Risk / threat assessment matrix

What is it?

  • Assessing risks for victim identification, offender targeting and to mitigate against technology infrastructure and broader online risks.

Why is it important?

  • Children face a range of individual and combined risks[1], including those relating to sexual exploitation and abuse, when interacting in digital environments. The risks can manifest online and offline and come from a range of actors. Systematic and coordinated identification, assessment, management and mitigation of all risks is crucial to strengthening the safeguarding of children online and offline and to reducing the possibility of unintended (or intended) harms coming to life.
  • Risk management is standard good practice in (offline) project management and operations. Therefore, all actors planning, delivering, supporting, strengthening and advocating to change a specific online or digital project should also identify and manage the associated risks.

How can it be implemented?

  • Technologies and behaviours can change and issues can emerge and change over time. To reflect the shifting environment, all actors should have a clear risk assessment template enabling them to assess, re-assess and add risks on a systematic basis. A thorough risk assessment process includes:
    • Defining and agreeing risks;
    • Identifying online and offline risks, including data and privacy-related risks;
    • Assessing the likelihood and severity of those risks (e.g. scale 1-5);
    • Identifying measures to avoid, eliminate, mitigate and manage risks;
    • Re-assessing the likelihood and severity of those risks with mitigation measure in place;
    • Documenting measures that are needed, associated responsibilities and timeframe; and
    • Reassessing risks at set timeframe.
  • Risk assessments can be separated into broad areas/themes for analysis including: content risks; contact risks; conduct risks; and contract (or commercial) risks; excessive use risks and societal risks.  Analysis should also cover perpetrator tactics/techniques, vulnerability scans, penetration testing and at-risk focus.  Intersectional analysis is advised where possible and where not against confidentiality or privacy legislation.
  • Input from stakeholders with varied expertise (e.g. technology engineers, criminal justice staff, and child protection professionals) across organisations, sectors and countries will strengthen the risk assessment quality.

Further resources:

Australian eSafety Commissioner, Industry self-assessment tools

[1] Risk is defined here as a chance or possibility that an individual will be harmed.