Risk and Issues Management Tool1

Management Dashboard - Issues & Risks
Issue Status
Issue Summary Risk Summary
Open 0 Open 42 Open Closed In Progress Monitoring Resolved
Closed 0 Closed 0
In Progress 0 In Progress 0
Monitoring 0 Monitoring 0
Resolved 0 Resolved 0
Low Impact 0 Low 0
Med Impact 0 Moderate 0
High Impact 0 High 0
Low Priority 0 Extreme 0
Med Priority 0 Total Risks 42 Risk Status
High Priority 0
Open Closed In Progress Monitoring Resolved
Total Issues 0
Issue Type Summary Risk Type Summary

Strategic 0 Strategic 6
Financial 0 Financial 6
Regulatory 0 Regulatory 7
Management 0 Management 4
Operational 0 Operational 19 100%
Risk & Issue Types Total Risk Ratings
20 1
18 0.9
16 0.8
14 0.7
12 Risk Type 0.6
10 Issue Type 0.5
8 0.4
6 0.3
4 0.2
2 0.1
0 0
Strategic Financial Regulatory Management Operational Low Moderate High Extreme
Last Review Date: 21-02-2014 Record Number: 00676480

Cloud Computing Risk Log
Ref Date Impact Risk Risk Mitigation Last Current
Risk Type Risk Control Area Issue Action Owner Likelihood Rating Likelihood Impact
No Logged Rating Rating Actions Reviewed Status
Lack of effective internal information security
governance, risk management and
R1 Management Governance & Enterprise Risk Management compliance, and alignment with the provider <select> <select> N/A Open
own security governance
Risk of adequate Data Protection no longer

being maintained to a compliant level
R2 Management Data Protection Risks <select> <select> N/A Open
Media cannot be physically destroyed,

cannot be properly identified or no adequate
procedure in place
R3 Management Sensitive Media Sanitisation <select> <select> N/A Open
Loose identification of sensitive data or

protection of data in transit or stored in the
cloud, and prevention of data leakage
R4 Management Information Management and Data Security <select> <select> N/A Open
Risk of failing to comply with government-

mandated and industry-specific regulations
R5 Regulatory Compliance and Audit Management and standards, and failure to get audit <select> <select> N/A Open
information from the provider
Storage, processing, disclosure to third-party,

transfer to other legal jurisdictions of personal
R6 Regulatory Legal Issues: Contracts and Electronic Discovery data and the risk for the provider not being <select> <select> N/A Open
able to produce business data in case of
subpoena
Failure for the provider to detect, handle
incidents and report them to the agency with
R7 Regulatory Incident Response data that can be analysed easily to satisfy <select> <select> N/A Open
legal requirements in case of forensic
investigations
The system cannot be audited and/or
certified as it should
R8 Regulatory Audit or Certification unavailable <select> <select> N/A Open
Failure in achieving or maintaining

Compliance (to regulation, governance,
R9 Regulatory Compliance Degradation standards) <select> <select> N/A Open
The agency might relinquish control to the

provider on a number of issues which may
R10 Regulatory Governance Degradation affect overall governance <select> <select> N/A Open
Mirroring data for delivery and redundant

Storage of data in multiple jurisdictions and lack storage without actualised information as to
R11 Regulatory where the data is stored. agency may <select> <select> N/A Open
of transparency
unknowingly violate regulations especially if
clear information is not provided about the
jurisdiction
Unable of storage
to make business applications
interoperate between providers and lack of
R12 Strategic Interoperability and Portability standards to minimise the risk of vendor lock- <select> <select> N/A Open
in
Page 2 of 5
AS/NZ Standard 4360:2004 Risk Management
Each risk has been rated in terms of its resulting likelihood of occurrence and the potential impact, using the rating system specified in AS/NZ
STANDARD 4360:2004 Risk Management. These are explained in the tables below.
Table 1 - Types of Issues/Risks

Type Description
Strategic Related strategic mission and objectives.
Financial economic
Related to legal impact (costs,
and contractual revenues,Political
obligations. budgets).legislative
Regulatory (Compliance)impacts.
Management Related to decision making, resources, policies, etc.
Operational (Technical) Related to ICT delivery, support or management services.
Table 2 - Qualitative Measure of Consequences of Likelihood

