receives quarterly risk updates from the Audit and Risk Committee, including highlights of material risks, significant changes in the risk profile, and matters requiring Board attention or decision.

Annually, the Board receives a comprehensive risk management report that includes:

  • Assessment of the effectiveness of the risk management framework;
  • Review of risk appetite and tolerance settings;
  • Year-on-year risk profile comparison;
  • Summary of risk management activities and achievements; and
  • Priorities for the coming year.

8.4 External Reporting Requirements

The Company discloses information about its risk management framework and material risks in accordance with applicable requirements, including:

  • Annual Report disclosures on risk management practices and material risks;
  • Corporate Governance Statement disclosures regarding Principle 7 compliance;
  • Continuous disclosure obligations for material risks that could affect the Company's share price; and
  • Climate-related and sustainability disclosures as required.

9. Internal Audit Function

9.1 Independence

The Company has established an internal audit function to provide independent and objective assurance on the effectiveness of governance, risk management, and internal control processes. The internal audit function operates independently from management and reports functionally to the Audit and Risk Committee and administratively to the Chief Executive Officer.

The internal audit function has unrestricted access to all records, personnel, and physical properties relevant to the performance of its duties. The head of internal audit has direct and unrestricted access to the Chair of the Audit and Risk Committee.

9.2 Scope

The scope of the internal audit function encompasses:

  • Evaluation of the design and operating effectiveness of internal controls;
  • Assessment of compliance with policies, procedures, laws, and regulations;
  • Review of the reliability and integrity of financial and operational information;
  • Evaluation of the effectiveness of risk management processes;
  • Assessment of the safeguarding of Company assets; and
  • Review of the economy, efficiency, and effectiveness of operations.

The internal audit function develops a risk-based annual audit plan that is approved by the Audit and Risk Committee. The plan is designed to provide assurance coverage across the Company's material risks over a rolling multi-year period.

9.3 Coordination with External Audit

The internal audit function coordinates its activities with the external auditors to ensure comprehensive assurance coverage and avoid unnecessary duplication of effort. This coordination includes:

  • Sharing of audit plans and risk assessments;
  • Sharing of audit findings and recommendations;
  • Regular communication on matters of mutual interest; and
  • Consideration of external audit's reliance on internal audit work where appropriate.

10. Business Continuity Management

10.1 BCM Program Overview

The Company has established a Business Continuity Management (BCM) program to ensure that it can continue to deliver critical products and services during and after a disruptive incident. The BCM program is aligned with ISO 22301 Business Continuity Management Systems and includes:

  • Business Impact Analysis (BIA) to identify critical business functions and their recovery requirements;
  • Risk assessment of potential disruption scenarios;
  • Business Continuity Plans (BCPs) for maintaining critical operations during disruption;
  • Recovery strategies and resource requirements; and
  • Communication plans for internal and external stakeholders.

10.2 Crisis Management

The Company has established a Crisis Management Team (CMT) to provide leadership and coordination during significant disruptive events. The CMT is responsible for:

  • Assessing the nature and severity of incidents;
  • Activating appropriate response and recovery plans;
  • Coordinating response activities across the organisation;
  • Managing communications with stakeholders, media, and regulators; and
  • Overseeing recovery and return to normal operations.

10.3 Disaster Recovery

The Company maintains Disaster Recovery (DR) capabilities to restore critical technology systems and data following a disruptive event. DR capabilities include:

  • Geographically redundant infrastructure for critical systems;
  • Regular data backups with off-site storage;
  • Defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for critical systems; and
  • Documented disaster recovery procedures.

10.4 Testing Requirements

The Company regularly tests its business continuity and disaster recovery capabilities to ensure they remain effective. Testing activities include:

  • Annual: Full business continuity exercise involving the Crisis Management Team;
  • Semi-annual: Disaster recovery tests for critical systems;
  • Quarterly: Backup restoration tests; and
  • As required: Targeted testing following significant changes to systems or processes.

Test results are documented and reviewed to identify opportunities for improvement. Lessons learned are incorporated into updated plans and procedures.

11. Emerging Risk Identification

The Company maintains processes to identify emerging risks that may affect its operations or strategic objectives. Emerging risks are new or evolving risks that are characterised by a high degree of uncertainty regarding their nature, timing, or potential impact.

11.1 Environmental Scanning

The Company monitors its external environment to identify trends, developments, and events that may give rise to emerging risks. Environmental scanning activities include monitoring of economic indicators, geopolitical developments, social trends, and sector-specific developments.

11.2 Technology Trends

The Company monitors technology trends to identify both opportunities and risks arising from technological change. This includes developments in artificial intelligence, cybersecurity threats, cloud computing, data analytics, and other technologies relevant to the Company's operations and competitive position.

11.3 Regulatory Changes

The Company maintains awareness of proposed and pending regulatory changes that may affect its operations. This includes monitoring of legislative developments, regulatory guidance, and enforcement trends across the jurisdictions in which the Company operates.

