TOOLKIT
Rev. 2009
CONTENTS
1. Introduction
2.
3. What is risk?
4.
5.
6. Process
7.
8.
9. Escalating risks
10.
11. Risk assessments
12. Risk registers
13. Summary
APPENDICES
1. Sources of risk
2. Glossary of terms
3. Business continuity
4. Partnerships
5.
6. Risk register
7.
1. INTRODUCTION
The diverse range of activities undertaken by the Council involves making decisions and
taking risks. Part of why KCC has been so successful is that it encourages and
supports well-managed risk taking, recognizing that innovation and opportunities to
improve public services require risk taking, provided that we have the ability, skills,
knowledge and training to manage those risks well. Risk management is therefore at the
heart of what we do.
We cannot always decide upon the activities with which we are involved. In the private
sector, high impact/high likelihood risks can be avoided by opting out of that part of the
business. In the public sector that option may not exist due to statutory responsibilities.
Risk management therefore plays an important role in helping to manage risks and
opportunities in a practical and cost effective manner.
Some risks will require very little management whereas others will require a more managed
and structured approach. This toolkit is designed to help in this process and describes a
simple methodology to maximise the opportunity to achieve expected results.
This toolkit will work through the following questions:
What do you want to achieve?
What can stop you achieving your target?
How big is the risk?
What is the chance of it happening?
What has been done about it?
What else do you need to do about it?
This toolkit is provided to assist with the management of operational risks; however, examples
of strategic risks are also provided for information.
Guidance is also provided on business continuity planning and the management of risks
within partnerships.
2. PROCESS
[Figure: process cycle. Labels: Identify Council objectives; 1. Identify; 2. Assess; Plan & action; Monitor and Review]
1. Identify
What could go wrong?
What type of risk is it?
What category is it?
When to think about risks?
2. Assess
RISK RATING MATRIX

| Likelihood \ Impact | 1 Minor | 2 Moderate | 3 Significant | 4 Serious | 5 Major |
|---|---|---|---|---|---|
| Very likely | 5 Low | 10 Medium | 15 Medium | 20 High | 25 High |
| Likely | 4 Low | 8 Medium | 12 Medium | 16 High | 20 High |
| Possible | 3 Low | 6 Low | 9 Medium | 12 Medium | 15 Medium |
| Unlikely | 2 Low | 4 Low | 6 Low | 8 Medium | 10 Medium |
| Very Unlikely | 1 Low | 2 Low | 3 Low | 4 Low | 5 Low |
3. WHAT IS RISK?
Put simply, business risk management is the culture, organizational structure and ongoing
processes of managing the risks around the provision of services or development of the local
economy. It's about getting the right balance between innovation and change on the one hand
and the avoidance of shocks and crises on the other in a consistent and systematic way.
Equally, risk management can also help identify opportunities and implement measures
aimed at increasing the prospects of success.
The benefits of a robust approach to risk management will help to manage risks so that:
KCC has published its Risk Management Strategy which describes the framework for
managing risk. A key element of this is to have a consistent approach in how we identify and
control risks through risk assessment. This is known as the process and is described in the
following sections.
You might find it useful to use problem solving techniques as you proceed through the stages
of the process.
5. RISK APPETITE / TOLERANCE THRESHOLDS
Before identifying and assessing risks consideration should be given to the amount and type
of risk that you can or are prepared to accept, tolerate, or can be exposed to at any point in
time. The level of risk that you are prepared to accept is known as your risk appetite. Within
KCC there will be many different risk appetites due to the diverse range of activities. For
example there may be zero appetite for taking risks in relation to activities associated with
child protection. For new initiatives there will likely be a greater appetite for risk taking in order
to bring about change. The level of risk appetite at any level will be dictated by the level of risk
appetite at the next senior level. The levels of appetite that can be taken at any one level
should be made clear and communicated. As a strict rule the risk appetite at one level must
never exceed that of any senior levels. Working with defined risk appetites is a developing
area and where this has not been confirmed it might be useful to use levels of authority as a
guide.
The degree of residual risk you are prepared to accept forms the basis of your tolerance
threshold and should be set below your risk appetite. Risks that exceed your predefined risk
appetite should not be allowed to exist. Risks that exceed your tolerance threshold should be
referred to senior management for instruction as to how to proceed. Risk appetite and
tolerance thresholds are not always easy to describe and are easier to apply to financial,
programme or project risks; however, by trying to describe and implement appetites and
tolerance thresholds you will demonstrate increased governance over risks. Appendix 5 can
be used as guidance.
6. PROCESS
[Figure: process diagram. Objectives and Risk Appetite / Tolerance thresholds, followed by four numbered stages:]
1 Risk Identification
What can happen?
How could it happen?
2 Risk Analysis
Determine the likelihood/impact in order
Estimate the level of risk
3 Plan & Implement
Determine how to treat the risk
4 Risk Monitoring
Monitor & review the effectiveness of controls and review the risk profile
The best people to identify and control risks are those who are directly responsible for the
activity. Ideally, the group identifying the risks should contain the risk owner i.e. the person
who will be responsible for actually designing and implementing controls and able to provide
early warning of difficulties.
Where activities and associated risks cut across other directorates, partners, external
organisations, etc it may be prudent to consult with them where they can influence the level of
risk, outcome or output.
8.
In order to manage risk it is necessary to know what risks exist or might occur. Understanding
where risks might exist and how to deal with them helps to ensure that all the positive things
we plan do happen and that we identify and prevent any of the negative things from occurring
that could stop or cause us to revise these plans or cause harm.
When thinking about risks you can look at events such as the failure of a database, criminal
prosecution, increase in demand for services or a process such as the management of health
and safety, financial control or client care management.
First, set out the objectives of the activity to be examined. It may help to have key documents
available such as the current annual business operating plan, medium term plan, project brief,
performance indicators etc. Using these documents you can start to identify your risks.
You should think about risks in terms of
Event
For example:
Consequence
Impact
As you proceed through this process you will start to build up a list of risks.
Risks can be broken down into two categories: strategic and operational.

Strategic risks are those arising from major events which could impact across the whole of
the Council e.g. major overspend or serious damage to the reputation of the Council. Their
sources of origin include:
Political
Economic
Social
Technological
Legislative
Environmental
Competitive
Customer/stakeholders

Operational risks are those arising from the day-to-day management of activities within
directorates and less likely to impact upon other directorates or the Council as a whole.
Their sources of origin include:
Professional
Financial
Legal
Physical
Contractual
Technological
Environmental
Most risks will fall into the operational category. The process for managing strategic and
operational risks is identical; however, accountability for strategic risks lies with the Chief
Executive Officer and the Chief Officers Group whereas operational risks lie with directorate
managers.
To help facilitate discussion the above sources of risk are expanded in Appendix 1.
Having compiled a list of risks it is necessary to assess which of these are going to pose the
greatest threat (or opportunity) and this is done by looking at both impact (what harm might
result from the risk) and likelihood (chance of the risk occurring).
When assessing risks you are simply looking at what might happen, the chances of it
happening and when. This assessment can be achieved through rating each risk. A 5x5
matrix is used for this purpose. By considering these factors and giving each risk a score you
will quickly be able to rank these and identify which need early and closer attention.

| Likelihood \ Impact | 1 Minor | 2 Moderate | 3 Significant | 4 Serious | 5 Major |
|---|---|---|---|---|---|
| Very likely | 5 Low | 10 Medium | 15 Medium | 20 High | 25 High |
| Likely | 4 Low | 8 Medium | 12 Medium | 16 High | 20 High |
| Possible | 3 Low | 6 Low | 9 Medium | 12 Medium | 15 Medium |
| Unlikely | 2 Low | 4 Low | 6 Low | 8 Medium | 10 Medium |
| Very Unlikely | 1 Low | 2 Low | 3 Low | 4 Low | 5 Low |
Each risk identified should first be scored according to the potential level of likelihood and
impact without controls to give the inherent risk value and then again with existing controls in
place and working to give the residual risk value (what is left). If there are no controls in
place the residual risk can only be scored as you proceed through stage 3.
Risks will fall into three categories:
LOW: 1 - 6
MEDIUM: 8 - 15
HIGH: 16 - 25
Identified risks should be recorded. If you are dealing with one particular activity it may be
appropriate to simply record details of risks within a risk assessment.
When recording risks across a range of activities a risk register should be prepared. Any entry
within a register can also be supported by a risk assessment which sets out any barriers to
success and describes controls in more detail to help monitor them. Templates are provided
in Appendix 6 & 7 for this purpose.
An example of an entry within a risk register at business unit level may be:
Ref No.:
Source: Building is located in a high crime area
Event: Break in leads to theft of IT systems resulting in the loss of information
Planned Outcome: Secure site
Accountable Manager: Assistant Director
Existing Controls: intruder alarm system
New Task / Actions:
Date:
Inherent rating: I=3, L=5, R=15 (MED)
Residual rating: I=3, L=3, R=9 (MED)
When a risk is recorded it should be given a reference number. This reference number should
remain with the risk until it no longer exists to provide an audit trail.
Risk Control
Having identified and assessed a risk it is then necessary to decide on what initial or further
action needs to be taken to control it or overcome barriers to ensure you achieve your
objective. The residual rating attributed to each risk should be rescored on the assumption
that the controls have been implemented and are effective.
Those risks with HIGH residual scores will need early and closer attention and should be
addressed as a priority. It may be that some high risks will remain HIGH even with controls in
place. These risks should be considered against your risk appetite and tolerance thresholds.
The level of tolerance should be established if not already done. For example the risk
tolerance line could be set where MEDIUM risks butt up against HIGH risks on the 5x5 matrix.
Any risks that exceed this tolerance threshold should be referred immediately to the next level
of management for guidance. Risks beyond the tolerance threshold can only be accepted with
the permission of the next level of management.
Tolerance
Only a workable number of risks should be focused upon at any one time - probably anything
up to 10. Hopefully there won't be many HIGH risks, in which case MEDIUM risks can also be
considered. Any remaining risks can be dealt with as more immediate risks drop out of the
top 10 once appropriate controls have been introduced and are working. As part of this
process you should identify which of the controls are more critical in terms of their
effectiveness. It may be helpful to list controls in order of their criticality.
Although those risks requiring early or closer attention have been identified there may be
other risks that are suitable for a quick fix and can be quickly and easily controlled. These
should be dealt with if possible particularly where they will have a real impact upon the overall
effectiveness of control measures.
The courses available to control risks are:
Tolerate
Treat
Transfer
Terminate
[Figure: decision flowchart. Evaluated level of risk; Accept with existing level of controls? Yes or No; Action: Tolerate, Treat, Transfer, Terminate]
Likelihood
Contract conditions
Process controls and inspections
Project management
Preventative maintenance
Effective internal controls
Supervision
Structured training programme
Any controls should always be proportional to the risk and over control avoided. Loss control
initiatives can be expensive and time consuming to initiate and it is therefore important to try
and ensure that they are likely to be successful and will not cost more than the losses they are
designed to avoid or mitigate.
Controls should be clearly described to avoid ambiguity and any obstacles or barriers that
might arise and affect them should be explored along with early warning indicators. Controls
should be recorded in the order of their criticality to the achievement of the outcome for
ease of identification.
Target dates for completion of aspects of control, reporting of progress etc should be made
clear and recorded where possible.
Some risks might seem too difficult to tackle because they are controversial, political, too big
or too specialist. These should not be avoided but dealt with in a positive but proportional
way by considering factors such as the opportunity to improve them, ease of improvement,
cost of improvement and breadth of community affected.
Even with controls some degree of residual risk may remain in which case business continuity
plans might need to be considered to reduce impact and ensure that the service can function
even if something awful is happening. See Appendix 3.
Few risks remain static and it is important to know and understand what is happening. This
can be achieved through regularly monitoring progress and formally reviewing risks in order
to:
Gain assurance that progress is being made towards controlling risks and the
effectiveness of controls
Monitor changes to the risk profile brought about by circumstances and business priorities
i.e. new legislation
A suggested monitoring period might be every three months with a more formal review period
annually. The frequency will be dependent on the circumstances and environment around the
risks. Within a rapidly changing environment monthly monitoring and three monthly reviews
may be more appropriate.
When monitoring and reviewing risks you need to be clear about how this is to be undertaken.
It may help to develop a set of questions for example:
Where objectives have not been achieved or are not on course to be achieved the cause(s)
should be investigated to inform and improve the risk assessment process. At the next formal
review of the risk the rating attributed to the risk should again be considered. At this stage you
may wish to review your risk appetite or tolerance levels to ensure they remain appropriate.
The review and monitoring process of risks should be integrated into existing organisational
and business planning processes so that it adds value and supports the successful
achievement of objectives and is not just seen as a bolt-on.
9. ESCALATING RISKS
There will be occasions when risks should be shared with more senior managers. These will
automatically include risks that exceed your tolerance thresholds. Residual risks that are
rated as HIGH, i.e. with a combined score of 16+, should also be referred up to the next level
of management to advise upon the appropriate level of control. HIGH residual rated risks
should not remain without the permission of the next senior level of management.
Directorate management teams should have in place a process which allows for risks at any
level to be escalated upwards to enhance their level of control.
[Figure: escalation path. Labels: Business unit risks; Service unit risk register; Directorate risk register]
Where a risk is escalated to a more senior level it should be considered along with all other
risks at this new level and possibly included within the higher level risk register.
Using a system whereby risks can be escalated allows senior managers to better target their
attention and resources towards key activities.
10.
The sooner you know something is not going to plan or events are happening around you that
will impact upon objectives the quicker you will be able to take corrective action and get back
on target or amend your course of action / priorities to reflect changing circumstances.
Early warning indicators are used as a way of measuring change in local critical areas so that
if pre-defined levels (tolerance levels or appetite) are reached, corrective action will be
triggered. To be effective they need to be monitored on a regular basis and the findings
presented in such a way that the information can be quickly assimilated.
Early warning indicators should be specific to the risk and should not be confused with Key
Performance Indicators.
Indicators should be reviewed and updated to ensure they remain appropriate.
When establishing an indicator you should establish from the outset what information is to be
collected, the reporting frequency and trend or tolerance thresholds.
Early warning indicators can be applied to strategic and operational risks. For operational
risks they can be set to measure activity such as:
RISK ASSESSMENTS
Although there are some similarities in the information recorded within risk assessments and
risk registers both documents actually serve a specific purpose. Risk assessments tend to
look at one particular element of a risk recorded against an objective in detail and its
associated controls whereas registers summarise risks and their controls across a project, unit
or directorate.
It may be necessary to complete a number of risk assessments to support a single objective
especially where elements may be under the control of different teams.
Risk assessments should be used to assess the level of risk associated with the objective and
inform the process for refreshing risk registers.
All risk assessments associated with objectives within business plans should be kept updated
throughout the year as necessary. They will also be used by Internal Audit to inform the
Annual Audit Programme and provide the basis for testing the extent and effectiveness of
controls and provide evidence that risk management methodology is being complied with.
Key project and partnership risks should be included within this process as they will have their
sources of origin in business objectives.
12. RISK REGISTERS
Risk registers provide an immediate record of all the identified risks, key controls and their
status resulting from their assessment in terms of likelihood and impact across a wider pool of
risks.
Risk registers should be monitored by management teams. Risks included within directorate
registers should be closely monitored by senior management teams.
The critical risks that can affect the Council as a whole should be recorded within the Strategic
Risk Register which is monitored by Directorate Resource Managers on behalf of the Chief
Officer Group which is made up of the Chief Executive and Managing Directors of the Council.
13. SUMMARY
Working through this toolkit provides a simple basic methodology to help identify and manage
business threats and opportunities that might arise.
It is important to ensure that continuous risk assessment feeds into any decision making and
therefore business process.
It may be helpful to understand how managing risk through this process fits in with the overall
framework for managing risk throughout the Council. Details of this can be found in the
document Risk Management Strategy.
If you would like further advice about the risk management process contact the Corporate
Risk & Insurance Manager or your directorate lead officer for risk management.
SOURCES OF RISK
Appendix 1
Social: Relating to the effects of changes in demographic, residential or socio-economic trends on the
Council's ability to deliver its objectives. Examples of nature of risk:
Failing to meet the needs of disadvantaged communities
Failures in partnership working
Problems in delivering life-long learning
Impact of demographic change
Crime and disorder

Technological: Associated with the capacity of the Council to deal with the pace / scale of technological
change, or its ability to use technology to address changing demands. They may also
include the consequences of internal technological failure on the Council's ability to deliver
its objectives. Examples of nature of risk:
Obsolescence of technology
Breach of confidentiality
Hacking or corruption of data
Failure in communications

Legislative: Associated with current or potential changes in national or European law. Examples of
nature of risk:
Inadequate response to new legislation
Judicial review
Intervention by regulatory bodies and inspectorates
Human Rights Act breaches

Environmental: Relating to the environmental consequences of progressing the Council's strategic
objectives (e.g. in terms of energy, efficiency, pollution, recycling, landfill requirements,
emissions etc). Examples of nature of risk:
Impact of Local Agenda 21 policies
Impact of planning & transportation policies
Noise, contamination and pollution

Competitive: Affecting the competitiveness of the service (in terms of quality or cost) and / or its ability
to deliver Best Value. Examples of nature of risk:
Take over of services by government agencies
Failure of bids for government funds
Failure to show best value

Customer / citizen: Associated with the failure to meet the current and changing needs and
expectations of customers and citizens. Examples of nature of risk:
Lack of appropriate consultation
Glossary of Terms
APPENDIX 2
Benefits
Business Continuity Plan
Business risk
Consequence
Contingency
Control (control measures)
Corporate Governance
Early warning indicator
Hazard
Identifying risks
Impact
Inherent risk
Issue
Likelihood
Mitigation (Plan)
Objective
Operational risks
Opportunity
Outcome
Periodic review
Project risks
Risk appetite
Risk evaluation
Risk identification
Risk management
Risk prioritisation matrix
Risk owner
Risk perception
Risk profile
Risk source
Risk register
Risk strategy
Risk tolerance
Strategic risks
Terminate
Threat
Tolerate
Transfer
Treat
Appendix 3
BUSINESS CONTINUITY PLANNING
The likelihood of some risks occurring remains high even with controls in place. Where these risks
may also have a high impact an action plan should be devised to cope with the event to restore
services that support and are provided by the Council. In such cases Business Continuity
Planning (BCP) should be considered.
Business continuity planning (BCP) is one of the ways in which high impact risks can be managed.
Its purpose is to enable managers to plan for how they will respond both immediately and in the
longer term should there be a major disruption or interruption to their service. The BCP process
provides an early opportunity to identify single and weak points that may jeopardise service
delivery.
Having a plan will enable you to better manage those risks where it is extremely difficult to reduce
the impact should the event occur. These are probably the risks where impact and probability
produce a combined rating of 20 or more using the KCC risk ranking matrix.
Should an event occur it may be your responsibility to get a service back operational as quickly as
possible, identify and implement interim arrangements, communicate with those that may be
affected etc.
For example how do you tell your staff about the event, how do you tell the
community or clients that you cannot provide their service that day or for a longer period, how do
you meet important deadlines, what are your critical systems, suppliers and services, who might be
expected to provide physical help, advice etc and how do you get in contact? These are just
examples of some of the questions that you may need to deal with.
It is essential that you are able to respond sensibly and with minimum wasted effort and resources.
This can be best achieved by planning your response in advance with your business continuity
team. Going through a business impact analysis will illustrate where the risks are highest and the
potential impacts greatest. This will then enable you to identify potential problems and guard
against them developing into even greater disruptions through measured planning.
Possible areas for consideration might include:
Main event / cause
Result
Financial loss
Breach of confidentiality
Failure / corruption of IT
Impact on stakeholders
It may not be possible to predict the actual nature of the event that may cause the disruption but by
thinking about your response in advance you should be able to use and adapt this information to inform
your actions. You should also remember that you may not be dealing with a crisis in isolation and those
officers or contractors upon whom you rely within your own plan may themselves be
in a similar situation.
When preparing a plan it should address the procedure to recover functionality within
a defined time frame dependent upon the Council's need. Managers are used to
making decisions in response to ad hoc events and it might be more helpful if the
plan is kept quite simple but with key points identified to prompt action along with
details of who to contact for assistance outside of your own team. For example,
finance managers are best placed to assist with making decisions on the release of
funding and payment of invoices in an emergency, Corporate Communications can
deal with media management, Personnel & Development can advise on staffing
issues, ISG can advise on IT and so on.
KCC is reliant upon many other organisations and contractors to help deliver its
services. Where there is a dependency upon any of these it may be appropriate to
ensure that they too have a plan to deal with any disruption and that it supports your
own response.
Once you have a plan you will need to ensure that it is regularly reviewed, tested and
accessible in an emergency.
If you would like to find out more about preparing a business continuity plan please
contact KCC's business continuity advisers on 01622 221974 or 01622 694803.
Appendix 4
PARTNERSHIPS
Partnership working is playing an increasingly important role in our policy
development and service delivery. In recent years, the focus for many public, private,
voluntary and community organisations has been on the opportunities offered by
partnership or joint working arrangements. Indeed, many new funding sources
relating to a wide range of issues can only be accessed by the demonstration of
multi-partner approaches.
Working in partnership usually means committing resources such as officer time or
direct funding to develop and deliver desired outcomes. It may not be easy and,
whilst there are opportunities there are also risks. It is therefore important to
understand and manage these in so far as they affect both the partnership and
Council. The assessment of risks within partnerships therefore needs to be inward
and outward looking. Risks to the partnership should be assessed and recorded
within the partnership risk registers whereas risks to the Council should be assessed
and recorded in directorate risk registers as appropriate.
To help officers maximize the opportunities of working within partnerships and
managing the associated risks a guide has been prepared and is available on KNET
by searching under Risk Management.
Appendix 5

| Likelihood \ Impact | Minor | Moderate | Significant | Serious | Major |
|---|---|---|---|---|---|
| Very likely | 5 Low | 10 Medium | 15 Medium | 20 High | 25 High |
| Likely | 4 Low | 8 Medium | 12 Medium | 16 High | 20 High |
| Possible | 3 Low | 6 Low | 9 Medium | 12 Medium | 15 Medium |
| Unlikely | 2 Low | 4 Low | 6 Low | 8 Medium | 10 Medium |
| Very Unlikely | 1 Low | 2 Low | 3 Low | 4 Low | 5 Low |
Score
5
Likely
Possible
Unlikely
Very Unlikely
Indicators
Regular occurrence
Circumstances frequently encountered i.e. daily/weekly/monthly
The risk is current & is almost certain to happen within the next
twelve months
Likely to happen at some point within the next 1-2 years
Circumstances occasionally encountered (once/twice a year)
Has happened in past
Reasonable possibility it will happen within next 3 years
May have happened in the past
Unlikely to happen in 3+ years
Has happened rarely/never before
Score
5
Major
Serious
Effect on Service
Complete breakdown in
service delivery with severe,
prolonged impact on
customer service affecting
the whole organisation.
Minor
Failure of a strategic
partnership
Large scandal.
Widespread disgruntlement
Extensive damage to a
critical building or
considerable damage to
several properties from one
source
Inability to deliver popular
policies due to budgetary
constrictions.
People
Criticism of a secondary
process/service
Embarrassment contained
within the business unit
Effect on project
objectives
Extreme delay
Localised disgruntlement
Small impact on customer
service which may result in
complaints to the business
unit
Nuisance
Disgruntlement by a few
RM:Toolkit Rev.2009
Compliance
with law / contracts
A substantial failure in
accountability or integrity.
Moderate
Financial &
Resources
A vote of no confidence in
one service area.
Failure of an operational
partnership
Significant
Reputation
RISK REGISTER
Appendix 6
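| Ref | Source | Event | Planned Outcome | Accountable Manager | Existing Controls | New Tasks/Actions | Date | Inherent rating | Residual rating |
|---|---|---|---|---|---|---|---|---|---|
| | | | | | | | | I= L= R= | I= L= R= |
| | | | | | | | | I= L= R= | I= L= R= |
| | | | | | | | | I= L= R= | I= L= R= |
| | | | | | | | | I= L= R= | I= L= R= |
| | | | | | | | | I= L= R= | I= L= R= |
| | | | | | | | | I= L= R= | I= L= R= |
| | | | | | | | | I= L= R= | I= L= R= |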
Appendix
EXAMPLE
Business/Service Objective: To ensure that employees, visitors and contractors remain safe whilst on KCC
property
Date completed: 01.04.2009
Risk No.
Risk
Impact (Severity)
Likelihood (Probability)
Revd Risk Rating: 16 HIGH; 9 MED; 6 LOW
[Risk rating matrix: Likelihood (Probability) against Impact (Severity), scored 1 to 25 and banded Low, Medium, High]
Completed by:
Business/Service Objective:
Date completed:
Risk No.
(Risks)
Impact (Severity)
Likelihood (Probability)
Risk Rating
Impact (Severity)
Likelihood (Probability)
Revd Risk Rating
[Risk rating matrix: Likelihood (Probability) against Impact (Severity), scored 1 to 25 and banded Low, Medium, High]