Risks and challenges

Final | October 2018 | v1.0.0 | OFFICIAL-Public | QGCDG


Strategic risks are potential events or threats that affect or may result from an organisation’s business strategy and strategic objectives. The ever-increasing pace at which business models and technology innovations change increases the need to continually identify and respond to strategic risks that threaten the achievement of strategic objectives.


A practitioner in the context of this guideline can include one or more of the following roles:

  • Digital and ICT strategic planners
  • Agency and service strategic planners
  • Workforce planners
  • Business analysts
  • Information managers.

Risk management

Each agency will have its own risk management framework, and practitioners need to consider this guideline within the context of the agency’s framework.

The practices in this guideline should be conducted in collaboration with the stakeholders identified in the Initiate workstream. The identification of strategic risks can be performed as part of a workshop or as a separate risk workshop.

Strategic risks need to be considered from the perspective not only of what risks are associated with the strategy but also of what risks are minimised or mitigated because of the strategy. A typical risk management cycle is represented in Figure 1 below:

Figure 1 - Risk management cycle

Practitioners following a formal risk management process like the one outlined in Figure 1 should focus on the identification, analysis, evaluation and treatment steps.


When identifying risks, it may be useful to first consider categories of risk. Risks can also be either internal or external. Figure 2 describes some typical risk categories and risks.

Figure 2 - Risk categories

Once the risks have been identified, the consequences and likelihood of each risk occurring should also be identified. A risk rating (typically Extreme, High, Medium or Low) can then be derived based on the consequences and likelihood scores, applying a risk assessment matrix adopted by the agency.

It may be necessary to discuss with stakeholders which risks are both significant and strategic, as well as which risks the agency might be willing to accept. Only those risks agreed with stakeholders should be carried forward to the digital or ICT strategic document or plan.

Practitioners should also identify mitigation strategies with stakeholders. In some cases, it may be acceptable to discuss some of the mitigation strategies as part of the narrative in the digital or ICT strategy or plan to convey how the agency plans to respond positively to the strategic risks.

The Queensland Government Performance Management Framework also recommends the use of Strengths, Weaknesses, Opportunities and Threats (SWOT) Analysis as a method of identifying strategic risks.

When risks form part of a strategy or plan, either as a dedicated section or as part of a narrative, the Queensland Government Strategic Planning Toolkit recommends using terminology such as ‘strategic challenges and opportunities’ or ‘critical issues’.

Next steps

The methods outlined in this guideline are iterative. It might take several workshops with several diverse groups of people to articulate the final digital or ICT risks.

Practitioners should liaise with the planning sponsor to have the strategic risks formally recognised in the agency’s risk register so all strategic risks can be formally and properly monitored and managed.

It is important to ‘play back’ the outputs of workshops to participants within a short timeframe after the workshop. This will maintain interest and ensure the participants feel that their time spent participating was worthwhile.

Once the digital or ICT risks have been identified, work can commence on drafting the digital or ICT strategy or plan.




Queensland Government performance management framework

Link – Managing government performance resources

Last Reviewed: 24 October 2018