Risk assessments for government organisations

About risk assessments

Risk assessments help government organisations in New Zealand to make sure they can understand, prioritise and manage security risks.

Setting up a successful risk assessment

At each step of the risk assessment process, it’s important to consult the right people, inside and outside of your organisation, and communicate effectively.

Business context

Understand how the system fits in your organisation so you can judge how important the information is.

Technical context

Find the technical context of an information system to get a basic understanding of its current security position — this way, you can know whether a change makes that position better or worse.

Identify the risks

Create a full list of events that may prevent, degrade or delay your organisation in achieving its business objectives.

• Run a workshop with stakeholders
• Describe the risk scenarios
• List the causes of each risk and the impacts if they happen

Analyse the risks

Carry out impact and likelihood assessments, listing the existing controls, to find the risk ratings for an information system.

• Using risk scales and matrices for your organisation
• Assess the impacts of risks happening
• Assess the likelihood of risks happening
• Find the initial risk ratings
• List the existing controls for each risk
• Find the final risk ratings

Prioritise the risks

Find out which risks need to be evaluated and in which order of priority.

Evaluate the risks

The business owner must select an action and controls for each risk, and sign off on the risk assessment report — using it to manage the risks to the information system.

Next step — use the risk assessment report

The business owner makes sure the controls recommended in the risk assessment report are implemented.