Risk management

Governing, communicating and making decisions about risk

The Protective Security Requirements state that agencies should follow ISO 31000 for risk management.

Risk management is about understanding, assessing and documenting the scope of your risk in relation to service delivery, reputation, legal exposure, security and integrity, customer confidentiality and investment.

The core elements of risk management will always follow a similar pattern as described in ISO 31000:

  • Identification — identifying risks and recording them in a risk register.
  • Analysis — understanding each risk and estimating its level of impact, using a risk impact scale that you develop for this purpose.
  • Evaluation — deciding whether the level of each risk is acceptable or not.
  • Treatment — deciding how you will approach each risk (for example avoid it, transfer the liability, mitigate the likelihood, or accept the risk).

Information Security risks

Risk assessments are part of many business processes. In information security, the key ones will usually relate to:

  • privacy
  • security
Risk management for agencies is described on digital.govt.nz.
