ICT risk matrix

The risk matrix diagram below follows the guidelines set out in Queensland Treasury and Trade's A Guide to Risk Management (July 2011). It combines the likelihood that a risk will occur with the consequence should it occur, giving a risk rating that determines how the risk is treated and/or monitored.

The QGCIO uses this matrix and associated rating scales in its assessment of ICT initiative and system risk and provides them here for agency reference only.

The scales below rate likelihood and consequence and can be applied to both initiative risk and system risk.

Example rating scale for risk likelihood - initiatives and systems

The following rating scale considers the likelihood that a specific risk will occur and can be used in the assessment of likelihood for both ICT initiatives and ICT systems.

| Likelihood scale | Criteria | Description |
|---|---|---|
| Rare | 0 - 5% | Extremely unlikely or virtually impossible |
| Unlikely | 6 - 25% | Unlikely to occur |
| Possible | 26 - 50% | Fairly likely to occur |
| Likely | 51 - 75% | More likely to occur |
| Almost certain | >75% | Almost certain to occur |

Example rating scale for risk consequence - initiatives

The following rating scale considers the resultant impact on the business should a risk occur and can be used in the assessment of consequence for ICT initiatives.

If multiple impacts could occur with different consequence ratings then the most critical impact should be selected as the overall rating to ensure appropriate management of the risk.

Consequence scale

| Type of impact | Insignificant | Minor | Moderate | Major | Critical |
|---|---|---|---|---|---|
| Impact to cost | <$150k | $150k - $500k | $500k - $1.5m | $1.5m - $5m | >$5m |
| Impact to time | <10 days | 10 - 20 days | 20 - 40 days | 40 - 60 days | >60 days |
| Impact to scope | Minor change in ancillary requirements | Change in ancillary requirements | Change in multiple requirements | Change in any of the critical requirements | Major change in any of the critical requirements |
| Impact to government reputation | Little to no impact; control of impact can be managed internally | Some impact to government reputation; control of impact can be managed internally | Moderate impact to government reputation; control of impact can be managed internally, but risk is high that other parties may need to get involved | Major impact to government reputation; control will require the involvement of a number of agencies | Significant impact to government reputation; media news coverage; Minister or Premier involved |
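The following is an added worked example, not code from the QGCIO page, showing how the likelihood scale and the initiative consequence scale above can be applied to numeric inputs and how the "most critical impact" rule gives the overall consequence. Band boundaries that the page leaves ambiguous (an estimate of exactly 5.5%, a cost of exactly $150k) are resolved by the inclusive/exclusive assumptions stated in the comments; the scope and reputation rows have no numeric criteria on the page, so they are passed in as already-rated levels. The page does not reproduce the cells of the likelihood x consequence matrix itself, so the example stops at the likelihood/consequence pair rather than inventing a rating.

```python
# Added example (not from the QGCIO page): rating likelihood and initiative
# consequence from numeric inputs, then applying the page's rule that the most
# critical impact is the overall consequence rating.

from typing import Dict, Optional

LIKELIHOOD_LEVELS = ["Rare", "Unlikely", "Possible", "Likely", "Almost certain"]
CONSEQUENCE_LEVELS = ["Insignificant", "Minor", "Moderate", "Major", "Critical"]

# Upper bound of each likelihood band, in percent, from the page. The page
# writes integer bands (0-5, 6-25, ...); treating the upper bound as inclusive
# so that a fractional estimate such as 5.5 % still lands in a band is an
# assumption made here, not something the page states.
_LIKELIHOOD_BANDS = [(5, "Rare"), (25, "Unlikely"), (50, "Possible"), (75, "Likely")]

# "Impact to cost" limits in dollars and "Impact to time" limits in days, from
# the initiative consequence table. The page writes "<$150k" followed by
# "$150k - $500k"; the lower bound of each band is treated as inclusive here
# (assumption), so exactly $150k rates as Minor.
_COST_BANDS = [(150_000, "Insignificant"), (500_000, "Minor"),
               (1_500_000, "Moderate"), (5_000_000, "Major")]
_TIME_BANDS = [(10, "Insignificant"), (20, "Minor"), (40, "Moderate"), (60, "Major")]


def likelihood_rating(probability_pct: float) -> str:
    """Map an estimated probability (0-100 %) onto the likelihood scale."""
    if not 0 <= probability_pct <= 100:
        raise ValueError("probability must be a percentage between 0 and 100")
    for upper, level in _LIKELIHOOD_BANDS:
        if probability_pct <= upper:
            return level
    return "Almost certain"  # anything above 75 %


def _band(value: float, bands, top: str = "Critical") -> str:
    """Return the first band whose (exclusive) upper limit the value is below."""
    if value < 0:
        raise ValueError("impact cannot be negative")
    for limit, level in bands:
        if value < limit:
            return level
    return top


def cost_consequence(impact_dollars: float) -> str:
    """Rate 'Impact to cost' for an initiative from a dollar figure."""
    return _band(impact_dollars, _COST_BANDS)


def time_consequence(delay_days: float) -> str:
    """Rate 'Impact to time' for an initiative from a schedule slip in days."""
    return _band(delay_days, _TIME_BANDS)


def overall_consequence(*levels: str) -> str:
    """The page's rule: with several impacts, the most critical one is the rating."""
    if not levels:
        raise ValueError("at least one impact rating is required")
    for level in levels:
        if level not in CONSEQUENCE_LEVELS:
            raise ValueError(f"unknown consequence level: {level!r}")
    return max(levels, key=CONSEQUENCE_LEVELS.index)


def assess_initiative_risk(probability_pct: float,
                           cost_impact_dollars: Optional[float] = None,
                           delay_days: Optional[float] = None,
                           scope_level: Optional[str] = None,
                           reputation_level: Optional[str] = None) -> Dict[str, str]:
    """Combine numeric cost/time impacts with already-rated scope and
    reputation levels into a likelihood/consequence pair."""
    ratings = []
    if cost_impact_dollars is not None:
        ratings.append(cost_consequence(cost_impact_dollars))
    if delay_days is not None:
        ratings.append(time_consequence(delay_days))
    for level in (scope_level, reputation_level):
        if level is not None:
            ratings.append(level)
    return {
        "likelihood": likelihood_rating(probability_pct),
        "consequence": overall_consequence(*ratings),
    }


if __name__ == "__main__":
    # Constructed sample: a 30 % chance of a $2m overrun with a 15-day slip
    # and a minor scope change. The $2m cost dominates, so the overall
    # consequence is Major even though time and scope rate only Minor.
    print(assess_initiative_risk(30, cost_impact_dollars=2_000_000,
                                 delay_days=15, scope_level="Minor"))
```

The point the sample makes is the one the page's rule makes: an initiative with several impacts is rated by its worst one, so a single Major cost impact sets the overall consequence regardless of how minor the other impacts are.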

Example rating scale for risk consequence - systems

The following rating scale considers the resultant impact on the business should a risk occur and can be used in the assessment of consequence for ICT systems.

If multiple impacts could occur with different consequence ratings then the most critical impact should be selected as the overall rating to ensure appropriate management of the risk.

Consequence scale

| Type of impact | Insignificant | Minor | Moderate | Major | Critical |
|---|---|---|---|---|---|
| Risk to individual safety | None/negligible | | | Any risk to personal safety | Threaten life directly |
| Distress caused to any party | None/negligible | | Short term distress | Limited long term distress | Substantial long term distress |
| Public order | None/negligible | | Measurable impact | Prejudice | Seriously prejudice |
| Damage to any party’s standing or reputation | None/negligible | | Short term damage | Limited long term damage | Substantial long term damage |
| Inconvenience to any party | None/negligible | Minor inconvenience | Minor inconvenience | Significant inconvenience | Substantial inconvenience |
| Inappropriate release of personally or commercially sensitive data to third parties | No or negligible release of sensitive information | Minor impact | Measurable impact, breach of regulations or commitment to confidentiality | Release of information would have significant impact | Would have major consequences to a person, agency or business |
| Impact on Government finances or economic and commercial interests | No or negligible impact | | Cause financial loss or loss of earning potential | Work significantly against | Substantial damage |
| Financial loss to any client of the service provider or third party | No or negligible loss | Minor loss | Moderate loss | Significant loss | Substantial loss |
| Financial loss to agency/service provider | No or negligible loss | Minor (< 2% of monthly agency budget) | Moderate (2% - 5% of monthly agency budget) | Significant (5% - 10% of monthly agency budget) | Substantial (> 10% of monthly agency budget) |
| Threat to government agency’s systems or capacity to conduct their business | No or negligible threat | | | Agency business or service delivery impaired in any way | Agency business halted or significantly impaired for a substantial period |
| Assistance to crime or impact on its detection | Would be of no or negligible assistance or hindrance to detection of unlawful activity | | Prejudice investigation or facilitate commission of violations that will be subject to enforcement | Impede investigation or facilitate commission of serious crime | Prevent investigation or directly allow commission of serious crime |
| Impact on development or operation of major government policy | No or negligible impact | Minor impact | Impedes effective development or operation | Seriously impede | Substantially impede |
| Impact on the environment | None/negligible | Minor impact on the environment | Measurable short term damage to the environment | Limited long term damage to the environment | Substantial long term damage to the environment |
| Impact on agency or Queensland Government workforce | None/negligible | Minor impact | Measurable impact | Limited long term impact | Substantial long term impact |
| Impact on risk of litigation | None/negligible | Minor impact | Measurable impact | Significant impact | Substantial impact |

Where a cell is blank, the source scale gives no descriptor for that consequence level.

Last Reviewed: 22 March 2018
