Risk Assessment Guide - University of Tasmania

University of Tasmania
Division/Faculty/School/Project
Risk Assessment Guide
Risk assessment date
University of Tasmania
Risk Assessment Guide
Division/Faculty/School/Project Risk Assessment Month Year
Contents
1 Introduction
2 The risk assessment process
Appendix A - Risk Terminology
Appendix B – Division/Faculty/School/Project objectives
Appendix C – Division/Faculty/School/Project structure and activities
Appendix D - Risk assessment parameters
1 Introduction
Guidance (for deletion): This guide has been developed to assist the Division/Faculty/School/Project undertake a structured risk
assessment in accordance with the University of Tasmania’s Risk Management Policy and risk measurement framework. The
document is guidance in nature only and its use is not mandatory.
The document may be tailored as required and can also be used as a basis for developing a formal Participant’s Guide to be issued
to all those involved in a risk assessment process. The document, once completed, will evidence that a formal risk assessment has
been undertaken. The preparation of a formal document may not be necessary depending on the scale of the risk assessment
project.
The matters highlighted in blue within text boxes provide instructions to participants to aid in preparing for each stage of the risk
assessment process. The matters included in the grey text boxes are guidance in nature and should be deleted once considered.
Text in red should be tailored as appropriate.
It is envisaged that for each risk assessment there would be a central co-ordinator responsible for administering the process for the
Division/Faculty/School/Project, co-ordinating collation, dissemination and receipt of information from participants and preparation of
resulting reports and documentation.
There are also a range of other documents which have been prepared to assist with the risk assessment process and these are
located on the University Audit and Risk intranet site http://www.utas.edu.au/risk-management-audit-assurance/
These include:
• Risk Management Governance Level Principle (GLP2)
• Risk Management Policy (CORP 13.1)
• UTAS Risk Matrix
• Risk Register Template (updated November 2015)
Should you have any specific questions, please contact Alastair McDougall (x1564 Alastair.McDougall@utas.edu.au) Director Audit
and Risk.
Division/Faculty/School/Project
is preparing to undertake a risk assessment in order to identify, assess
and document key risks of the Division/Faculty/School/Project.
This risk assessment will be conducted in accordance with the approach detailed in this guidance
material which has been endorsed by the Executive/Governance Forum.
Background and context
Guidance (for deletion): Include any necessary background and context relevant to the Division/Faculty/School/Project. This may
include:
• The nature of the operation or activity
• The environment in which the operation or activity is being conducted – specific influencing factors
• Why the risk assessment is being undertaken
Refer also Appendix C.
Risk assessment objectives
The objective of this risk assessment is to identify, assess and evaluate the key risks associated with the
Division/Faculty/School/Project and formally document outcomes.
The outputs of this process will be documented in a Summary Report to be considered initially in draft by
relevant Management with the final report to be presented to the Executive/Governance Forum.
Purpose of this document
The purpose of this document is to brief participants in respect to the process and enable them to fully
prepare for their participation. The success of the risk assessment is dependent on active participation
from all involved. As such it is important that each participant devotes time to understanding the process
and preparing for their participation.
In particular participants will be required to undertake some specific activities during the risk assessment
process. These activities are highlighted in this document and include:
• 2.1 - Project Preparation
• 2.2 - Risk Identification
• 2.3 - Risk Analysis
• 2.4 - Risk Evaluation
• 2.5 - Finalisation
Risk Assessment Participants
The process will be conducted through a combination of meetings and off-line activities. The meetings
are scheduled for date and date respectively. Meeting attendees will be:
• Names of those consulted or workshop attendees if the risk assessment process is being undertaken as a
workshop. The nature and scale of the activity being considered may mean that formal workshops
may not be necessary.
Risk assessment co-ordinator name has been nominated as the risk assessment co-ordinator and will be
responsible for:
• Ensuring participants are fully briefed on the risk assessment process.
• General administrative support to the risk assessment process.
• Supporting participants in preparing for relevant phases of the risk assessment process. This
includes co-ordinating collation, dissemination and receipt of information from participants and
ensuring resulting risk assessment outputs are prepared and presented to relevant forums.
Risk Assessment sponsor name has been nominated as the risk assessment sponsor and will provide
oversight throughout the process.
