risk assessment matrix department of education

An official website of the United States government

Here’s how you know

The .gov means it’s official.

Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.

The site is secure.

The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

REMS TA Center Sample Risk Assessment Matrix

Department of Education

This tool for school districts, administrators, and law enforcement helps school communities identify specific risks unique to their school environment through a priority ranking system.

Risk Management – Schools

Policy last updated.

11 May 2023

• School councils

On this page:

Step 1 — establish the context, step 2 — risk identification, step 3 — risk analysis, step 4 — evaluation, step 5 — risk treatment, step 6 — communication and consultation, step 7 — monitoring and review, step 8 — recording and reporting.

This policy sets out the requirements for schools to identify and manage risks that might affect their students, staff or operations.

Managing risk means considering the effect of uncertainty (whether positive or negative) on school objectives.

Schools must proactively manage risks by following the department’s Risk Management Process for Schools set out in the Guidance tab .

Managing risk involves:

• identifying and assessing risks and controls
• documenting risks in a risk register (or equivalent)
• implementing actions and treatments to manage identified risks
• monitoring risks, including regularly reviewing risk registers
• reporting on risks.

Managing risk is everyone’s responsibility, as explained in the department’s Three Lines of Defence External Link model.

Identifying and managing risk maximises schools’ ability to make sound decisions to:

• deliver the best possible outcomes for the school and the community
• meet Victorian community and government expectations for accountable and responsible use of public finances and resources
• safeguard student and staff wellbeing.

Assessing and documenting risk

All schools must use the department’s Risk Management Process for Schools when assessing and documenting the risk(s) associated with:

• Emergency and Critical Incident Management Planning
• Child Safe Standards
• OHS Management System (OHSMS) Overview
• Buses – Owned, Hired or Chartered by a School

When assessing the risks listed above, schools must document the identified risks in a risk register. A template risk register is available in the Resources tab .

Schools may also assess and document risks for:

• development and review of the school’s Annual Implementation Plan (AIP)
• development and review of the school’s School Strategic Plan (SSP)
• community events such as school fetes, concerts and science fairs
• school projects/programs such as infrastructure builds
• lesson planning associated with higher risk activities such as science experiments or food technology classes.

If a school is uncertain whether a risk assessment is required, they must contact the Planning, Risk and Governance Branch for clarification and advice.

Monitoring risks

Schools must monitor risks for those mandatory risk assessments outlined above.

Schools may monitor identified risks by:

• including a standing item to review the school’s current and emerging risks on the school leadership meeting agenda
• undertaking a review of all risks associated with delivery of the AIP and the SSP at least once every 6 months
• reviewing all risk registers as necessary or when advised.

Reporting risks

Schools may report and escalate relevant risks to stakeholders, for example, school council, regional directors, Senior Education Improvement Leaders etc through appropriate channels.

Communication of this policy

Principals/school leadership are responsible for:

• providing staff with relevant training opportunities to support staff to manage risks at an operational level
• ensuring that all school staff follow departmental policies and processes, as risk management is integrated into other policies and processes.

Risk register templates are available on the Resources tab to document identified risks and their treatment and controls. Note that some templates include examples of controls or assessments which will need to be reviewed/updated to suit your specific context.

School leadership teams (principals and business managers) can contact the Planning, Risk and Governance Branch for specific risk advice and risk training workshops. Email: [email protected]

Printed copies of the Risk Management Process for Schools pocket guide (available in the Resources tab ) can also be ordered from the Branch.

Definitions

Objective An objective is an aspirational, results-oriented statement describing what your school intends to achieve within the set timeframe, and describes what successful delivery would entail.

Risk The effect (whether positive or negative) of uncertainty on objectives.

Risk management The identification, analysis, assessment and prioritisation of risks to the achievement of an objective.

Risk management involves the coordinated allocation of resources to:

• minimise, monitor, communicate and control risk likelihood and/or impact, or
• maximise the potential presented by opportunities.

Risk management includes coordinated activities to direct and control risks to the achievement of an objective.

Risk register A formatted list that records identified risks, assesses their impact and describes the actions (controls) to be taken to mitigate them. Typically, it describes the risk, the causes for that risk and the responsible person or group for managing it.

Control A control is any existing measure that modifies risk such as uniform policy or staff succession plan.

Controls are methods or procedures that assist in achieving objectives, safeguarding assets, ensuring financial information is accurate and reliable and supporting compliance with all financial and operational requirements.

Identifying current controls and their effectiveness is one of the most important aspects of risk management. It allows you to better understand the elements that are impacting the likelihood and/or consequence of a risk.

Treatment A risk treatment is an action you undertake to reduce a risk to an acceptable level, by adding new or improving/modifying existing controls.

Related policies

Relevant legislation.

Public Administration Act 2004 (Vic) External Link (section 81, part 1b)

Risk Management Process for Schools – completing school risk registers

This Risk Management Process for Schools guide contains the following chapters:

The Department’s Risk Management Process for Schools guides decision-making to help schools effectively manage risk and prioritise school resources in the context of the school’s operating environment.

Use the Risk Management Process for Schools to identify, assess and review risk associated with:

• activities where a mandatory risk assessment is required under legislation (emergency management, child safety, occupational health and safety, excursions including overseas travel, bus safety)
• developing the Annual Implementation Plan (AIP)
• developing the School Strategic Plan (SSP)
• school operations (such as lesson planning)
• community events or activities that require approval by the school council, such as a school fete

DET School Risk Process flowchart

The 8 steps in the DET School Risk Process flowchart are as follows.

1 Establish the context

• The strategic context
• The organisational context
• The risk management context
• Identify internal and external stakeholders

2 Risk identification

• What are the causes?
• What are the consequences?

3 Risk analysis

• Determine existing controls
• Determine consequence
• Determine likelihood
• Establish risk rating

4 Risk evaluation

Compare level of risk with risk acceptability criteria as defined in the Acceptability Chart

5 Risk treatment

Identify and implement treatment options including: Share/Terminate/Accept/Reduce

6 Communication and consultation

With all relevant internal and external stakeholders, during all stages of the risk management process

7 Monitoring and review

As a planned part of the risk management process that takes place at intervals appropriate to the nature of the objective and the level of risk

8 Recording and reporting

Outcomes of the risk management process should be documented and reported through appropriate mechanisms

Presentation

Each step is presented in separate boxes. Steps 1 to 5 are presented in descending order with down arrows pointing from Step 1 to 2, 2 to 3, 3 to 4 and 4 to 5.

