ICT Risk matrix
The risk matrix diagram below follows the guidelines set out by Queensland Treasury and Trade A Guide to Risk Management—July 2011. It combines the likelihood of the risk occurring and the consequence should such a risk occur, to result in the risk rating for treating and/or monitoring the risk.
The QGEA uses this matrix and associated rating scales in its assessment of ICT initiative and system risk and provides them here for agency reference only.
| Consequence | |||||
|---|---|---|---|---|---|
| Likelihood | Insignificant | Minor | Moderate | Major | Critical |
| Rare |
LOW
Accept the risk Routine management |
LOW
Accept the risk Routine management |
LOW
Accept the risk Routine management |
MEDIUM
Specific responsibility and treatment |
HIGH
Quarterly senior management review |
| Unlikely |
LOW
Accept the risk Routine management |
LOW
Accept the risk Routine management |
MEDIUM Specific responsibility and treatment |
MEDIUM
Specific responsibility and treatment |
HIGH
Quarterly senior management review |
| Possible |
LOW
Accept the risk Routine management |
MEDIUM
Specific responsibility and treatment |
MEDIUM
Specific responsibility and treatment |
HIGH
Quarterly senior management review |
HIGH
Quarterly senior management review |
| Likely |
MEDIUM
Specific responsibility and treatment |
MEDIUM
Specific responsibility and treatment |
HIGH
Quarterly senior management review |
HIGH
Quarterly senior management review |
EXTREME
Monthly senior management review |
| Almost certain |
MEDIUM Specific responsibility and treatment |
MEDIUM Specific responsibility and treatment |
HIGH
Quarterly senior management review |
EXTREME
Monthly senior management review |
EXTREME
Monthly senior management review |
Below are presented scales for rating likelihood and consequence that can be applied to initiative risk and to system risk.
Example rating scale for risk likelihood—initiatives and systems
The following rating scale considers the likelihood that a specific risk will occur and can be used in the assessment of likelihood for both ICT initiatives and ICT systems.
| Likelihood scale | Criteria | Description |
|---|---|---|
| Rare | 0–5% | Extremely unlikely or virtually impossible |
| Unlikely | 6–25% | Unlikely to occur |
| Possible | 26–50% | Fairly likely to occur |
| Likely | 51–75% | More likely to occur |
| Almost certain | More than 75% | Almost certain will occur |
Example rating scale for risk consequence (initiatives)
The following rating scale considers the resultant impact on the business should a risk occur and can be used in the assessment of consequence for ICT initiatives.
If multiple impacts could occur with different consequence ratings then the most critical impact should be selected as the overall rating to ensure appropriate management of the risk.
| Consequence scale | |||||
|---|---|---|---|---|---|
| Type of impact | Insignificant | Minor | Moderate | Major | Critical |
| Impact to cost | <$150k | $150k–$500k | $500k–$1.5m | $1.5m–$5m | >$5m |
| Impact to time | <10 days | 10–20 days | 20–40 days | 40–60 days | >60 days |
| Impact to scope | Minor change to ancillary requirements | Change to ancillary requirements | Change to multiple requirements | Change to any critical requirements | Major change to any critical requirements |
| Impact to government reputation | Little to no impact; control of impact can be managed internally | Some impact to government reputation; control of impact can be managed internally | Moderate impact to government reputation; control of impact can be managed internally, but risk is high that other parties may need to be involved | Major impact to government reputation; control will involve a number of agencies | Significant impact to government reputation; media news coverage; involves the Minister or Premier |
Example rating scale for risk consequence (systems)
The following rating scale considers the resultant impact on the business should a risk occur and can be used in the assessment of consequence for ICT systems.
If multiple impacts could occur with different consequence ratings then the most critical impact should be selected as the overall rating to ensure appropriate management of the risk.
| Consequence scale | |||||
|---|---|---|---|---|---|
| Type of impact | Insignificant | Minor | Moderate | Major | Critical |
| Risk to individual safety | None or negligible | N/a | N/a | Any risk to personal safety | Directly threatens life |
| Distress caused to any party | None or negligible | N/a | Short term distress | Limited long term distress | Substantial long term distress |
| Public order | None or negligible | N/a | Measurable impact | Prejudice | Seriously prejudice |
| Damage to any partys standing or reputation | None or negligible | N/a | Short term damage | Limited long term damage | Substantial long term damage |
| Inconvenience to any party | None or negligible | Minor inconvenience | Minor inconvenience | Significant inconvenience | Substantial inconvenience |
| Inappropriate release of personally or commercially sensitive data to third parties | There is no release or negligible release of sensitive information | Minor impact | Measurable impact, breach of regulations or commitment to confidentiality | Release of information would have significant impact | Would have major consequences to a person, agency or business |
| Impact on Government finances or economic and commercial interests | No or negligible impact | N/a | Cause financial loss or loss of earning potential | Work significantly against | Substantial damage |
| Financial loss to any client of the service provider or third party | None or negligible | Minor loss | Moderate loss | Significant loss | Substantial loss |
| Financial loss to agency or service provider | None or negligible | < 2% of monthly agency budget | 2%– 5% of monthly agency budget | 5%–10% of monthly agency budget | > 10% of monthly agency budget |
| Threat to government agency systems or capacity to conduct their business | None or negligible | N/a | N/a | Agency business or service delivery impaired in any way | Agency business halted or significantly impaired for a substantial period |
| Assistance to crime or impact on its detection | Would not assist or would cause only negligible hindrance to detection of unlawful activity | N/a | Prejudice investigation or facilitate commission of violations that will be subject to enforcement | Impede investigation or facilitate commission of serious crime | Prevent investigation or directly allow commission of serious crime |
| Impact on development or operation of major government policy | No or negligible Impact | Minor impact | Impedes effective development or operation | Seriously impede | Substantially impede |
| Impact on the environment | None or negligible | Minor impact on the environment | Measurable short term damage to the environment | Limited long term damage to the environment | Substantial long term damage to the environment |
| Impact on agency or Queensland Government workforce | None or negligible | Minor impact | Measurable impact | Limited long term impact | Substantial long term impact |
| Impact on risk of litigation | None or negligible | Minor impact | Measurable impact | Significant impact | Substantial impact |