ICTCYS608 Simulation Pack

ICTCYS608 Perform cyber security risk assessment

Case Study
King Edward VII College was established in 2010. The College is based in Melbourne CBD and offers
a range of courses in management, marketing, human resources and international business. It
currently has around 500 students enrolled across all of its courses.
The College is very popular due to its competitive pricing structure, innovative teaching methods and
state of the art facilities.
Due to its success, the College plans to establish two additional campuses, one in Brisbane and one
in Sydney within the next 6 months.
The College currently employs 24 staff members. That includes the CEO, a Marketing Manager and a
Marketing Assistant, Human Resources Manager, Finance Manager, Administration Officer, IT
Manager, Receptionist, Academic Manager, Student Services Officer and approximately 14 trainers.
A Strategic and Operational Plan guides the company’s operations (included with this Simulation
Pack).

Information about risk


The company has a risk management policy and procedures in place, as well as a risk register
(included with this Simulation Pack). These are general documents that apply to risk across the entire
organisation, not specifically cyber security risk.
The College wants to focus on ensuring that there is a sound cyber security risk management system in
place. This was discussed at a recent management meeting and management agreed that the
company's cyber security cannot be compromised, as this is too high a risk to the company's
operations. It was agreed that it would be important to establish a cyber security specific risk
framework. This should commence with a risk assessment that identifies all current risks related to
cyber security and assesses whether the organisation's systems are sufficient to prevent them.
It was noted that there are sound systems currently in place for cyber security, including a detailed
information security policy and procedure. However, it was also noted that there is no current formal
training program for staff related to cyber security and no specific procedures on how to deal with
cyber security attacks such as malware.

© Sydney City College of Management Pty Ltd RTO: 45203 CRICOS: 03620C Date Revision date Version
Page 1 of 21
File Name: ICTCYS608 Student Resources October 2023 October 2024 2

Executive Summary
Established in 2010, King Edward VII College is a Registered Training Organisation (RTO) that
provides training to students in business and management. Students include both Australian and
international students.
Our principal purpose is to provide high quality training services to satisfy students’ needs.
Our training is nationally recognised and accredited to meet vocational and educational standards.
Courses are designed by highly qualified staff with extensive industry and training experience to
achieve teaching and learning excellence, flexibility and personal satisfaction.
We draw on our established relationships with industry and other stakeholders to ensure that our
courses are appropriate to the demands of our clients and consistently meet their expectations.
Quality is maintained in compliance with the national VET Quality Framework and through our
continuous improvement system.
A key objective is to develop the required knowledge and skills for clients to be job ready and
competently undertake their chosen role in a wide range of business areas.

Mission
King Edward VII College provides high quality industry training that engenders participation and
achievement.

Strategic Objectives
1. To be a leader in vocational education and training
2. To establish and maintain high quality infrastructure supporting clients and staff
3. To be well led, high performing, profitable and accountable
4. To develop our people and resources

Values
The core values underpinning our activities are:
 Sustain excellence in training and assessment.
 Promote innovation across all of our business operations.
 Be a collaborative and caring community.
 Embrace difference and diversity.
 Demonstrate integrity and equality of opportunity in all activities.
 Operate with openness and accountability.


Target market for services


King Edward VII College has two broad segments to its target market, consisting of people wishing to
gain entry to the industry, as well as people already working in business and management who want
to formalise or develop their skills.
Building effective leadership and management skills of managers has been identified as particularly
important.
This has informed King Edward VII College's choice of delivery mode.
We also intend to capitalise on market needs for delivery of blended (classroom and online), as well
as on-line, courses.
There are many training providers in our sector and King Edward VII seeks to offer a point of
difference through our competitive pricing structure, innovative teaching methods and state of the art
facilities.

The Market
The latest statistics show that in 2019, an estimated 4.2 million students were enrolled in VET with an
Australian training provider. Further details about VET statistics are included at:
https://www.ncver.edu.au/research-and-statistics/visualisation-gallery/latest-vet-statistics
At the time of writing, COVID-19 is affecting the whole world and the number of international students
hosted by the College has declined. However, there is much hope for the future. For example, it is
considered that VET is very important as part of the post-pandemic economic recovery, as well as re-
skilling and up-skilling of workers to deal with the crisis. Skill sets and short online courses are being
rolled out and a new Undergraduate Certificate has been added to the Australian Qualifications
Framework as a qualification to upskill workers displaced by COVID-19.

Situation Analysis

Strengths
 Price, value and quality
 Clear understanding of student requirements
 Delivery mode suitable for client requirements
 High quality learning and assessment materials
 Committed to quality ethical practice
 Ability to adapt to changing market conditions
 Effective and practical policies and procedures
 Competitive pricing
 Friendly organisational culture
 Level of available finance for investment

Weaknesses
 Focus on business and management courses only
 Substantial investment in Sydney and Brisbane meaning large financial outlay
 Ageing workforce for senior management positions
 High staff turnover of trainers
 Difficulty in finding skilled trainers and assessors
 Lack of leadership and management skills of existing workforce
 Lack of diversity in workforce
 Outdated ICT system

Opportunities
 Potential for offshore delivery
 Target market experiencing growth
 To target other States and Territories
 Current portfolio of courses popular in target markets
 Potential to apply for Government funding

Threats
 Changes in industry legislation affecting students
 Possible adverse effects of government policy changes
 High level of competition from other training providers in relation to target market, plus competition for staff
 Instances of other RTOs' bad practice creating poor perception of training providers to clients
 Predicted uncertainties in the world economy impacting level of demand for training
 Low price courses offered by competitors
 Failing to satisfy clients' demands
 Unskilled trainers
 Ageing workforce

Operational Priorities
The following table identifies the operational priorities we plan to achieve in pursuit of our strategic
objectives.

Year 1

April 20XX
Priorities: Upgrade current ICT system to be faster, more efficient and sustainable, and to ensure links between the multiple campuses to be established
Key performance indicators: ICT system meets needs of staff and students; data can be retrieved via cloud access

June 20XX
Priorities: Improve web site information to attract more students
Key performance indicators: 10% increase in students by June 20XX; improve market share by 5%

July 20XX
Priorities: Conduct annual internal audit
Key performance indicators: Audit conducted and continuous improvement identified

September 20XX
Priorities: Develop and implement workforce plan
Key performance indicators: Workforce plan developed and staff informed of key strategies

Oct 20XX
Priorities: Develop and implement a cultural sensitivity and awareness program for staff
Key performance indicators: All staff trained in cultural awareness

November 20XX
Priorities: Implement staff performance management review system
Key performance indicators: Staff advised of new system and performance reviews conducted across the organisation

Dec 20XX
Priorities: Identify suitable location for Sydney campus
Key performance indicators: Location identified and lease taken out

Year 2

Jan XX
Priorities: Provide information sessions showcasing the College (Melbourne and Sydney); fit out Sydney campus ready for student admissions in February; interview staff for commencement in February
Key performance indicators: Identify at least 50 potential sign ups; Sydney campus ready for operation

March XX
Priorities: Develop an on-line learning platform for all courses
Key performance indicators: All courses offered on-line by end 20XX; increase student numbers by 12%

April 20XX
Priorities: Identify suitable location for Brisbane campus
Key performance indicators: Location identified and lease taken out

May 20XX
Priorities: Fit out Brisbane campus ready for student admission in June; interview staff for commencement in June
Key performance indicators: Brisbane campus ready for operation

July 20XX
Priorities: Conduct annual internal audit
Key performance indicators: Audit conducted and continuous improvement identified

November 20XX
Priorities: Staff performance reviews
Key performance indicators: All staff performance reviews conducted

Year 3

Feb XX
Priorities: Undertake scoping study for possible offshore campus
Key performance indicators: Scoping study completed by June XX and decision made as to whether to proceed

July XX
Priorities: Conduct annual internal audit
Key performance indicators: Audit conducted and continuous improvement identified

Nov XX
Priorities: Staff performance reviews
Key performance indicators: All staff performance reviews conducted

Marketing Strategies
Students make their RTO selection decisions based on the reputation of the organisation, quality of
courses, pricing, employment options and personal recommendations, amongst other factors.
Our strong vocational emphasis and continual industry consultation will ensure our courses are
appropriate to develop the skills and knowledge currently demanded by employers and students.
Our market decisions are based on extensive and continuous market research, targeting market
segments and clients within industry. We collect our data from a variety of sources, including current
and potential clients, VET and business sectors, competitors, media and government along with many
others.

Market share development


We plan to increase our market share by:
 establishing two new campuses
 offering on-line blended learning
 providing face to face information sessions
 improving our web site
 continually improving the quality of service given to clients pre-enrolment, during course delivery
and through the provision of support services, while remaining price competitive
 focusing on the provision of courses required by industry
 maintaining effective communication channels with all stakeholders to ascertain industry
requirements and then develop products and manage services accordingly
 continually improving communication channels with all our stakeholders, ensuring a flow of timely
and accurate information to facilitate effective planning and decision making
 consistently satisfying individual client needs and demands at the same time as developing the
knowledge and skills required by industry
 targeting identified growth markets with planned, market appropriate campaigns, employing a
variety of promotional strategies and advertising media
 offering attractive fee structures
 continually improving the skills, knowledge and effectiveness of King Edward VII College
management and staff through our commitment to training and development
 regularly reviewing the effectiveness of all our operations and making improvements when and
where necessary.


Risk Management
The following section identifies the associated risks in pursuit of our strategic objectives and how we
will deal with them.

Strategic Objectives
1. To be a leader in vocational education and training
2. To establish and maintain high quality infrastructure supporting clients and staff
3. To be well led, high performing, profitable and accountable
4. To develop our people and resources

Risk: Australian government changing policy in relation to industry
 Accepting policy change will be a constant factor to manage
 An understanding of this should be instilled in all staff
 Develop ability to foresee and react quickly to change
 Maintain effective communication channels with stakeholders
 Diversification of source markets
 Develop product range
Related to Strategic Objectives: All
Responsibility: CEO & Administration Manager

Risk: Significant drop in cash flow
 Identify operating costs as per future plans and past performance
 Identify available finance
 Efficient invoicing and debt recovery
 Accurate income projections
 Close monitoring of expenditure
 Arrange overdraft facilities
 Scenario planning
Related to Strategic Objectives: All
Responsibility: CEO & Administration Manager


Risk: Failure to recruit planned number of clients
 High quality delivery of all services
 Swift reaction to feedback
 Skilled, motivated staff
 Attractive fee structures
 Effective market research
 Allocate finance for each market
 Monitor performance
 Take early corrective action if not meeting targets or expectations
 Maintaining effective relationships with clients
 Maintaining effective communication channels with all stakeholders
Related to Strategic Objectives: 1, 2, 3
Responsibility: CEO

Risk: The world recession and the domino effect
 Diversification of source markets
 Target markets with strong growth forecasted
 Monitor the economic trends
 Regularly review performance in line with anticipated market conditions
 Develop culture of accepting continual change
 React quickly to change
 Scenario planning
 Maintaining effective communication channels with all stakeholders
Related to Strategic Objectives: 1, 3
Responsibility: CEO


Risk: Over committing resources
 Balance activities with the amount of finance available for investment
 Financial planning
 ICT systems
 Monitoring of cash flow
 Review invoicing and debt recovery system
 Swift response to identified issues
 Accessing financial advice
Related to Strategic Objectives: 1, 3
Responsibility: CEO & Administration Manager

Risk: Adverse changes in market conditions
 Effective communication channels
 Continuous market research
 Monitor new markets and overall recruitment trends for all market segments
 Scenario planning
 Develop working knowledge of potential markets
 Networking
 Maintaining effective communication channels with all stakeholders
Related to Strategic Objectives: 1, 2, 3
Responsibility: CEO

Risk: Changes to relevant legislation
 Emphasis on professional, ethical practices with all stakeholders
 Staff training
 Leading by example
 Policy implementation and monitoring
 Effective communication channels with all stakeholders
 Ability to manage change
 Managing available finance for re-investment
Related to Strategic Objectives: All
Responsibility: CEO

Risk: Shortage of, and difficulty in recruiting, appropriately qualified, skilled trainers and
assessors and other key staff
 Development of workforce plan
 Offer attractive salary packages, including full-time contracts to trainers and assessors
 Development of further HR policies and procedures
 Provide opportunities for career progression
 Develop stimulating and enjoyable working environments
 Commitment to training and development
 Commitment to professional development
 Succession planning to deal with ageing workforce
Related to Strategic Objectives: 1 & 4
Responsibility: CEO

Risk: Failure to meet and manage clients' expectations
 Accurate and timely communication with potential and current clients
 Management of recruitment activities
 Up to date ICT system
 Continuous improvement system
 Regularly review learning and teaching approaches, resources, structure and systems
 Client management policies in academic and support services
 Industry liaison
 Reviewing effectiveness of communication channels with clients
 Employing a continuous improvement approach to all operations
 Continuous market research and action
 Systematic feedback on management performance and personal reflection
Related to Strategic Objectives: All
Responsibility: CEO & Administration Manager

Risk: Failure to comply with legislation
 Consistently implement compliant policies and procedures
 Continuous improvement system
 Commitment to training and development
 Systematic review of policies and procedures
 Regular reviews of all operations
Related to Strategic Objectives: All
Responsibility: CEO & Administration Manager

Risk: Competitors undercutting prices
 Maintain competitive pricing policy
 Monitor competitors' prices and quality
 Regularly review financial management models and processes
 Continue focusing on quality
 Continue strategy of quality brand promotion
Related to Strategic Objectives: All
Responsibility: CEO

Risk: Failure to control expenditure
 Effective financial planning and review
 Co-ordination of activities
 Systematic review of practice
 Financial management and control systems
 Facilities management
 Implementation of efficient processes
 Efficient procurement of products and services
 Cost comparisons prior to purchasing
Related to Strategic Objectives: 1, 2, 3
Responsibility: CEO & Administration Manager

Risk: Only providing business and management courses
 Weighing the relative advantages of diversification and specialisation
 Monitor recruitment trends in the market
 Forecasting
 Match new and planned courses to market demand
 Cost benefit analysis
 Developing reputation for being a specialist in business and management courses
 Developing market share for delivery of business and management courses
Related to Strategic Objectives: 1
Responsibility: CEO

Risk: Ineffective planning
 Experienced management team
 Continuous market research
 Planning system
 Organisation structure and systems
 Regular review of structure, systems and procedures
 External liaison
 Maintaining effective communication channels with all stakeholders
Related to Strategic Objectives: All
Responsibility: CEO & Administration Manager


Risk: Non-payment of course fees
 Effective recruitment policies
 Review of recruitment policies and market segments
 Efficient invoicing
 Attractive payment structures
 Payment plans
 Cash flow management
 Timing of collecting fees
Related to Strategic Objectives: 4
Responsibility: CEO & Administration Manager

Risk: Rate of growth in client numbers
 Systematic review of systems and practice
 Buying in knowledge and skills
 Sourcing reliable market information
 Strategic and operational planning
 Review and, if indicated, amend management structure
 Develop policies and procedures
 Regular reviews of capacity and operation of all functional and curriculum areas
 Good communication channels with stakeholders
 Recruitment policy
 Finance available for expansion
Related to Strategic Objectives: 1, 3 & 4
Responsibility: CEO & Administration Manager

Risk: Unethical or unprofessional practices of staff (when employed)
 Staff selection processes
 Staff monitoring systems
 Previous experience of managing staff
 Swift reaction to feedback
 Termination of agreements
 Maintain currency of market recruitment trends
 Maintain relationships with HR organisations
Related to Strategic Objectives: All
Responsibility: CEO & Administration Manager

Risk: Small staff team
 Identify and source potential casual staff to call on in times of sickness and holidays
 Planning for holidays and leave
 Maintain relationships with HR organisations
 Offer incentivised pay structure for casual staff
Related to Strategic Objectives: All
Responsibility: CEO & Administration Manager


King Edward VII College

Risk Management Policy and Procedures

Purpose
To provide information and guidance on risk management. This Policy applies to all King Edward VII
College employees.

Principles
The following principles form the foundation of the King Edward VII College Risk Management Policy
and Procedures:
 A commitment to implement risk management effectively:
o King Edward VII College is committed to managing and minimising risk. This will be done by
identifying, analysing, evaluating and treating risk exposure that may impact on King Edward
VII College achieving its objectives and/or the efficiency and effectiveness of its operations.
o King Edward VII College will incorporate risk management into its planning and decision-
making processes and it must also be included as a consideration in operational planning as
a delegated line management responsibility.
o King Edward VII College staff must implement risk management according to relevant
legislative requirements and appropriate risk management standards.
 A commitment to training and knowledge development in the area of risk management:
o King Edward VII College is committed to ensuring that all staff, particularly those with
management, advisory and decision-making responsibilities, obtain a sound understanding
of the principles of risk management and the requisite skills to implement risk management
effectively.
 A commitment to monitor performance and review progress in risk management:
o King Edward VII College will regularly monitor and review the progress being made in
developing an appropriate culture of risk management and the effective implementation of
risk management strategies throughout the organisation as a basis for continuous
improvement.

Responsibilities
Risk must first and foremost be managed at the corporate level as part of the King Edward VII College
good governance and corporate management processes. Risk management is considered an integral
part of all management and decision-making functions within King Edward VII College. The
responsibility for the identification of risk and the implementation of control strategies and follow up
remains a delegated line management responsibility. All stakeholders have a significant role in the
management of risk. This role may range from initially identifying and reporting risks associated with
their own jobs to participation in the risk management process.


Aims and Objectives


 King Edward VII College aims to integrate risk management into the management culture of King
Edward VII College and foster an environment where staff assume responsibility for managing
risks.
 To secure its commitment to implement risk management effectively, King Edward VII College
aims to implement risk management across all aspects of King Edward VII College in accordance
with best practice guidelines.
 To secure its commitment to training and knowledge development in the area of risk
management, King Edward VII College aims to ensure that performance in risk management is a
consideration in the King Edward VII College's performance management systems, and that staff and
other stakeholders have access to appropriate information, training and other development
opportunities in the area of risk management.
 To secure its commitment to monitoring performance and reviewing progress, King Edward VII
College aims to ensure that appropriate monitoring, review and reporting processes are in place
in the area of risk management.
 The objectives of risk management are to:
o provide a structured basis for strategic, tactical and operational planning across King
Edward VII College, enhancing its governance and corporate management processes;
o enable King Edward VII College to effectively discharge its statutory and legislative financial
management responsibilities;
o provide a practical framework for managers to assess risks inherent in the decisions they
take;
o assist and motivate decision makers, at all levels, to make good and proactive management
decisions that do not expose King Edward VII College to unacceptable levels of risk of
unfavourable events occurring which adversely impact on the attainment of organisational
goals;
o encourage and commit decision makers to identify sound business opportunities that will
benefit King Edward VII College without exposing the company to unacceptable levels of
risk;
o minimise the risks of not identifying sound business opportunities;
o protect King Edward VII College from unacceptable costs or losses associated with its
operations, while safeguarding its resources: its people, finance, property and reputation;
o assist King Edward VII College in achieving its strategic objectives;
o create an environment where all staff assume responsibility for risk management.

Procedures

Corporate
Risk management is a whole of organisation process. It must first and foremost be managed at the
corporate level as part of King Edward VII College's good governance and corporate management
processes. This process, coordinated and facilitated by the CEO, will involve the following key steps:

 an annual risk identification exercise undertaken by the CEO. This involves assessment of the
consequence and likelihood of each risk, and the development and/or review of individual risk
management plans for the identified risks which exceed King Edward VII College's defined
acceptable level of risk
 wherever practicable, the inclusion of a Risk Management Assessment for all business activities
 the incorporation of risk management into strategic planning, as well as operational and resource
management planning processes
 ensure risk management processes are incorporated into the quality assurance and
improvement systems of King Edward VII College
 clearly define and document escalation procedures for risk management
 ensure a consistency in approach of responses to the same risk by different sections of King
Edward VII College
 test documented risk management procedures at appropriate intervals.

Management
Risk management is a delegated line management responsibility. It is the responsibility of all line
managers to continually monitor their areas of responsibility to ensure that risks are identified and
managed. Line managers should ensure that a contribution is made to King Edward VII College risk
management process, on behalf of their areas of responsibility, that identifies risks at all levels.
The sharing of documented responses to risks and knowledge of risk management principles and
procedures will be fostered between line managers to ensure consistency across the King Edward VII
College.
On an annual basis, line managers should review all activities to ensure that any unacceptable risk
exposures are identified and managed at an appropriate level. All operational sections will be required
to report on risk management as part of King Edward VII College's annual operational and
resource management process.

Individual
Each employee or other stakeholder throughout King Edward VII College has a role in the risk
management process and is responsible for actively participating in the risk management process as
appropriate to their position within the organisation.

New Opportunities
In addition to the risks that already exist, King Edward VII College is continually exposed to new risks,
particularly from the introduction of new activities.
New risks should be incorporated into the initial planning and assessment processes conducted prior
to undertaking the activity and, subsequently, into the annual risk management assessment at the
appropriate level(s) of activity and management. A risk management plan must then be developed.
The risk management process is a collaborative process whereby all managers and supervisors
identify risks and then meet to discuss and evaluate risks.
To identify risks, the following questions must be considered:
 What threats or opportunities in the current economic climate may impact on the business area?
 What could go wrong with the expansion in regard to the business area?
 What issues relevant to the business area could prevent the expansion from occurring?
 What is the worst-case scenario in terms of the business area and the expansion?

© Sydney City College of Management Pty Ltd RTO: 45203 CRICOS: 03620C Date Revision date Version
Page 17 of 21
File Name: ICTCYS608 Student Resources October 2023 October 2024 2

Principles
The principles of risk management shall be applied to all areas of risk exposure, insurable and non-
insurable, and shall include, but not be limited to the following areas:

Insurable Risks
 Insurable workplace health and safety risks
 Insurable fraud and corruption prevention activities
 Unauthorised use of resources which represent an insurable risk
 Reputation and image as an insurable risk
 Fire prevention measures and security precautions
 Property loss and damage
 Computer security
 Professional negligence
 Other liability exposures
 Legal liability

Non-Insurable Risks
 Non-insurable workplace health and safety risks
 Non-insurable fraud and corruption prevention activities
 Unauthorised use of resources which represent a non-insurable risk
 Reputation and image as a non-insurable risk
 Crisis contingency planning and disaster recovery
 Accounting controls that are not cost effective
 Loss of key staff and intellectual property
 Management system inadequacies and poor work quality
 Failure or disruption of a major income source or investment

Risk assessment
For all risks the business elects to manage, the likelihood of each risk occurring must be
estimated. Risk likelihood must be calculated by taking the average of at least two stakeholder
estimations. This must be done using the following scale:

Rare 1
Unlikely 2
Likely 3
Very likely 4


Similarly, the risk impact must be calculated by taking the average of at least two stakeholder
estimations using the following scale:

Minor 1
Moderate 2
Significant 3
Catastrophic 4

Risk will be prioritised using the risk matrix (rows: likelihood; columns: severity):

                Minor      Moderate   Significant   Catastrophic
Very likely     Moderate   High       Extreme       Extreme
Likely          Low        Moderate   High          Extreme
Unlikely        Very low   Low        Moderate      High
Rare            Very low   Very low   Low           Moderate

Extreme and high risks should receive high priority.
Moderate risks should receive medium priority.
Low and very low risks should receive low priority.

Review
The CEO will regularly monitor and review the progress being made in developing an appropriate
culture of risk management and the effective implementation of risk management strategies
throughout the organisation.

Guidance
The CEO will ensure that, through its monitoring, review and reporting functions, King Edward VII
College maintains a consistent approach to its assessment of acceptable risk.

Documentation
Each stage of the risk management process shall be appropriately documented. The extent of
documentation required is dependent on the nature of the risk. Documentation will be controlled, and
become part of an auditable quality management process. Risk registers must contain:
 risk
 potential outcomes
 likelihood
 impact
 calculated risk
 priority
 treatment.
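The scoring procedure set out under Risk assessment (averaged stakeholder estimates, matrix lookup, priority band) and the register fields listed above, carried through as an added Python example. This code is not part of the Simulation Pack or the College's own procedure. Where the policy is silent on an average that falls between two scale points (for example 2.5), it assumes the value is rounded up to the more severe band; the ransomware risk and the estimates it scores are constructed sample input, not data from the case study.

```python
"""Risk scoring following the King Edward VII College risk management procedure:
likelihood and impact are each the average of at least two stakeholder
estimates on a 1-4 scale, combined through the 4x4 risk matrix and
prioritised as high / medium / low.

Assumption (not stated in the policy): an average that falls between two
scale points (e.g. 2.5) is rounded UP to the more severe band, so that
disagreement between stakeholders never lowers a rating.
"""
from dataclasses import dataclass
from math import ceil
from statistics import mean

LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Likely", 4: "Very likely"}
IMPACT = {1: "Minor", 2: "Moderate", 3: "Significant", 4: "Catastrophic"}

# Matrix rows are likelihood (4 = Very likely ... 1 = Rare); each row lists the
# rating for impact 1..4 (Minor ... Catastrophic), exactly as in the policy table.
MATRIX = {
    4: ["Moderate", "High", "Extreme", "Extreme"],
    3: ["Low", "Moderate", "High", "Extreme"],
    2: ["Very low", "Low", "Moderate", "High"],
    1: ["Very low", "Very low", "Low", "Moderate"],
}

PRIORITY = {"Extreme": "High", "High": "High", "Moderate": "Medium",
            "Low": "Low", "Very low": "Low"}


def band(estimates, scale_name):
    """Average >= 2 stakeholder estimates (each 1-4) and round up to a scale point."""
    if len(estimates) < 2:
        raise ValueError(f"{scale_name}: policy requires at least two stakeholder estimates")
    if any(e not in (1, 2, 3, 4) for e in estimates):
        raise ValueError(f"{scale_name}: estimates must be integers 1-4")
    return ceil(mean(estimates))  # assumption: round up between scale points


def rate(likelihood_estimates, impact_estimates):
    """Return (likelihood band, impact band, matrix rating, priority)."""
    lik = band(likelihood_estimates, "likelihood")
    imp = band(impact_estimates, "impact")
    rating = MATRIX[lik][imp - 1]
    return lik, imp, rating, PRIORITY[rating]


@dataclass
class RegisterEntry:
    """The fields the policy requires in a risk register entry."""
    risk: str
    potential_outcomes: list
    likelihood: str
    impact: str
    calculated_risk: str
    priority: str
    treatment: list


def register_entry(risk, outcomes, likelihood_estimates, impact_estimates, treatment):
    lik, imp, rating, priority = rate(likelihood_estimates, impact_estimates)
    return RegisterEntry(risk, outcomes, LIKELIHOOD[lik], IMPACT[imp],
                         rating, priority, treatment)


if __name__ == "__main__":
    # Constructed sample input: two stakeholders (say the IT Manager and the
    # CEO) estimate a hypothetical ransomware risk. Not from the case study.
    entry = register_entry(
        "Ransomware encrypts the student records system",
        ["Enrolment and results unavailable", "Student personal data exposed"],
        likelihood_estimates=[3, 2],   # mean 2.5 rounds up to 3 = Likely
        impact_estimates=[4, 4],       # Catastrophic
        treatment=["Offline backups restored and tested quarterly",
                   "Multi-factor authentication on all staff accounts"],
    )
    print(entry)
```

Running the module prints a single register entry rated Extreme with high priority. The at-least-two-estimates rule is enforced as a hard error rather than a warning because the policy states it as a must; relax it deliberately if a section genuinely has only one informed stakeholder.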

Compliance
A representation and compliance statement should be provided by each manager as formal
acknowledgement of their responsibility to comply with risk management policies and procedures.
Each employee should have included in their Position Description a responsibility for risk
management, and Annual Performance Appraisals should include an appropriate assessment thereof.

Staff Development
Management shall ensure that staff have available to them appropriate information and training
opportunities in risk management as appropriate to their position and role within King Edward VII
College.

Risk Register
Risk: Not enough students to make new sites commercially viable
Consequences: Plans for new sites scrapped; new sites closed down; staff laid off
Severity rating: Significant
Likelihood rating: Occasional
Evaluation with current arrangements: Unacceptable risk
Non-compliances: NA
Treatment or control methods: Sufficient market research to identify expected number of students; focus on existing campus

Risk: Competitors follow same model
Consequences: Reduction in customer numbers
Severity rating: Significant
Likelihood rating: Probable
Evaluation with current arrangements: Acceptable risk
Non-compliances: Market intelligence not regularly explored
Treatment or control methods: Branding; incentive schemes

Risk: Inability to attract quality staff
Consequences: High turnover of staff
Severity rating: Significant
Likelihood rating: Occasional
Evaluation with current arrangements: Unacceptable risk
Non-compliances: No database in place to retain details of potential staff
Treatment or control methods: Keep database of staff; be an employer of choice