Step 6 is positioned to the left of the flowchart and has double-sided arrows pointing to and from Steps 1 to 5.

Step 7 is positioned to the right of the flowchart and has double-sided arrows pointing to and from Steps 1 to 5.

Step 8 is positioned below all other steps.

Before identifying risks, first decide on the scope of the activity, including your objectives, and develop an understanding of your operating environment.

Identify your stakeholders (both internal and external) and consider their concerns, issues and expectations.

Examples of key stakeholders for schools are:

• regional offices
• the school community
• local councils or shires

Risk identification means thinking about what could go wrong when you are delivering your objective.

2.1 Identify the risks

Use the SWOT matrix analysis tool External Link to analyse the environment, establish current issues and consider future risks. The SWOT matrix analysis tool provides a structured way to consider internal and external strengths, weaknesses, opportunities and threats. Ask yourself ‘what can go wrong?’

Consider whether it would be beneficial to involve key stakeholders when conducting your SWOT analysis.

2.2 Consider causes, consequences and opportunities

Consider each risk in more detail and identify:

• Causes: what would cause it to go wrong?
• Consequences: what are the impacts if it does go wrong?
• Opportunities: what can go right?

2.3 Record your risks

Use the school risk register templates in the Resources tab to record your risks and associated details (risk rating, controls and treatments).

Review risks periodically and update the risk register accordingly.

Assess each risk to determine the overall level of risk (the ‘risk rating’).

This involves:

• identifying any existing controls
• considering the consequences (effect) if the risk eventuates, and
• the likelihood that the risk will occur

3.1 Existing controls

Identify any existing controls and assess their effectiveness. Ask yourself 'what existing controls are in place?'

Assess the current effectiveness of these controls. Use the Control Effectiveness Chart External Link (PDF 59.02kb) to help you assess your current risk controls.

3.2 Consequences

Consider the consequences or impact (effect) of the risk if it was to occur.

Consequences are measured using the following terms:

• insignificant

Use the Consequence Criteria Guide External Link (PDF 501kb) to assess the significance of the risk. This guide provides criteria for assessing risks in the categories of student outcomes, wellbeing and safety, operational, financial, reputation and strategic.

3.3 Likelihood

Consider how likely it is that the risk will occur.

Likelihood is described using the following terms:

• almost certain

Use the Likelihood Criteria Chart External Link (PDF 83kb) to assess the likelihood that a risk will occur.

3.4 Overall level of risk (current assessment)

Use the Risk Rating Matrix External Link (PDF 56kb) to determine the overall level of risk.

Step 4 – Evaluation

Evaluate each risk to determine whether the level of risk is acceptable and the appropriate response to the risk. The levels of acceptability relate to the risk rating levels and are described as:

• Risk acceptability chart

The department's risk acceptability chart is used to decide whether the risk is acceptable, based on the rating calculated.

Extreme (must have principal, school council or regional office oversight)

Immediately consider whether the activity associated with this risk should cease. Any decision to continue exposure to this level of risk should be made at principal, school council or regional office level, be subject to the development of detailed treatments, on-going oversight and high level review.

High (with ongoing principal class officer review)

Risk should be reduced by developing treatments. It should be subject to on-going review to ensure controls remain effective, and the benefits balance against the risk. Escalation of this level of risk to principal class officer level should occur.

Medium (with frequent risk owner review)

Exposure to the risk may continue, provided it has been appropriately assessed and has been managed to as low as reasonably practicable. It should be subject to frequent review to ensure the risk analysis remains valid and the controls effective. Treatments to reduce the risk can be considered.

Low (with periodic review)

Exposure to this risk is acceptable, but is subject to periodic review to ensure it does not increase and current control effectiveness does not vary.

Step 5 — Risk treatments

A risk treatment is the way in which you respond to a risk.

Options for risk treatments include:

• Share: if practical, share all or some of the risk with outsourced parties or insurers.
• Terminate: cease the activity altogether.
• Accept: this will require appropriate authority.
• Reduce: apply additional treatments until the risk is reduced to an acceptable level.

The way you treat a risk will depend on the outcome of your evaluation:

• Risks that are rated high or extreme require treatment to reduce risk to a more acceptable level. You may also choose to share or terminate the risk as long as that option will reduce the risk rating.
• Risks that are rated low or medium do not necessarily require further actions to reduce and are considered acceptable.

Risk treatment is a cyclical process:

• assess the risk
• decide whether the risk level is acceptable
• implement a treatment option
• conduct a second assessment to confirm that the treatment has reduced the risk to expected level. (This second evaluation is called the ‘target assessment’.)

A treatment that reduces the risk level may become a new control.

Consult and update relevant internal and external stakeholders throughout the risk management process.

Report on risks that are shared with relevant stakeholders to provide assurance that the school is managing the risk appropriately.

Schedule monitoring and review periods at intervals appropriate to the nature of the objective and the level of risk.

Have a structured way to document and report the outcomes of the risk management process to relevant stakeholders. This ensures that risk exposures are understood and managed.

Risk register templates

Use the appropriate risk register template to document identified risks and existing risk management strategies (controls) and new risk management strategies (treatments).

All schools must assess their own school specific risks and fill in the register according to their own specific environment. The templates provide example risks with example of existing and new risk management strategies (controls and treatments) however these need to be reviewed or updated to suit your specific context.

