Risk Register

What is a strategic risk register?

A risk register is a tool to support the risk framework which captures strategic institutional risks.  It will include detailed descriptions of the key risks faced by UVic as well as the various strategies in place to mitigate each risk.  It is envisaged that the register will become a "living" document and will be utilized as a management tool to inform planning and improve decision making within UVic.

What is the goal of having a strategic risk register?

  • To develop and promote a risk management culture within the university focusing on areas of risk;
  • To provide a "living" document that will be utilized as a management tool to assist in achieving the university's strategic objectives;
  • To assist UVic in the development of a long-term sustainable and comprehensive approach to support the identification and management of risks across UVic; and
  • To provide the Board of Governors and senior management with a more comprehensive understanding of the risks faced by UVic, including an assessment of the risks and the activities that have been undertaken to manage the risks facing UVic.

Key definitions

The following definitions apply to this policy:

Risk:

Risk is a chance of something occurring that may impede the university from achieving its objectives.  The concept of risk has two elements:  the likelihood of a risk happening and the consequence if it happens.

Risk management:

The application of management policies and processes to enable the systematic identification, analysis, mitigation and monitoring of risk.

Risk management plan:

A documented list of risk mitigation strategies/actions, timelines and accountabilities.

Risk mitigation:

Involves identifying the range of options for treating risk, evaluating those options, selecting the preferred treatment strategy, preparing risk mitigation plans and implementing them.

Risk Appetite: 

The amount and type of risk that the university is ordinarily prepared to take in order to meet its objectives. See the university Risk Appetite Statement(s).

Inherent risk:

Refers to risk considered without any assessment of controls.

Residual Risk:

The level of risk that remains after all risk treatment measures have been taken.

Risk management responsibility:

Risk management is everyone's responsibility and therefore this information will be a useful reference for all university employees.  It has been designed for use by departments within the university as well as the senior management group, audit committee, line management and those employees involved in the formal application of the risk management process.

Risk mitigation owners:

  • Identify and control risks in their area of responsibility
  • Continually review risks and controls of their operations to ensure effective management
  • Update the status on the risk mitigation plans on a regular basis

Risk and insurance analyst:

  • Ensures the risk management plan is monitored and updated regularly
  • Monitors risks to ensure university objectives are achieved
  • Conducts or arranges appropriate risk management training where necessary
  • Provides policy and framework to departments to identify, analyze and manage risks
  • Produces and provides management with relevant and timely user reports

Risk Management Steering Committee:

  • Monitors risk management plans and ensures the timeliness of their actions
  • Provides assurance of risk control and compliance
  • Monitors the cost effectiveness of the risk management plan

View the Risk Management Process Stages for a process stages diagram.

View the Risk Management Process Stages Expanded for an expanded process stages diagram.

Risk Register

Risk identification

The aim of the risk identification process is to generate a comprehensive list of risks that might affect the university's objectives and operations.  These risks are then considered in more detail, to identify their potential consequence.

Some tips for identifying risks include:

  • Workshop the risks in the risk library one by one in round table discussion
  • Obtain reasonable proof of assertions made by individuals, before treating them as facts
  • Consider the history of losses at departmental level
  • Make personal observations if practicable

Describing risks

Each description should be a concise statement incorporating two parts:

  • A description of the risk (e.g., a key member of the faculty leaves with limited notice, taking course notes)
  • A description of the primary consequence (e.g., business interruption and re-creation of course notes)

Approaches used to identify risks include checklists, judgements based on experience and records, flow charts, brainstorming, interviews, workshops, systems analysis and scenario analysis.

Risk categories

The university has identified categories of risk that reflect its current environment.  These are summarized diagrammatically below in Figure 2.  These categories assist in risk identification and provide a basis for organizing and reporting findings.  These categories may be subject to periodic review to ensure they continue to reflect the university's environment.

Risks will be rated according to estimates of likelihood, consequence and existing controls.

The objective of this analysis is to prioritize risks into relevant rating levels.  This rating will be used to focus attention primarily on higher risks.

Although low and medium risks may not be subject to further risk management processes, it is important that they are documented and added to the risk profile to demonstrate the completeness of the risk analysis.

Risk assessment

Risk Likelihood Ratings

Rating risks requires an assessment of how frequently they happen.  Some risks happen once in a lifetime; others can happen almost every day.  The table below provides broad descriptions to support likelihood ratings.

View the UVic risk likelihood ratings.

How to use this Likelihood chart:

We are assessing the likelihood of the risk occurring within our risk timeframe (the next 12 months).  If we are assigning likelihood to risks that are more cyclical in nature (e.g., an earthquake), then we use the left column.  We may think that an earthquake has a one in ten chance of happening during the next year (i.e., it is likely to occur once every ten years) and we would rate it as Low.  If we are assigning likelihood to risks that are more one-off occurrences (e.g., failure of an IT implementation project), then we would use the right column and choose the rating that best describes the likelihood given our knowledge.  Historically we may conclude that major IT projects have a Medium to High likelihood of going well over budget, of not meeting deadlines and/or of achieving poor quality outcomes.

We are initially rating likelihood in the absence of controls and then we will build in a rating of the controls.  When we identify controls we group them into 3 main groups (preventative, detective and reactive).  When we look at the effect of controls on our likelihood rating, we mainly look at preventative (and some detective) controls, since reactive controls only come into play once the risk has occurred.  So we might say that the likelihood of a major IT project failing is High given the recent history of such projects in other institutions, but then assess that the excellent preventative controls (e.g., tender selection processes, project management) will reduce the likelihood to Low.  If we talk in this manner we are constantly putting the focus on the controls and particularly on prevention, which is what is desirable.

Risk impact ratings

Impacts can be described in a number of ways.  A risk can have consequences in terms of:

  • Financial
  • Human impact
  • Interruption to business
  • Interruption to teaching
  • Interruption to research
  • Harm to the environment
  • Damage to reputation and image

Each impact can be rated in terms of its severity, from VERY HIGH to VERY LOW.

The risk impact ratings in the table below provide a summary of each type of risk consequence relevant to the university as well as their severity ratings.

If more than one impact type applies to a particular risk, then the highest identified impact ratings should be used.

View the UVic risk impact ratings chart.

How to use this impact rating chart

We are assessing the impact of the risk assuming that it has occurred.

Think first about the main types of impacts that would accrue if the risk did occur, then for each of the types selected choose the example that best equates to what you think the impact would be.  We will then rate the risk impact to the highest of these choices.

As we go, we may choose to augment this table with specific examples that make it easier for us to rate and also may mean more to the university proper when we socialize this document.

We are rating to the most probable worst case, which can be tricky sometimes, but we will work our way through the first examples and settle into a pattern.  The most important thing is consistency.  We are initially rating impacts in the absence of controls and then we will build in a rating of the controls.  When we identify controls we group them into 3 main groups (preventative, detective and reactive).  When we look at the effect of controls on our impact rating we mainly look at reactive (and some detective) controls, given that we are assuming the risk has occurred.  So we might say that a major breach of the privacy act would result in a Medium Inherent Impact ($500,000 fine) but that we have good reactive controls (e.g., insurance) that would reduce the net impact to Low or even Very Low.  If we talk in this manner, we are constantly putting the focus on the controls, which is what is desirable.

Risk ranking

Risk mitigation

Risks that are not subject to effective mitigation activity may cause adverse impacts.

For each risk, you should first document the applicable list of mitigation activities.  When thinking about what risk mitigation activity is in place (or should be in place), it is useful to think of the following three things:

  • Prevention - What is in place that will attempt to stop the risk happening in the first place? (e.g., security, awareness and training programs, qualified staff, planning, and/or procedures);
  • Detection - What is in place that will let me know if and when the risk does happen? (e.g., staff/customer reporting mechanisms, financial reconciliation, fire alarms, audits); and
  • Response - If the risk happens anyway, what measures do we have in place to lessen the impact? (e.g., contingency plans, back ups, insurance, resolution processes).

Once documented, the list of mitigation activity should be assessed as to how well the group of mitigation activities address the risk.

To assess mitigation strategy effectiveness, consideration should be given to the following questions:

  • Does the group of mitigation activities address the risk effectively?
  • Are the mitigation activities officially documented and communicated?
  • Are the mitigation activities in operation and applied consistently?

Answers to these questions are scored and the results tallied as per the Table below.  Thought processes underpinning this decision are also summarized below.
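The rating procedure described above (inherent likelihood and impact rated without controls, the highest impact type taken, then preventative controls credited against likelihood and reactive controls against impact) and the three effectiveness questions from this section, worked through on the page's own IT-project and privacy-breach examples.  This is an added illustration, not UVic's own tooling or tables: the five-level scale, the rule that each effective control lowers its target rating by one level, and the rule that a control is credited only when all three effectiveness questions are answered "yes" are assumptions made here, since the page's rating tables are not reproduced.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed five-level scale (the page names VERY LOW .. VERY HIGH); index = severity.
LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]


@dataclass
class Control:
    name: str
    kind: str                    # "preventative", "detective" or "reactive"
    addresses_risk: bool         # the three effectiveness questions from the page
    documented: bool
    applied_consistently: bool
    affects: Optional[str] = None  # assumption: "likelihood" or "impact"; defaults by kind

    def is_effective(self) -> bool:
        # Assumption: a control is credited only when all three answers are "yes".
        return self.addresses_risk and self.documented and self.applied_consistently

    def target(self) -> Optional[str]:
        # Preventative controls lower likelihood, reactive controls lower impact;
        # a detective control is credited only where 'affects' says so (assumption).
        return self.affects or {"preventative": "likelihood", "reactive": "impact"}.get(self.kind)


@dataclass
class Risk:
    description: str
    inherent_likelihood: str
    inherent_impacts: Dict[str, str]        # impact type -> rating
    controls: List[Control] = field(default_factory=list)

    def inherent_impact(self) -> str:
        # Page rule: where several impact types apply, use the highest rating.
        return max(self.inherent_impacts.values(), key=LEVELS.index)

    def residual(self) -> Tuple[str, str]:
        # Assumption: each effective control lowers its target rating by one level.
        lik, imp = LEVELS.index(self.inherent_likelihood), LEVELS.index(self.inherent_impact())
        for c in filter(Control.is_effective, self.controls):
            if c.target() == "likelihood":
                lik = max(0, lik - 1)
            elif c.target() == "impact":
                imp = max(0, imp - 1)
        return LEVELS[lik], LEVELS[imp]


def register_example() -> Dict[str, dict]:
    # Constructed register entries based on the two examples given on the page.
    it_project = Risk("Failure of a major IT implementation project", "High",
                      {"Financial": "High", "Interruption to business": "Medium"},
                      [Control("Tender selection process", "preventative", True, True, True),
                       Control("Project management", "preventative", True, True, True),
                       Control("Project status reporting", "detective", True, True, True)])
    privacy = Risk("Major breach of the privacy act", "Medium",
                   {"Financial": "Medium", "Damage to reputation and image": "Low"},
                   [Control("Insurance", "reactive", True, True, True),
                    Control("Incident procedure (not documented)", "reactive", True, False, True)])
    return {r.description: {"inherent": (r.inherent_likelihood, r.inherent_impact()),
                            "residual": r.residual()} for r in (it_project, privacy)}
```

Running `register_example()` shows the IT project's likelihood falling from High to Low on the strength of its two effective preventative controls while its impact stays High, and the privacy breach's impact falling from Medium to Low through insurance, with the undocumented procedure earning no credit.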

Mitigation Table

Development/Implementation

To ensure that mitigation plans are actioned requires management of the process by relevant senior staff.  This management planning process should include:

  • Allocation of risk mitigation responsibilities;
  • Approval or allocation of resources required;
  • Establishment of deadlines;
  • Reporting back of agreed actions and dates to the Risk Coordinators and Manager - Risk Compliance; and
  • An escalation process.

All risks identified as requiring further mitigation should be considered in the context of the options available.  These options should be considered, weighing the cost of implementing each option against the potential benefits.  In some cases, a cost-benefit analysis may be required to assist in the selection process.

When assessing risk mitigation options, it is important to understand that it will often be most appropriate to combine several mitigation options.  Risk responses may be specific to one risk or they might address a range of risks.

By completing a risk mitigation plan, relevant university staff can establish accountability, and ensure that risk management is seen as part of each staff member's responsibility.

Risk mitigation plans act as a reporting mechanism to the relevant user groups.  These plans are flexible, allowing for continual updating and reassessment as risks confronting the university change or the likelihood and consequences change.

Risk reporting

Risk mitigation owners

Each risk will be allocated a "mitigation plan owner."  It will be the mitigation plan owner's responsibility to:

  • Ensure that the mitigation plans are enacted;
  • Resolve any issues that may affect the successful outcome of the risk mitigation plans; and
  • Provide regular status reports on the risk mitigation plans.

Reporting framework

Risk management reports are carefully tuned to the needs of the various users of risk information.  The information must be concise, unambiguous, standardized, consistent and integrated with existing reporting processes.

Annually, a summary of the strategic risks facing UVic will be provided to the Board of Governors.  This report will expand on the risks ranked high and very high, and also list medium risks.

User reports

User Group               User Needs                       Report Types
Senior Management        All High and Very High risks     Risk Mitigation report; Risk Trends
Risk Committee           All High and Very High risks     Risk Mitigation report (from Risk Mitigation Owners); Risk Trends
Risk Mitigation Owners   All risks under their control    Detailed mitigation plans; Summary of risk register