ICT Risk management

The table below provides a range of risk management tools and techniques currently available to the Queensland Government. See the ICT Risk matrix to find rating scales for risk likelihood and risk consequences for systems (application and technology assets).

If you have any additional resources you think we should add, please email qgea@qld.gov.au.

Information, application and technology asset risk management

Digital and ICT best practice methodologies

(Government login required)

Provides techniques to assess the current risk of all assets based on the business impact and technical condition of each asset. Detailed assessment criteria are available to calculate the business impact and technical condition of information, application and technology assets individually. The business impact indicates the consequences to the business should the asset fail or become unavailable.

ICT sourcing and procurement risk management

ICT-as-a-service decision making framework

Provides criteria and guidance to help an agency determine, via a risk assessment, whether an ICT workload (system, application or data) is suitable for cloud delivery.

Helps departments select the appropriate method for procurement depending on the level of risk and expenditure.

Portfolio risk management (initiative prioritisation)

Portfolio Management Methodology

(Government login required)

Based on ISO 31000:2009 Risk management: Principles and guidelines.

Provides attractiveness and achievability criteria that consider the key risks to initiatives delivering the organisation's strategic objectives, and gives an indication of the order in which initiatives should be implemented.

Information risk management best practice guidelines (PDF, 134.07 KB)

This guideline details a risk management process to prioritise and plan for implementation of QGEA policies and information standards.

Digital and ICT best practice methodologies

(Government login required)

Provides additional attractiveness and achievability criteria that extend those in the Portfolio Management Methodology. It also provides a technique for ranking initiatives: a mathematical formula calculates, for each initiative, the linear distance along the diagonal of the priority grid model from the optimum score (5 for attractiveness and 5 for achievability) to zero, so that initiatives closest to the optimum rank first.
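The ranking technique above, as an added example (not the methodology's own material): each initiative is scored 1–5 on attractiveness and achievability, its straight-line distance from the optimum corner (5, 5) is computed, and initiatives are ordered from nearest to furthest. The use of Euclidean distance, the 1–5 scale, the tie-break rule and the normalised priority index are assumptions about how the methodology's "linear distance" is computed; the published formula may differ, and the initiatives in the sample are constructed for illustration.

```python
"""Priority-grid ranking by distance from the optimum score.

Added example, not the methodology's own code. Assumptions (not taken from the
page): scores are on a 1-5 scale, distance is straight-line (Euclidean)
distance from the optimum corner (5, 5), and ties are broken by higher
attractiveness, then by name.
"""
import math
from typing import List, NamedTuple

MAX_SCORE = 5                                  # optimum for each criterion (assumed scale)
MIN_SCORE = 1                                  # lowest valid score (assumed scale)
MAX_DISTANCE = math.hypot(MAX_SCORE, MAX_SCORE)  # distance from (5, 5) to (0, 0) on the grid


class Initiative(NamedTuple):
    name: str
    attractiveness: float
    achievability: float


def _check_score(value: float, label: str) -> None:
    # Reject scores outside the grid so a typo (e.g. 50 instead of 5) does not
    # silently sink or float an initiative in the ranking.
    if not (MIN_SCORE <= value <= MAX_SCORE):
        raise ValueError(f"{label} must be between {MIN_SCORE} and {MAX_SCORE}, got {value}")


def distance_from_optimum(attractiveness: float, achievability: float) -> float:
    """Straight-line distance from the optimum corner (5, 5); 0.0 is the optimum."""
    _check_score(attractiveness, "attractiveness")
    _check_score(achievability, "achievability")
    return math.hypot(MAX_SCORE - attractiveness, MAX_SCORE - achievability)


def priority_index(attractiveness: float, achievability: float) -> float:
    """Normalised priority in [0, 1]: 1.0 at the optimum, 0.0 at the grid origin."""
    return 1.0 - distance_from_optimum(attractiveness, achievability) / MAX_DISTANCE


def rank_initiatives(initiatives: List[Initiative]) -> List[Initiative]:
    """Order initiatives from closest to furthest from the optimum.

    Ties on distance are broken in favour of the higher attractiveness score,
    then alphabetically by name (assumed tie-break rule).
    """
    return sorted(
        initiatives,
        key=lambda i: (distance_from_optimum(i.attractiveness, i.achievability),
                       -i.attractiveness,
                       i.name),
    )


# Constructed sample portfolio for illustration only.
SAMPLE_INITIATIVES = [
    Initiative("A", attractiveness=4, achievability=4),  # distance ~1.41
    Initiative("B", attractiveness=5, achievability=2),  # distance 3.00
    Initiative("C", attractiveness=2, achievability=5),  # distance 3.00 (tie with B)
    Initiative("D", attractiveness=3, achievability=3),  # distance ~2.83
]


if __name__ == "__main__":
    for rank, init in enumerate(rank_initiatives(SAMPLE_INITIATIVES), start=1):
        d = distance_from_optimum(init.attractiveness, init.achievability)
        p = priority_index(init.attractiveness, init.achievability)
        print(f"{rank}. {init.name}: attractiveness={init.attractiveness} "
              f"achievability={init.achievability} distance={d:.2f} priority={p:.2f}")
```

Because the distance is symmetric in the two criteria, an initiative that is highly attractive but hard to achieve (B) and one that is easy to achieve but unattractive (C) score identically; the tie-break rule is what decides their order, so agree that rule before the ranking is presented.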

QGEA policy implementation prioritisation

QGEA implementation prioritisation technique guideline

Provides a technique using assessments of attractiveness and achievability to prioritise implementation of QGEA policies. The attractiveness assessment examines the contribution the policy makes to current whole-of-government and departmental business direction, benefits realisation and risk mitigation. Achievability examines the likelihood of successful implementation based on the department’s current capability and capacity.

Project and program risk management

Project management methodology

(Government login required)

Based on ISO 31000:2009 Risk management: Principles and guidelines.

Provides information on managing risks throughout a project lifecycle, based on the 'continued business justification' principle.

Program Management Methodology

(Government login required)

Provides information on managing risks relating to programs and is based on nine principles that should underpin successful risk management within a program.

ICT project and program assurance

Establishes a consistent assurance process to manage risk and improve confidence in information regarding programs and projects. Provides nine criteria and techniques to calculate an initiative's assurance profile level, which uncovers areas of risk for further analysis.

Privacy impact assessment process

The Office of the Information Commissioner has issued a number of useful processes and guidelines for conducting privacy impact assessments for projects.

Queensland Government Program Evaluation Guidelines

The Queensland Government Program Evaluation Guidelines outline a set of broad principles to underpin the planning and implementation of evaluations for programs funded by the Queensland Government. For further information please contact PEG@treasury.qld.gov.au.

Information security risk management

Queensland Government Information Security Classification Framework (QGISCF)

Provides techniques for agencies to undertake a security impact assessment for information assets based on standard criteria.

The assessment results in a determination of the most appropriate security classification (either national or non-national classifications) for the information assessed.

Queensland Government Authentication Framework (QGAF)

Provides a process that allows agencies to evaluate the risk associated with a service and determine the appropriate level of authentication assurance required.

AS/NZS ISO/IEC 27005:2012 Information technology - Security techniques - Information security risk management (ISO/IEC 27005:2011, MOD)

Provides guidance on information security risk management. Note that the international standard has since been revised (ISO/IEC 27005:2018 and ISO/IEC 27005:2022); check which edition applies before relying on it.

Workforce planning risk management

Workforce planning methodology

Provides information about the risks associated with not undertaking workforce planning, and about gaps in workforce competencies.

Risk management capability

None currently identified. If you would like to discuss this area of risk, please email qgea@qld.gov.au.

Cloud solution

Cloud solution risk framework template

(Government login required)

Provides a template to conduct a risk assessment for providing a cloud solution in your organisation.