Should guidance be required in respect to the University’s Risk Management Policy, risk measurement
framework or in conducting risk assessments, please contact:
Alastair McDougall
Director Audit and Risk
Alastair.McDougall@utas.edu.au
Phone: 03 6226 1564
2 The risk assessment process
The process followed during this risk assessment is visually depicted on the following page. This involves
the following key elements:
• Project Preparation
• Risk Identification
• Risk Analysis
• Risk Evaluation
• Finalisation.
To ensure the process is both relevant and comprehensive to the needs of
Division/Faculty/School/Project, the methodology is consistent with the University’s risk management
framework and policy and is focused on:
• Presenting a formal structure of review
• Recording relevant information in respect to identified key risks
• Ensuring key risk issues are subject to identification, analysis, evaluation and reporting
• Assessing existing control effectiveness
• Assessing residual risk to enable management to consider any further action or resource
allocation/reallocation
In the balance of this section we provide further detail regarding the process. To assist in understanding
the terminology used in this project, a list of key definitions is provided in Appendix A.
Guidance (for deletion): While the process may be scaled to meet the specific needs for each circumstance, the process presented
in the graphic should be largely followed. Factors to consider in resolving an appropriate scale for the risk assessment process
include:
• The number of people involved in the Division/Faculty/School/Project. Where a broad perspective of views is required, it would
be advisable to conduct workshop or group discussions when identifying and evaluating risks.
• The extent of expected risk exposure to the University/Division/Faculty/School/Project. The greater the expected risk exposure
the greater the rigour required in the risk assessment process.
• The target audience. In the event that the outputs are to go to parties external to the University or to a formal governance forum
or Senior Executive forum within the University then a greater degree of rigour would be advisable. In the event that only a
handful of personnel are involved, such as a research project, then while the process should remain consistent there may be
opportunity to condense the approach.
2.1 Project Preparation
Objective
The objective of this phase is to develop and confirm scope, context and approach for the risk
assessment.
Process
During this phase the following steps are completed:
• Confirm the need to undertake a structured risk assessment process
• Establish the risk assessment context – this should be the objectives of what the project, operational
unit, school, faculty or division is trying to achieve
• Collate and review relevant background documentation and prepare any necessary guidance
materials to be made available to participants – this guidance is designed to provide all participants
with a clear understanding of the process. This document could be tailored to assist with this process
• Discuss and confirm key risk assessment parameters, including:
- Preparing and distributing necessary Participant Guidance or relevant background information
- Scheduling meetings (if required)
- Identifying factors relevant to the risk assessment via a preparation meeting with Key
contact/Project Leader.
• Identify key personnel to be involved in the risk assessment process to ensure appropriate
perspectives are fully considered
Participant action required:
The preparation carried out during this phase requires all participants to:
• Review the Risk Assessment Guide to gain a broad understanding of the process, methodology and
terminology that will be used throughout the risk assessment process.
• Be fully aware of the risk assessment context. These are generally the goals or objectives of the
Division/Faculty/School/Project. Refer Appendix B.
2.2 Risk Identification
Objective
The objective of this phase is to populate the standard Risk Register template with identified risks in order
to facilitate informed discussion and risk rating during the Risk Evaluation phase.
Process
During this phase:
• Participants meet to ‘brainstorm’ key risk issues by reference to Division/Faculty/School/Project
objectives. These risk issues should be matters which may constrain the achievement of stated
objectives for the University or Division/Faculty/School/Project. This may result in the identification of
numerous risk issues.
• There is consolidation of the brainstormed risk issues into higher level identified risks. This is to
ensure that effort is focussed on only key risks. In this regard key risk detail should be captured,
documented, appropriately described and assessed. Risks should be appropriately titled and include
some brief narrative to describe the risk exposure.
• There is assignment of risk owners to individual identified risks. Risk owners will be responsible for
ensuring the offline population of the standard University Risk Register template for their allocated
identified risks.
Participant action required:
The preparation carried out during this phase requires participants to:
• Brainstorm risk issues to be used as a basis for consolidating like themes into identified key risks
for inclusion in the standard Risk Register template. In this regard it is noted that:
o The number of risks, while not limited, should be manageable in number. By way of guidance
any more than approximately 15 may be too many
o The focus needs to be on the key risk exposures
• Assign identified risks to nominated relevant personnel for further detailed analysis and population
of the standard University Risk Register template.
