
Risk management is not just risk avoidance. Risk Services encourages consideration of both positive and negative outcomes when assessing risk. Risk assessments can vary in complexity. Different assessment tools will be more or less suitable based on the activity under consideration.
- Designed to give a step-by-step process for assessing risk. Each step within the process can be simple or complex depending upon the scope of the undertaking.
Activity or Event Risk Assessment – Questionnaire
- Designed to facilitate review of common types of events or activities that commonly occur on campus. Use the form to guide the risk assessment within the division or unit considering the activity or use the form to request input from UCSC Risk Services after your division or unit has vetted the activity internally.
UC Office of the President, Risk Services – Risk Assessment Toolbox
- The toolbox offers more complex and structured risk assessment tools utilizing Excel spreadsheets to guide the user through in-depth risk assessments.
Guided Risk Assessment
1 – Define the Objective
Define what the activity or undertaking being assessed is meant to accomplish. Think of how an undertaking supports the mission of the university, division or unit. If it seems to be a higher-risk activity, then carefully consider what the underlying objective of the activity is. If a much safer or less risky activity would achieve the same objective, then that activity may be a better choice.
2 – Define the Activity
A more detailed description of the activity will allow for a more meaningful risk assessment. Consider the who, what, where, when and how of the activity.
3 – Consider Negative Outcomes
What could go wrong? Consider the potential negative outcomes of the activity, for example:
- What harm–physical, psychological or social–could come to the participants?
- What property–owned by the university or owned by someone else–could be damaged?
- Is there any personal information that may be gathered and at risk for exposure?
- Have all agreements been reviewed and signed by the proper contracting office?
- Are minors or volunteers involved?
- Is the activity taking place in a foreign or remote location?
- What is the reputational risk?
- What is the financial risk?
4 – Risk Evaluation
Consider the potential negative outcomes of the activity in two dimensions: severity and frequency.
What is the severity? Will the negative outcome be debilitating to the organization or cause a minor administrative difficulty that is easily overcome or somewhere in between? Rank each as:
- Severe: organization would need extensive help to resolve; there may be lasting negative outcomes
- Significant: organization would need some outside assistance to recover
- Slight: organization can easily deal with outcome and will not require outside help in resolution
What is the likely frequency that the negative outcomes will occur?
- Almost nil: extremely unlikely to happen
- Slight: not likely to happen
- Moderate: will happen occasionally
- Definite: will happen often
For each negative outcome, use the chart below to decide how to proceed:
- Green indicates a more acceptable risk, especially if insurance is available to finance foreseeable losses.
- Yellow indicates a risk that needs to be controlled. Proceed only after controlling these risks; consider changing the activity to eliminate these risks.
- Red indicates an unacceptable risk and the activity needs to be changed so that these risks are eliminated.

Now consider the potential positive outcomes of the activity.
Balance the potential positive and negative outcomes. A highly beneficial activity may justify acceptance of higher risk. This can help inform the decision about whether to alter an activity. This is especially helpful for consideration of those areas that are evaluated as yellow within the chart.
5 – Develop Controls
Consider ways to lessen the severity and frequency of the negative outcomes. Once controls are developed, go back and re-evaluate the risk. Repeat steps 4 and 5 until the activity poses an acceptable level of risk.
6 – Monitor the Controls
Once an activity is underway, periodically go back and make certain that the controls are working. New controls may need to be considered or existing controls may need to be updated.