• Child safety risk register (with examples) (DOCX) External Link
• Risk assessment for local excursions (DOCX) External Link (staff login required) – template for compulsory risk assessment for local excursions
• Excursions risk register and emergency management plan template (DOCX) External Link – risk register template mandatory for all day, overnight, adventure activities, interstate, overseas excursions or travel by air or water. This includes examples and a template for the emergency management plan
• Hosting visits from overseas sister school risk register (with examples) (DOC) External Link (staff login required)
• Registered bus operator risk register (with examples) (DOC) External Link (staff login required)
• School Risk Register (with examples) (DOC) External Link (staff login required) – general purpose risk register for a school documenting risks associated with objectives in annual implementation plan and school strategic plan as well as risks relating to school operations
• School risk register (DOC) External Link (staff login required) – blank and template only

Risk management framework

For more information about the overarching framework of risk management in the department, refer to the department’s Risk management framework (DOCX) External Link (staff login required) which:

• provides a structured and consistent approach for recognising, understanding and responding to risk
• embeds the practice and implementation of risk management as part of transparent, objective and considered decision making and strategic planning
• assists in the delivery high quality service under a duty of care
• supports compliance with government statutory regulations including requirements relating to occupational health and safety, emergency management and the Public Administration Act 2004 (Vic).

This Risk Management — Schools policy is a component of the department's risk management framework.

Tools to support schools undertake a risk management process

The following resources are available to support schools undertake a risk management process:

• DET school risk process flowchart
• DET risk process – explaining the 7 step school risk management process
• Consequence criteria guide
• Control effectiveness chart
• Likelihood criteria guide
• Risk rating matrix
• School cycle – where schools should use risk management
• PESTLE analysis – used to establish the risk context
• SWOT matrix analysis tool – used in risk identification
• Managing project risks in schools (DOCX) External Link

Reviewed 11 May 2023

Risk Assessment Matrix: Definition, Examples, and Templates

Fahad Usmani, PMP

November 28, 2022

A risk assessment matrix is a tool for assessing and prioritizing risks in risk management .

This blog post will discuss the risk assessment matrix, how to create a risk assessment matrix, and provide examples and a template you can use to create your risk assessment matrix.

What is a Risk Assessment Matrix?

Project managers evaluate and prioritize risks using a risk assessment matrix . Many experts refer to this matrix as either a probability and severity risk matrix or a risk matrix.

The matrix allows project managers to plot the severity of the consequences and the likelihood of the event occurring from low to high. This information helps rank the risk.

Creating a risk assessment matrix can be done in various ways; however, the most important things to keep in mind are that it should be concise, simple, and adapted to the project’s particular circumstances.

Risk ranking helps project managers separate high and low-rank risks. They can develop a risk management plan for high-ranked risks and keep low-level risks on a watchlist. Prioritizing helps the project management team focus on high-priority risks and saves resources in investing in low-priority risks.

The higher the severity and likelihood of an event, the greater the risk. Many factors influence the decision of what is high-risk. For example, if the consequences of an event are not severe, it may be considered a low-ranking risk.

How Does a Risk Matrix Work?

Risk assessment is the probability of an event multiplied by its impact. You can break probability and impact levels into verbal and numerical scales.

Risks can be grouped into three zones:

• The High Risk (Red Color) – Unacceptable
• Moderate Risk (Yellow Color) – May or May Not Be Acceptable
• The Low Risk (Green Color) – Considered Acceptable

Determining whether a risk is acceptable often comes from a cost/benefit calculation . For instance, it is difficult to justify paying millions of dollars to prevent an injury caused by ergonomics, yet investing the same millions of dollars in preventing a chemical explosion might be worth it.

Benefits of a Risk Assessment Matrix

The benefits of the risk assessment matrix include the following:

• It Prioritizes Risks: Project managers can prioritize and focus on high-ranking risks by assessing their probability and impact.
• It Improves Communication: A risk assessment matrix improves communication between different departments and stakeholders by providing a common language for discussing risks.
• It Facilitates Decision Making: The matrix helps develop risk response plans.
• It Improves Risk Understanding: The risk assessment matrix creation process helps the project team understand the risks and their interrelationships.
• It Helps Develop Budgets: Project managers can calculate contingency reserves and plan the budget after identifying and assessing the risks.

How To Create A Risk Assessment Matrix

The steps to create a risk assessment matrix are as follows: 

Risk Identification

The first step in creating a risk assessment matrix is risk identification. To acquire a range of perspectives, identify as many risks as possible.

Some organizations have risk checklists based on past project experiences. These checklists help identify risks quickly for new projects. 

Afterward, project managers can find more risks by brainstorming with the team, reviewing project documents , and talking to stakeholders .

The different types of risks include:

• Internal Risks: These risks come from within the company, and the project team has some control over them. For example, an ineffective team member, unrealistic deadlines, or a lack of resources.
• External Risks: These risks come from outside the company, and the project team has no control over them. For example, natural disasters, supplier problems, or changes in the market.
• Strategic Risks: These risks come from the organization’s strategy. For example, a new product launch might fail, or a competitor might release a similar product.
• Operational Risks: These risks are caused by day-to-day operations. For example, equipment breakdown, sick leave, mistakes, process errors, etc.
• Financial Risks: These risks come from the organization’s finances. For example, a decrease in sales, an increase in costs, or a change in interest rates.

Risk Analysis

The project team analyzes the likelihood of each risk after identifying those risks. They need to conduct a risk assessment to determine how likely they are to cause damage.

There are several ways to perform a risk analysis. One popular method is a SWOT analysis, which stands for Strengths, Weaknesses, Opportunities, and Threats. Another common method is PESTLE analysis , which stands for Political, Economic, Social, Technological, Legal, and Environmental factors.

Assessing Risk Impact

After analyzing the risks for their probabilities, the project management team will assess their impact severity and the potential loss incurred if the risk occurs.

There are a lot of different approaches to determining the seriousness of the possibility and the impact. One of the more prevalent approaches is using a scale that ranges from one to five, with one denoting the smallest probability and five denoting the greatest probability.

In addition, the impact intensity is graded on a scale from one to five, with one being the least significant impact and five representing the most significant impact. After estimating the severity of probability and impact of the risk, team members multiply them to get the risk ranking.

Risk Prioritization

The last step in creating a risk assessment matrix is prioritizing the risks. This is done by ranking them from highest to lowest.

Risks can be divided into four levels: high-priority risks, major risks, moderate risks, and minor risks.

