risk assessment matrix department of education

An official website of the United States government

Here’s how you know

The .gov means it’s official.

Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.

The site is secure.

The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

REMS TA Center Sample Risk Assessment Matrix

Department of Education

This tool for school districts, administrators, and law enforcement helps school communities identify specific risks unique to their school environment through a priority ranking system.

• UC Finance >
• Risk Services >
• Enterprise Risk and Resilience >
• Enterprise Risk Management >

Higher Education Risk Assessment Tool

Enterprise risk and resilience.

This tool will help you consider your campus' risk portfolio for a specified list of the most common risks in higher education.

The purpose of this tool is not to ensure all risks are rated as "Adequately Controlled" but rather to help departments assess their control structure for sufficiency given their environment, resources, and bandwidth. This tool will not make decisions for you, but it will help you organize your thinking as you consider your campus' risk profile and related enterprise risk management implications.

The steps involved in completing this tool are outlined below, followed by additional notes.

• Step 1. Get started
• Step 2. Customize scales and weightings

Step 3. Assess your risks

• Step 4. Review a chart of your risks
• Step 5. Export your data

Download a sample version of this tool (xlsx)

View the higher education risk assessment tool webinar.

The sample version should allow you to understand how this tool displays information, how to navigate through the steps, and what types of information you will need to complete it. However, it does not contain any formulas or calculations.

The full version of this tool is available free of charge as a public service and outreach effort of the UCOP Office of Risk Services. However, we do ask that you provide us with some basic information to assist us in understanding how this tool is being used. This helps us ensure we are continuously evolving the tools in our toolkit to meet the needs of our users. 

If you would like a full version of this tool, please contact us at [email protected] with the following information:

• Your name and title
• Your organization
• Your phone number
• Your e-mail address
• The name(s) of the tool(s) you would like to use
• A brief description of how you intend to use the tool(s)

Step 1. Getting Started

When you open the tool, you may be prompted with a warning indicating some content is unsecured. The tool only uses one macro, which allows the data export function to work. You will be able to fully utilize the tool even if you do not enable this macro; however, you will not be able to export the data without enabling it.

Next, fill in the employee names and organization information at the top of the first page. Then save the file in a secure location with an appropriate, unique name. This will minimize confusion if multiple files are created.

Then click the “Get Started!” button below the introduction to move on to the next step.

Step 2. Customize Scales and Weighting

Before you begin rating the risks involved and assessing your controls, it is necessary to set some common definitions for the varying degrees of a risk's impact and likelihood. It is also important to set common parameters for evaluating the effectiveness of controls. Sample definitions are provided as shown in the following tables. Place your cursor in the definition field to modify the definitions to suit your needs.

Risk impact and risk likelihood are both weighted at 50% each by default as shown in the following table. Depending on the types of risk you are considering, those weights may change. For instance, if you are using this tool to consider risks that could cause workers’ compensation claims, you may weigh risk likelihood higher because there are statutory limits that determine the severity of the claims based on frequency. If instead you are considering reputational risks, where small number events may have a significant impact, you may weigh severity higher. To change how these factors are weighed, place your cursor in the cell and revise the percentages. These two factors must be equal to 100%.

As you move on to other steps, you can return to this page at any time by clicking the "Customize Scales" button

Formula Protection

Some cells on each page are protected to prevent accidental edits which may affect the tool’s calculations.  Cells containing formulas are shaded a light grey. Spaces intended to be left blank are also shaded in the same light grey.  Cells where you can enter information or make a selection from a drop-down menu are filled in white. Even for cells that are protected, you are able to format cells as you wish (change fonts, styles, colors, widths, heights, alignment, and text wrapping). These types of changes should be made without removing the protection on the page.

Risk Assessment

This step lists common risks related to higher education, which are organized in the following groups:

• Hazard Risks
• Financial Risks
• Information Technology Risks
• Human Resources Risks
• Research Risks
• Contract and Grant Risks
• Campus Life Risks
• Facilities & Maintenance Risks

There are blank spaces at the bottom of the page to list additional risks at your discretion.

Assess the impact and likelihood of each risk listed by selecting a scale from each dropdown menu. Next, describe how your organization is currently managing each risk, and describe any risk mitigation plans or efforts which are already in place . Then identify how frequently controls for that risk are performed .  For example, an audit may be performed annually, whereas access badges that restrict access to certain areas of the campus or medical center may be used multiple times daily.

Assess the effectiveness of the existing controls you just described by selecting a scale from the dropdown menu in the “Control Effectiveness” column. Once you have made this selection, the risk rating will be calculated and the “Risk Rating” field will populate.

