Your browser currently has JavaScript turned off, which means that Digital.govt.nz might not display properly on your device. It’s easy to turn JavaScript on - find out how to enable JavaScript in your browser.

Setting up a successful risk assessment

At each step of the risk assessment process, it’s important to consult the right people, inside and outside of your organisation, and communicate effectively.

Consult the right people — stakeholders

If you do not have the people who understand the business and technical contexts, you might be unable to identify the risks. This would defeat the purpose of a risk assessment.

When to seek out stakeholders

Good moments to identify the stakeholders of an information system are when you’re:

classifying its data
establishing its business context
finding its technical context
monitoring and reviewing its risks on a regular basis
aware that its stakeholders have changed.

Dialogues over monologues

It’s important for everyone to have the right attitude — communicating in the spirit of consultation. When writing or speaking with each other, make sure it’s a 2-way instead of 1-way flow of information.

Communicate effectively with stakeholders

Having stakeholders writing and speaking effectively with each other is essential to a successful risk assessment. When working together well, you’ll be able to:

identify the risks to an information system instead of missing them
make the appropriate decisions when evaluating and treating the risks your team has identified and analysed.

Example template for risk assessments

The Government Chief Digital Officer (GCDO) has an example template of a risk assessment in case you need some help working through the process.

Risk assessment process: report template (Word 264KB)

Tips for communicating during risk assessments

Each stakeholder’s perception of a risk can vary significantly. People are likely to make judgements on the acceptability of the risk based on their own experience of it.

This is okay — you just need to make sure their perceptions of an information system, both its risks and benefits, are documented. The key here is to understand and address their reasons for each position instead of avoiding them.

Tips for sending information to many stakeholders

People will have different levels of experience with an information system, its risks and its benefits. To be effective in sending information to many stakeholders about the management of risks, all information should have the following traits.

Clear and concise

Take the time to edit your writing to be short and to the point. Avoid unnecessary details or repetition.

Useful

Make it relevant to the people receiving your writing. Technical information that is too detailed or sent to non-technical stakeholders will likely get in the way of seeing a clear view of risks.

Timely

This allows you and your team to make decisions and take actions at the right time in the risk assessment process.

Targeted

So that people can make informed decisions, put together information:

at the right level of detail
without hiding the root cause of a risk
with the audience in mind, adapting it for them.

Controlled

Only people with a genuine need to know should have access to:

risk reports
risk management plans
the risk register.

JavaScript is currently turned off in your browser — this means you cannot submit the feedback form. It’s easy to turn on JavaScript — Learn how to turn on JavaScript in your web browser.

If you’re unable to turn on JavaScript — email your feedback to info@digital.govt.nz.

Was this page helpful?

Yes No Partly

Thanks, do you want to tell us more?

Do not enter personal information. All fields are optional.

What did you come here to do?

How can we improve this information?

Last updated 10 October 2022