• High Priority Risks: These risks have a high probability of occurring and could significantly impact the project.
• Major Risks: These risks have a moderate probability of occurring and could impact the project.
• Moderate Risks: These risks have a low probability of occurring and could moderately impact the project.
• Minor Risks: These risks have a very low probability and impact and a minor effect on the project. These risks are mentioned in the watchlist for monitoring.

The project manager will develop risk response plans for all risks except those on the watchlist.

How to Categorize Risks in a Risk Assessment Matrix

You can define risk assessment matrixes differently, but the most common is plotting risks on the x-axis and probabilities on the other.

This results in a matrix with four quadrants, each representing a distinct risk level. The dangers located in the upper left quadrant have a high chance as well as high severity, and they are considered to be the most severe.

The dangers located in the bottom right quadrant have a low likelihood and severity, and they are the hazards that are regarded as the least serious.

How to Use the Result of a Risk Matrix

You use the output of the risk matrix to develop a risk management plan, more specifically, a risk response plan.

You have a list of prioritized risks. Therefore, you will begin by formulating a response strategy for high-level risks and move on to medium-level threats.

You won’t bother developing a reaction plan for low-level risks; instead, you’ll keep track of them on a watch list and continue monitoring them until the project is through.

You will work on developing a risk response strategy if the severity of any low-risk situation increases from a low level to a high level.

In addition, you can maintain a high-priority risk on a watchlist even if its severity level decreases and it transitions into a low-priority risk if the situation warrants it.

Example Of a Risk Assessment Matrix

Here is an example of a simple risk assessment matrix to evaluate the risks.

The matrix shows the risk associated with returning to work during the pandemic.

Risk: Flawed policies to prevent the spread of the virus to employees and visitors.

What Can Go Wrong?

• Employees feel uncomfortable wearing masks for a long period and remove them while talking with colleagues. The virus spreads throughout the team.
• The customer refuses to wear a mask and is asked to leave the premises.
• Employees and customers not staying six feet apart.

Mitigation(s)

• Apply penalties for not wearing masks. 
• Assign places where employees can remove the masks, finish breakfast, lunch, etc.
• Keeping signs on the front door that refuse people entry without a mask. 
• Placing dots six feet apart to instruct people on where to stand in line and prevent crowding.

Risk Assessment Matrix Template

Let’s review risk assessment matrix templates.

The risk categories range from low to high, and probability ranges from highly likely to very unlikely. The risk rating can be seen by finding the intersection of both criteria.

The following example shows the risk assessment matrix template 4X4.

Limitations of Risk Matrix

A risk matrix is useful in risk management but has some limitations. These limitations are:

• Inefficient Decision-Making: Sometimes, poor categorization of risk can cause poor assessment of risks, leading to poor decision-making.
• Biased Assessment: Many times, due to biases in risk assessment, risk levels can be miscalculated, and it can affect the risk management plan.
• Can Consume Time: Sometime, over-analysis can lead to a waste of time and resources.
• No Consideration for Timeframe: The risk matrix does not consider how risk can change during the project life cycle.

One of the most important tools in risk management is a risk assessment matrix. The management team for the project can conduct an effective risk analysis and establish a priority order for the risks associated with the project because they created a risk assessment matrix.

A risk assessment matrix is a living document that should be regularly reviewed and updated as new risks arise or the likelihood or impact of existing risks changes.

I am Mohammad Fahad Usmani, B.E. PMP, PMI-RMP. I have been blogging on project management topics since 2011. To date, thousands of professionals have passed the PMP exam using my resources.

PMP Question Bank

This is the most popular Question Bank for the PMP Exam. To date, it has helped over 10,000 PMP aspirants prepare for the exam. 

PMP Training Program

This is a PMI-approved 35 contact hours training program and it is based on the latest exam content outline applicable in 2024.

Similar Posts

What are Milestones in Project Management?

A project milestone is an event on the project schedule that shows the completion of a phase, the handover of a deliverable, an important meeting, approval, or the start or end of the project. A milestone can be anything worth giving importance to the project schedule. The PMBOK Guide defines the project milestones as follows:…

What is Sensitivity Analysis? Examples & Templates

Project managers are always involved with data analysis and decision-making. They must be conscious of the sensitivities in data and their impact on the project. To control for this, they use sensitivity analysis to determine the sensitivity of data variables in the project outcome. In brief, sensitivity analysis examines project scenarios under different circumstances. This…

What is Master Schedule in Project Management?

The project management environment is dynamic, and a project manager has to deal with many things simultaneously. They must ensure that the project is within budget and on schedule and proceeds as planned until it is completed. They also have to engage with stakeholders and keep them satisfied.  In today’s post, I will introduce you…

254 Great Icebreaker Questions to Start the Conversation

Understanding the significance of icebreaker questions is vital in today’s business environment, as the working environment can sometimes become monotonous and boring. Icebreaker questions are the lubricant that transforms awkward silences into vibrant exchanges, transforming unfamiliar faces into friends or collaborators. In today’s blog post, I will provide you with 254 ice-breaking questions that you…

Purchase Order (PO): Definition, Templates, Types & Example

A Purchase Order (PO) is a crucial document in procurement management. Project managers use purchase orders to buy materials for their projects, and organizations buy materials and consumables for their operations.  A better understanding of this document is essential for you if you manage projects which require frequent purchasing. Today’s blog post will discuss this…

Risk Tolerance Vs Risk Appetite

Risk tolerance and risk appetite affect your risk management plan; therefore, you must understand these terms. Today’s blog post will discuss risk tolerance vs risk appetite in detail with explanations and examples. A risk management plan depends on the stakeholders’ risk attitude, and the risk attitude depends on risk appetite and risk tolerance (and risk threshold).  A…

Good explanation !

Thank you for the brief-yet-thorough explanation, Fahad. Really helpful. Best of luck!

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

• UC Finance >
• Risk Services >
• Enterprise Risk and Resilience >
• Enterprise Risk Management >

Higher Education Risk Assessment Tool

Enterprise risk and resilience.

This tool will help you consider your campus' risk portfolio for a specified list of the most common risks in higher education.