2.3 Risk Analysis
Objective
The objective of the Risk Analysis phase is to populate the Risk Register with relevant risk information.
Process
During this phase:
• Nominated risk owners populate the standard Risk Register template with relevant risk information for
each identified risk assigned to them
• Once completed, the draft Risk Register is circulated to all participants for review prior to the Risk
Evaluation phase.
Participant action required:
The preparation carried out during this phase requires:
• Nominated risk owners are responsible for ensuring that the risk register is populated with the
following detail for assigned identified risks:
o Potential causes (Hazards) and consequences (Impacts). No more than 5-6 brief issues in dot
point form. Potential causes could include both internal and external factors. Potential
consequences could include – financial, legal and regulatory, health and safety, reputational,
management effort, lost productivity
o Consequence and likelihood of inherent and residual risk exposures
o Key existing internal controls and mitigations
o Any additional internal controls which may be required to reduce risk exposures to acceptable
levels – this should form the basis of action planning and resource allocation to reduce risk
exposures to acceptable levels
• All participants to review the populated draft Risk Register and provide feedback to the risk
assessment co-ordinator.
2.4 Risk Evaluation
Objective
The objective of the Risk Evaluation phase is a draft Risk Register which includes risk ratings which have
been agreed by participants.
Process
During this phase:
• Risk assessment participants meet with nominated risk owners leading a brief group discussion on
each identified risk and the preliminary risk ratings
• Participants collectively agree individual ratings for each identified risk. Each risk should be assessed
at both ‘inherent’ and ‘residual’ levels and in this regard the risk ratings assigned should be based on
a ‘typical’ scenario for the Division/Faculty/School/Project. An assessment of desired ‘Target Risk’
should also be assigned. Refer Appendix D for guidance on each of these terms.
• Ratings should also be assigned for ‘Controllability’, ‘Control Effectiveness’ and ‘Trending/Outlook’.
Refer Appendix D for guidance on each of these terms.
• Final draft Risk Register is prepared based on the feedback from Participants.
Participant action required:
The preparation carried out during this phase requires:
• All participants to review draft Risk Register prior to group discussion
• Participants meet with nominated risk owners leading a brief group discussion on each identified
key risk and the preliminary risk ratings
• Participants collectively agree individual ratings for each identified key risk
• Final draft risk register is prepared.
2.5 Finalisation
Objective
The objective of this phase of the project is a final Summary Report supported by a Risk Register which
have been considered by the relevant governance forum.
Process
The finalisation process is comprised of:
• Preparing a Summary Report and Risk Register, initially in draft for consideration by the Governance
Forum. The Summary Report should provide an overview of key contextual matters, a summary of
key risk exposures and heat maps for identified and assessed risks.
Guidance (for deletion): The standard University Risk Register template (and excel file available on the Risk Management intranet)
will generate some high level output for incorporation into a Summary Report (a standard reporting template is yet to be developed).
Appendix A - Risk Terminology
The following risk terminology will be used:
Risk
Risk is defined as the effect of uncertainty on objectives.
Risk assessment
Risk assessment is a process that is, in turn, made up of three processes: risk
identification, risk analysis, and risk evaluation:
• Risk identification is a process that is used to find, recognise, and
describe the risks that could affect the achievement of objectives
• Risk analysis is a process that is used to understand the nature, sources,
and causes of the risks that you have identified and to estimate the level of
risk. It is also used to study impacts and consequences and to examine
the controls that currently exist
• Risk evaluation is a process that is used to compare risk analysis results
with risk criteria in order to determine whether or not a specified level of
risk is acceptable or tolerable.
Consequence
The outcome of an event and the impact on objectives. A single event can
generate a range of consequences which can have both positive and negative
effects on objectives. Initial consequences can also escalate through knock-on
effects.
Likelihood
The chance that something might happen. Likelihood can be defined,
determined, or measured objectively or subjectively and can be expressed
either qualitatively or quantitatively.
Inherent risk
Risk rating assessment – a function of the ‘Consequence’ and ‘Likelihood’
ratings. This is an assessment of the risk exposure without reference to
specific mitigation strategies or actions.
