Analysing Risk

Risk analysis is the process to understand the nature of the risk and determine the level of risk. It is necessary to establish the probable impact of the risk on organisational objectives.

Following risk identification, GGiA implements a two staged risk analysis process to determine Residual Risk and then Treated Risk. That is, it assesses the consequence of each risk, should it occur, then determine the likelihood of risk occurring with those consequences. A rating is then assigned to describe the magnitude of the potential consequence and likelihood of occurrence of each risk.

  • Residual Risk is determined by estimating the consequences of the particular risk should it occur, and the likelihood of the risk occurring, with the selected consequences, in the presence of existing controls; and
  • Treated Risk is determined by identifying the additional actions (‘treatments’) that are required to reduce the risk, and then re-estimating the consequence and likelihood of the risk based on these planned treatments (i.e. treated risk is the risk that is ‘left’ after treatments are implemented).

Identifying controls

Once risks have been identified, it is necessary to confirm the range of existing controls that currently operate to manage the risks. A control can be a policy, process, system, people resource, or physical prevention, and it must be measurable and auditable.

It is preferable to focus controls at the risk source as this will ideally prevent or reduce the likelihood of the risk occurring (e.g., policy, technical guidelines, standards, training, management plans). If it is not cost effective to implement controls ‘at the source’, then it’s necessary to consider controls to minimize the impact of the risk should it occur (i.e., physical containment), procedural (contingency plans, emergency response procedures), behavioral (e.g., emergency response training).

Many of the controls currently in place to manage risks are built into existing business systems and processes. A control must be in place and operating – if not in place, there is still a treatment.

During the control identification process, it is necessary to identify the Control Owner. This often is not the risk owner nor are they under the direct influence of the risk owner. It is incumbent on the risk owner to regularly confirm with the control owner that the key controls are still in place and operating. It is equally incumbent on the control owner to notify the risk owner should a control breakdown/failure occur.

Control Effectiveness

To inform the determination of controlled consequence and likelihood, and whether further treatment of a particular risk is necessary, it is necessary to consider how effective the group of controls are in managing the risk. Understanding the control effectiveness is important as it can highlight where further work may be needed to reduce the severity of the risk by improving the controls.

Risk Control Effectiveness Table

Effective (well controlled)Limited Effectiveness (needs moderate improvement)Not effective (needs significant improvement)
Controls are effective. Well documented, communicated and applied consistently.

High level of confidence in the effectiveness and reliability of the controls. No improvement required.

Controls are moderately effective. Reasonably well documented, communicated and applied. Some confidence in the operating effectiveness and reliability of the controls. Moderate improvement required to mitigate risk. Improvement action required.Controls are not effective. Controls are not (well) documented and communicated, and/or low confidence in the operating effectiveness and reliability of the controls. Significant improvement required to risk mitigation. Urgent action required.

Residual Risk Assessment

Once the current controls have been identified, and their effectiveness evaluated, an assessment of consequence and likelihood, using the criteria on the Risk Consequence Table below, is undertaken to determine the Residual Risk.

In determining the appropriate consequence level its necessary to:

  • Identify the specific consequence categories ‘triggered’ by the particular risk: Workplace Health and Safety, Reputation and Trust, Financial, Compliance and Governance, Program and Precinct Delivery, Environment and Cultural Heritage (see Risk Consequence Table)
  • Determine the applicable consequence level for each category identified: Extreme, Major, Moderate, Minor, Insignificant, adopting a ‘plausible, worst case scenario approach

Select the highest level as the overall consequence level.

Consequence assessment

Consequence is determined by using the consequence ratings in the Risk Consequence Table below.
When using this table, it is necessary to consider the impact the Risk would have on the purpose and objectives of GGiA, as well as the impact on the objectives of the specific activity or function.

Risk Consequence Table

Risk CategoryInsignificantMinorModerateMajorSevere
Child Safe Child FriendlyAn adult member without a girl facing role does not complete the CSCF for Adults in Guiding in the required timeframe and not making decisions in accordance with the CSCF


An Adult in Guiding with a child facing role does not complete CSCF training in the designated timeframe (noting there will always be another adult present in accordance with the Supervision ratio) and not responding to feedback, a concern or a complaint in accordance with policyA Leader or Manager not completing the CSCF for Leaders and Managers training and as a result is not aware of the responsibiliti es for

reporting harm, abuse and neglect

Failure of an SGGO to have a system in place to

monitor compliance with the CSCF Framework resulting in GGiA not being able to

demonstrate compliance with the National Principles for Child Safe Organisations

Deliberate non- compliance with the CSCF Framework.