The purpose of this tool is not to ensure all risks are rated as "Adequately Controlled" but rather to help departments assess their control structure for sufficiency given their environment, resources, and bandwidth. This tool will not make decisions for you, but it will help you organize your thinking as you consider your campus' risk profile and related enterprise risk management implications.

The steps involved in completing this tool are outlined below, followed by additional notes.

• Step 1. Get started
• Step 2. Customize scales and weightings

Step 3. Assess your risks

• Step 4. Review a chart of your risks
• Step 5. Export your data

Download a sample version of this tool (xlsx)

View the higher education risk assessment tool webinar.

The sample version should allow you to understand how this tool displays information, how to navigate through the steps, and what types of information you will need to complete it. However, it does not contain any formulas or calculations.

The full version of this tool is available free of charge as a public service and outreach effort of the UCOP Office of Risk Services. However, we do ask that you provide us with some basic information to assist us in understanding how this tool is being used. This helps us ensure we are continuously evolving the tools in our toolkit to meet the needs of our users. 

If you would like a full version of this tool, please contact us at [email protected] with the following information:

• Your name and title
• Your organization
• Your phone number
• Your e-mail address
• The name(s) of the tool(s) you would like to use
• A brief description of how you intend to use the tool(s)

Step 1. Getting Started

When you open the tool, you may be prompted with a warning indicating some content is unsecured. The tool only uses one macro, which allows the data export function to work. You will be able to fully utilize the tool even if you do not enable this macro; however, you will not be able to export the data without enabling it.

Next, fill in the employee names and organization information at the top of the first page. Then save the file in a secure location with an appropriate, unique name. This will minimize confusion if multiple files are created.

Then click the “Get Started!” button below the introduction to move on to the next step.

Step 2. Customize Scales and Weighting

Before you begin rating the risks involved and assessing your controls, it is necessary to set some common definitions for the varying degrees of a risk's impact and likelihood. It is also important to set common parameters for evaluating the effectiveness of controls. Sample definitions are provided as shown in the following tables. Place your cursor in the definition field to modify the definitions to suit your needs.

Risk impact and risk likelihood are both weighted at 50% each by default as shown in the following table. Depending on the types of risk you are considering, those weights may change. For instance, if you are using this tool to consider risks that could cause workers’ compensation claims, you may weigh risk likelihood higher because there are statutory limits that determine the severity of the claims based on frequency. If instead you are considering reputational risks, where small number events may have a significant impact, you may weigh severity higher. To change how these factors are weighed, place your cursor in the cell and revise the percentages. These two factors must be equal to 100%.

As you move on to other steps, you can return to this page at any time by clicking the "Customize Scales" button

Formula Protection

Some cells on each page are protected to prevent accidental edits which may affect the tool’s calculations.  Cells containing formulas are shaded a light grey. Spaces intended to be left blank are also shaded in the same light grey.  Cells where you can enter information or make a selection from a drop-down menu are filled in white. Even for cells that are protected, you are able to format cells as you wish (change fonts, styles, colors, widths, heights, alignment, and text wrapping). These types of changes should be made without removing the protection on the page.

Risk Assessment

This step lists common risks related to higher education, which are organized in the following groups:

• Hazard Risks
• Financial Risks
• Information Technology Risks
• Human Resources Risks
• Research Risks
• Contract and Grant Risks
• Campus Life Risks
• Facilities & Maintenance Risks

There are blank spaces at the bottom of the page to list additional risks at your discretion.

Assess the impact and likelihood of each risk listed by selecting a scale from each dropdown menu. Next, describe how your organization is currently managing each risk, and describe any risk mitigation plans or efforts which are already in place . Then identify how frequently controls for that risk are performed .  For example, an audit may be performed annually, whereas access badges that restrict access to certain areas of the campus or medical center may be used multiple times daily.

Assess the effectiveness of the existing controls you just described by selecting a scale from the dropdown menu in the “Control Effectiveness” column. Once you have made this selection, the risk rating will be calculated and the “Risk Rating” field will populate.

This “Risk Rating” will show as one of the following:

If you want to change the options shown on the dropdown menus for "Risk Impact", "Risk Likelihood", or "Control Effectiveness" you can change them by returning to the "Customize Scales" step.

Then, under "Dashboards, Monitoring, & Reporting," describe how the control activities are being monitored and identify the person in your organization who is accountable for monitoring those controls.

Step 4.  Review a chart of your risks

The chart provides a graphical representation of your risk assessment based on your selections for risk likelihood, risk impact, and control effectiveness. There is a dropdown menu at the left of the page which allows you to select which information to plot on the chart. You can have the chart show each risk of a selected group or each group combined as a single point displayed with the other groups.

Step 5.  Export your data

When you have completed all of the steps, you may export the data into a comma-separated value file (.csv) for use in the University's Enterprise Risk Management Information System (ERMIS) by selecting the "Export" button in the Assess Risk step.

Related Resources

• Risk Assessment Toolbox
• Risk Assessment Tool Webinars

• Skip to content
• Skip to search
• Staff portal (Inside the department)
• Student portal
• Key links for students

Other users

• Forgot password

Notifications

{{item.title}}, my essentials, ask for help, contact edconnect, directory a to z, how to guides, policy library.

• Excursion Planning and Management (PDF 630 KB)

Related Information

• Variation of routine Staff only
• Risk management plan - Excursions and travel health Staff only
• Overseas excursions planning Staff only
• Private tours, events and activities (PDF 152 KB) Staff only
• Good practice in billeting (DOCX 27 KB)
• Inbound overseas visitor groups

Changes since previous update

Changes since previous version

2023 Oct 16 updated language and links in the policy statement and implementation document to reflect changes to the WHS Risk Management Procedures and supporting resources.

Document history

2022 Oct 10 - updated contact details in policy statement and link to the Behaviour code for students. Updated the implementation document, Excursion Planning and Management, to reflect updates to the Student Behaviour policy and Inclusive Education policy. Also updated links (for risk assessment, Working with Children Check and overseas excursion website), clarified parent requirements in relation to car travel (4.2), anaphylaxis (6.2) and supervisory responsibilities (7.1). Updated information about COVID-19 requirements (1.1.4, 9.1, 11.1.3 and 13.3.3).