Controllability
An assessment to be applied to each identified risk to understand the capacity
to influence residual risk exposure. The value of this information is that it
assists in informing the nature and extent of mitigations or controls to be
implemented.
Trending / Outlook
An assessment as to how the risk exposure has changed in recent times and
how it is expected to change in the immediate future with reference to the
prevailing operating environment.
Control Effectiveness
Is based on a relative assessment of the actual level of control that is currently
present and effective compared with that reasonably achievable for an
identified risk. This will provide an indicator of whether the University is doing
all that it could or should to manage the risk issue.
Residual risk
Residual risk is the risk left over after implementation of mitigations or controls.
It is the risk remaining following either removal of the risk source, modification
of consequences, change in probabilities, transferral of the risk, or acceptance
of the risk.
Target risk
Target risk is the desired risk exposure after taking into account such matters
as:
• Capacity to influence risk exposure
• Costs required to implement risk mitigations with reference to anticipated
benefits of implementation
Appendix B – Division/Faculty/School/Project objectives
As defined in Appendix A, risk is simply the effect of uncertainty on objectives. It is therefore imperative
that the Division/Faculty/School/Project objectives are known and understood in order to identify relevant
risks.
Risk assessment context
The objectives of the Division/Faculty/School/Project are to:
• XXXXX
• XXXXX
• XXXXX
• XXXXX
Guidance (for deletion): In practice consideration should be given to those matters which may constrain or prevent the achievement of
the stated objectives or where opportunities to maximise benefits are forgone or not optimised.
Appendix C – Division/Faculty/School/Project structure and activities
Guidance (for deletion): This section is optional but if completed could include any necessary documentation which may assist with
the identification and assessment of key risks. This may include:
• Business model detail/graphic
• Organisational/project structure
• Key internal / external influencing factors
Appendix D - Risk assessment parameters
Assessing the likelihood ranking
The likelihood that the business will be exposed to each specific risk is determined considering factors
such as:
• anticipated frequency
• the external environment
• the procedures, tools, skills currently in place
• staff commitment, morale, attitude
• history of previous events
For the purposes of assessing likelihood the following scale will be used:
Likelihood rating and scale
Almost certain
The event is expected to occur:
• in most circumstances
• or commonly repeating
• or occurs weekly
Likely
The event will probably occur:
• in most circumstances
• or known to occur
• or occurs monthly
Possible
The event might occur:
• say yearly
• or has a 1 in 20 chance of occurring
Unlikely
The event could occur at some time, say:
• once in every 10 years
• or 1 in 100 chance of occurring
Rare
Event may only occur:
• in only exceptional circumstances
• or less than a 1% chance of occurring
Assessing the consequence ranking
Risks are assessed in terms of the consequence of their impact on business objectives. Indirect financial consequences such as reputation, management effort and
productivity are also key considerations. The following table is used to guide the assessment of consequences of each identified risk.
Insignificant
• Financial, Legal, Commercial: Up to $5000 for Faculties, Institutes, Schools, Centres, Divisions and Sections (Up to $500K for a UTAS wide corporate governance risk) or 0.5% of budget. Unlikely to result in adverse regulatory response or action.
• HR, OHS: Injury report and/or first aid only, and/or may include substantial stress event reducing work effectiveness without lost time.
• Service Quality, Operations, Business Interruption and Infrastructure: An event the impact of which can easily be absorbed through normal activity. Repeat theme complaints at a school level and/or one or more registered formal complaints. Up to 10 recommendations from accreditation/licensing body. Loss of <1 days lectures or research or other operational activity or work from such activity. Negligible impact business interruption, brief loss of service.
• Political, Reputation and Image: Issue resolved promptly by day to day management processes/little or no stakeholder interest.
• Environmental and Community: Brief pollution - no discernible impact or measurable impairment - for example, not exceeding published guideline values for normal or background levels. Internally reported. Environmental liability or remediation cost < $A5,000.
• Project: Small potential for cost impacts 0.5% of budget, no time impact, no quality impact. There may be issues that impact on the ability of the University to fully operate services or activities proposed for the building at time of delivery.

