5.8 Information Governance Risk Assessment in Procurement

What is an Information Governance Risk Assessment?

An Information Governance Risk Assessment (IGRA) is a tool to identify and manage risk to information.

IGRA stands for Information Governance Risk Assessment. The purpose of an IGRA is to identify and manage risk to information. It has two elements:

  • Understanding and controlling information security risks
  • Understanding and controlling privacy risks where personal data is processed

The process can be initiated by any RoS colleague on behalf of the RoS Information Asset Owner (IAO). It allows the IAO to understand the risks arising from a proposal and to agree on any controls they wish to put in place to manage that risk.

The IGRA helps RoS colleagues to:

  • Understand and manage the risk to their objectives
  • Control those risks proportionately and appropriately
  • Comply with our legal obligations to protect information
  • Evidence that risk has been considered, and that the IAO has given approval
  • Ensure risks and control actions are appropriately owned and understood

Proportionality and appropriateness are key principles. We try to ensure that the process is proportionate to risk and in line with the risk appetite for the information / system in question.

More information on the Information Governance Risk Assessment process can be found here.