2022 Jul 18 - updated contact details in policy statement and implementation document, Excursion Planning and Management.

2022 May 18 - updated links in implementation document, Excursion Planning and Management, to reflect revision of the Working with Children Check forms (sections 2.1.1, 7.1 and appendix 2).

2022 Mar 07 - update to policy statement and implementation document: Excursion Planning and Management - revised overseas excursions application and approval process, including introducing a common application pack for all department schools; clarified instructions to staff in relation to privately arranged tours; more explicit instructions relating to risk management, child protection and safety, and refund of unspent excursion money. Updated related documents.

2019 Oct 16 - updated contact details and made minor style changes.

2016 Mar 14 - updated main contact details.

Inclusion of excursions involving preschool children and the applicability of the Children's Services Regulation 2004 New advice on film screenings and live performances in the context of revisions to the Controversial Issues in Schools Policy Advice on child protection issues relating to excursions to courts where the potential for students to be placed at risk of harm by being exposed to violent or sexually explicit evidentiary material. Further direction on excursion consent forms relating to the need to clarify parental wishes and consent Incorporation of Commonwealth Government initiatives relating to overseas excursions Advice on reporting of incidents occurring while on excursions in context of the revised Incident Reporting Policy and Procedures

Superseded documents

This policy replaces Excursions and Other Visits (97/137), 16 June 1997, Excursions policy PD/2004/0010 v001 Excursions policy PD/2004/0010 v002 and Excursions policy - PD/2004/0010/V003

• Excursions are part of quality teaching and learning programs. School excursions are structured learning experiences provided or managed by the school, conducted on or external to the school site, as determined by the principal. Incursions are a type of excursion, conducted on the school site.
• Excursions provide educational value by supporting curriculum outcomes, in consideration of the needs and resources of the school, the needs of the students and the total learning program.
• Excursions are inclusive. All students within a specific learning group are to be given the opportunity to participate, unless exceptional circumstances exist.
• The department has a duty of care to students while on excursions and this duty cannot be delegated to any third party or organisation.
• Identifying and assessing risk needs to be integrated into excursion planning to ensure appropriate risk management strategies are developed. An approved risk assessment must be implemented at all stages of an excursion.
• The obligation to report suspected risk of harm to children and young people applies throughout all stages of an excursion.
• permission for students to participate in excursions, including activities during an excursion
• a medical information form.
• The Behaviour code for students (PDF 83 KB) applies at all times while on excursions.
• Additional mandatory procedures apply to excursions that involve overseas travel.
• All NSW Government schools and preschools.
• Excursions involving preschool children are subject to specific protocols under the Education and Care Services National Regulations .
• Residential high schools and schools in Juvenile Justice Centres are subject to specific additional procedures with regard to students in residence.
• workplace learning programs
• privately organised (PDF 149 KB) tours, events or other activities the department is not responsible for these.
• The department is committed to providing a safe, secure, disciplined, inclusive, and quality learning environment in which students can develop their individual talents, interests and abilities through a curriculum that fosters students' intellectual, physical, social and ethical development. Excursions Planning and Management (PDF 393 KB) provides detailed direction and guidance to schools.
• School excursions vary in terms of the curriculum focus, students involved, duration of the excursion and venue. Groups participating in an excursion may be a class or a group of students drawn from a number of classes or schools.
• Excursions can range from an incursion to an extended journey occupying a number of days or weeks requiring overnight or long-term accommodation.
• approve all domestic excursions within Australia involving their school
• approve their own school's participation when more than one school is involved
• ensure that a risk assessment for the excursion has been completed
• endorse overseas excursions and submit the overseas excursions application to their Director, Educational Leadership for approval by the Executive Director in line with the department's overseas excursions application and approval process
• maintain records of excursions and any incidents occurring on an excursion
• exercise a duty of care towards all students, staff and other participants
• evaluate their school's practices for the safe conduct of excursions on the basis of past experience, systemic and locally produced risk profiles and teaching and learning outcomes
• manage any issues or incidents arising from school excursions, consistent with the department's Controversial Issues in Schools policy and Incident Notification and Response policy
• ensure the appropriate infection control measures are included in the planning and are followed during the excursion.
• may initiate and organise excursions
• exercise a duty of care to all students
• complete and monitor risk assessments for each planned excursion ensuring there will be adequate supervision
• report any incidents that occur on an excursion
• who organise an overseas excursion do so in line with the department's overseas excursions application and approval process .
• endorse an overseas excursion proposal
• endorse an overseas excursion for the approval to their Executive Director in line with the department's overseas excursions application and approval process
• monitor schools' compliance with this policy.
• approve overseas excursions in line with the department's overseas excursions application and approval process .
• The Executive Director, Curriculum and Reform monitors the implementation of this policy, regularly reviews its contents to ensure relevance and accuracy, and updates it as needed.
• Contact Curriculum and Reform [email protected]

• Governance and risk frameworks
• Communication, education and knowledge sharing

Due diligence, risk assessments and management

• Transnational Education Guidance Note on Due Diligence
• Enhancing Cyber Security Across Australia’s University Sector: Final Report
• Case studies - Governance and risk frameworks
• Case studies - Due diligence, risk assessments and management
• Case studies - Cybersecurity
• Case Studies - Transnational Education
• Australian Government Contacts
• Foreign Interference Impacts on Campus Culture Guidance Note
• National Security Architecture Placemat
• Australian Government legislation and codes
• Other guidance links
• University Foreign Interference Taskforce
• Announcements

On this page:

The Guidelines to Counter Foreign Interference in the Australian University Sector (the Guidelines) are foundational elements essential for building resilience within a university. They are designed to be holistic and reinforce each other. Understanding threats and risks will help drive and build proportionate and calibrated counter foreign interference activities. A positive security culture that supports international engagement is a core component within universities that will help to embed considerations of risk at all levels of the university. Being part of a community of best practice to share our journey and intelligence will promote the resilience of the sector and the nation.

This guidance material is designed to assist universities to develop and implement due diligence, risk assessments and management in accordance with the Guidelines .  It is advisory only. It is intended to provide specific considerations to which decision makers can refer appropriate to their circumstances to address key themes and objectives in the Guidelines .

