Whilst accessibility is a risk, the level of accessibility risk is clearly not the same for all ICT procurements. For example, software which is used by 7 people in a lab obviously carries less risk than a system which will be accessed by 40,000 students. The following sections should assist in identifying potential risks and assessing their level.
‘AS ISO 31000:2018 Risk management - Guidelines’ is an Australian Standard which helps individuals and organisations to manage risks, make decisions, achieve objectives and improve performance.
Risk management seeks to create and protect value and seeks to manage the effects of uncertainty using the following principles:
a. Risk management is an integral part of all organisational processes b. Risk management is structured and comprehensive c. Risk management is customized to the organisation’s context d. Risk management is inclusive of stakeholders e. Risk management is dynamic and responds to change f. Risk management is based on historical and current information, as well as future expectations g. Risk management is influenced by human and cultural factors h. Risk management is continually improved through learning and experience
The risk management process involves the following activities:
Communication and consultation aims to:
The risk management process should be customised to take account of the scope of activities, the context of the organisation and its risk criteria.
Assessing risk includes:
Treating risk is an iterative process that involves:
Monitoring and review involves planning, gathering information, recording results and providing feedback.
Risk management activities should be documented and reported in order to communicate outcomes, provide information for decision-making, improve risk management activities and to assist stakeholders, particularly those with responsibility and accountability.
Managing risk is often a shared responsibility. Whilst procurement officers will often help to elicit accessibility information from vendors, it will ultimately be up to the business owner or accessibility steering committee to assess and treat risk.
The following are potential risks associated with ICT accessibility. They do not all apply to the procurement of ICT services and products directly; some apply to the policy framework and others to subsequent delivery and implementation. However, all are worth consideration.
This initial list of potential risks applies across the board and could be considered as pre-procurement.
These items could be considered as the most important from a procurement perspective.
These risks are predominantly those which might apply during the implementation, maintenance or delivery of an ICT service or system. They may also apply to non-ICT digital accessibility.
This section gives guidance about the level of risk that might be faced.
Record all your risks, assess them against the impact and probability of occurrence, determine possible mitigations strategies and complete the risk evaluation table.
The tables below show the definitions of Impact and Probability that could be used during a risk analysis
Table 1 — Risk impact definitions
|High||High impact risks are those that may:|
- seriously impede day to day operations
- last up to three years and require specialist input and/or vendor remediation
- cause difficulty in meeting legislative requirements
- prevent successful defence against legal action
- or cause significant reputational damage
|Medium||Medium impact risks may:|
- result in the loss revenue or staff
- last up to a year and require specialist input and/or vendor remediation
- impede day to day ability of staff to perform role specific functions
- impede successful defence against legal action
- or cause reputational damage
|Low||Low impact risks may:|
- result in the limited loss of revenue
- be remediated by the University
- frustration of staff
- or may noticeably affect day to day operations
*Table 2 — Risk probability definitions*
|Probability / Likelihood||Definition|
|Low||Events that are unlikely to happen within a year|
|Medium||Events that are somewhat likely to happen within a year|
|High||Events that are likely to happen within a year|
*Table 3 — Level of risk*
### Risk evaluation
Complete the table with all risks and the assessment of each. Add a possible mitigation in the final column.
***Please note:*** *We view this as a living resource and welcome feedback. We are improving our website to ensure this content is fully accessible for all users. There is also a fully accessible version of the content available on the [ADCET website](https://www.adcet.edu.au/accessible-it-procurement/). We welcome feedback about the content and its accessibility as part of our ongoing process for improvement — email: [email@example.com](mailto:firstname.lastname@example.org).*
CAUDIT acknowledges the Traditional Owners of the lands where we live, learn and work. We pay our respects to Elders past and present and celebrate the stories, culture and traditions of all First Nations people.