Last updated:
Monday, 14 March 2022
Completing a Risk Profile Assessment (RPA) is an essential early step in the investment management process.
What is a Risk Profile Assessment?
The Risk Profile Assessment (RPA) is a tool that calculates the inherent risk of a project or programme based on the answers to a series of multi-choice questions. In its current form, the RPA is an Excel workbook with two tabs that need to be completed; the RPA tab comprising 26 multiple choice questions, and an Authorisation tab with basic project information. A copy of the RPA template can be found at the bottom of this page.
Who needs to complete an RPA?
Agencies must complete an RPA for all significant investments identified on multi-year plans. Agencies must provide to Treasury any RPA for any investment proposal that has a medium or high risk profile.
An RPA must be completed as early as feasible, and no later than during development of a Strategic Assessment. If a project’s scope or cost later changes significantly, another RPA must be completed as soon as possible in the approval process and before work starts on the changed scope; these changes may change the risk profile.
If you are unsure if your initiative meets this criterion, you should complete an RPA.
We’ve completed an RPA – what next?
When completed the RPA provides an indicative risk rating. This is an agency's initial self-assessment of a project's inherent risk. When this initial risk rating is medium or high, the agency must send the completed RPA to the IMAP team in Treasury ([email protected]).
The IMAP team then engages with the appropriate Relationship Lead and Vote Analysts for the agency, as well as relevant system leads, for example:
- NZ Government Procurement (MBIE)
- DPMC (relevant analyst)
- PSC (relevant Assistant Commissioner or Deputy Commissioner)
- Digital Public Service branch within DIA (for ICT-based projects), and
- Monitoring departments (for Crown entities).
After further discussions with the submitting agency (if necessary), the Treasury makes the final decision on whether the project is high risk and hence whether it requires Gateway reviews and/or related assurance processes. This decision will be formally advised to the agency, along with any required guidance and next steps.
Ongoing disclosure requirements
If there is a significant change to a project or programme’s scope, cost or timeframe, agencies should update and resubmit the associated RPA as soon as possible. Any changes may impact the inherent risk level of a project or programme.
The RPA is not an exhaustive risk analysis model, and it does not replace the need for agencies to perform their own detailed risk analysis and management throughout a project's lifecycle.