This “Risk Rating” will show as one of the following:

If you want to change the options shown on the dropdown menus for "Risk Impact", "Risk Likelihood", or "Control Effectiveness" you can change them by returning to the "Customize Scales" step.

Then, under "Dashboards, Monitoring, & Reporting," describe how the control activities are being monitored and identify the person in your organization who is accountable for monitoring those controls.

Step 4.  Review a chart of your risks

The chart provides a graphical representation of your risk assessment based on your selections for risk likelihood, risk impact, and control effectiveness. There is a dropdown menu at the left of the page which allows you to select which information to plot on the chart. You can have the chart show each risk of a selected group or each group combined as a single point displayed with the other groups.

Step 5.  Export your data

When you have completed all of the steps, you may export the data into a comma-separated value file (.csv) for use in the University's Enterprise Risk Management Information System (ERMIS) by selecting the "Export" button in the Assess Risk step.

Related Resources

• Risk Assessment Toolbox
• Risk Assessment Tool Webinars

School operations

Including camps and adventure activities

• Student medical information
• Student Activity Locator
• Risk management planning
• Emergency or critical incident management
• Staffing – roles and responsibilities
• Supervision
• Student preparation and behaviour
• Liability, waivers and indemnities
• External providers
• Venue selection
• Weather and emergency warnings
• Communications
• Identification
• Overseas travel
• Adventure activities – including swimming and water-based activities

On this page:

Schools must assess risk for all excursions (including local excursions) and identify measures to reduce reasonably foreseeable risk to students wherever possible. The type and level of risk, and possible consequences, will differ depending on a range of factors including the location/environment, people, and equipment.

The type of excursion will determine the type of risk assessment required.

When planning for the engagement of a third-party operator to operate amusement rides, attractions or fireworks at non-public (that is, enrolled students only) events on non-school sites, schools must also follow the Amusement Rides, Attractions and Fireworks Policy , which provides further risk management guidance.

Risk assessment process

The risk assessment will inform the planning of the event and help decide what resources, staff and equipment will be required. The assessment should cover the entire excursion including:

• all activities to be undertaken
• excursion location or venue (including environment)
• people (student behaviour, student/teacher safety or illness or other specific needs)
• transportation (for example, public transport cancellations, travelling in hazardous areas, student behaviour, travel sickness).

Where appropriate, the risk assessment should also address:

• risk to intended educational objectives
• any significant financial risks to the school and/or parents (for example if an excursion needs to be cancelled)
• the risk that the general community might lose confidence or trust in the school or the department if a reasonably foreseeable risk is not identified or if insufficient steps are taken to minimise that risk and this results in injury, loss or damage.

The risk assessment must be completed during the planning of the excursion, reviewed before the commencement of the excursion and where appropriate or required, during the excursion.

Responsibilities and processes for treating risks must be communicated to all excursion staff before departing on the excursion.

Risk assessment for local excursions (not including adventure activities)

For local excursions (not including adventure activities), schools must assess and document their risk assessment. Local excursions are excursions to locations within walking distance of the school and do not involve adventure activities. Note: workplace learning and intercampus travel are not considered school excursions.

Documenting risk is important for a number of reasons, including because:

• it provides staff with a clear record of risks identified and measures put in place
• it assists with identifying any possible gaps in their risk assessment that need to be addressed
• it is a useful way of communicating risk-related roles and responsibilities
• it can become important evidence if someone is injured during the excursion and the school’s actions regarding risk planning and management are reviewed.

Schools must complete a template Risk assessment for local excursions template (DOCX) External Link (staff login required). This is evidence of consideration of the risks that may be encountered while on local excursions (that do not involve adventure activities).

Alternatively, schools may wish to use the same risk register as required for all other excursions.

All other excursions

For any of the following:

• day excursions
• overnight stays
• interstate travel
• overseas travel
• adventure activities
• travel via water or air
• weekends or school holidays

a risk register assessing risks across the entire excursion must be completed and submitted to the principal when seeking approval for the excursion (refer to Excursions risk register and emergency management plan template (DOCX) External Link ).

All risks need to be evaluated using the department’s risk rating matrix. Risks rated:

• low or medium do not necessarily require further treatments and are considered acceptable – these risks should be reviewed periodically.
• high or extreme will require further treatment to reduce their level of risk to a more acceptable level.

If planning a camp that involves multiple adventure activities, a risk assessment must be conducted for each adventure activity. Schools may choose to place all risks associated with each activity on the one camp risk register or complete a risk register for each activity.

