ICT risk management

The following table provides information on the range of risk management related tools and techniques that are currently available to the Queensland Government.

Interested in ICT risk management? Do you know of additional resources that would be useful? Do you think additional material is needed? Join us on the QGCIO discussion forum to share ideas and be involved in discussions.

Please note some of the links below are only available to Queensland Government employees.

Category	Document	Scope
Generic risk management	A Guide to Risk Management – Queensland Treasury (July 2011)	Based on ISO31000:2009 Risk Management: Principles and guidelines. Contains the minimum principles and procedures of a basic risk management process. Separates risk into two types – strategic risk and operational risk. Provides information on generic risk management process: context risk identification risk analysis risk evaluation risk treatment communication and consultation monitoring and review. In addition an example risk matrix and example potential sources of risk are also provided.
Generic risk management	Management of Risk – UK Office of Government Commerce (OCG)	The Queensland Government has access to the Management of risk: Guideline for Practioners through the AXELOS website. For general information please visit the M_o_R website.
Services risk management	None currently identified	Currently no information identified in this area – if you would like to discuss this area of risk, please join us on the discussion forum.
Business process risk management	Queensland Government Business Process Improvement methodology (Queensland Government only)	Provides techniques to assess the current risk of each business process to the business based on the business impact and condition of the business process. The business impact can be used to indicate the consequences to the business should the process fail or not be available. Detailed assessment criteria are available to individually calculate the business impact and condition of business processes.
Information, application and technology asset risk management	Queensland Government ICT Planning Methodology (Queensland Government only)	Provides techniques to assess the current risk of each asset to the business based on the business impact and technical condition of the asset. The business impact can be used to indicate the consequences to the business should the asset fail or not be available. Detailed assessment criteria are available to individually calculate the business impact and technical condition of information, application and technology assets. Example rating scales for risk likelihood and risk consequences for systems (application and technology assets) can be found here.
ICT sourcing and procurement risk management	ICT-as-a-service Decision Making Framework	Provides criteria and guidance to help an agency to determine via a risk assessment whether an ICT workload (system/application/data) is suitable for cloud delivery.
ICT sourcing and procurement risk management	Procurement process and risk matrix - QGCPO	Helps departments select the appropriate method for procurement depending on the level of risk and expenditure.
Portfolio risk management (initiative prioritisation)	Portfolio Management Methodology (Queensland Government only)	Based on ISO31000:2009 Risk Management: Principles and guidelines. Provides achievability and attractiveness criteria which considers key risks to initiatives delivering organisation strategic objectives and provides and indication of the order of priority in which initiatives should be implemented. Example rating scales for risk likelihood and risk consequences for intiatives can be found here.
	Information risk management best practice guidelines (PDF, 134.07 KB)	This guideline details a risk management process to prioritise and plan for implementation of QGEA policies and information standards.
	Queensland Government ICT Planning Methodology (Queensland Government only)	Provides some additional attractiveness and achievability criteria to extend on that provided in the Portfolio Management Methodology. In addition a technique to rank initiatives is also provided using a mathematical formula to calculate a linear distance along a diagonal from the optimum score of 5 for attractiveness and 5 for achievability to zero on the priority grid model.
QGEA policy implementation prioritisation	QGEA implementation prioritisation technique guideline	Provides a technique using assessments of attractiveness and achievability to prioritise implementation of QGEA policies. The attractiveness assessment examines the contribution the policy makes to current whole-of-government and departmental business direction, benefits realisation and risk mitigation. Achievability examines the likelihood of successful implementation based on the department’s current capability and capacity.
Project and program risk management	Project Management Methodology (Queensland Government only)	Based on ISO31000:2009 Risk Management: Principles and guidelines. Provides information on managing risks throughout a project lifecycle, based on the 'continued business justification' principle.
	Program Management Methodology (Queensland Government only)	Provides information on managing risks relating to programs and is based on nine principles that should underpin successful risk management within a program.
	ICT project and program assurance	Establishes a consistent assurance process to manage risk and improve confidence in information regarding programs and projects. Provides nine criteria techniques to calculate an initiatives assurance profile level to uncover areas of risk for further analysis.
	Privacy impact assessment process	The Office of the Information Commissioner has issued a number of useful process and guideline for conducting privacy impact assessments for projects: Privacy impact assessment (PIA) guideline Overview of the privacy impact assessment process
	Queensland Government Program Evaluation Guidelines	The Queensland Government Program Evaluation Guidelines outline a set of broad principles to underpin the planning and implementation of evaluations for programs funded by the Queensland Government. For further information please contact PEG@treasury.qld.gov.au.
Information security risk management	Queensland Government Information Security Classification Framework (QGISCF)	Provides techniques for agencies to undertake a security impact assessment for information assets based on standard criteria. The assessment results in a determination of the most appropriate security classification (either national or non-national classifications) for the information assessed.
	Queensland Government Authentication Framework (QGAF)	Provides a process which allows agencies to evaluate the risk associated with a service a determine the appropriate level of authentication assurance required.
	AS/NZS ISO/IEC 27005:2012 Information technology - Security techniques - Information security risk management (ISO/IEC 27005:2011, MOD)	Provides guidance on information security risk management.
Workforce planning risk management	Workforce planning methodology	Provides information about the risks associated with not undertaking workforce planning, and gaps in workforce competencies.
Risk management capability	None currently identified	Currently no information identified in this area – if you would like to discuss this area of risk, please join us on the discussion forum.
Cloud solution	Cloud solution risk framework template (Queensland Government only)	Provides a template to conduct a risk assessment for providing a cloud solution in your organisation.