Skip to Content

IT/PPS 04.15 - Risk Management

Risk Management

IT/PPS No. 04.15
Issue No. 5
Effective Date: 3/02/2023
Next Review Date: 3/01/2024 (EY)
Sr. Reviewer: Vice President for Information Technology


Texas State University is committed to the management of security risks posed to information resources.

  1. SCOPE

    1. This policy establishes the Division of Information Technology (IT) risk assessment methodology to be applied to information security issues, identified infrastructure deficiencies, audit findings, observations, and recommendations impacting Texas State University information resources.

    1. UPPS No. 04.01.01, Security of Texas State Information Resources

    2. UPPS No. 04.01.11, Risk Management of Information Resources


    1. Impact – the effect a single occurrence of a risk will have upon the achievement of the institution’s goals and initiatives.

    2. Information Resources Manager (IRM) – the vice president for IT.

    3. ISO – Information Security Office.

    4. Probability – the likelihood that a risk will become reality.

    5. Risk Assessment Methodology – a systematic process for describing and quantifying the risks associated with hazardous substances, processes, actions, or events.

    6. Risk Register – a repository for all risks identified, including information about each risk (e.g., nature of the risk, reference and owner, and mitigation measures).

    7. Risk Score – the impact and probability ratings used to create a final risk tally.


    1. As issues in an area arise (e.g., new audit report, new information security risk assessment, or other process or evaluation that surfaces a potential risk), these items should be categorized by their risk score, which is based upon a combination of probability and impact.

    2. Issues will be documented, maintained, and managed by each associate vice president, or equivalent. If the issue is determined to be an information security incident or event, management of the incident will be handled by the ISO or, if classified by the ISO as high risk, the IRM.

    3. The impact shall be classified by one of five values:

      Impact ValueImpact Description
      SevereThe effect will cause the university to not achieve its goals and initiatives; it is an institutional showstopper.
      MajorThe effect will cause the component not to achieve its goals and initiatives; it is a showstopper.
      ModerateThe effect will cause the university or component to operate inefficiently or expend unplanned resources to meet goals and initiatives.
      MinorThe effects should be monitored to determine if action is required.
      InsignificantThe measurable effect upon the achievement of university’s goals and initiatives would be immaterial or insignificant.
    4. The following factors, if pertinent to the risk, may be considered during the assessment of impact: human health and safety, societal or environmental, monetary, business or operations, information technology, information security, public relations, reporting and disclosure, strategic, compliance, and fraud.

    5. The matrix shall classify the probability with one of five values:

      Probability ValueProbability Description
      Almost CertainAn event is inevitable, or there is a great likelihood that an event will occur.
      LikelyAn event will probably occur.
      PossibleThe risk is neither extremely likely nor highly unlikely. The probability of an event is similar to occurrences within the normal course of operations.
      UnlikelyThe risk of an event is not anticipated.
      RareThe risk of an event is extremely unlikely or would require a combination of multiple failures.
    6. The following factors, if pertinent to the risk, may be considered during the assessment of probability:

      1. history;

      2. conflicts of interest;

      3. susceptibility to fraud or theft;

      4. key changes (including leadership, key personnel, regulations, policies, operating processes, computer systems, software applications);

      5. control activities need improvement;

      6. policies and procedures require updates;

      7. training; and

      8. complexity of unit or process.


    1. The impact and probability ratings are used to create a quantitative calculated risk score encompassing a range from 1 to 25 (R = P x I). Higher scores indicate increased risk.

    2. Matrix

      Almost Certain510152025

    3. Risk scores are classified into five categories to assist in determining the need for, or immediacy of, response or action.

      Risk ClassificationAction RequiredCalculated Risk Score
      CatastrophicImmediate Action16 - 25
      CriticalUrgent Action10 - 15
      ModerateAction Needed5 - 9
      LowMonitor3 - 4
      InsignificantNo Action1 - 2


    1. Calculated risk scores should be included, where appropriate, in any risk assessment performed by departments of the Division of IT.

    2. Calculated risk scores should be included in response to any audit finding, recommendation, observation, or area of improvement. When appropriate, this risk score will guide the management response.

    3. Calculated risk scores should be maintained in each IT department’s risk register, which should be updated regularly.


    1. Reviewers of this PPS include the following:

      Special Assistant to the Vice President for Information TechnologyMarch 1 EY
      Associate Vice President, Information Technology Assistance CenterMarch 1 EY
      Director, Information Technology Business Operations/ServicesMarch 1 EY
      Director, Information Technology Business Operations/FinanceMarch 1 EY
      Associate Vice President, Technology Innovation OfficeMarch 1 EY
      Associate Vice President, Technology ResourcesMarch 1 EY
      Chief Information Security OfficerMarch 1 EY
      Executive Assistant, Information TechnologyMarch 1 EY
      Vice President for Information TechnologyMarch 1 EY

    This PPS has been reviewed by the following individual in their official capacity and represents Texas State Information Technology policy and procedure from the date of this document until superseded.

    Vice President for Information Technology; senior reviewer of this PPS