AS/NZ Standard 4360:2004 Risk Management

Each risk has been rated in terms of its resulting likelihood of occurrence and the potential impact, using the rating system specified in AS/NZ STANDARD 4360:2004
Risk Management. These are explained in the tables below.

Table 1 - Types of Issues/Risks

Type

Strategic
Financial
Regulatory (Compliance)
Management
Operational (Technical)

Description

Related strategic mission and objectives.

Related to economic impact (costs, revenues, budgets).
Related to legal and contractual obligations. Political legislative impacts.
Related to decision making, resources, policies, etc.
Related to ICT delivery, support or management services.

Table 2 - Qualitative Measure of Consequences of Likelihood

Level

Descriptor

A
B
C
D
E

Almost certain
Likely
Possible
Unlikely
Rare

Description

Is expected to occur in most circumstances.

Will probably occur in most circumstances.
Might occur at some time.
Could occur at some time.
May occur in exceptional circumstances.

More than once per year

1 in 1 - 3 years
1 in 3 - 5 years
1 in 5 - 10 years
1 in 10 years

Table 3 - Qualitative Measure of Consequences of Impact

Level

Description

Example detail description

Insignificant

Minor

Moderate

Major

Catastrophic

No injuries, low financial loss, no risk to reputation.

Minor First aid treatment, on-site release
immediately contained, medium financial loss, some
customer dissatisfaction.
Medical treatment required, on-site release
contained with outside assistance, high financial
loss and public visibility.
Major Extensive injuries, loss of production
capability, invocation of disaster recovery with no
detrimental effects, major financial loss.
Death, off-site with detrimental effect, huge financial
loss.

Table 4 - Quantitative Measure of Consequences of Impact

Level

Description

1
2
3
4
5

Insignificant
Minor
Moderate
Major
Catastrophic

Example detail description

Nil Negligible
Under 500K
Between $500k - $5m
Between $5m - $20m
Above $20m

Table 5 - Qualitative Risk Analysis Matrix

Consequences
Insignificant

Minor

Moderate

Major

Likelihood:

A (almost certain)

H
M
L
L
L

H
H
M
L
L

E
H
H
M
M

E
E
E
H
H

E
E
E
E
H

B (likely)
C (possible)
D (unlikely)
E (rare)

Key

E
H
M
L

Description

Extreme Risk: Immediate action required to mitigate the risk.

High Risk: Action should be taken to compensate for the risk.
Moderate Risk: Action should be taken to monitor the risk.
Low Risk: Routine acceptance of the risk.

Table 6 - Issues/Risks status types

Type

Open
Closed
In progress
Monitoring
Resolved

Description

New item identified and awaiting action.

Item closed e.g. no longer a concern, rejected, etc.
Item undergoing treatment/mitigation activities.
Treatment/Mitigiation activities complete and being monitored.
Item resolved through treatment/mitigation actions and resolution
accepted by stakeholders.

Catastrophic