The risk matrix diagram below follows the guidelines set out in Queensland Treasury and Trade's A Guide to Risk Management (July 2011). It combines the likelihood of a risk occurring with the consequence should that risk occur to produce the risk rating used for treating and/or monitoring the risk.
The QGEA uses this matrix and associated rating scales in its assessment of ICT initiative and system risk and provides them here for agency reference only.

The scales below rate likelihood and consequence and can be applied to initiative risk and to system risk.
Example rating scale for risk likelihood - initiatives and systems
The following rating scale considers the likelihood that a specific risk will occur and can be used in the assessment of likelihood for both ICT initiatives and ICT systems.

| Likelihood scale | Criteria | Description |
|---|---|---|
| Rare | 0 - 5% | Extremely unlikely or virtually impossible |
| Unlikely | 6 - 25% | Unlikely to occur |
| Possible | 26 - 50% | Fairly likely to occur |
| Likely | 51 - 75% | More likely to occur |
| Almost certain | >75% | Almost certain to occur |

Example rating scale for risk consequence - initiatives
The following rating scale considers the resultant impact on the business should a risk occur and can be used in the assessment of consequence for ICT initiatives.
If multiple impacts could occur with different consequence ratings then the most critical impact should be selected as the overall rating to ensure appropriate management of the risk.

Consequence scale:

| Type of impact | Insignificant | Minor | Moderate | Major | Critical |
|---|---|---|---|---|---|
| Impact to cost | <$150k | $150k - $500k | $500k - $1.5m | $1.5m - $5m | >$5m |
| Impact to time | <10 days | 10 - 20 days | 20 - 40 days | 40 - 60 days | >60 days |
| Impact to scope | Minor change in ancillary requirements | Change in ancillary requirements | Change in multiple requirements | Change in any of the critical requirements | Major change in any of the critical requirements |
| Impact to government reputation | Little to no impact; control of impact can be managed internally | Some impact to government reputation; control of impact can be managed internally | Moderate impact to government reputation; control of impact can be managed internally, but risk is high that other parties may need to get involved | Major impact to government reputation; control will require the involvement of a number of agencies | Significant impact to government reputation; media news coverage; Minister or Premier involved |

Example rating scale for risk consequence - systems
The following rating scale considers the resultant impact on the business should a risk occur and can be used in the assessment of consequence for ICT systems.
If multiple impacts could occur with different consequence ratings then the most critical impact should be selected as the overall rating to ensure appropriate management of the risk.

Consequence scale:

| Type of impact | Insignificant | Minor | Moderate | Major | Critical |
|---|---|---|---|---|---|
| Risk to individual safety | None/negligible | | | Any risk to personal safety | Threaten life directly |
| Distress caused to any party | None/negligible | | Short term distress | Limited long term distress | Substantial long term distress |
| Public order | None/negligible | | Measurable impact | Prejudice | Seriously prejudice |
| Damage to any party’s standing or reputation | None/negligible | | Short term damage | Limited long term damage | Substantial long term damage |
| Inconvenience to any party | None/negligible | Minor inconvenience | Minor inconvenience | Significant inconvenience | Substantial inconvenience |
| Inappropriate release of personally or commercially sensitive data to third parties | No or negligible release of sensitive information | Minor impact | Measurable impact, breach of regulations or commitment to confidentiality | Release of information would have significant impact | Would have major consequences to a person, agency or business |
| Impact on Government finances or economic and commercial interests | No or negligible impact | | Cause financial loss or loss of earning potential | Work significantly against | Substantial damage |
| Financial loss to any client of the service provider or third party | No or negligible loss | Minor loss | Moderate loss | Significant loss | Substantial loss |
| Financial loss to agency/service provider | No or negligible loss | Minor (< 2% of monthly agency budget) | Moderate (2% - 5% of monthly agency budget) | Significant (5% - 10% of monthly agency budget) | Substantial (> 10% of monthly agency budget) |
| Threat to government agency’s systems or capacity to conduct their business | No or negligible threat | | | Agency business or service delivery impaired in any way | Agency business halted or significantly impaired for a substantial period |
| Assistance to crime or impact on its detection | Would be of no or negligible assistance or hindrance to detection of unlawful activity | | Prejudice investigation or facilitate commission of violations that will be subject to enforcement | Impede investigation or facilitate commission of serious crime | Prevent investigation or directly allow commission of serious crime |
| Impact on development or operation of major government policy | No or negligible impact | Minor impact | Impedes effective development or operation | Seriously impede | Substantially impede |
| Impact on the environment | None/negligible | Minor impact on the environment | Measurable short term damage to the environment | Limited long term damage to the environment | Substantial long term damage to the environment |
| Impact on agency or Queensland Government workforce | None/negligible | Minor impact | Measurable impact | Limited long term impact | Substantial long term impact |
| Impact on risk of litigation | None/negligible | Minor impact | Measurable impact | Significant impact | Substantial impact |