11.4 Industry Developments

The Company monitors developments within its industry and adjacent industries to identify emerging risks and opportunities. This includes tracking of competitor activities, market structure changes, supply chain developments, and evolving customer expectations.

Emerging risks identified through these processes are evaluated using the Company's risk assessment methodology and, where material, are incorporated into the Company's risk register and reported to the Board.

12. Risk Culture

The Company is committed to fostering a strong risk culture that supports effective risk management throughout the organisation. A positive risk culture is one in which all employees understand the importance of risk management, are empowered to identify and escalate risks, and are held accountable for managing risks within their areas of responsibility.

12.1 Tone from the Top

The Board and senior management set the tone for risk culture by:

  • Demonstrating commitment to risk management through words and actions;
  • Communicating the importance of risk management to achieving strategic objectives;
  • Integrating risk considerations into strategic and operational decision-making; and
  • Holding themselves and others accountable for risk management responsibilities.

12.2 Accountability

The Company establishes clear accountability for risk management through:

  • Defined roles and responsibilities for risk management;
  • Inclusion of risk management in position descriptions and performance objectives;
  • Consideration of risk management performance in remuneration decisions; and
  • Recognition of individuals who demonstrate exemplary risk management behaviour.

12.3 Training and Awareness

The Company provides training and awareness programs to ensure that all employees understand their risk management responsibilities. This includes:

  • Induction training on the risk management framework for new employees;
  • Role-specific training for employees with significant risk management responsibilities;
  • Regular awareness communications on risk topics; and
  • Periodic refresher training on risk management principles and practices.

12.4 Open Reporting Environment

The Company encourages an open reporting environment in which employees feel safe to identify, report, and escalate risks and concerns without fear of retaliation. This is supported by:

  • Multiple channels for reporting risks and concerns;
  • Protection for employees who report concerns in good faith;
  • A Whistleblower Policy that protects those who report wrongdoing; and
  • A culture that treats reported issues as opportunities for improvement rather than occasions for blame.

13. Annual Risk Review

13.1 Risk Profile Update

The Company conducts an annual comprehensive review of its risk profile. This review includes:

  • Reassessment of all material risks in the risk register;
  • Identification of new risks and removal of risks that are no longer relevant;
  • Review of risk ratings and control effectiveness assessments;
  • Consideration of changes in the external environment; and
  • Alignment of the risk profile with the Company's strategic plan.

13.2 Framework Effectiveness Review

The Board, with input from the Audit and Risk Committee, conducts an annual review of the effectiveness of the risk management framework. This review assesses:

  • Whether the framework remains appropriate for the Company's size, complexity, and risk profile;
  • The quality of risk identification, assessment, and treatment processes;
  • The effectiveness of risk reporting and communication;
  • The integration of risk management into business processes and decision-making;
  • The effectiveness of internal controls; and
  • The strength of the risk culture.

13.3 Board Attestation

Following the annual review, the Board, with appropriate input from the Audit and Risk Committee and management, makes an attestation regarding the risk management framework. This attestation confirms that:

  • The risk management framework has been reviewed and continues to be sound;
  • The Company is operating with due regard to the risk appetite set by the Board; and
  • Material risks are being managed appropriately.

The Board attestation is disclosed in the Company's Corporate Governance Statement in accordance with ASX Recommendation 7.2.

14. Framework Administration

14.1 Framework Owner

The Chief Risk Officer (or, where a Chief Risk Officer has not been appointed, the Chief Financial Officer) is the owner of this Framework and is responsible for:

  • Maintaining and updating the Framework as required;
  • Ensuring the Framework remains aligned with best practice and regulatory requirements;
  • Coordinating the annual Framework review;
  • Providing guidance and support to management and staff on Framework implementation; and
  • Reporting on Framework matters to the Audit and Risk Committee and the Board.

14.2 Annual Review Cycle

This Framework is reviewed annually by the Framework Owner and the Audit and Risk Committee, and approved by the Board. The review considers:

  • Changes in the Company's operations, strategy, or risk profile;
  • Changes in applicable laws, regulations, or governance requirements;
  • Developments in risk management best practice;
  • Feedback from internal and external stakeholders; and
  • Lessons learned from risk incidents and near-misses.

14.3 Amendment Process

Material amendments to this Framework require approval by the Board, on the recommendation of the Audit and Risk Committee. Minor amendments of an administrative nature may be approved by the Framework Owner.

All amendments are documented in the Framework version history, which includes the nature of the amendment, the date of approval, and the approving authority.

Document Control

Version: 1.0
Effective Date: 1 January 2025
Owner: Chief Risk Officer / Chief Financial Officer
Approved By: Board of Directors
Next Review Date: 31 December 2025
Classification: Public

Board Adoption

This Risk Management Framework was adopted by the Board of Directors of Orisium Pty Limited on 1 January 2025. The Framework is subject to annual review to ensure ongoing compliance with applicable laws, regulations, international standards, and best practice requirements.