Hmmm. "[...] the deployer shall develop a risk management policy after deploying the system [...]".

I wonder why it is after rather than before?