Risk Assessment

Risk management is not just risk avoidance. Risk Services encourages consideration of both positive and negative outcomes when assessing risk. Risk assessments can vary in complexity. Different assessment tools will be more or less suitable based on the activity under consideration.

The Activity or Event Risk Assessment Questionnaire can be used for smaller scale activities and events. The toolbox offers more complex and structured risk assessment tools utilizing Excel spreadsheets to guide the user through in-depth risk assessments.

Guided Risk Assessment

Designed to give a step-by-step process for assessing risk. Each step within the process can be simple or complex depending upon the scope of the undertaking.

1-Define the Objective

Define what the activity or undertaking being assessed is meant to accomplish. Think of how an undertaking supports the mission of the university, division or unit. If it seems to be a higher-risk activity, then carefully consider what the underlying objective of the activity is. If a much safer or less risky activity would achieve the same objective, then that activity may be a better choice. 

2-Define the Activity

A more detailed description of the activity will allow for a more meaningful risk assessment. Consider the who, what, where, when and how of the activity. 

3-Consider Negative Outcomes

What could go wrong? Consider the potential negative outcomes of the activity, for example:

• What harm–physical, psychological or social–could come to the participants?
• What property–owned by the university or owned by someone else–could be damaged?
• Is there any personal information that may be gathered and at risk for exposure?
• Have all agreements been reviewed and signed by the proper contracting office? 
• Are minors or volunteers involved?
• Is the activity taking place in a foreign or remote location?
• What is the reputational risk?
• What is the financial risk?

4-Risk Evaluation

Consider the potential negative outcomes of the activity in two dimensions: severity and frequency.

What is the severity? Will the negative outcome be debilitating to the organization or cause a minor administrative difficulty that is easily overcome or somewhere in between? Rank each as:

• Severe: organization would need extensive help to resolve; there may be lasting negative outcomes
• Significant: organization would need some outside assistance to recover
• Slight: organization can easily deal with outcome and will not require outside help in resolution

What is the likely frequency that the negative outcomes will occur?

• Almost nil: extremely unlikely to happen
• Slight: not likely to happen
• Moderate: will happen occasionally
• Definite: will happen often

For each negative outcome, use the chart below to decide how to proceed.

• Green indicates a more acceptable risk, especially if insurance is available to finance foreseeable losses.
• Yellow indicates a risk that needs to be controlled. Proceed only after controlling these risks; consider changing the activity to eliminate these risks.
• Red indicates an unacceptable risk and the activity needs to be changed so that these risks are eliminated.

Now consider the potential positive outcomes of the activity.

Balance the potential positive and negative outcomes. A highly beneficial activity may justify acceptance of higher risk. This can help inform the decision about whether to alter an activity. This is especially helpful for consideration of those areas that are evaluated as yellow within the chart.

5-Develop Controls

Consider ways to lessen the severity and frequency of the negative outcomes. Once controls are developed, go back and re-evaluate the risk. Repeat steps 4 and 5 until the activity poses an acceptable level of risk. 

6-Monitor the Controls

Once an activity is underway, periodically go back and make certain that the controls are working. New controls may need to be considered or existing controls may need to be updated.

For Questions and Information, Contact: risk@ucsc.edu