ICT risk management

The following table provides information on the range of risk management related tools and techniques that are currently available to the Queensland Government.

Interested in ICT risk management? Do you know of additional resources that would be useful? Do you think additional material is needed? Join us on the QGCIO collaboration forum to share ideas and be involved in discussions.

Please note some of the links below are only available to Queensland Government employees.

Category: Generic risk management

Document: A Guide to Risk Management – Queensland Treasury (July 2011)

Scope: Based on ISO31000:2009 Risk Management: Principles and guidelines. Contains the minimum principles and procedures of a basic risk management process. Separates risk into two types – strategic risk and operational risk. Provides information on the generic risk management process:

  • context
  • risk identification
  • risk analysis
  • risk evaluation
  • risk treatment
  • communication and consultation
  • monitoring and review.

In addition, an example risk matrix and example potential sources of risk are provided.

Document: Management of Risk – UK Office of Government Commerce (OGC)

Scope: The Queensland Government has access to Management of Risk: Guideline for Practitioners through the AXELOS website. For general information please visit the M_o_R website.

Category: Services risk management

Document: None currently identified

Scope: Currently no information identified in this area – if you would like to discuss this area of risk, please join us on the collaboration forum at https://portal.qgcio.qld.gov.au/forum/ict-risk-management.

Category: Business process risk management

Document: Queensland Government Business Process Improvement methodology (Queensland Government only)

Scope: Provides techniques to assess the current risk of each business process to the business, based on the business impact and condition of the business process. The business impact indicates the consequences to the business should the process fail or not be available. Detailed assessment criteria are available to individually calculate the business impact and condition of business processes.

Category: Information, application and technology asset risk management

Document: Queensland Government ICT Planning Methodology (Queensland Government only)

Scope: Provides techniques to assess the current risk of each asset to the business, based on the business impact and technical condition of the asset. The business impact indicates the consequences to the business should the asset fail or not be available. Detailed assessment criteria are available to individually calculate the business impact and technical condition of information, application and technology assets. Example rating scales for risk likelihood and risk consequences for systems (application and technology assets) can be found here.

Category: ICT sourcing and procurement risk management

Document: ICT-as-a-service Decision Making Framework

Scope: Provides criteria and guidance to help an agency determine, via a risk assessment, whether an ICT workload (system/application/data) is suitable for cloud delivery.

Document: Procurement process and risk matrix – QGCPO

Scope: Helps departments select the appropriate method for procurement depending on the level of risk and expenditure.

Category: Portfolio risk management (initiative prioritisation)

Document: Portfolio Management Methodology (Queensland Government only)

Scope: Based on ISO31000:2009 Risk Management: Principles and guidelines. Provides achievability and attractiveness criteria that consider key risks to initiatives delivering organisational strategic objectives, and provides an indication of the order of priority in which initiatives should be implemented. Example rating scales for risk likelihood and risk consequences for initiatives can be found here.

Document: Information risk management best practice guidelines

Scope: This guideline details a risk management process to prioritise and plan for implementation of QGEA policies and information standards.

Document: Queensland Government ICT Planning Methodology (Queensland Government only)

Scope: Provides additional attractiveness and achievability criteria that extend those in the Portfolio Management Methodology. Also provides a technique to rank initiatives, using a mathematical formula to calculate the linear distance along a diagonal from the optimum score (5 for attractiveness and 5 for achievability) to zero on the priority grid model.

Category: QGEA policy implementation prioritisation

Document: QGEA implementation prioritisation technique guideline

Scope: Provides a technique using assessments of attractiveness and achievability to prioritise implementation of QGEA policies. The attractiveness assessment examines the contribution the policy makes to current whole-of-government and departmental business direction, benefits realisation and risk mitigation. Achievability examines the likelihood of successful implementation based on the department's current capability and capacity.

Category: Project and program risk management

Document: Project Management Methodology (Queensland Government only)

Scope: Based on ISO31000:2009 Risk Management: Principles and guidelines. Provides information on managing risks throughout a project lifecycle, based on the 'continued business justification' principle.

Document: Program Management Methodology (Queensland Government only)

Scope: Provides information on managing risks relating to programs, based on nine principles that should underpin successful risk management within a program.

Document: ICT project and program assurance

Scope: Establishes a consistent assurance process to manage risk and improve confidence in information regarding programs and projects. Provides nine criteria and techniques to calculate an initiative's assurance profile level to uncover areas of risk for further analysis.

Document: Privacy impact assessment process

Scope: The Office of the Information Commissioner has issued a number of useful processes and guidelines for conducting privacy impact assessments for projects.

Document: Queensland Government Program Evaluation Guidelines

Scope: The Queensland Government Program Evaluation Guidelines outline a set of broad principles to underpin the planning and implementation of evaluations for programs funded by the Queensland Government.

Category: Information security risk management

Document: Queensland Government Information Security Classification Framework (QGISCF)

Scope: Provides techniques for agencies to undertake a security impact assessment for information assets based on standard criteria. The assessment results in a determination of the most appropriate security classification (either national or non-national) for the information assessed.

Document: Queensland Government Authentication Framework (QGAF)

Scope: Provides a process that allows agencies to evaluate the risk associated with a service and determine the appropriate level of authentication assurance required.

Document: HB231:2004 Information Security risk management guidelines

Scope: Provides a generic guide for the establishment and implementation of a risk management process for information security risks.

Category: Workforce planning risk management

Document: Workforce planning methodology

Scope: Provides information about the risks associated with not undertaking workforce planning, and about gaps in workforce competencies.

Category: Risk management capability

Document: None currently identified

Scope: Currently no information identified in this area – if you would like to discuss this area of risk, please join us on the collaboration forum at https://portal.qgcio.qld.gov.au/forum/ict-risk-management.

Category: Cloud solution

Document: Cloud solution risk framework (Queensland Government only)

Scope: Provides a template to conduct a risk assessment for providing a cloud solution in your organisation.