Mutual support and information sharing within universities and across universities and Government can add to the practices.

Identifying risk does not preclude an activity from proceeding.

Declaring international associations or affiliations allows the management and mitigation of potential risks.

The following guidance material will assist universities and academics to have confidence in their collaborations and to make informed decisions around potential risks.

There are a number of useful resources and reference sites which can assist universities in undertaking due diligence. These include, but are not limited to:

• The ASIO Due Diligence Integrity Tool (please contact the ASIO Outreach Team at [email protected] for a copy of the ASIO Due Diligence Integrity Tool)
• Foreign Influence Transparency Scheme (FITS)
• DFAT Consolidated List
• Defence Export Controls (DEC)
• Due Diligence Assistance Framework
• Guidance for developing and undertaking open source searches

Separately, universities should also consider whether the proposed activity, partnership or variation to an existing arrangement needs to be notified under the DFAT Foreign Arrangements Scheme .

Assess the technology and research

The Australian Government has a range of requirements that researchers need to consider when collaborating internationally on specific areas or disciplines. This includes unintended applications of research outcomes, and commercial potential of research outcomes.

For more information, go to:

• Defence Strategic Goods List (DSGL) self assessment tool
• Department of Foreign Affairs and Trade - Australian Sanctions Office: Australian sanctions regimes: export and import sanctioned goods and the provision of sanctioned services  
• Critical Technology Supply Chain Principles : Principles outlined on this website are useful for universities to understand supply chains for critical technologies.
• Department of Prime Minister and Cabinet: Protecting and promoting critical technologies  (available on the web archive)
• Blueprint for Critical Technologies  (available on the web archive): Document from PM&C to assist universities to identify which technologies are critical to Australia's national interest.

Questions for decision makers

Assess the partner and personnel.

• Can the university determine, to the extent that is reasonable and consistent with the level of risk, whether the partner is being upfront and transparent about their reasons for collaborating?
• Similarly, has the university explored whether the partner is being upfront and transparent about affiliations, ownership/subsidiary status, parent partners and intent? These may include existing vendor relationships, sourcing partners and stakeholders with interest in the primary partner.
• When would it be appropriate for the university to seek further information from Government through available resources or through direct contact?
• Have foreign researchers expressed a concerning level of interest in obtaining the details of your research?
• Have you had any offers from foreign entities to purchase or invest in your research? If so, from whom and what were the terms of the offer? Does it look too good to be true?
• What processes are in place to monitor how conflicts of interest are reported and managed? These may include prompts to mitigate potential risks, protect academic freedom and free speech, and ensure compliance with export control laws and other regulations.
• How are incidences of non-disclosure by staff managed?
• What is the escalation pathway for assessing risk?
• Does the partner or the backing entity appear on any public registers (for example, the Foreign Influence Transparency Scheme, Register of Lobbyists, GrantConnect)?
• Does the proposed activity or partnership need to be registered under the Foreign Influence Transparency Scheme or the Foreign Arrangements Scheme?
• Is the partner or the backing entity listed as a ‘designated individual or entity’ for sanctions purposes on the DFAT Consolidated List?

Assess technology and research

• How might an adverse foreign actor exploit your research or product?
• Does your research have multiple uses? Can you imagine a scenario in which your research could be used for malicious purposes regardless of intended use?
• Is your research strategic/novel/ground-breaking or could it otherwise fill in an important piece of the puzzle for a competitor?

Comprehensive risk assessment and mitigation strategies

• Do the benefits of the activity outweigh the risks?
• What elements of the activity need to be adjusted to mitigate risk?
• Are researchers and their international partners, aware of their legal obligations including declaring conflicts of interests?
• Are there potential reputational or ethical risks to your university associated with the collaboration or activity?
• Do you have information that promotes awareness of what is being shared with foreign entities (for example within travel safety, video conferencing or other policies)?
• What access will the partner have to your IT networks? If they do have access, does this pose additional risk?
• Is there any physical separation or protection required to safeguard the research?
• Who is responsible for maintaining, promoting and applying risk mitigation?
• ownership arrangements for any intellectual property (IP) that is generated
• how existing IP, research data, confidential or personally identifiable data is protected
• identification and protection of commercially valuable research or research that may benefit Australia’s economic interest
• university IP policies and procedures. Issues that may arise include personal financial gain from the use of university research, which assists outside organisations by providing inappropriate access to university IP.

Approval, audit and continuous evaluation

• Have collaborators’ conduct, interests and external relationships changed over time into something with which the university or individual is not comfortable?
• Who is responsible for reviewing and approving arrangements including risk mitigation?
• What policies exist in the university to identify research or other contracts that may require additional oversight due to the nature of the research and/or the type of partnership? What Government support is available to help you make these assessments?
• University risk and security frameworks should also consider whether it is appropriate to report security incidents (breaches of university security protocols). They should also consider when to escalate incidents of concern to Government.

