Risk Register considerations

Introduction

Whilst accessibility is a risk, the level of accessibility risk is clearly not the same for all ICT procurements. For example, software which is used by 7 people in a lab obviously carries less risk than a system which will be accessed by 40,000 students. The following sections should assist in identifying potential risks and assessing their level.

Risk management principles

‘AS ISO 31000:2018 Risk management - Guidelines’ is an Australian Standard which helps individuals and organisations to manage risks, make decisions, achieve objectives and improve performance.

Risk management seeks to create and protect value and seeks to manage the effects of uncertainty using the following principles:

a. Risk management is an integral part of all organisational processes b. Risk management is structured and comprehensive c. Risk management is customized to the organisation’s context d. Risk management is inclusive of stakeholders e. Risk management is dynamic and responds to change f. Risk management is based on historical and current information, as well as future expectations g. Risk management is influenced by human and cultural factors h. Risk management is continually improved through learning and experience

Risk management process

The risk management process involves the following activities:

Communicating and consulting

Communication and consultation aims to:

• bring together different areas of expertise during the risk management process
• consider different views when defining risk criteria and evaluating risks
• provide sufficient information to facilitate risk oversight and decision making
• build a sense of inclusion and ownership to those affected by risk

Establishing the context and criteria

The risk management process should be customised to take account of the scope of activities, the context of the organisation and its risk criteria.

Risk assessment

Assessing risk includes:

• identifying uncertainties
• analyzing uncertainties by considering factors such as likelihood, magnitude of consequences, complexities, time-related factors, effectiveness of existing controls and confidence levels
• evaluating risks and deciding whether to do nothing, consider risk treatment options, undertake further analysis, maintain existing controls or reconsider objectives

Risk treatment

Treating risk is an iterative process that involves:

• formulating treatment options such as:
  • avoiding the risk by not continuing with the activity
  • taking the risk in order to pursue an opportunity
  • removing the risk source
  • changing the likelihood
  • changing the consequences
  • sharing the risk
  • retaining the risk via an informed decision
• planning and implementation
• assessing effectiveness
• deciding whether remaining risk is acceptable
• taking further treatment, if required

Monitoring and review

Monitoring and review involves planning, gathering information, recording results and providing feedback.

Recording and reporting

Risk management activities should be documented and reported in order to communicate outcomes, provide information for decision-making, improve risk management activities and to assist stakeholders, particularly those with responsibility and accountability.

Assigning responsibility

Managing risk is often a shared responsibility. Whilst procurement officers will often help to elicit accessibility information from vendors, it will ultimately be up to the business owner or accessibility steering committee to assess and treat risk.

Risk statements

The following are potential risks associated with ICT accessibility. They do not all apply to the procurement of ICT services and products directly; some apply to the policy framework and others to subsequent delivery and implementation. However, all are worth consideration.

Generic

This initial list of potential risks applies across the board and could be considered as pre-procurement.

• Failure to allocate sufficient resources and authority to coordinate and implement the ICT Accessibility Policy.
  • Risk because without sufficient resources, policies and procedures are just words
• Failure to make faculty, staff, and students aware of institutional resources for accommodation and accessibility.
• Failure to systematically and effectively monitor digital content and ICT services to ensure accessibility.
  • This particularly applies to course content and delivery
  • Also applies to upgrades to significant ICT systems
• Failure to provide regular, ongoing training, instruction, and support at all levels (e.g., administrators, faculty, IT staff, support staff, student employees) appropriate to a person’s roles and responsibilities, regarding the institution’s ICT Accessibility Policy and procedures, tools, resources, and techniques to ensure the policy and procedures are effectively and consistently implemented

Procurement

These items could be considered as the most important from a procurement perspective.

• Failure to provide an accessibility policy that demonstrates the campus’s commitment to ICT and digital accessibility
• Failure to define a technical standard for implementing ICT accessibility (such as WCAG 2 or AS EN 301 549)
• Failure to assign a person or entity to coordinate institution-wide accessibility
• Failure to implement a procedure to ensure information obtained, provided, or developed by third parties is accessible
• Failure to implement a procedure, which ensures procured ICT is accessible, such as including accessibility requirements in RFPs and contractual language
• Failure to implement accessibility solutions for ICT other than web-based, online, or software-based technologies, such as classroom controls, copiers, and digital signage
  • However, in the absence of fully accessible ICT solutions, or depending on the risk level, adopting an Equally Effective Access plan may be required
• Failure to thoroughly test ICT for accessibility beyond automated testing or VPAT statements

Secondary risks beyond ICT procurement

These risks are predominantly those which might apply during the implementation, maintenance or delivery of an ICT service or system. They may also apply to non-ICT digital accessibility.

• Failure to provide accessible websites
• Failure to provide a portal dedicated to accessibility, which serves as a central repository and includes, but is not limited to, accessibility information, news, tools, and best practices
• Failure to provide accessible instructional materials and library resources in a timely manner
• Failure to provide native ICT accessibility (e.g., relying on second-class ICT alternatives for people with disabilities)
• Failure to create a culture where accessibility is considered a proactive need, but rather is considered a reactive accommodation need
• Failure to provide captioning of announcements and commentary made over public address systems during athletic and other public events
• Failure to provide accurate video captioning
  • Also applies to live / virtual lectures
• Failure to provide audio descriptions

Risks levels

This section gives guidance about the level of risk that might be faced.

Low risk

• Limited audience/user base (students of staff)
• For administrative/research use by limited number of staff
• Not required for course work
• Used only occasionally
• Easily identifiable/available alternatives that provide an equally effective program/service in an equally integrated manner to individuals with disabilities
• No commercially available accessible product
• Low cost

Medium Risk

• Not required for core activities
• Used by some faculties
• Local knowledge exists regarding available alternatives
• Used a few times each semester
• Alternate access plan exists
• Remediation roadmap exists
• Medium cost

High Risk

• Large student audience/user base
• Used campus wide by most students or staff
• Required for course work
• Used daily or weekly
• High degree of educational opportunities/benefits through technology
• No easily identifiable alternative that provides an equally effective, equally integrated program/service in an equally integrated manner to individuals with disabilities
• A commercially available accessible alternative exists
• High purchase/licence cost

Risk assessment

Record all your risks, assess them against the impact and probability of occurrence, determine possible mitigations strategies and complete the risk evaluation table.

Impact and Probability Definitions

The tables below show the definitions of Impact and Probability that could be used during a risk analysis

Table 1 — Risk impact definitions

*Table 2 — Risk probability definitions*

*Table 3 — Level of risk*

### Risk evaluation

Complete the table with all risks and the assessment of each. Add a possible mitigation in the final column.

## References

• AS ISO 31000:2018 Risk management – Guidelines, Standards Australia (2018)
  • Available from Standards Australia store ($130)
• IT Accessibility Risk Statements and Evidence (PDF), EDUCAUSE (2015)
• Accessible Procurement Toolkit – Assessing risk, The University of Melbourne (ud)
• Evaluating Electronic and Information Technology (EIT) for University Procurement, Accessing Higher Ground (2022)

***Please note:*** *We view this as a living resource and welcome feedback. We are improving our website to ensure this content is fully accessible for all users. There is also a fully accessible version of the content available on the [ADCET website](https://www.adcet.edu.au/accessible-it-procurement/). We welcome feedback about the content and its accessibility as part of our ongoing process for improvement — email: [procurement@caudit.edu.au](mailto:procurement@caudit.edu.au).*