Skip links and keyboard navigation

Risks and challenges

Within the Digital and ICT planning framework, this guideline describes how to identify and define potential risks as part of a digital and ICT planning engagement process.

Defining strategic risks is an integral part of any strategic planning process. This guideline helps practitioners work with the planning sponsor and participants in the planning process to define and assess the strategic risks directly related to proposed digital and ICT vision, objectives and strategies.

Strategic risks are potential events or threats that affect or may result from an organisation’s business strategy and strategic objectives. The ever-increasing pace of change at which models of business and technology innovations are evolving increases the need to continually identify and respond to strategic risks that threaten the achievement of strategic objectives.

Audience

A practitioner in the context of this guideline can include one or more of the following roles:

  • Digital and ICT strategic planners
  • Agency and service strategic planners
  • Workforce planners
  • Business analysts
  • Information managers.

Strategic risks need to be considered from the perspective of what risks are associated with the strategy but also what risks are minimised or mitigated because of the strategy. A typical risk management cycle is outlined below.

Risk management cycle

Practitioners should follow a formal risk management process cycle approach. Typical risk management cycles repeat the using the following steps.

  1. Identify risk—identify possible risk events and their causes that may impact on the strategy.
  2. Analyse risk—analyse the consequence and likelihood according to a risk matrix and derive the overall risk rating
  3. Evaluate risk—make decisions based on the outcomes of risk analysis about which risks are acceptable, which risks need treatment, and the treatment priorities
  4. Treat risk —develop appropriate actions to ensure that risks considered to be unacceptable are treated   appropriately to reduce the risk to an acceptable level.
  5. Monitor and review—regularly review and monitor risks to ensure a proactive approach to managing risks as new risks emerge and existing risks change.

This cycle can be re-applied regularly to ensure emerging risks are captured before they can impact digital or ICT strategy or objectives.

When identifying risks, it’s helpful to first consider categories of risk. Risks can also be either internal or external. Each agency will have its own risk management framework and practitioners need to consider this activity within the context of any existing frameworks.

Once risks have been identified, you should also identify the consequences and likelihood of the risk occurring. A risk rating (typically extreme, high, medium or low) can then be derived based on the consequences and likelihood scores, and a risk assessment matrix adopted by the agency can be applied.

Refer to ICT Risk management for more information and an ICT risk matrix and see the internal and external risk category tables below to help you identify potential risks.

External risks

Risk categories Potential risks
Demand
  • Effective response to demand for services
  • Changes in customer or public expectation
Regulatory or legislative
  • Changes in legislation
  • Compliance with legislation
Economical
  • Changes in economic landscape
Socio-political
  • Changing social or political factors
Environment
  • Changes in environmental factors or threats from natural events

Internal risks

Within internal risks there are three risk category types; strategic, operational and enablers.

Strategic risks

Risk categories Potential risks
Governance
  • Management responsibility
Strategic planning
  • Alignment of strategic planning to client needs.
Stakeholder relations
  • Relationship with elected officials
  • Stakeholder relationship management
Ethics and values
  • Ethical behaviour and values
Results
  • Ability to achieve long-term outcomes

Operational risks

Risk categories Potential risks
Access to services
  • Accessibility of services from available channels
Processes
  • Service delivery and operational processes
Information for decision making
  • Relevant, accurate and integrated information
Emergency response
  • Ability to mobilise and deal with emergency situations
Business interruption
  • Business continuity management and disaster recovery

Enablers

Risk categories Potential risks
People
  • Appropriately skilled staff
  • Retention of staff
  • Succession planning
  • Knowledge management
Financial
  • Sustainability of financial resources
  • Cost over runs or the cost of borrowing money
Technology
  • ICT infrastructure and support to meet future needs
Infrastructure
  • Quality or state of infrastructure

The practices in this guideline should be conducted in collaboration with the stakeholders identified in the Sponsorship, scope and stakeholders guideline. The identification of strategic risks can be performed as part of workshop or as a separate risk workshop.

It may be necessary to discuss with stakeholders, which risks are both significant and strategic, as well as which risks the agency might be willing to accept. Only those risks agreed with stakeholders should be carried forward to the digital or ICT strategic document or plan.

Practitioners should identify mitigation strategies with stakeholders. In some cases, it may acceptable to discuss some the mitigation strategies as part of the narrative in the digital or ICT strategy or plan to convey how the agency plans to respond positively to the strategic risks.

The Queensland Government Performance Management Framework also recommends the use of Strengths, Weaknesses, Opportunities and Threats (SWOT) Analysis as a method of identifying strategic risks. Refer to the Vision guideline for more detail on SWOT.

When risks form part of a strategy or plan, either as a dedicated section or as part of a narrative, the Queensland Government Strategic Planning Toolkit recommends using terminology such as ‘strategic challenges and opportunities’ or ‘critical issues’.

The methods outlined in this guideline are iterative. It might take several workshops with several diverse groups of people to articulate the final digital or ICT risks.

Practitioners should liaise with the planning sponsor to have strategic risks formally recognised in the agency’s risk register so all strategic risk can be formally monitored and managed.

It is important to ‘play back’ the outputs of workshops to participants within a short time after the workshop. This will maintain interest and ensure the participants feel like their time and contribution was worthwhile.

Once risks have been identified, the next step is to create the digital or ICT strategy or plan.