Repeated non- compliance with the CSCF Framework so that GGiA cannot demonstrate compliance with the National Principles for Child Safe Organisations

Our PeopleMinor injury requiring first aid only; or minor complaint from a volunteer; or

Recruitment of volunteer and staff roles outside of normal recruitment cycles that does not impact on the day-to-

Fractured bone, sprain etc. requiring medical intervention


Recruitment of a key volunteer leadership role or recruitment for executive leadership not

completed by the required

Injury requiring admission into hospital


mid-tier volunteer or employees’ roles open impacting key decision making and outcomes in the organisation

Serious injury to personnel

or executive

leadership role is unfilled for more than 3 months

No members, or

death of a participant at a Guiding activity


insufficient employees to support operational outputs



Risk CategoryInsignificantMinorModerateMajorSevere
day operationstime, but underway


Appropriate training for Adults in Guiding not delivered

data breach of personal identifiable data.
FinanceA lost nominal petty cash receipt (e.g., for milk supplies).Delayed parent membership fees to Units.Cancellation of a national event with a loss causing a negative overall financial impact below the ‘major’ level.Significant fraud, loss of a third of GGA’s or state

membership, loss with a negative overall financial impact below the



Girl Guiding entity insolvency or bankruptcy.
StrategyProjects are temporarily delayed due to reassignment of resourcing.Strategic project reporting is complete but lacks stakeholder feedback.Strategic Projects are delayed by more than 4 months, once commenced.No stakeholder engagement during implementatio n of strategic goals.Non delivery of GGA Board approved strategic initiatives
GuidingProgram / activity interrupted for 1 week.Program / activity interrupted for 2-4 weeks.Program / activity involving 2 or more Units are actually or potentially interrupted for more than 4 weeks.Program / activity involving 2 or more Regions are actually or potentially interrupted for more than 4 weeks and no alternative is available.Program / activity that if interrupted have the potential to threaten GGiA



Risk CategoryInsignificantMinorModerateMajorSevere
OperationsKey employees unavailable to be contacted in a timely manner.Temporary impact or interruption which may cause slight delay.Short term impact to business operations, loss of data or personnel, short term impactSignificant impact to the business operations, loss of capacity and capability over medium timeline.Non- compliance against Corporations Act resulting in penalties, fine or action by the ACNC
Informatio n Security and TechnologyAdult in Guiding device failure requiring replacementOffice Wi-Fi is impacted for more than 24 hours.GGA, SGGO

and/or national information (i.e., 1300)

phone lines are offline for more than 24hours.

Data breach of non- personal identifiable data.Data breach of personal identifiable data or a ransomware attack or total loss of Girl Guiding data.
Governanc e and RegulatoryAdverse community sentiment/ media article or insignificant breach of governing rule with small breach of consequenceInformal complaint from parent/ member which may result in adverse media over several days, minor breach of governing rules with minor breach consequenceFormal complaint (e.g., written) or material breach of legislation leading to more significant review being undertaken, failure to follow Supervision ratios in Guide Lines.A breach of legislations; failure to follow ASIC rules.Sustained reputational or legal damage with potential to lead to the collapse / closure of a GGiA entity; Loss of GGA capacity to operate and WAGGGS

removal of licence to operate as a recognised Girl Guide/Girl Scout organisation and very serious damage to the reputation.

Risk Likelihood

Risk likelihood can be assessed from various sources including:

  • past records and statistical analysis
  • relevant experiences, specialist, and expert judgements
  • testing of equipment
  • research literature

Risk Likelihood Table

LIKELIHOODDESCRIPTIONExpected Frequency (as a guide only)
Almost CertainThe event is expected to happen in most circumstances.More than once a year
LikelyThe event will probably happen in most circumstances.Once a year
PossibleThe event should happen at some time.Once every 3 years
UnlikelyThe event will probably not happen (or could happen at some time).Once every 10 years
RareThe event may only happen in exceptional circumstancesLess than once in 10 years

Risk Impact Rating

Combining estimates of the Likelihood and Consequences of the event happening it is possible to calculate the level of the Risk that will remain from the event, by assigning a Risk Impact Rating using the Risk Analysis Matrix table below.

Risk Analysis Matrix Table

LIKELIHOOD RATINGAlmost CertainMediumMediumHighExtremeExtreme

Last Modified: 20/06/24 at 2:16 PM