
Risk Assessment


Risk Likelihood Ratings

Rating risks requires an assessment of their frequency of happening. Some risks happen once in a lifetime; others can happen almost every day. Table 1-UVic Risk Likelihood Ratings provides broad descriptions to support likelihood ratings.

TABLE 1-UVic Risk Likelihood Ratings

| LIKELIHOOD | Rating | Risks that are Ongoing | Risks that are one off |
|---|---|---|---|
| Very High | 5 | We expect that the risk will occur many times a month; The risk is already happening | We fully expect the risk to occur; The risk is already occurring (i.e. it's an issue) |
| High | 4 | We expect that the risk will occur at least once a year | We expect that the risk will most probably occur |
| Medium | 3 | We expect that the risk will occur once in 3 years | We expect that the risk may occur at some time and we think it more likely than not |
| Low | 2 | We expect that the risk will occur once in 10 years | We expect that the risk may occur at some time, and we think it less likely than not |
| Very Low | 1 | We expect that the risk will occur once in 50 years | We expect that the risk may occur only in exceptional circumstances but that it is highly doubtful that it will |

How to use this Likelihood chart:

  • We are assessing the likelihood of the risk occurring within our risk timeframe (Next 12 months)
  • If we are assigning likelihood to risks that are more cyclical in nature (e.g. an earthquake) then we use the left column. We may think that an earthquake has a one in ten chance of happening during the next year (i.e. it is likely to occur once every ten years) and we would rate it as Low
  • If we are assigning likelihood to risks that are more one off occurrences (e.g. failure of an IT implementation project) then we would use the right column and choose the rating that best describes the likelihood given our knowledge. Historically we may conclude that major IT projects may have a Medium to High likelihood of going way over budget, of not meeting deadlines and/or of achieving poor quality outcomes
  • We are initially rating likelihood in the absence of controls and then we will build in a rating of the controls. When we identify controls we are grouping them into 3 main groups (preventative, detective and reactive). When we are looking at the effect of controls on our likelihood rating we mainly look at preventative (and some detective), given that we are assuming that the risk has occurred. So we might say that the likelihood of a major IT project failing is High given the recent history of such projects in other institutions but then assess the excellent preventative controls (e.g. Tender selection processes, Project management) will reduce the likelihood to Low. If we talk in this manner we are constantly putting the focus on the controls and particularly on prevention, which is what is desirable.


Risk Impact Ratings

Impacts can be described in a number of ways. A risk can have consequences in terms of:

  • Financial
  • Human Impact
  • Interruption to Business
  • Interruption to Teaching
  • Interruption to Research
  • Harm to the Environment
  • Damage to Reputation and Image

 

Each impact can be rated, in terms of its severity, from VERY HIGH to VERY LOW.

Table 2-Risk Impact Ratings provides a summary of each type of risk consequence relevant to the University, as well as the severity ratings for each.

If more than one impact type applies to a particular risk, then the highest identified impact rating should be used.

IMPACTS

  • Financial
  • Human: Injury/Illness; Faculty/Staff Experience
  • Interruption: Business Interruption; Interruption to Teaching; Interruption to Research
  • Environmental
  • Reputation/Image

Please click here to see Table 2 - Risk Impact Ratings.


How to use this Impact Rating Chart:

  • We are assessing the Impact of the risk assuming that it has occurred
  • Think first about the main types of impacts that would accrue if the risk did occur. Then, for each of the types selected, choose the example that best equates to what you think the impact would be. We will then rate the risk impact to the highest of these choices
  • As we go we may choose to augment this table with specific examples that make it easier for us to rate and also may mean more to the university proper when we socialize this document
  • We are rating to the most probable worst case, which can be tricky sometimes, but we will work our way through the first examples and settle into a pattern. The most important thing is consistency
  • We are initially rating impacts in the absence of controls and then we will build in a rating of the controls. When we identify controls we are grouping them into 3 main groups (preventative, detective and reactive). When we are looking at the effect of controls on our impact rating we mainly look at reactive (and some detective), given that we are assuming the risk has occurred. So we might say that a major breach of the privacy act would result in a Medium Inherent impact ($500,000 fine) but that we have good reactive controls (e.g. insurance) that would reduce the net impact to Low or even Very Low. If we talk in this manner we are constantly putting focus on the controls, which is what is desirable.
