Council needed a simple and effective method for assessing and managing its ICT risks and for communicating the impact of those risks upwards and across the organisation. The identified risks also needed to be backed by a prioritised improvement roadmap.
This Council had new Executive leadership and knew it needed a fresh review and assessment of its ICT environment. It wanted to assess and manage its risks in a way that was practical and effective. As a result, Council engaged Information Professionals to undertake a risk assessment across its entire ICT landscape, inclusive of governance and cybersecurity risks.
Risk identification, assessment and ongoing management required both a top-down and a bottom-up approach. Top down, the risks must be relevant to Council, its overall environment and its strategic objectives (including risk appetite), which provide the baseline for the potential impact of each risk. Bottom up, the technologies and supporting processes within Council need to be assessed to determine how much exposure to, or importance for, each risk they carry. Together, these combined approaches ensure that appropriate mitigations are put in place.
Our approach blended the top-down and bottom-up views so that Council has a clear understanding of the consequences of each risk and can agree the mitigations and actions to be completed, and most notably their importance and priority.
We undertook interviews and reviewed extensive documentation to make this assessment. A number of standards and frameworks were applied as appropriate, including ISO 31000 (risk management), the ISO 27000 series (information security), the NSW Government Cyber Security Policy (2020), COBIT and TOGAF. We used Gartner's security and risk management maturity assessment tool to engage Council stakeholders and to help prioritise the risks and the subsequent improvement roadmap. A risk matrix, with risk scores across the various operating elements of Council, was developed; it will be used in Council's ongoing risk management reviews and processes.
The work produced a matrix of risks and mitigations, structured into a prioritised roadmap of five projects delivered across three tranches. The implementation roadmap charted this for Council, showing the staged reduction in overall risk profile as each tranche is implemented.
A risk report was also developed. It provided an Executive-level, graphical view of the state of the risks and supported the CIO in communicating risk priorities across the organisation and gaining support for priority investments.
The work also prompted broader dialogue and agreement on the key priorities and remediation steps for improving Council's digital capability. It provided a prioritised roadmap of fully costed and scheduled work packages that could form the basis for project briefs.
An infographic-supported executive report was also produced, which Council can circulate to the executive team as required to support dialogue and joint problem solving and, ultimately, to build support for the required initiatives. Many of these initiatives are now complete or underway.
Sutherland Shire Council (undisclosed)