Guided Risk Assessment

    1 - Define the Objective

  • Define what the activity or undertaking being assessed is meant to accomplish. Think of how an undertaking supports the mission of the university, division or unit. If it seems to be a higher-risk activity, then carefully consider what the underlying objective of the activity is. If a much safer or less risky activity would achieve the same objective, then that activity may be a better choice. 

  • 2 - Define the Activity

  • A more detailed description of the activity will allow for a more meaningful risk assessment. Consider the who, what, where, when and how of the activity. 

  • 3 - Consider Negative Outcomes

  • What could go wrong? Consider the potential negative outcomes of the activity, for example -
    - What harm - physical, psychological or social - could come to the participants?
    - What property - owned by the university or owned by someone else - could be damaged?
    - Is there any personal information that may be gathered and at risk for exposure?
    - Have all agreements been reviewed and signed by the proper contracting office? 
    - Are minors or volunteers involved?
    - Is the activity taking place in a foreign or remote location?
    - What is the reputational risk?
    - What is the financial risk?

  • 4 - Risk Evaluation

  • Consider the potential negative outcomes of the activity in two dimensions - severity and frequency -
    What is the severity - will the negative outcome be debilitating to the organization or cause a minor administrative difficulty that is easily overcome or somewhere in between? Rank each as - 
    - severe: organization would need extensive help to resolve; there may be lasting negative outcomes
    - significant: organization would need some outside assistance to recover
    - slight: organization can easily deal with outcome and will not require outside help in resolution
    What is the likely frequency that the negative outcomes will occur - 
    - almost nil: extremely unlikely to happen
    - slight: not likely to happen
    - moderate: will happen occasionally
    - definite: will happen often
    For each negative outcome, use the chart below to decide how to proceed -
    - green indicates a more acceptable risk, especially if insurance is available to finance foreseeable losses
    - yellow indicates a risk that needs to be controlled - proceed only after controlling these risks; consider changing the activity to eliminate these risks
    - red indicates an unacceptable risk and the activity needs to be changed so that these risks are eliminated  

    Risk Evaluation

    Now consider the potential positive outcomes of the activity -
    Balance the potential positive and negative outcomes. A highly beneficial activity may justify acceptance of higher risk. This can help inform the decision about whether to alter an activity. This is especially helpful for consideration of those areas that are evaluated as yellow within the chart.

  • 5 - Develop Controls

  • Consider ways to lessen the severity and frequency of the negative outcomes. Once controls are developed, go back and re-evaluate the risk. Repeat steps 4 and 5 until the activity poses an acceptable level of risk. 

  • 6 - Monitor the Controls

  • Once an activity is underway, periodically go back and make certain that the controls are working. New controls may need to be considered or existing controls may need to be updated.