Minor
• Financial, Legal, Commercial: $5,001 to $50,000 for Faculties, Institutes, Schools, Centres, Divisions and Sections, ($.5m to $2.5m for a UTAS wide corporate governance risk) or 0.5-1% of budget. Minor non-compliances and breaches of Acts, regulations or consent conditions. Not likely to result in regulatory action, may result in infringement notice. Incident reportable to regulatory authorities.
• HR, OHS: Medical Treatment Injury and/or may include substantial stress event requiring professional clinical support.
• Service Quality, Operations, Business Interruption and Infrastructure: An event, the consequences of which can be absorbed but management effort is required to minimise impact. Minor delivery delays. Service issue causing/contributing to loss of up to 10 EFSLs or loss of research or consultancy project < $10,000. Up to 2 non-compliance recommendations but accreditation/licence not immediately threatened. Loss of 1-5 days lectures or research or other operational activity or work from such activity. Local interruption only, service loss for minimum period.
• Political, Reputation and Image: Issue raised by students and/or local press/minor, adverse local public or media attention and complaints. Reputation is adversely affected with a small number of affected people.
• Environmental and Community: Transient harm - minor effects on biological or physical environment. Minor short-medium term damage to a localised area or that ceases once the event is over. Environmental liability or remediation cost $A5,000 - 50,000.
• Project: Small potential for cost impacts 0.5-1% of budget, no time impact, no quality impact. There may be issues that impact on the ability of the University to fully operate services or activities proposed for the building at time of delivery.

Moderate
• Financial, Legal, Commercial: $50K-$0.5m for Faculties, Institutes, Schools, Centres, Divisions and Sections, ($2.5m to $10m for a UTAS wide corporate governance risk) or 1-5% of budget. Serious breach of Act, regulation or consent conditions with potential for regulatory action such as issuance of a formal notice, a fine or prosecution.
• HR, OHS: Hospital treatment injury less than 3 days/lost time/serious temporary disability/minor permanent disability.
• Service Quality, Operations, Business Interruption and Infrastructure: Significant event, which can be managed under special circumstances. Service issue causing/contributing to loss of 10 - 100 EFSLs, or loss of research or consultancy project ($10,000 - $500,000). More than 2 non-compliance recommendations and/or ongoing accreditation and licensing under immediate threat. Loss of 5 days - 6 weeks lectures or research or other operational activity or work from such activity. Critical service interruption not back in agreed time.
• Political, Reputation and Image: Student and/or community concern, heavy local media coverage/criticism by NGOs. Reputation impacted with some stakeholders.
• Environmental and Community: Moderate harm - measurable impairment on biological or physical environment but not affecting ecosystem function. Short-medium term impacts, where the ecosystem will recover quickly and without intervention. Environmental liability or remediation cost $A50,000 - 500,000.
• Project: Medium potential for cost or time impact. 1 - 5% of budget, manageable impact on time, cost, resources and quality. Minimal impact on operation of services or activities proposed for the building.

Major
• Financial, Legal, Commercial: $0.5m to $5m for Faculties, Institutes, Schools, Centres, Divisions and Sections ($10m to $20m for a UTAS wide corporate governance risk) or 5 - 10% of budget. Major breach of Act, regulations, or consent conditions that is expected to attract regulatory attention. Investigation prosecution and/or major fine possible.
• HR, OHS: Single death/longer term hospitalisation/permanent disabilities multiple persons.
• Service Quality, Operations, Business Interruption and Infrastructure: Major event that - with prioritised and focused management - will be endured. Service issue causing/contributing to loss of more than 100 EFSLs/subject viability threatened or loss of some research and consultancy clients. Limited accreditation of Faculty or School with conditions of accreditation and limitations applied. Loss of 6 - 13 weeks lectures or research or other operational activity or work from such activity. Critical infrastructure service loss for <1 month.
• Political, Reputation and Image: Embarrassment for the University, including adverse media coverage/significant adverse national media/public coverage/reputation impacted with a significant number of stakeholders/breakdown in strategic and/or business partnership.
• Environmental and Community: Significant harm - serious environmental effects with some impairment of ecosystem function. Relatively widespread medium - long term impacts, requiring remediation, where ecosystem will recover over time once clean-up has been completed. Environmental liability or remediation cost $A0.5m - $A5m.