Consultation with external providers

Schools should consider whether to consult with external providers during the preparation of the excursion risk register. Schools should also consider whether using an accredited provider and/or appropriately trained staff to lead activities (such as adventure activities) is sufficient mitigation for some activity specific risks. If so, the excursion risk register should not focus on treating risks relating to technical aspects of an activity (for example, ropes or harnesses used in abseiling). Instead, these risks should be identified and include ‘the use of external provider’ as a control.

Sample risk registers for excursions, camps, overseas travel and specific adventure activities can be found on the Resources tab .

For further information on risk management more generally, refer to the department’s policy Risk Management – Schools .

Reviewed 24 January 2024

• Print whole topic

• Governance and risk frameworks
• Communication, education and knowledge sharing
• Due diligence, risk assessments and management
• Transnational Education Guidance Note on Due Diligence
• Enhancing Cyber Security Across Australia’s University Sector: Final Report
• Case studies - Governance and risk frameworks
• Case studies - Due diligence, risk assessments and management
• Case studies - Cybersecurity
• Case Studies - Transnational Education
• Australian Government Contacts
• Foreign Interference Impacts on Campus Culture Guidance Note
• National Security Architecture Placemat
• Australian Government legislation and codes
• Other guidance links
• University Foreign Interference Taskforce

Report and resolve responsibility matrix

An example of where the responsibility may be sit within a university when reporting and resolving concerns of foreign interference.

• Download Report and resolve responsibility matrix as a DOCX (31.9kb)
• Download Report and resolve responsibility matrix as a PDF (93.53kb)

We aim to provide documents in an accessible format. If you're having problems accessing a document, please contact us for help .

Template: Risk Management Plan and Risk Acceptance Matrix

Template download.

If you are a user of  Formwork, our eQMS software , choose “QMS” on the top menu and “OpenRegulatory Templates” on the left menu, and then open the relevant folder to find this template ready to load into Formwork.

If, for some mysterious reason, you’re using a different QMS Software, you can also simply download this template – specifically, as Word (.docx), PDF, Google Docs or Markdown file. Scroll down for a preview!

The  template license  applies (don’t remove the copyright at the bottom).

Tired of copy-pasting? If you want to save time and edit these templates directly, you can use  Formwork, our eQMS software . And if you’re looking for step-by-step instructions for filling them out,  check out our Wizard  🙂

Questions? Still Lost in Regulation?

Good news! Our goal is to provide lots of stuff for free, but we also offer  consulting  if you need a more hands-on approach. We get stuff done really fast.  Have a look!

The Risk Management Plan contains the risk policy and defines the criteria for risk acceptance. It also references relevant processes and activities which will be conducted for product-specific risk management as part of the integrated software development process (SOP Integrated Software Development).

Mapping of Standard Requirements to Document Sections

1. relevant processes, 1.1 risk management process and activities.

Risk Management Activities are integrated in the software development lifecycle as described in SOP Integrated Software Development.

1.2 Risk Policy and Risk Acceptability

The following policy establishes criteria for risk acceptability following ISO 14971:2019 and ISO/TR 24971:2020. It applies to all people and activities involved in the design, development and distribution process of the medical device, and intends to ensure highest levels of medical device safety consistent with stakeholder expectations.

The manufacturer defines framework criteria for risk acceptability in the form of estimated usage, severity of harm and probability of occurrence (para. 1.2.1 – 1.2.3). The criteria are initially defined as part of the early software development process and reviewed during every post-market surveillance cycle.

Estimated usage, categories of severity / probability and risk matrix acceptance are defined based on applicable regulatory requirements, relevant international norms and standards, as well as the generally acknowledged state of the art (e.g. accepted results of scientific research, reports published by authorities, established industry best practices).

Acceptability for individual risks always must be established based on both, the estimated severity and the estimated probability of a risk. The risk is deemed acceptable based on a combination of both, following the risk matrix defined in para. 1.2.4.

All identified risks must be reduced as far as possible (AFAP) without adversely affecting the benefit-risk-ratio. Risk control measures implemented to reduce the risks must be chosen in the following order:

• Inherent safety by design
• Protective measures
• Information for safety

Acceptability of the overall residual risk is established as part of the clinical evaluation process by weighing benefits from intended use against the overall residual risk. Benefits may be described by their magnitude or extent, the probability of experience within the intended patient population, the duration and frequency of the benefit. For example, the manufacturer may compare the device to similar medical devices available on the market: residual risks can be compared individually to corresponding risks of the similar device, considering differences in intended use. The overall evaluation of the benefit-risk-ratio should take into account knowledge of the intended medical indication, the generally acknowledged state of the art in technology and medicine, and the availability of alternative medical devices or treatments.

