1.3 Risk Management - What the organisation does to ensure information risk is measured and managed to an acceptable level.
Risk within the TRE organisation is ultimately owned by the top management with risk ownership for data assets delegated to information asset owners. Risks related to operations are assessed and treated by operational teams.
Risk ownership involves understanding the organisation's risk appetite and agreeing to proceed with operations given the current or future risk landscape. The risk assessment process scores each risk according to an agreed matrix, usually based on likelihood and impact. Once a risk is assessed, the risk treatment process is triggered, applying technical, policy and process controls to bring it within accepted tolerances. Where a risk falls outside the automatically accepted tolerances, it is escalated to the risk owner.