• Project: Major potential for cost or time impact. 5 - 10% of budget, will impact on time, cost, resources or quality. Potential impact on multiple work streams, projects or stakeholders. University will need to operate service or activity in another location for an extended period of time or delay commencement of service or activity for >3 months or Practical Completion Date increased by >25%.

Catastrophic
• Financial, Legal, Commercial: Above $5m for Faculties, Institutes, Schools, Centres, Divisions and Sections (or above $20m for a UTAS wide corporate governance type risk) or 10% of budget may be considered wilful or negligent by regulator. Significant prosecution and fines likely. May result in significant litigation, including class actions. May jeopardise future approvals, registration, licensing and funding.
• HR, OHS: Multiple deaths/permanent disability 5 plus persons
• Service Quality, Operations, Business Interruption and Infrastructure: Extreme event with potential to lead to failure of most objectives or collapse of part of the business. School viability threatened by loss/lack of students or loss of a significant number of research or consultancy clients (more than 10% of budget or 5 clients). Non accreditation of Faculty or School. Loss of 13+ weeks lectures or research or other operational activity or work from such activity. Critical infrastructure service loss for >1 month.
• Political, Reputation and Image: Reputation and standing of the University affected nationally and internationally/serious public or media outcry (International coverage)/Reputation impacted with majority of key stakeholders/Significant breakdown in strategic and/or business partnerships.
• Environmental and Community: Long term harm - Very serious environmental effects with significant impairment of ecosystem function. Long term, widespread effects. Remediation required. Environmental liability or remediation cost >$A5m
• Project: Major potential for cost or time impact - >10% of budget. Will have an unmanageable impact on time, cost, resources and quality. Potential impact on multiple work streams, projects or stakeholders. University cannot operate service or activity proposed in new/refurbished building. Potential showstopper.
Assessing the risk rating
Through this analysis of likelihood and consequence the risk rating for each of the identified risks is then
calculated using the product of these rankings. The relationship of these factors and the resultant risk rating is
demonstrated in the table below:
Likelihood / Consequence | Negligible | Minor | Moderate | Major | Severe
Almost certain | Mod 11 | High 13 | Ext 20 | Ext 23 | Ext 25
Likely | Mod 7 | High 12 | High 17 | Ext 21 | Ext 24
Moderate | Low 4 | Mod 8 | High 16 | Ext 18 | Ext 22
Unlikely | Low 2 | Low 5 | Mod 9 | High 15 | Ext 19
Rare | Low 1 | Low 3 | Mod 6 | Mod 10 | High 14
Controllability
The following three levels are used to rate the capacity of the University to influence the risk:
Controllable
Organisation has the capacity to significantly influence the risk rating.
Partially controllable
Organisation has some capacity to influence the risk rating.
Not controllable
Organisation has limited or no capacity to influence the risk rating.
Control Effectiveness
Control (or mitigation) is understood to mean:
A control is any measure or action that modifies risk. Controls include any policy, procedure, practice,
process, technology, technique, method, or device that modifies or manages risk. Risk treatments
become controls, or modify existing controls, once they have been implemented.
A three tiered self-assessment to be applied to each key risk to understand management’s view of the strength
of mitigating actions currently in operation.
Satisfactory
Controls are strong and operating properly, providing a reasonable level of
assurance that objectives are being achieved.
Some weakness
Some control weaknesses/inefficiencies have been identified. Although these
are not considered to present a serious risk exposure, improvements are
required to provide a reasonable assurance that objectives will be achieved.
Weak
Controls do not meet an acceptable standard, as many
weaknesses/inefficiencies exist. Controls do not provide reasonable assurance
that objectives will be achieved.
Trending / Outlook
A three tiered assessment to be applied to each identified risk to understand the trend in risk exposure, in light
of recent history and the prevailing environment. Consideration should be given to both internal (Strength and
Weakness) and external factors (Opportunity and Threat).
Up
Recent history and the prevailing environment is tending to increase risk
exposure for the organisational unit (i.e. unfavourable for the organisation).
Down
Recent history and the prevailing environment is tending to decrease risk
exposure for the organisational unit (i.e. favourable for the organisation).
Stable
Recent history and the prevailing environment is not impacting risk exposure to
any great extent.