• Teaching & Learning Home
• Becoming an Educator
• Become a Teacher
• California Literacy
• Career Technical Education
• Business & Marketing
• Health Careers Education
• Industrial & Technology Education
• Standards & Framework
• Work Experience Education (WEE)
• Curriculum and Instruction Resources
• Common Core State Standards
• Curriculum Frameworks & Instructional Materials
• Distance Learning
• Driver Education
• Multi-Tiered System of Supports
• Recommended Literature
• School Libraries
• Service-Learning
• Specialized Media
• Grade Spans
• Early Education
• P-3 Alignment
• Middle Grades
• High School
• Postsecondary
• Adult Education
• Professional Learning
• Administrators
• Curriculum Areas
• Professional Standards
• Quality Schooling Framework
• Social and Emotional Learning
• Subject Areas
• Computer Science
• English Language Arts
• History-Social Science
• Mathematics
• Physical Education
• Visual & Performing Arts
• World Languages
• Testing & Accountability Home
• Accountability
• California School Dashboard and System of Support
• Dashboard Alternative School Status (DASS)
• Local Educational Agency Accountability Report Card
• School Accountability Report Card (SARC)
• State Accountability Report Card
• Compliance Monitoring
• District & School Interventions
• Awards and Recognition
• Academic Achievement Awards
• California Distinguished Schools Program
• California Teachers of the Year
• Classified School Employees of the Year
• California Gold Ribbon Schools
• Assessment Information
• CA Assessment of Student Performance and Progress (CAASPP)
• CA Proficiency Program (CPP)
• English Language Proficiency Assessments for CA (ELPAC)
• Grade Two Diagnostic Assessment
• High School Equivalency Tests (HSET)
• National Assessment of Educational Progress (NAEP)
• Physical Fitness Testing (PFT)
• Smarter Balanced Assessment System
• Finance & Grants Home
• Definitions, Instructions, & Procedures
• Indirect Cost Rates (ICR)
• Standardized Account Code Structure (SACS)
• Allocations & Apportionments
• Categorical Programs
• Consolidated Application
• Federal Cash Management
• Local Control Funding Formula
• Principal Apportionment
• Available Funding
• Funding Results
• Projected Funding
• Search CDE Funding
• Outside Funding
• Funding Tools & Materials
• Finance & Grants Other Topics
• Fiscal Oversight
• Software & Forms
• Data & Statistics Home
• Accessing Educational Data
• About CDE's Education Data
• About DataQuest
• Data Reports by Topic
• Downloadable Data Files
• Data Collections
• California Basic Educational Data System (CBEDS)
• California Longitudinal Pupil Achievement Data System (CALPADS)
• Consolidated Application and Reporting System (CARS)
• Cradle-to-Career Data System
• Annual Financial Data
• Certificated Salaries & Benefits
• Current Expense of Education & Per-pupil Spending
• Data Governance
• Data Privacy
• Educational Data Governance (EDGO)
• Student Health & Support
• Free and Reduced Price Meal Eligibility Data
• Food Programs
• Data Requests
• School & District Information
• California School Directory
• Charter School Locator
• County-District-School Administration
• Private School Data
• Public Schools and District Data Files
• Regional Occupational Centers & Programs
• School Performance
• Postsecondary Preparation
• Specialized Programs Home
• Directory of Schools
• Federal Grants Administration
• Charter Schools
• Contractor Information
• Laws, Regulations, & Requirements
• Program Overview
• Educational Options
• Independent Study
• Open Enrollment
• English Learners
• Special Education
• Administration & Support
• Announcements & Current Issues
• Data Collection & Reporting
• Family Involvement & Partnerships
• Quality Assurance Process
• Services & Resources
• CA Equity Performance and Improvement Program
• Improving Academic Achievement
• Schoolwide Programs
• Statewide System of School Support (S4)
• Specialized Programs Other Topics
• American Indian
• Gifted & Talented Education
• Homeless Education
• Migrant/International
• Private Schools and Schooling at Home
• State Special Schools
• Learning Support Home
• Attendance Improvement
• School Attendance Review Boards
• Expanded Learning
• 21st Century Community Learning Centers
• After School Education & Safety Program
• Expanded Learning Opportunities Program
• Child Nutrition Information & Payment System (CNIPS)
• Rates, Eligibility Scales, & Funding
• School Nutrition
• Parents/Family & Community
• Clearinghouse for Multilingual Documents
• School Disaster and Emergency Management
• Learning Support Other Topics
• Class Size Reduction
• Education Technology
• Educational Counseling
• Mental Health
• Safe Schools
• School Facilities
• Transportation
• Youth Development
• Professional Learning Home
• Title II, Part A Resources and Guidance
• Learning Support

In 1974, the Legislature enacted California Education Code ( EC ) Section 48320 to enhance the enforcement of compulsory education laws and to divert students with school attendance or behavior problems from the juvenile justice system until all available resources have been exhausted. EC Section 48321 provides several organizational structures for School Attendance Review Boards (SARBs) at the local and county level to create a safety net for students with persistent attendance or behavior problems. Although the goal of SARBs is to keep students in school and provide them with a meaningful educational experience, SARBs do have the power, when necessary, to refer students and their parents or guardians to court.

County or Local SARBs

SARBs, composed of representatives from various youth-serving agencies, help truant or recalcitrant students and their parents or guardians solve school attendance and behavior problems through the use of available school and community resources. County SARBs are convened by the county superintendent at the beginning of each school year. In any county where no county SARB exists, a school district governing board may elect to establish a local SARB, which shall operate in the same manner and have the same authority as a county SARB. In many counties, the county SARB provides consultant services to the local SARBs.

In addition to county and local SARBs authorized by EC Section 48321, EC Section 48325 established a State SARB for statewide policy coordination and personnel training to divert students with serious attendance and behavior problems from the juvenile justice system and to reduce the number of dropouts in the state public education system. The State Superintendent of Public Instruction (SSPI) extends invitations of participation to representatives of appropriate groups throughout the state. The State SARB makes annual recommendations to the SSPI regarding the needs of high-risk youth.

• State SARB Members
• State SARB Meeting Schedule and Agendas
• State SARB Subcommittee Meeting Schedule and Agendas
• Model SARB Recognition Program

Model SARB Recognition Program The Model SARB Recognition Program identifies outstanding results-based school attendance improvement programs that provide comprehensive services to high-risk youth with school attendance or school behavior problems.

State SARB Recommendation

State SARB Recommendation for 2016 As required by EC Section 48325(4)(c), the State SARB submits annual recommendations to provide the SSPI with guidance about potential actions to support schools in improving student attendance and reducing the number of dropouts in the California public education system.

Outcome Data

Reports of SARB Outcomes Recommended format for school districts to use to gather and transmit outcome data to the county superintendent of schools.

Publications & Resources

Sample Policy and Administrative Regulations The State SARB has developed a sample policy on attendance supervision as a resource to help school districts address truancy and dropout concerns.

School Attendance Review Boards - CalEdFacts This content is part of California Department of Education's information and media guide about education in the State of California. For similar information on other topics, visit the full CalEdFacts .

• School Attendance Review Board (this page)
• Child Welfare & Attendance
• School Attendance Review Boards Handbook & Forms
• School Attendance Improvement Strategies
• Sample Policy & Administrative Regulation