Skip links and keyboard navigation

ICT Risk matrix

The risk matrix diagram below follows the guidelines set out by Queensland Treasury and Trade A Guide to Risk Management—July 2011. It combines the likelihood of the risk occurring and the consequence should such a risk occur, to result in the risk rating for treating and/or monitoring the risk.

The QGEA uses this matrix and associated rating scales in its assessment of ICT initiative and system risk and provides them here for agency reference only.

 Consequence
LikelihoodInsignificantMinorModerateMajorCritical
Rare LOW
Accept the risk
Routine management
LOW
Accept the risk Routine management
LOW
Accept the risk
Routine management
MEDIUM
Specific responsibility and treatment
HIGH
Quarterly senior management review
Unlikely LOW
Accept the risk Routine management
LOW
Accept the risk Routine management
MEDIUM
Specific responsibility and treatment
MEDIUM
Specific responsibility and treatment
HIGH
Quarterly senior management review
Possible LOW
Accept the risk Routine management
MEDIUM
Specific responsibility and treatment
MEDIUM
Specific responsibility and treatment
HIGH
Quarterly senior management review
HIGH
Quarterly senior management review
Likely MEDIUM
Specific responsibility and treatment
MEDIUM
Specific responsibility and treatment
HIGH
Quarterly senior management review
HIGH
Quarterly senior management review
EXTREME
Monthly senior management review
Almost certain MEDIUM
Specific responsibility and treatment
MEDIUM
Specific responsibility and treatment
HIGH
Quarterly senior management review
EXTREME
Monthly senior management review
EXTREME
Monthly senior management review

Below are presented scales for rating likelihood and consequence that can be applied to initiative risk and to system risk.

Example rating scale for risk likelihood—initiatives and systems

The following rating scale considers the likelihood that a specific risk will occur and can be used in the assessment of likelihood for both ICT initiatives and ICT systems.

Likelihood scaleCriteriaDescription
Rare 0–5% Extremely unlikely or virtually impossible
Unlikely 6–25% Unlikely to occur
Possible 26–50% Fairly likely to occur
Likely 51–75% More likely to occur
Almost certain More than 75% Almost certain will occur

Example rating scale for risk consequence (initiatives)

The following rating scale considers the resultant impact on the business should a risk occur and can be used in the assessment of consequence for ICT initiatives.

If multiple impacts could occur with different consequence ratings then the most critical impact should be selected as the overall rating to ensure appropriate management of the risk.

 Consequence scale
Type of impactInsignificantMinorModerateMajorCritical
Impact to cost <$150k $150k–$500k $500k–$1.5m $1.5m–$5m >$5m
Impact to time <10 days 10–20 days 20–40 days 40–60 days >60 days
Impact to scope Minor change to ancillary requirements Change to ancillary requirements Change to multiple requirements Change to any critical requirements Major change to any critical requirements
Impact to government reputation Little to no impact; control of impact can be managed internally Some impact to government reputation; control of impact can be managed internally Moderate impact to government reputation; control of impact can be managed internally, but risk is high that other parties may need to be involved Major impact to government reputation; control will involve a number of agencies Significant impact to government reputation; media news coverage; involves the Minister or Premier

Example rating scale for risk consequence (systems)

The following rating scale considers the resultant impact on the business should a risk occur and can be used in the assessment of consequence for ICT systems.

If multiple impacts could occur with different consequence ratings then the most critical impact should be selected as the overall rating to ensure appropriate management of the risk.

 Consequence scale
Type of impactInsignificantMinorModerateMajorCritical
Risk to individual safety None or negligible N/aN/a Any risk to personal safety Directly threatens life
Distress caused to any party None or negligible N/a Short term distress Limited long term distress Substantial long term distress
Public order None or negligible N/a Measurable impact Prejudice Seriously prejudice
Damage to any partys standing or reputation None or negligible N/a Short term damage Limited long term damage Substantial long term damage
Inconvenience to any party None or negligible Minor inconvenience Minor inconvenience Significant inconvenience Substantial inconvenience
Inappropriate release of personally or commercially sensitive data to third parties There is no release or negligible release of sensitive information Minor impact Measurable impact, breach of regulations or commitment to confidentiality Release of information would have significant impact Would have major consequences to a person, agency or business
Impact on Government finances or economic and commercial interests No or negligible impact N/a Cause financial loss or loss of earning potential Work significantly against Substantial damage
Financial loss to any client of the service provider or third party None or negligible Minor loss Moderate loss Significant loss Substantial loss
Financial loss to agency or service provider None or negligible < 2% of monthly agency budget2%– 5% of monthly agency budget5%–10% of monthly agency budget> 10% of monthly agency budget
Threat to government agency systems or capacity to conduct their business None or negligible N/aN/a Agency business or service delivery impaired in any way Agency business halted or significantly impaired for a substantial period
Assistance to crime or impact on its detection Would not assist or would cause only negligible hindrance to detection of unlawful activity N/a Prejudice investigation or facilitate commission of violations that will be subject to enforcement Impede investigation or facilitate commission of serious crime Prevent investigation or directly allow commission of serious crime
Impact on development or operation of major government policy No or negligible Impact Minor impact Impedes effective development or operation Seriously impede Substantially impede
Impact on the environmentNone or negligible Minor impact on the environment Measurable short term damage to the environment Limited long term damage to the environment Substantial long term damage to the environment
Impact on agency or Queensland Government workforceNone or negligible Minor impact Measurable impact Limited long term impact Substantial long term impact
Impact on risk of litigationNone or negligible Minor impact Measurable impact Significant impact Substantial impact