Risk Assessment Process Template


Risk Assessment Process Report Template

All-of-Government Risk Assessment Process: Report Template February 2014 1


Crown copyright ©. This copyright work is licensed under the Creative Commons Attribution 3.0 New Zealand licence. In essence, you are free to copy, distribute and adapt the work, as long as you attribute the work to the Department of Internal Affairs and abide by the other licence terms. To view a copy of this licence, visit http://creativecommons.org/licenses/by/3.0/nz/. Please note that neither the Department of Internal Affairs emblem nor the New Zealand Government logo may be used in any way which infringes any provision of the Flags, Emblems, and Names Protection Act 1981 or would infringe such provision if the relevant use occurred within New Zealand.

Attribution to the Department of Internal Affairs should be in written form and not by reproduction of the Department of Internal Affairs emblem or New Zealand Government logo.



Glossary of Terms

Availability: Ensuring that authorised users have timely and reliable access to information.
Confidentiality: Ensuring that only authorised users can access information.
Consequence: The outcome of an event. The outcome can be positive or negative; however, in the context of information security it is usually negative.
Control: A risk treatment implemented to reduce the likelihood and/or impact of a risk.
Gross Risk: The risk without any risk treatment applied.
Impact: See Consequence.
Information Security: Ensures that information is protected against unauthorised access or disclosure (confidentiality) and unauthorised or improper modification (integrity), and can be accessed when required (availability).
Integrity: Ensuring the accuracy and completeness of information and information processing methods.
Likelihood: See Probability.
Probability: The chance of an event occurring.
Residual Risk: The risk remaining after the risk treatment has been applied.
Risk: The effect of uncertainty on the business objectives. The effect can be positive or negative; however, in the context of information security it is usually negative.
Risk Appetite: The amount of risk that the organisation is willing to accept in pursuit of its objectives.
Risk Owner: A person or entity with the accountability and authority to manage a risk. Usually the business owner of the information system or service.
Stakeholder: A person or organisation that can affect, be affected by, or perceive themselves to be affected by a risk eventuating.
Threat: A potential cause of a risk.
Vulnerability: A weakness in an information system or service that can be exploited by a threat.
Recovery Point Objective (RPO): The earliest point in time that is acceptable to recover data from. The RPO effectively specifies the amount of data loss that is acceptable to the business.
Recovery Time Objective (RTO): The amount of time allowed for the recovery of an information system or service after a disaster event has occurred. The RTO effectively specifies the amount of time that it is acceptable to the business to be without the system.
Acceptable Interruption Window (AIW): The maximum period of time that an information system or service can be unavailable before compromising the achievement of the agency's business objectives.



Contents

Glossary of Terms 3
1 Executive Summary 5
2 Business Context 7
3 Detailed Findings 9
4 Controls Catalogue 10
5 Controls to Risks Mapping 11
Appendix A – Risk Assessment Guidelines 12
  Impact (Consequences) Assessment 12
  Likelihood (Probability) Assessment 14
  Risk Matrix 15
  Escalation of Risk 15

Table of tables

Table 1 – Gross Risks
Table 2 – Residual Risks
Table 3 – Risk Details
Table 4 – Controls Catalogue
Table 5 – Controls to Risk Mapping
Table 6 – Impact Scale
Table 7 – Likelihood Scale
Table 8 – Risk Matrix
Table 9 – Risk Escalation and Reporting



1 Executive Summary
Introduction
This report presents the findings of an information security risk assessment of the <information
system or project name>. The risk assessment followed the <agency name> risk assessment
process, which is based on the AS/NZS ISO 31000:2009 and ISO/IEC 27005:2011 risk management
standards.

Findings and Recommendations


A total of <XX> risks were identified during the risk assessment process. Table 1 illustrates the rating
of each risk without any controls in place:

Table 1 – Gross Risks

                                     Likelihood
Impact          Almost    Possible but   Possible    Highly      Almost
                Never     Unlikely                   Probable    Certain
Severe            15         19            22          24          25
Significant       10         14            18          21          23
Moderate           6          9            13          17          20
Minor              3          5             8          12          16
Minimal            1          2             4           7          11

<Provide a high-level overview of the findings and recommendations>

Table 2 illustrates the expected residual rating of each of the identified risks if all the recommended
controls are implemented and appropriately configured and managed:



Table 2 – Residual Risks

                                     Likelihood
Impact          Almost    Possible but   Possible    Highly      Almost
                Never     Unlikely                   Probable    Certain
Severe            15         19            22          24          25
Significant       10         14            18          21          23
Moderate           6          9            13          17          20
Minor              3          5             8          12          16
Minimal            1          2             4           7          11



2 Business Context
This section provides an overview of the business context of the <information system or service
name> that is in scope of this information security risk assessment.

Business Owner
The business owner of the service is:
<Full Name>
<Job Title>
<Business Unit>
<Organisation>

Technical Owner
The technical owner of the service is:
<Full Name>
<Job Title>
<Business Unit>
<Organisation>

Other Stakeholders
Additional business stakeholders for the service are:
<Full Name>
<Job Title>
<Business Unit>
<Organisation>

<Full Name>
<Job Title>
<Business Unit>
<Organisation>

Information Classification
<Document the classification of the information stored, processed and/or transmitted by the
information system/service based on the classification scheme presented in Security in the
Government Sector (SIGS) 2002>

Business Processes Supported


<Provide an overview of the business processes supported by the information system/service>

Business Impact
<Describe the business impact if the confidentiality, integrity, availability or privacy of the information
stored, processed or transmitted by the information system/service were compromised. Define and
document the maximum level of impact based on the impact rating table defined in Appendix X>

Users
<Document each user type and describe the access that they have to information within the information
system/service>:
• <User Type A> – <description of how they access and use the service, together with the level
of permissions that they have>.
• <User Type B> – <description of how they access and use the service, together with the level
of permissions that they have>.
• <User Type C> – <description of how they access and use the service, together with the level
of permissions that they have>.

Security Requirements
<Document the business owner’s security requirements for the information system/service in terms of
the Confidentiality, Integrity and Availability (CIA) requirements and any other relevant legislation
etc.>

Information Protection Priorities
<Document the business owner’s information protection priorities for the information system/service
based on the following scale:

0: Irrelevant/not applicable
1: Unimportant
2: Some importance
3: Important
4: Highly Important
5: Critical>

Attribute          Priority Rating
Confidentiality
Integrity
Availability
Privacy



3 Detailed Findings
This section provides details of the risks identified during the risk assessment for the <information system/service name>.
Table 3 – Risk Details

Columns: Risk ID | Risk Description | Key Risk Drivers | Consequence |
Gross Risk (Likelihood, Impact, Risk Rating) | Recommended Controls |
Residual Risk (Likelihood, Impact, Risk Rating)

R01.
R02.



4 Controls Catalogue
Table 4 – Controls Catalogue

Columns: Number | Title | Description | Reduces | NZISM Reference(s)

C1.
C2.
C3.
C4.
C5.
C6.
C7.
C8.
C9.
C10.



5 Controls to Risks Mapping
Table 5 – Controls to Risk Mapping

Columns: No. | Control | Risk(s)

C1
C2
C3
C4
C5
C6
C7
C8
C9
C10



Appendix A – Risk Assessment Guidelines
Risk Statements
It is important to clearly describe risks so that they can be assessed and evaluated. Assessing the
likelihood and impact of a risk stated as “Fraud may occur” is difficult, if not impossible, as there is
limited information on which to base the assessment. However, assessing the same risk stated as
“An employee commits fraud resulting in financial loss and reputational damage as fraud detection
processes within the information system and business processes are not robust” is straightforward.

Therefore (where possible) the description of risks identified should use the following structure:

An <uncertain event> occurs, leading to <effect on objectives>, as a result of <definite cause>.

For example:
• “A malicious party gains unauthorised access to information stored in the system by
performing a brute force password guessing attack as the organisation’s password and
account lockout policies are not enforced”; or

• “The loss of a laptop leads to official information being disclosed to an unauthorised party,
and reputational damage to the Minister and agency as a disk encryption solution has not
been deployed to all laptop devices”.

The risk identification phase should include an examination of the knock-on effects of the consequences
of the identified risks, including their cascade and cumulative effects.

Rating Risk
The likelihood and impacts of the risks will be rated using the simple qualitative scales documented
below. The identified risks should be assessed with no controls in place. This will provide the gross
risk rating and enable the effectiveness of the proposed controls to be assessed.

Impact (Consequences) Assessment


The qualitative scale used to assign an impact rating is presented in Table 6. All impacts need to be
seen in a business context, and be informed by the business. The effect of a risk event materialising
must be assessed using the agency’s approved risk rating scales. If a risk has multiple potential
consequences then the impact with the largest effect must be used to rate the risk. However, where
multiple consequences for a single risk are assessed at the same level, the impact may be evaluated
as being higher than the individual impact statements (e.g., a risk that has two moderate impacts
might be judged to have a significant impact when they are combined). Rating the impact of a risk
should include a consideration of any possible knock-on effects of the consequences of the identified
risks, including cascade and cumulative effects.



Table 6 – Impact Scale

Columns: Rating | Description | Reputation | Health and Safety | Service Delivery | Financial

5 Severe
  Reputation:
  • The agency suffers severe political and/or reputational damage that it cannot easily recover from.
  • The Government suffers severe negative reputational impact, and the Prime Minister loses confidence in the Minister and/or the agency’s senior management.
  • Minister and Chief Executive need to be briefed and regularly updated.
  • Media interest is sustained for a prolonged period (i.e., over a week) with major criticism levelled at the Minister and/or the agency.
  • The agency breaches multiple laws, which leads to legal action by affected stakeholders.
  • External/independent investigation is commissioned by the SSC, GCIO or OPC.
  • The SSC and GCIO manage the communications and recovery.
  Health and Safety:
  • Loss of life.
  • Major health and safety incident involving members of staff and/or members of the public.
  • The injured party or parties suffer major injuries with long-term effects that leave them permanently affected.
  • An external authority investigates the agency’s safety practices and the agency is found to be negligent.
  Service Delivery:
  • Severe compromise of the strategic objectives and goals of the agency.
  • Severe compromise of the strategic objectives of the NZ Government or other agencies.
  • Severe on-going impact on service delivery across NZ Government or multiple agencies.
  • Skills shortages severely affect the ability of the agency to meet its objectives and goals.
  • Staff work hours are increased by more than 50% (20 hours per week) for more than 30 days.
  • A 10% or more increase in staff turnover in a six-month period that can be directly attributed to the risk eventuating.
  Financial:
  • Impact cannot be managed without additional funding from government.
  • Impact cannot be managed without significant extra human resources.
  • Yearly operating costs increase by more than 12%.
  • One-time financial cost greater than $100,000.

4 Significant
  Reputation:
  • The agency suffers significant political and/or reputational damage.
  • Minister suffers reputational damage and loses confidence in the agency’s senior management.
  • Minister and Chief Executive need to be briefed and regularly updated.
  • Media interest is sustained for up to a week with minor criticism levelled at the agency.
  • Key stakeholders need to be informed and kept up to date with any developments that affect them.
  • The agency breaches the law, which leads to legal action by affected stakeholders.
  • External/independent investigation is commissioned by the SSC, GCIO or OPC.
  • Communications and recovery can be managed internally with strong guidance from the SSC and GCIO.
  Health and Safety:
  • A significant health and safety incident involving multiple members of staff and/or members of the public.
  • The injured party or parties suffer significant injuries with long-term effects that leave them permanently affected.
  • An external authority investigates the agency’s safety practices and the agency is found to be inadequate.
  Service Delivery:
  • Significant compromise of the strategic objectives and goals of the agency.
  • Compromise of the strategic objectives of the NZ Government or other agencies.
  • Significant on-going impact on service delivery across one or more business units or multiple agencies.
  • Skills shortages affect the ability of the agency to meet its objectives and goals.
  • Staff work hours are increased by more than 38% (10 – 15 hours per week) for 30 days.
  • Between a 3% and 10% increase in staff turnover in a six-month period that can be directly attributed to the risk eventuating.
  Financial:
  • Impact cannot be managed without re-prioritisation of work programmes.
  • Impact cannot be managed without extra financial and human resources.
  • Yearly operating costs increase by 10% to 12%.
  • One-time financial cost between $50,000 and $100,000.

3 Moderate
  Reputation:
  • Agency suffers limited political and/or reputation damage.
  • Minister is informed and may request to be briefed.
  • The Chief Executive and senior management need to be briefed and regularly updated.
  • The agency breaches its compliance obligations.
  • Media interest is sustained for less than a week with minor criticism levelled at the agency.
  • Key stakeholders need to be informed and kept up to date with any developments that affect them.
  • External/independent investigation is commissioned by the agency.
  • Most communications and recovery can be managed internally with some guidance from the GCIO.
  Health and Safety:
  • Health and safety incident involving multiple members of staff or one or more members of the public.
  • The injured party or parties suffer injuries with long-term effects and are not permanently affected.
  • The agency’s safety practices are questioned and found to be inadequate.
  Service Delivery:
  • Compromise of the strategic objectives and goals of the agency.
  • Moderate impact on service delivery across one or more business units due to prolonged service failure.
  • Staff work hours are increased by less than 25% (8 – 10 hours per week) for a two to four week period.
  • Between a 1% and 3% increase in staff turnover in a six-month period that can be directly attributed to the risk eventuating.
  Financial:
  • Impact can be managed with some re-planning and modest extra financial or human resources.
  • Yearly operating costs increase by 7% to 10%.
  • One-time financial cost of $20,000 to $50,000.

2 Minor
  Reputation:
  • Senior management and/or key stakeholders believe that the agency’s reputation has been damaged.
  • The Chief Executive needs to be advised.
  • Senior management needs to be briefed.
  • Media interest is short-lived (i.e., a couple of days) and no blame is directed at the agency.
  • Key stakeholders need to be informed.
  • Communications and recovery can be managed internally.
  Health and Safety:
  • Minor health and safety incident involving multiple members of staff or a member of the public.
  • The injured party or parties suffer minor injuries with only short-term effects and are not permanently affected.
  Service Delivery:
  • Minor impact on service delivery across one or more branches due to brief service failure.
  • Limited effect on the outcomes and/or objectives of more than one business unit.
  • Staff work hours are increased by less than 15% (6 hours per week) for less than two weeks.
  • Less than a 1% increase in staff turnover in a six-month period that can be directly attributed to the risk eventuating.
  Financial:
  • Impact can be managed within current resources, with some re-planning.
  • Increase of between 5% and 7% in yearly operating costs.
  • One-time financial cost between $10,000 and $20,000.

1 Minimal
  Reputation:
  • Reputation is not affected.
  • No questions from the Minister.
  • No media attention.
  • All communications and recovery can be managed internally.
  Health and Safety:
  • No loss or significant threat to health or life.
  • The agency’s safety practices are questioned but are found to be appropriate.
  Service Delivery:
  • Limited effect on the outcomes and/or objectives of a business unit.
  • Staff work hours are increased by less than 5% (1 – 2 hours per week) for less than seven days.
  • No increase in staff turnover as a result of the risk eventuating.
  Financial:
  • Impact can be managed within current resources, with no re-planning.
  • Increase of less than 5% in yearly operating costs.
  • One-time financial cost of less than $10,000.



Likelihood (Probability) Assessment
The qualitative scale used to assign a likelihood rating is presented in Table 7 below. Where information is
available about the frequency of an incident in the past it should be used to determine the likelihood of the
risk eventuating. However, where such information does not exist it does not necessarily mean that the
likelihood of the risk eventuating is low. It may merely indicate that there are no controls in place to detect it or
that the agency has not previously been exposed to the particular risk.

Table 7 – Likelihood Scale

Rating | Description | Meaning

5 | Almost Certain | It is easy for the threat to exploit the vulnerability without any specialist skills or resources, or it is expected to occur within 1 – 6 months.
4 | Highly Likely | It is feasible for the threat to exploit the vulnerability with minimal skills or resources, or it is expected to occur within 6 – 12 months.
3 | Possible | It is feasible for the threat to exploit the vulnerability with moderate skills or resources, or it is expected to occur within 12 – 36 months.
2 | Possible but Unlikely | It is feasible but would require significant skills or resources for the threat to exploit the vulnerability, or it is expected to occur within 3 – 5 years.
1 | Almost Never | It is difficult for the threat to exploit the vulnerability, or it is not expected to occur within 5 years.



Risk Matrix
Table 8 presents a 5x5 matrix for assigning a risk rating to a risk. It is used by mapping the likelihood and
impact ratings: the rating is the value in the cell where the likelihood and impact ratings intersect.

Table 8 – Risk Matrix

                                     Likelihood
Impact          Almost    Possible but   Possible    Highly      Almost
                Never     Unlikely                   Probable    Certain
Severe            15         19            22          24          25
Significant       10         14            18          21          23
Moderate           6          9            13          17          20
Minor              3          5             8          12          16
Minimal            1          2             4           7          11
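The matrix lookup above, together with the Appendix A rule for a risk with several consequences (rate on the largest; a tie at the top level may be judged one level higher) and the Table 1 / Table 2 practice of placing risk IDs on the matrix, as an added worked example in Python. This is not part of the template; the two sample risks reuse the Risk Statements examples with constructed (notional) likelihood and impact ratings, and the function names and `escalate_ties` flag are assumptions of this example.

```python
"""Rate risks with the All-of-Government 5x5 matrix (Table 8) and Appendix A rules."""
from typing import Dict, List, Sequence, Tuple

LIKELIHOOD = {1: "Almost Never", 2: "Possible but Unlikely", 3: "Possible",
              4: "Highly Probable", 5: "Almost Certain"}
IMPACT = {1: "Minimal", 2: "Minor", 3: "Moderate", 4: "Significant", 5: "Severe"}

# Table 8: MATRIX[impact][likelihood - 1] is the cell value (1 = lowest, 25 = highest).
MATRIX = {5: [15, 19, 22, 24, 25],
          4: [10, 14, 18, 21, 23],
          3: [6, 9, 13, 17, 20],
          2: [3, 5, 8, 12, 16],
          1: [1, 2, 4, 7, 11]}


def combined_impact(impacts: Sequence[int], escalate_ties: bool = False) -> int:
    """Appendix A: rate on the consequence with the largest effect. Where two or more
    consequences tie at the top level the assessor MAY judge the combined impact one
    level higher (capped at Severe); escalate_ties records that judgement call."""
    if not impacts or any(i not in IMPACT for i in impacts):
        raise ValueError("impacts must be one or more ratings in 1..5")
    top = max(impacts)
    if escalate_ties and list(impacts).count(top) > 1:
        return min(top + 1, 5)
    return top


def risk_rating(likelihood: int, impact: int) -> int:
    """Table 8 lookup: the cell where the likelihood and impact ratings intersect."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must each be in 1..5")
    return MATRIX[impact][likelihood - 1]


def rate_register(risks: List[Tuple[str, int, Sequence[int], int, Sequence[int]]]
                  ) -> Dict[str, Dict[str, int]]:
    """risks: (id, gross likelihood, gross impacts, residual likelihood, residual impacts).
    Gross is rated with no controls in place; residual assumes the recommended controls."""
    out: Dict[str, Dict[str, int]] = {}
    for rid, gl, gi, rl, ri in risks:
        out[rid] = {"gross": risk_rating(gl, combined_impact(gi)),
                    "residual": risk_rating(rl, combined_impact(ri))}
    return out


def matrix_view(placements: Dict[str, Tuple[int, int]]) -> str:
    """Render the Table 1 / Table 2 view: each risk ID written into the matrix cell
    for its (likelihood, impact)."""
    cells: Dict[Tuple[int, int], List[str]] = {}
    for rid, (lk, im) in placements.items():
        cells.setdefault((im, lk), []).append(rid)
    rows = ["Impact".ljust(14) + "".join(LIKELIHOOD[l][:12].ljust(14) for l in range(1, 6))]
    for im in range(5, 0, -1):
        row = IMPACT[im].ljust(14)
        for lk in range(1, 6):
            row += (str(MATRIX[im][lk - 1]) + " " + ",".join(cells.get((im, lk), []))).ljust(14)
        rows.append(row.rstrip())
    return "\n".join(rows)


# Constructed register (notional ratings): R01 = brute-force password guessing, gross L5/I4,
# residual L2/I4 once lockout and password policies are enforced; R02 = laptop loss with two
# Moderate consequences (disclosure, reputation), residual L3/I1 with full-disk encryption.
SAMPLE = [("R01", 5, [4], 2, [4]), ("R02", 3, [3, 3], 3, [1])]

if __name__ == "__main__":
    print(rate_register(SAMPLE))
    print(matrix_view({rid: (gl, combined_impact(gi)) for rid, gl, gi, _, _ in SAMPLE}))
```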

Escalation of Risk
Table 9 below provides an example of a risk escalation and reporting table. It defines who must be informed
of, and who has authority to accept, a risk based on its magnitude.

Table 9 – Risk Escalation and Reporting

Risk escalation and reporting levels for each level of risk:

Zone 4 | Chief Executive
Zone 3 | Senior Leadership Team
Zone 2 | Business Owner
Zone 1 | Service Manager or Project Manager

