ACAPTA-Risk-Assessment

45 Moreland St, Footscray VIC 3011
t: +61 (03) 9362 8871 | www.acapta.org.au
Risk Assessment Template
The activities below are based on the Australian and New Zealand Standard for Risk Management
(AS/NZS 4360:1999).
Step 1: Risk Identification
Develop a comprehensive list of risks that may affect your performance or activity.
This is perhaps the most critical step in the entire risk assessment process, as any risk not identified
at this stage is incapable of any later evaluation, assessment or treatment.
Step 2: Existing Risk Controls
List the existing controls you have in place to minimise these risks.
Step 3: Risk Analysis - Consequences
Risk Analysis involves assessing the consequences of risk and the likelihood of it occurring in the
context of any existing risk controls.
Consequence
Consequences may be described in many ways, each of which has a different impact. These may
include financial loss, impact on people, damage to reputation, damage to the environment or
interruption to critical business processes (see example below). Table 1 defines an example of
consequence ratings and typical descriptors for various activities.
Table 1: Risk Consequence Descriptors

| Consequence Category | Rating | Business Interruption | Environmental | Financial | Human | Public Image & Reputation |
|---|---|---|---|---|---|---|
| Catastrophic | 5 | Essential service failure, or key revenue generating service removed. | Irreversible damage | Above $5,000,000 | Death(s) / many critical injuries. | National & International Concern / exposure |
| Major | 4 | Service or provider needs to be replaced. | Harm requiring restorative work. | Up to $5,000,000 | Single Death / multiple long term or critical injuries. | State wide Concern / exposure |
| Moderate | 3 | Temporary, recoverable service failure. | Residual pollution requiring clean up work. | Up to $500,000 | Single minor disablement / multiple temporary disablement. | Local community concern |
| Minor | 2 | Brief service interruption. | Remote, temporary pollution | Up to $100,000 | Injury | Customer complaint |
| Negligible | 1 | Negligible impact, brief reduction/loss of service | Brief, non hazardous, transient pollution | Up to $10,000 | Minor First Aid | Resolved in day-to-day management |

Step 4: Risk Analysis - Likelihood
After you have determined the consequence, it is necessary to establish the likelihood of the risk
occurring.
Table 2 defines the Likelihood ratings.
Table 2: Likelihood Ratings

| Likelihood | Category | Description |
|---|---|---|
| Almost Certain | A | The event is expected to occur in most circumstances |
| Likely | B | The event will probably occur in most circumstances |
| Possible | C | The event should occur at some time |
| Unlikely | D | The event could occur at some time |
| Rare | E | The event may occur only in exceptional circumstances |

Step 5: Risk Rating
The Level of Risk Matrix compares the consequence of a risk occurring with the likelihood of it
occurring. For each risk, determine the consequence using the descriptors in Table 1 and the
likelihood using the ratings in Table 2. Then find the result in the Level of Risk matrix.
Table 3: Level of Risk Matrix

| Likelihood \ Consequence | 1 Negligible | 2 Minor | 3 Moderate | 4 Major | 5 Catastrophic |
|---|---|---|---|---|---|
| A - Almost Certain | Moderate | Moderate | High | High | Extreme |
| B - Likely | Low | Moderate | Moderate | High | Extreme |
| C - Possible | Low | Low | Moderate | High | High |
| D - Unlikely | Low | Low | Moderate | Moderate | High |
| E - Rare | Low | Low | Low | Moderate | Moderate |

Step 6: Risk Evaluation
The aim of Risk Evaluation is to determine those exposures that are acceptable or unacceptable to
the organisation. Those risks that are determined as unacceptable are then subjected to later Risk
Treatment. (It is important to note that no organisation can eliminate all the risks to which it is
exposed.)
Defining a risk as acceptable does not imply that the risk is insignificant. The evaluation should take
account of the degree of control over each risk and the cost impact, benefits and opportunities
presented by the risks.
Reasons why a risk may be accepted:
• The level of risk is so low that specific treatment is not appropriate within available resources.
• The risk is such that there is no treatment available. For example, the risk that a project might
be terminated following a change of government is not within the control of an organisation.
• The cost of treating the risk, including the purchase of insurance, is manifestly excessive
when the benefits are weighed against the threats.
Step 7: Risk Treatment
Risk Treatment involves the selection and implementation of appropriate options for managing risk.
Treatment needs to be appropriate to the significance of the risk. As a general guide:
• Accept the risk - Where risk cannot be avoided, reduced or transferred, you may choose to
accept the risk. In such cases, usually the likelihood and consequences are low. Risks should
be monitored, and it should be determined how losses, if they occur, will be funded.
• Transfer the risk - This option involves shifting the responsibility to another party, such as an
insurer or contractor, who will bear the consequence of a loss if it were to occur, e.g. purchase
of insurance cover for company vehicles.
• Avoid the risk - Under this option a decision is taken not to proceed with the policy, program or
activity likely to generate a risk. If it is not possible or feasible to avoid the activity, it is usual to
choose an alternative means of conducting/completing the activity.
• Manage (minimise) the risk - This option involves reducing either the likelihood of an
occurrence or the consequences if it were to occur, e.g. implement procedures for specified
tasks.
Step 8: Accountability
Determine who is accountable for the risk treatment and when it needs to be completed.
Step 9: Residual Risk
The Residual Risk is determined after the appropriate Risk Treatment option has been proposed and
accepted. The rating is then determined using the Level of Risk matrix (Table 3).
Step 10: Monitor & Review
To ensure the ongoing effectiveness of the selected Risk Treatment options and to assess whether
your risk management objectives are being achieved, it is necessary to regularly monitor and review
the chosen treatment plan. Determine who is responsible for this process.
The outcome of the monitor and review process should be an accurate measure of the extent to
which the organisation is meeting its risk management objectives, and should show how to close
performance gaps and continually improve risk management standards.