Level Descriptor Description
A Almost certain Is expected to occur in most circumstances. More than once per year
B Likely Will probably occur in most circumstances. 1 in 1 - 3 years
C Possible Might occur at some time. 1 in 3 - 5 years
D Unlikely Could occur at some time. 1 in 5 - 10 years
E Rare May occur in exceptional circumstances. 1 in 10 years
Table 3 - Qualitative Measure of Consequences of Impact

Level Description Example detail description
No injuries, low financial loss, no risk to
1 Insignificant
reputation.
Minor First aid treatment, on-site release
2 Minor immediately contained, medium financial loss,
some customer dissatisfaction.
Medical treatment required, on-site release
3 Moderate contained with outside assistance, high
financial loss and public visibility.
Major Extensive injuries, loss of production
4 Major capability, invocation of disaster recovery with
no detrimental effects, major financial loss.
Death, off-site with detrimental effect, huge
5 Catastrophic
financial loss.
Table 4 - Quantitative Measure of Consequences of Impact

Level Description Example detail description
1 Insignificant Nil Negligible
2 Minor Under 500K
3 Moderate Between $500k - $5m
4 Major Between $5m - $20m
5 Catastrophic Above $20m
Table 5 - Qualitative Risk Analysis Matrix
Consequences
Insignificant Minor Moderate Major Catastrophic
Likelihood: 1 2 3 4 5
A (almost certain) H H E E E
B (likely) M H H E E
C (possible) L M H E E
D (unlikely) L L M H E
E (rare) L L M H H
Key Description
E Extreme Risk: Immediate action required to mitigate the risk.
H High Risk: Action should be taken to compensate for the risk.
M Moderate Risk: Action should be taken to monitor the risk.
L Low Risk: Routine acceptance of the risk.
Table 6 - Issues/Risks status types

Type Description
Open New item identified and awaiting action.
Closed Item closed e.g. no longer a concern, rejected, etc.
In progress Item undergoing treatment/mitigation activities.
Monitoring Treatment/Mitigiation activities complete and being monitored.
Item resolved through treatment/mitigation actions and resolution
Resolved
accepted by stakeholders.
Cloud Computing Issues Log
Ref No Issue Type Date Logged Issue Control Area Description Impact Priority Last Update Allocation Details/Update Assigned To Status Deadline
I1 <select> <select> <select> <select>
Table 1 - Types of Issues/Risks

Type Description
Strategic Related strategic mission and objectives.
Financial Related
Related toto legal
economic impact (costs,
and contractual revenues,
obligations. budgets).
Political
Regulatory (Compliance) or legislative impacts.
Management Related to decision making, resources, policies, etc.
Operational Related to ICT delivery, support or management services.
Document Control
Date Version Name and Position Review type/status or amendments
Provided by KineticIT
Final version - customised
7/7/2009 1.00 under contract to the
original Issue-Risk log template.
Dept of Finance
Customised for DoF project

9/11/2013 1.10 Updated and rebadged
management.
Modified - increased issues and

9/18/2013 1.20 Jack Hondros
risk items.
Additional content provided by
Greg Stone - Chief Technology
Officer, Microsoft Australia, Pierre
12/13/2013 1.30 Jack Hondros Noel - Chief Security Advisor,
Microsoft Asia and James
Kavanagh - Chief Security
Advisor, Microsoft Australia.

Risk and Issues Management Tool1

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Risk and Issues Management Tool1

Uploaded by

Copyright:

Available Formats

Management Dashboard - Issues & Risks

Issue Type Summary Risk Type Summary

Risk & Issue Types Total Risk Ratings

Last Review Date: 21-02-2014 Record Number: 00676480

Risk of adequate Data Protection no longer

Media cannot be physically destroyed,

Loose identification of sensitive data or

Risk of failing to comply with government-

Storage, processing, disclosure to third-party,

Failure in achieving or maintaining

The agency might relinquish control to the

Mirroring data for delivery and redundant

Table 1 - Types of Issues/Risks

Table 2 - Qualitative Measure of Consequences of Likelihood

Table 3 - Qualitative Measure of Consequences of Impact

Table 4 - Quantitative Measure of Consequences of Impact

Table 5 - Qualitative Risk Analysis Matrix

Table 6 - Issues/Risks status types

Table 1 - Types of Issues/Risks

Date Version Name and Position Review type/status or amendments

Customised for DoF project

Modified - increased issues and

You might also like