Back to top anchor

Risk profile assessment

Completing a Risk Profile Assessment (RPA) is an essential early step in the investment management process.

What is a Risk Profile Assessment?

The Risk Profile Assessment (RPA) is a tool that calculates the inherent risk of a project or programme based on the answers to a series of multi-choice questions. In its current form, the RPA is an Excel workbook with three tabs that need to be completed; the RPA tab comprising 26 multiple choice questions, a GCIO tab of questions from the Government Chief Digital Officer (GCDO), and an Authorisation tab with basic project information.  A copy of the RPA template can be found at the bottom of this page.

Who needs to complete an RPA?

Agencies must complete an RPA for all significant investments identified on multi-year plans. Agencies must provide to Treasury any RPA for any investment proposal that has a medium or high risk profile.

An RPA must be completed as early as feasible, and no later than during development of a Strategic Assessment. If a project’s scope or cost later changes significantly, another RPA must be completed as soon as possible in the approval process and before work starts on the changed scope; these changes may change the risk profile.

If you are unsure if your initiative meets this criterion, you should complete an RPA.

We’ve completed an RPA – what next?

At completion, the RPA provides an indicative risk rating.  This is an agency's initial self-assessment of a project's inherent risk.  When this initial risk rating is medium or high, the agency must send the completed RPA to the Treasury (  The Treasury consults with other central and related agencies, and after discussions with the submitting agency if necessary, makes the final decision on whether the project is high risk and hence requires Gateway reviews and/or related assurance processes.

Ongoing disclosure requirements

If there is a significant change to a project or programme’s scope, cost or timeframe, agencies should update and resubmit the associated RPA as soon as possible. Any changes may impact the inherent risk level of a project or programme.

The RPA is not an exhaustive risk analysis model, and it does not replace the need for agencies to perform their own detailed risk analysis and management throughout a project's lifecycle.

Last updated: 
Friday, 2 September 2016