How to assess and mitigate risk as you design and deliver an online service.
Why you need a risk register
You should assess the risks of every online service or digital method you use to engage your users. You should do this before any risks arise, then design your service in a way that reduces or prevents those risks. If you don’t, you can’t have confidence in your ability to fulfil your duty of care when delivering online.
A policy alone isn’t enough. You must be more proactive. Risks change and new ones emerge. So carry out a risk assessment and generate a risk register. Then use this register as a live, proactive dashboard to track all risks in a dynamic, real-time way.
Your register will generate a list of mitigations. Use these mitigations to inform your service’s design requirements and the digital tools you choose to run it with.
You should also use what you learn in your risk assessment to update your safeguarding policy.
As your service design becomes clearer, you’ll become aware of risks you hadn’t considered before. Cycle back and add these to your register. In this way you’ll build a culture of risk management as a dynamic, iterative process rather than a one-off event.
Risk assessment is a process not an event. It should run in parallel to your service design process and continue after the service has gone live. It will influence your delivery plans, generating design requirements and items for your safeguarding policy. As your plans evolve you’ll need to cycle back and check, add or adjust risks and mitigating actions. In this way your risk register will become a live dashboard. It won’t ever be a finished document.
Step 1: Research the risks
Set up a document to record your risk assessment activities. That way you are evidencing your process from the beginning. This could be a tab on your risk register or a note somewhere else.
List all the risks you can think of:
Use Chapter 4 to identify universal risks of using digital technology to run your services
Use Chapter 5 to identify the specific risks your service will create. It's OK if you don’t have a clear idea of its design yet. As the design becomes clearer keep cycling back to assess and add risks to your register
Chapter 6 will help you think about how to mitigate some risks through educating your staff
Involve your colleagues, and research outside your organisation. Use DigiSafe’s case studies and ‘Dive Deeper’ links
Risks are likely to fall into three main categories:
Delivery practice: protecting people when using online technology to engage them. Think video calls, messaging apps, interactive chat spaces etc.
Privacy and consent: respecting and ensuring people’s privacy and choice when engaging them digitally, because activity and personal details can be more visible online
Information security: protecting your systems and people’s data from misuse and unauthorised access. Technical security is important but staff behaviour makes the biggest difference
Step 2: Assess the risks
Take your list and create a risk register. We recommend doing this in a shareable drive like Google Drive or Microsoft OneDrive so others can collaborate dynamically and in real time.
There are many different ways of recording a risk assessment. Your column headings could include:
Risk (description of something going wrong)
Impact (rating 1-5)
Likelihood (rating 1-5)
Risk rating (Impact x Likelihood)
Existing control measures (mitigation activities already being done)
Control measures (mitigation activities you will do)
Who is responsible?
Accepted? (whether the risk, with its control measures in place, has been accepted by your organisation)
Actioned (date you implemented mitigations)
Keep cycling back to your register as your service design evolves.
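As an added example (not DigiSafe’s own tooling), here is Step 2’s register as a small Python structure: the column headings above as fields, the Impact x Likelihood rating, and a dashboard view that lists high-rated risks awaiting sign-off and mitigations not yet actioned. The sample entries, owners and the threshold of 12 are constructed assumptions.

```python
# Added example: a risk register using the column headings suggested above,
# plus a "dashboard" view of what still needs attention. Entries are constructed.
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

SCALE = range(1, 6)  # impact and likelihood are each rated 1-5

@dataclass
class Risk:
    risk: str                           # description of something going wrong
    impact: int                         # rating 1-5
    likelihood: int                     # rating 1-5
    existing_controls: list = field(default_factory=list)  # mitigations already done
    control_measures: list = field(default_factory=list)   # mitigations you will do
    owner: str = ""                     # who is responsible?
    accepted: bool = False              # accepted by the organisation with controls in place?
    actioned: Optional[date] = None     # date mitigations were implemented

    def __post_init__(self):
        if self.impact not in SCALE or self.likelihood not in SCALE:
            raise ValueError(f"{self.risk!r}: impact and likelihood must be 1-5")

    @property
    def rating(self) -> int:
        return self.impact * self.likelihood  # Risk rating = Impact x Likelihood

def dashboard(register: list, high: int = 12) -> dict:
    """Live view of the register; `high` is an assumed threshold on the 1-25 scale."""
    by_rating = sorted(register, key=lambda r: r.rating, reverse=True)
    return {
        "high": [r.risk for r in by_rating if r.rating >= high],
        "needs_signoff": [r.risk for r in by_rating if r.rating >= high and not r.accepted],
        "open_actions": [(r.owner or "UNASSIGNED", r.risk) for r in by_rating
                         if r.control_measures and r.actioned is None],
    }

# Constructed sample entries, one per category from Step 1 (not a real assessment).
SAMPLE_REGISTER = [
    Risk("Group video-call link shared publicly; uninvited people join", 4, 3,
         existing_controls=["links sent by direct message only"],
         control_measures=["enable waiting room", "brief staff on link handling"],
         owner="Service lead"),
    Risk("Participants' real names visible to other users in group chat", 3, 4,
         control_measures=["allow display names", "consent statement at sign-up"]),
    Risk("Shared staff login still usable after a volunteer leaves", 5, 2,
         existing_controls=["individual accounts", "leaver checklist"],
         owner="IT lead", accepted=True, actioned=date(2024, 1, 15)),
]
```

Calling dashboard(SAMPLE_REGISTER) gives the two rating-12 risks as needing sign-off and shows the second one has no owner, which is exactly the kind of gap a live register should surface.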
Your risk assessment’s outputs will help you decide which tools to use to deliver your service. As you make decisions, note each one and your rationale. State the reasons why, in the context of your risk assessment, you are choosing to deliver in this way.
Make sure you are not the only one making big decisions. Get sign off from senior managers in your organisation. If you are a senior manager ask another to sign off with you.
Step 4: Describe your approach
You need to create a working protocol describing your approach. This will help your staff understand how to deliver the service in a safe, effective way. Some of the protocol may also form part of your safeguarding policy.
Include the following as a minimum:
Summary of platforms to be used and how the service will work
What you or staff will do to minimise risk (look at the mitigation actions on your risk register)
The guidance and support you will give staff in relation to safe practice (e.g. passwords, policy briefing, training etc.)
Any new policies you will be creating
There are many ways of doing this. You’ll find an example at the end of this article.
Step 5: Review as often as necessary
Describe your risk review process. Review more often early on. Add the process to your safeguarding policy.
In your protocol, state your Plan B in case your chosen platform doesn’t work out. State a Plan C if you have one.
Revisit your risk register as your service design and planning evolve.