1.2.1 Estimates for Usage

Define estimates for how much you think your device is going to be used in the market.

1.2.2 Severity of Harm

Define what can go wrong with your product here. Make the examples specific – chances are, your product can’t cause skin lacerations. In all likelihood it also doesn’t cause death. So, feel free to remove severity rows here. But most importantly, customize the definitions and examples so that they resemble the harms in your product.

1.2.3 Probability of Occurrence

Define your probabilities. You can probably just use these definitions. The idea is that each probability row is 10^2 apart from adjacent ones.

Also, change the “Estimated Maximum Event Count”. That’s the usage number you estimate for your (not yet released product) during its entire lifecycle (which you need to define). So, if you assume that your product will be on the market for 4 years and that it’ll be used 100 times per day, that results in 146.100 usages (100 usages/day * 365.25 days/year * 4 years). The numbers in the lower columns of “Estimated Maximum Event Count” are simply the total usage number multiplied by the upper limit probability of the same row, e.g. you want to know “how often can probability P3 occur if the product is being used 100 times per day?”

1.2.4 Risk Acceptance Matrix

The most important part. You assess each severity-probability combination whether it’s acceptable for you as a company. There are no definitive rules on what’s deemed acceptable. It depends on your company’s risk policy and, more importantly, the benefits of your product which you show in your clinical evaluation. So, for example, if your product saves 10 lives per day, it might be acceptable to cause one death per day. If your product doesn’t save any lives, it might not be acceptable to cause any deaths. You get the idea, I hope.

1.3 Verification of Risk Control Measures

Risk Control Measures are verified as described in the software development lifecycle as described in SOP Integrated Software Development.

1.4 Assessment of the overall residual risk

After determination of the Risk Control Measures any risk that could arise from the combination of the individual risks or mitigating measures is assessed. For this purpose, the probability and severity of the possible residual risk are estimated and evaluated using the existing risk matrix.

1.5 Collection and Review of Post-Production Information

Review and collection of Post-Production information is described in SOP Post-Market Surveillance.

2. Related Documents

• SOP Integrated Software Development
• Risk Acceptance Matrix
• Risk Management Report

Template Copyright  openregulatory.com . See  template license .

Please don’t remove this notice even if you’ve modified contents of this template.

Leave the first comment (Cancel Reply)

• Skip to content
• Skip to search
• Staff portal (Inside the department)
• Student portal
• Key links for students

Other users

• Forgot password

Notifications

{{item.title}}, my essentials, ask for help, contact edconnect, directory a to z, how to guides, policy library.

• Excursion Planning and Management (PDF 630 KB)

Related Information

• Variation of routine Staff only
• Risk management plan - Excursions and travel health Staff only
• Overseas excursions planning Staff only
• Private tours, events and activities (PDF 152 KB) Staff only
• Good practice in billeting (DOCX 27 KB)
• Inbound overseas visitor groups

Changes since previous update

Changes since previous version

2023 Oct 16 updated language and links in the policy statement and implementation document to reflect changes to the WHS Risk Management Procedures and supporting resources.

Document history

2022 Oct 10 - updated contact details in policy statement and link to the Behaviour code for students. Updated the implementation document, Excursion Planning and Management, to reflect updates to the Student Behaviour policy and Inclusive Education policy. Also updated links (for risk assessment, Working with Children Check and overseas excursion website), clarified parent requirements in relation to car travel (4.2), anaphylaxis (6.2) and supervisory responsibilities (7.1). Updated information about COVID-19 requirements (1.1.4, 9.1, 11.1.3 and 13.3.3).

2022 Jul 18 - updated contact details in policy statement and implementation document, Excursion Planning and Management.

2022 May 18 - updated links in implementation document, Excursion Planning and Management, to reflect revision of the Working with Children Check forms (sections 2.1.1, 7.1 and appendix 2).

2022 Mar 07 - update to policy statement and implementation document: Excursion Planning and Management - revised overseas excursions application and approval process, including introducing a common application pack for all department schools; clarified instructions to staff in relation to privately arranged tours; more explicit instructions relating to risk management, child protection and safety, and refund of unspent excursion money. Updated related documents.

