ICT risk matrix


The risk matrix below follows the guidelines set out in Queensland Treasury and Trade's "A Guide to Risk Management" (July 2011). It combines the likelihood of a risk occurring with the consequence should it occur, giving the risk rating that determines how the risk is treated and/or monitored.

The QGCIO uses this matrix and associated rating scales in its assessment of ICT initiative and system risk and provides them here for agency reference only.

Risk rating by likelihood (rows) and consequence (columns):

Likelihood       Insignificant  Minor    Moderate  Major    Critical
Rare             LOW            LOW      LOW       MEDIUM   HIGH
Unlikely         LOW            LOW      MEDIUM    MEDIUM   HIGH
Possible         LOW            MEDIUM   MEDIUM    HIGH     HIGH
Likely           MEDIUM         MEDIUM   HIGH      HIGH     EXTREME
Almost certain   MEDIUM         MEDIUM   HIGH      EXTREME  EXTREME

Rating and required treatment:

LOW      Accept the risk; routine management
MEDIUM   Specific responsibility and treatment
HIGH     Quarterly senior management review
EXTREME  Monthly senior management review

The scales below rate likelihood and consequence and can be applied to both initiative risk and system risk.

Example rating scale for risk likelihood - initiatives and systems

The following rating scale considers the likelihood that a specific risk will occur and can be used in the assessment of likelihood for both ICT initiatives and ICT systems.

Likelihood scale  Criteria   Description
Rare              0 - 5%     Extremely unlikely or virtually impossible
Unlikely          6 - 25%    Unlikely to occur
Possible          26 - 50%   Fairly likely to occur
Likely            51 - 75%   More likely to occur
Almost certain    >75%       Almost certain to occur

Example rating scale for risk consequence - initiatives

The following rating scale considers the resultant impact on the business should a risk occur and can be used in the assessment of consequence for ICT initiatives.

If multiple impacts could occur with different consequence ratings then the most critical impact should be selected as the overall rating to ensure appropriate management of the risk.

Consequence scale

Impact to cost
  Insignificant: <$150k
  Minor: $150k - $500k
  Moderate: $500k - $1.5m
  Major: $1.5m - $5m
  Critical: >$5m

Impact to time
  Insignificant: <10 days
  Minor: 10 - 20 days
  Moderate: 20 - 40 days
  Major: 40 - 60 days
  Critical: >60 days

Impact to scope
  Insignificant: Minor change in ancillary requirements
  Minor: Change in ancillary requirements
  Moderate: Change in multiple requirements
  Major: Change in any of the critical requirements
  Critical: Major change in any of the critical requirements

Impact to government reputation
  Insignificant: Little to no impact; control of impact can be managed internally
  Minor: Some impact to government reputation; control of impact can be managed internally
  Moderate: Moderate impact to government reputation; control of impact can be managed internally, but risk is high that other parties may need to get involved
  Major: Major impact to government reputation; control will require the involvement of a number of agencies
  Critical: Significant impact to government reputation; media news coverage; Minister or Premier involved
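The following is an added worked example, not QGCIO tooling: it applies the initiative likelihood scale, the cost and time consequence thresholds, the "most critical impact wins" rule and the matrix above to produce a rating and its required treatment. Qualitative impacts (scope, reputation) are assumed to be pre-rated by the assessor, and a value that falls exactly on a boundary shared by two bands is assumed to take the higher band.

```python
LEVELS = ["Insignificant", "Minor", "Moderate", "Major", "Critical"]
LIKELIHOODS = ["Rare", "Unlikely", "Possible", "Likely", "Almost certain"]

# Risk matrix: rows are likelihood, columns are consequence, as on the page.
MATRIX = [
    ["LOW", "LOW", "LOW", "MEDIUM", "HIGH"],
    ["LOW", "LOW", "MEDIUM", "MEDIUM", "HIGH"],
    ["LOW", "MEDIUM", "MEDIUM", "HIGH", "HIGH"],
    ["MEDIUM", "MEDIUM", "HIGH", "HIGH", "EXTREME"],
    ["MEDIUM", "MEDIUM", "HIGH", "EXTREME", "EXTREME"],
]
ACTION = {
    "LOW": "Accept the risk; routine management",
    "MEDIUM": "Specific responsibility and treatment",
    "HIGH": "Quarterly senior management review",
    "EXTREME": "Monthly senior management review",
}
# Initiative consequence scale: upper bound of each band below Critical.
COST_THRESHOLDS = (150_000, 500_000, 1_500_000, 5_000_000)  # dollars
TIME_THRESHOLDS = (10, 20, 40, 60)                           # days of delay


def likelihood(probability_pct):
    """Likelihood band for an estimated probability in percent (0-100)."""
    for upper, name in ((5, "Rare"), (25, "Unlikely"), (50, "Possible"), (75, "Likely")):
        if probability_pct <= upper:
            return name
    return "Almost certain"


def band(value, thresholds):
    """Consequence level for a numeric impact. Assumption: a value exactly on a
    shared boundary (e.g. $150k) takes the higher band, the conservative reading."""
    for level, upper in zip(LEVELS, thresholds):
        if value < upper:
            return level
    return LEVELS[-1]


def consequence(cost_dollars=0, delay_days=0, scope=None, reputation=None):
    """Overall consequence is the most critical single impact, per the page's rule.
    Scope and reputation are qualitative, so they are passed in already rated."""
    rated = [band(cost_dollars, COST_THRESHOLDS), band(delay_days, TIME_THRESHOLDS)]
    rated += [lvl for lvl in (scope, reputation) if lvl is not None]
    return max(rated, key=LEVELS.index)


def rate(probability_pct, **impacts):
    """Return (likelihood, consequence, rating, required treatment)."""
    lk, cq = likelihood(probability_pct), consequence(**impacts)
    rating = MATRIX[LIKELIHOODS.index(lk)][LEVELS.index(cq)]
    return lk, cq, rating, ACTION[rating]
```

For example, a 60% likely risk with a $2m cost overrun and a 15-day delay rates Major on cost, Minor on time, Major overall, and lands on HIGH (quarterly senior management review).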

Example rating scale for risk consequence - systems

The following rating scale considers the resultant impact on the business should a risk occur and can be used in the assessment of consequence for ICT systems.

If multiple impacts could occur with different consequence ratings then the most critical impact should be selected as the overall rating to ensure appropriate management of the risk.

Consequence scale (- : no criterion defined at that level)

Risk to individual safety
  Insignificant: None/negligible
  Minor: -
  Moderate: -
  Major: Any risk to personal safety
  Critical: Threaten life directly

Distress caused to any party
  Insignificant: None/negligible
  Minor: -
  Moderate: Short term distress
  Major: Limited long term distress
  Critical: Substantial long term distress

Public order
  Insignificant: None/negligible
  Minor: -
  Moderate: Measurable impact
  Major: Prejudice
  Critical: Seriously prejudice

Damage to any party's standing or reputation
  Insignificant: None/negligible
  Minor: -
  Moderate: Short term damage
  Major: Limited long term damage
  Critical: Substantial long term damage

Inconvenience to any party
  Insignificant: None/negligible
  Minor: Minor inconvenience
  Moderate: Minor inconvenience
  Major: Significant inconvenience
  Critical: Substantial inconvenience

Inappropriate release of personally or commercially sensitive data to third parties
  Insignificant: No or negligible release of sensitive information
  Minor: Minor impact
  Moderate: Measurable impact; breach of regulations or commitment to confidentiality
  Major: Release of information would have significant impact
  Critical: Would have major consequences to a person, agency or business

Impact on Government finances or economic and commercial interests
  Insignificant: No or negligible impact
  Minor: -
  Moderate: Cause financial loss or loss of earning potential
  Major: Work significantly against
  Critical: Substantial damage

Financial loss to any client of the service provider or third party
  Insignificant: No or negligible loss
  Minor: Minor loss
  Moderate: Moderate loss
  Major: Significant loss
  Critical: Substantial loss

Financial loss to agency/service provider
  Insignificant: No or negligible loss
  Minor: Minor (< 2% of monthly agency budget)
  Moderate: Moderate (2% - 5% of monthly agency budget)
  Major: Significant (5% - 10% of monthly agency budget)
  Critical: Substantial (> 10% of monthly agency budget)

Threat to government agency's systems or capacity to conduct their business
  Insignificant: No or negligible threat
  Minor: -
  Moderate: -
  Major: Agency business or service delivery impaired in any way
  Critical: Agency business halted or significantly impaired for a substantial period

Assistance to crime or impact on its detection
  Insignificant: Would be of no or negligible assistance or hindrance to detection of unlawful activity
  Minor: -
  Moderate: Prejudice investigation or facilitate commission of violations that will be subject to enforcement
  Major: Impede investigation or facilitate commission of serious crime
  Critical: Prevent investigation or directly allow commission of serious crime

Impact on development or operation of major government policy
  Insignificant: No or negligible impact
  Minor: Minor impact
  Moderate: Impedes effective development or operation
  Major: Seriously impede
  Critical: Substantially impede

Impact on the environment
  Insignificant: None/negligible
  Minor: Minor impact on the environment
  Moderate: Measurable short term damage to the environment
  Major: Limited long term damage to the environment
  Critical: Substantial long term damage to the environment

Impact on agency or Queensland Government workforce
  Insignificant: None/negligible
  Minor: Minor impact
  Moderate: Measurable impact
  Major: Limited long term impact
  Critical: Substantial long term impact

Impact on risk of litigation
  Insignificant: None/negligible
  Minor: Minor impact
  Moderate: Measurable impact
  Major: Significant impact
  Critical: Substantial impact