Setting up a successful risk assessment

At each step of the risk assessment process, it’s important to consult the right people, inside and outside of your organisation, and communicate effectively.

Consult the right people — stakeholders

If you do not have people who understand the business and technical contexts, you might be unable to identify the risks. This would defeat the purpose of a risk assessment.

When to seek out stakeholders

Good moments to identify the stakeholders of an information system are when you’re:

Dialogues over monologues

It’s important for everyone to have the right attitude — communicating in the spirit of consultation. When writing or speaking with each other, make sure it’s a 2-way instead of 1-way flow of information.

Communicate effectively with stakeholders

Having stakeholders writing and speaking effectively with each other is essential to a successful risk assessment. When working together well, you’ll be able to:

  • identify the risks to an information system instead of missing them
  • make the appropriate decisions when evaluating and treating the risks your team has identified and analysed.

Example template for risk assessments

The Government Chief Digital Officer (GCDO) has an example template of a risk assessment in case you need some help working through the process.

Risk assessment process: report template (Word 264KB)

Tips for communicating during risk assessments

Each stakeholder’s perception of a risk can vary significantly. People are likely to make judgements on the acceptability of the risk based on their own experience of it.

This is okay — you just need to make sure their perceptions of an information system, both its risks and benefits, are documented. The key here is to understand and address their reasons for each position instead of avoiding them.

Tips for sending information to many stakeholders

People will have different levels of experience with an information system, its risks and its benefits. To be effective in sending information to many stakeholders about the management of risks, all information should have the following traits.

Clear and concise

Take the time to edit your writing to be short and to the point. Avoid unnecessary details or repetition.

Useful

Make it relevant to the people receiving your writing. Technical information that is too detailed, or that is sent to non-technical stakeholders, will likely get in the way of a clear view of the risks.

Timely

This allows you and your team to make decisions and take actions at the right time in the risk assessment process.

Targeted

So that people can make informed decisions, put together information:

  • at the right level of detail
  • without hiding the root cause of a risk
  • with the audience in mind, adapting it for them.

Controlled

Only people with a genuine need to know should have access to:

  • risk reports
  • risk management plans
  • the risk register.