2019 Oct 16 - updated contact details and made minor style changes.

2016 Mar 14 - updated main contact details.

Inclusion of excursions involving preschool children and the applicability of the Children's Services Regulation 2004 New advice on film screenings and live performances in the context of revisions to the Controversial Issues in Schools Policy Advice on child protection issues relating to excursions to courts where the potential for students to be placed at risk of harm by being exposed to violent or sexually explicit evidentiary material. Further direction on excursion consent forms relating to the need to clarify parental wishes and consent Incorporation of Commonwealth Government initiatives relating to overseas excursions Advice on reporting of incidents occurring while on excursions in context of the revised Incident Reporting Policy and Procedures

Superseded documents

This policy replaces Excursions and Other Visits (97/137), 16 June 1997, Excursions policy PD/2004/0010 v001 Excursions policy PD/2004/0010 v002 and Excursions policy - PD/2004/0010/V003

• Excursions are part of quality teaching and learning programs. School excursions are structured learning experiences provided or managed by the school, conducted on or external to the school site, as determined by the principal. Incursions are a type of excursion, conducted on the school site.
• Excursions provide educational value by supporting curriculum outcomes, in consideration of the needs and resources of the school, the needs of the students and the total learning program.
• Excursions are inclusive. All students within a specific learning group are to be given the opportunity to participate, unless exceptional circumstances exist.
• The department has a duty of care to students while on excursions and this duty cannot be delegated to any third party or organisation.
• Identifying and assessing risk needs to be integrated into excursion planning to ensure appropriate risk management strategies are developed. An approved risk assessment must be implemented at all stages of an excursion.
• The obligation to report suspected risk of harm to children and young people applies throughout all stages of an excursion.
• permission for students to participate in excursions, including activities during an excursion
• a medical information form.
• The Behaviour code for students (PDF 83 KB) applies at all times while on excursions.
• Additional mandatory procedures apply to excursions that involve overseas travel.
• All NSW Government schools and preschools.
• Excursions involving preschool children are subject to specific protocols under the Education and Care Services National Regulations .
• Residential high schools and schools in Juvenile Justice Centres are subject to specific additional procedures with regard to students in residence.
• workplace learning programs
• privately organised (PDF 149 KB) tours, events or other activities the department is not responsible for these.
• The department is committed to providing a safe, secure, disciplined, inclusive, and quality learning environment in which students can develop their individual talents, interests and abilities through a curriculum that fosters students' intellectual, physical, social and ethical development. Excursions Planning and Management (PDF 393 KB) provides detailed direction and guidance to schools.
• School excursions vary in terms of the curriculum focus, students involved, duration of the excursion and venue. Groups participating in an excursion may be a class or a group of students drawn from a number of classes or schools.
• Excursions can range from an incursion to an extended journey occupying a number of days or weeks requiring overnight or long-term accommodation.
• approve all domestic excursions within Australia involving their school
• approve their own school's participation when more than one school is involved
• ensure that a risk assessment for the excursion has been completed
• endorse overseas excursions and submit the overseas excursions application to their Director, Educational Leadership for approval by the Executive Director in line with the department's overseas excursions application and approval process
• maintain records of excursions and any incidents occurring on an excursion
• exercise a duty of care towards all students, staff and other participants
• evaluate their school's practices for the safe conduct of excursions on the basis of past experience, systemic and locally produced risk profiles and teaching and learning outcomes
• manage any issues or incidents arising from school excursions, consistent with the department's Controversial Issues in Schools policy and Incident Notification and Response policy
• ensure the appropriate infection control measures are included in the planning and are followed during the excursion.
• may initiate and organise excursions
• exercise a duty of care to all students
• complete and monitor risk assessments for each planned excursion ensuring there will be adequate supervision
• report any incidents that occur on an excursion
• who organise an overseas excursion do so in line with the department's overseas excursions application and approval process .
• endorse an overseas excursion proposal
• endorse an overseas excursion for the approval to their Executive Director in line with the department's overseas excursions application and approval process
• monitor schools' compliance with this policy.
• approve overseas excursions in line with the department's overseas excursions application and approval process .
• The Executive Director, Curriculum and Reform monitors the implementation of this policy, regularly reviews its contents to ensure relevance and accuracy, and updates it as needed.
• Contact Curriculum and Reform [email protected]

• CPA NEW SYLLABUS 2021
• KCSE MARKING SCHEMES
• ACTS OF PARLIAMENT
• UNIVERSITY RESOURCES PDF
• CPA Study Notes
• INTERNATIONAL STANDARDS IN AUDITING (ISA)
• Teach Yourself Computers

KNEC / TVET CDACC STUDY MATERIALS, REVISION KITS AND PAST PAPERS

Quality and Updated

KNEC, TVET CDACC NOTES AND PAST PAPERS

DIPLOMA MATERIALS

• KNEC NOTES –  Click to download
• TVET CDACC PAST PAPERS – Click to download

CERTIFICATE MATERIALS

• KNEC CERTIFICATE NOTES – Click to download