Technology Risk Assessments
WELCOME TO THE TECHNOLOGY RISK ASSESSMENT SITE
Within the pages of this site, you will find information related to Technology Risk Assessments (TRA), who is involved from a committee perspective (TRAC), and when you may need to engage the process.
This site and the processes captured here are intended for both our Research community as well as our Administrative/Operations functions.
What is TRA or TRAC?
Largely, the TRA process is concerned with examining a proposed solution being introduced into the Western University technological environment. This introduction of an initiative might include a platform for an operational group, a digital service for a department, or a suite of tools for a particular researcher. TRAC is the committee that oversees this process. These processes will largely use TRAC as the catchall term.
The TRAC should be considered as a resource for our community to better understand any (potential) risks associated with a technical solution. Due to the diverse nature of the TRA membership (Legal, Privacy Office, WTS, CISO, Procurement, Financial Services, Research Services, and Internal Audit), the various expertise represented can give you a better picture of your proposed solution.
How Do You Submit a Project for Review?
Along the left menu system, you will see two links: TRAC Submission Form and Vendor Information Form. In most cases, the TRAC Submission Form will be all you need to submit (it contains all of the information required by the various members of TRAC). However, sometimes the solution is complicated and it is best if the vendor can fill out and send to you the Vendor Information Form as a PDF document, which you can attach to your own submission.
Please note that the TRAC Submission Form is an internal form that you will need to log into using your Western credentials. The Vendor Information Form is available to external groups.
More information about the TRAC process can be found here.
What Does the TRAC Provide?
The TRAC process culminates with a document which constitutes an opinion from the committee based on an in-depth assessment. The document is to be used for advisory purposes within the organizational, divisional, departmental, and unit contexts. This assessment is for submitters to better understand where risks might exist within the proposed solution across a variety of vectors. It is important to note that this document is not a decision or an approval of a given project, but rather an articulation of potential risks associated with it.
Specifically, the TRAC process may conclude with outstanding activities still required by Western Technology Services, Legal Counsel (contract negotiation), the Privacy Office (privacy impact assessment), and Financial Services (Bankcard Committee).
The diagram below illustrates the sequence of events.
The TRAC Process runs along a 4-8 week response window whereby a risk profile report will be generated that will assign a risk level along with any pertinent comments from the committee. This timing is related to the schedules that each member of the TRAC holds and the amount of work required to perform the analysis.
Each of the processes listed separately from the TRAC Process may have variable timelines associated with relevant activities. Each of these process areas will be informed by the risk report from the TRA Committee (TRAC), but will have other concerns that may operate differentially.
For example, the Bankcard Committee may need to drill more deeply into an eCommerce solution and may challenge the approach. Similarly, Western Technology Services may examine the technological architecture and determine that an initiative is not a fit for the organizational technology footprint at large.
The report generated through the process will provide an assessment into one of three categories:
- LOW RISK
- MEDIUM RISK
- HIGH RISK
Solutions that are categorized as LOW RISK should move forward accordingly and the report may be used where required or as requested.
Please see the areas designated for Researchers and Administrative/Operations units for information related to MEDIUM RISK and HIGH RISK assessments.
The TRAC process establishes a risk level. Processes such as legal contract negotiation, privacy impact assessments, and ecommerce configurations fall outside the scope of TRA, but may be informed by it.
PLEASE NOTE: THE TRA PROCESS DOES NOT ABSOLVE WESTERN, DEPARTMENTS/UNITS, OR INDIVIDUALS OF OVERALL RESPONSIBILITY – RISKS THAT ARE ACCEPTED ARE STILL RISKS.