Department of Education





Risk and Business Continuity Management


Appendix A Establishing, identifying and assessing risks

Risk management involves the identification, evaluation, treatment and ongoing monitoring of a broad range of risks associated with all strategic, operational and project activities.

A.1 Context

For each individual risk assessment exercise it is important to:

  • Set the parameters – what is the specific subject of the assessment?
  • Identify the essential stakeholders who need to be involved.
  • Ensure all participants are clear about the purpose of the assessment.

A.2 Key activity

Identify the key services/activities for your business unit. For example, processing payments on the Oracle system (see Appendix B).

A.3 Critical success factors (CSF)

For each of your key business activities, determine what elements are essential to ensure a successful outcome. For example, to process payments on the Oracle system, the following is needed:

  • Trained staff to match orders to invoices.
  • Working system.

A.4 Risk identification

Write down the possible risk or risks associated with each of your key activities’ Critical Success Factors (CSF).
Look at your risks in terms of what can go wrong in relation to the specified CSF. Identify what will cause that risk to occur.
Please note: Some activities may have many associated risks. Each risk should be treated separately and given its own risk rating. For example,

  • Activity - Providing advice to client.
  • CSF - Accuracy of information.
  • Risk - Incomplete or inaccurate information.
  • Cause - Lack of trained staff.

A.5 Risk controls

At the time of the risk assessment, identify what control measures are currently in place that reduce the likelihood and/or consequences of the risk. For example, relevant Department policies can be identified as existing controls.

A.6 Control rating

Rate your controls in terms of whether you are doing what is reasonable under the circumstances to prevent or minimise the risk, i.e. Excellent, Adequate or Inadequate.

A.7 Consequence

For each of your risks, what is the consequence if it does go wrong? The consequence may be a financial, time or people cost, or a combination of all three.
Following the same example (Appendix B) regarding the processing of payments in the Oracle system, the risk of ‘lack of trained staff’ can affect ‘Operational Efficiency’ (see Appendix C.2 Consequence Table) and can be rated as Minor (Level 2) ‘Inconvenient delays’.

A.8 Likelihood

For each of your risks determine how likely it is that the risk will occur in your business unit. For example, “Lack of trained staff” may be rated as “Almost Certain” (Level 5) – the event is expected to occur in most circumstances and is likely to happen more than once a year (see Appendix C.3 Likelihood Table).

A.9 Rating

To determine the risk rating, multiply the values in the Consequence and Likelihood columns.
In the same example, the Consequence of the risk was rated as Level 2 and the Likelihood of the risk was rated as Level 5. Multiplying 5 x 2 results in a rating of Level 10. Therefore, the risk rating is Level 10 – Moderate (see Appendix C.4 Risk Rating Table).

A.10 Category of consequence

For each risk, select the relevant consequence category (see Appendix C.2). In relation to the same example, the Category of Consequence is Operational Efficiency and Governance.

A.11 Risk acceptance

Yes or No. Ultimately, the process gets you to a point of deciding whether the risk is acceptable or requires further action.

Risks will always occur in any business environment. This process is not about removing risks; rather, the aim is to manage each risk to an acceptable level.

In our example the impact of the risk was rated a Level 10. The Risk Acceptance Table (see Appendix C.5) states that such a risk requires ‘Urgent Management Attention’ and may only be accepted by a Senior Manager when the existing controls are rated as ‘Excellent’.

A.12 Responsible officer

Enter the name or position of the person who is responsible for ensuring the key activity is successfully completed.

A.13 Risk treatment

Risk Treatment involves identifying a range of options to reduce the consequences and/or likelihood of a risk, or to improve the control ratings; evaluating those options; preparing treatment plans; and implementing them.


All contents copyright Government of Western Australia, unless otherwise stated.


Copyright material available on this website is licensed under a Creative Commons Attribution 4.0 International (CC BY 4.0) licence