Risk management is a process that allows your organization to identify, assess, and prioritize risks to its objectives. In this case, the risk in question concerns your organization’s accessible Information and Communications Technologies (ICT) portfolio. Risk management processes help decision makers understand and evaluate risk factors and assess the impact of those risks, if realized, in order to inform decisions and develop ways to minimize risk.
A risk model turns your risk management strategy into an implementable model for measuring the degree to which inaccessible ICT will negatively impact your agency. When agencies fail to maintain an accessible ICT portfolio, they are exposed to civil rights and other legal challenges, financial liability, increased remediation or rework, and waste, as well as challenges with recruiting and retaining a skilled workforce.
Risk models are used across multiple business functions and include: acquisition and procurement, development, testing, remediation, deployment, and maintenance and operation.
Key benefits of implementing a risk model include:
- Ensuring your agency is meeting its legal obligations under accessibility rules and regulations.
- Uniformly assessing ICT products for risk within specific business streams, catching high risk ICT and issues early.
- Aiding in the inclusivity of your agency’s ICT portfolio.
While helpful, a risk model also poses several challenges, including:
- Testing methodologies for accessibility conformance vary, and the overall quality of testing may depend on the qualifications of the accessibility tester; establishing consistent and repeatable methodologies and metrics is therefore important.
- Implementing an effective risk model requires detailed collaboration and participation by numerous stakeholders. Without this stakeholder support, implementation in various business streams may be challenging.
- Regular monitoring and the adoption of new risk factors and mitigation strategies may be necessary to address changes in technology, accessibility standards, and testing methodologies.
- Monitoring, feedback loops, and continuous improvement are necessary for the successful implementation of a risk model.
Risk models provide a standard methodology for gauging the risk of inaccessible ICT and inform your agency’s decision-making.
The FCC has developed a working draft for determining 508 risk levels and developing a risk model, along with a complementary workbook to calculate risk. The adoption and release of the risk model and workbook, while not yet implemented, is in FCC’s overall program timeline for Acquisitions. Based on FCC’s and other federal agency work, we recommend your agency’s risk model include the items below.
Identification of Risks
Conduct an accessibility audit of your ICT to identify potential accessibility issues that may affect the risk of using the ICT (e.g., number of defects, impact of defects on users, user base, etc.). Solicit feedback from users, accessibility subject matter experts (SMEs), and other stakeholders to help identify additional risk areas.
Categorization of Risks
Categorize identified accessibility risks based on severity and potential impact to your users. Numerous factors can influence risk; therefore, multiple variables should be considered when developing your model. One suggested method is to categorize variables into 5 overarching risk factors:
- Scope of ICT use: Assess your user base for the ICT and type of ICT being assessed.
- Impact of ICT defects: Assess if defects are global in nature or apply to a critical function or feature of the ICT.
- ICT product history: Assess the scope of the ICT update, sufficiency of 508 language in the contract for ICT, and scope of known pre-existing accessibility issues.
- ICT product vendor/developer accessibility expertise: Assess accessibility subject matter expertise of your vendor or developer team and history of remediation.
- Risk Mitigations: Assess mitigating risk factors such as a robust accommodation or alternate means plan and quick remediation timeframe.
Divide your risks into high, medium, and low categories. Within the factors above, additional measures should be added that will help evaluate specific risk levels and either increase or decrease your risk.
- High: Inaccessible content that significantly hampers usability or denies access to critical features.
- Medium: Inaccessible content that limits access to non-critical features.
- Low: Inaccessible content that has minimal impact on usability or affects non-essential features.
Assess each identified risk based on the likelihood of occurrence and potential consequences within your agency. As part of the consequence factor, consider the size of your impacted user base and legal implications of non-compliance to your agency.
Assign numerical scores to each risk based on your risk assessment. Use a scoring system that takes into account both the likelihood and impact, or consequence, of the risk.
Select each risk factor that applies to your ICT to calculate an overall score. Categories may have numerous risk factors that apply.
Below is an example of risk scoring with the score in parentheses next to each factor. The scores are based on information from risk models used within federal agencies, including the FCC. Your agency should customize the risk model to meet its needs, taking into consideration agency-specific factors such as specific standards, ICT portfolio, and user base. You should regularly review and update your risk model to address emerging risks and ensure ongoing effectiveness in managing accessibility risks.
Scope of ICT use
- Public Users (High +5)
- Mandatory Use (High +5)
- Known users with disabilities (High +5)
- Platform (High +5)
- 50% or more of employees use (High +4)
- Between 15% and 49% of employees use (Medium +3)
- Authoring tool (Medium +3)
- Less than 14% of employees use (Low +1)
- No mandatory use (Low +1)
Impacts of ICT defects
- Defects impact 3 or more disability groups (High +5)
- Defects relate to critical features (High +5)
- Global issue (High +4)
- Defects do not relate to critical features (Medium +3)
- Defects impact two or fewer disability groups (Medium +3)
- Issues but not global issues (Low +1)
ICT product history
- ICT product has large number of pre-existing accessibility defects (High +5)
- No Section 508 language included in contract (High +5)
- New ICT product (High +4)
- Major update to previously approved ICT product (High +4)
- Releases are large in scope (High +4)
- ICT product has medium number of pre-existing accessibility defects (Medium +3)
- Moderate update to previously approved ICT product (Medium +2)
- Releases are medium in scope and frequent (Medium +2)
- General Section 508 language included in contract (Medium +2)
- Minor update to previously approved ICT product (Low +1)
- Releases are small in scope and frequent (Low +1)
- ICT product has few to no pre-existing accessibility defects (Low 0)
- Applicable Section 508 language included in contract (Low -1)
ICT product vendor/developer accessibility expertise
- ICT product owner has no history of remediation or reputation for deficient history of remediation (High +5)
- Product team (managers, developers, testers) has no training in accessibility or accessibility expertise unknown (High +4)
- ICT product owner has reputation for average history of remediation (Medium +2)
- ICT product owner has reputation for excellent history of remediation (Low 0)
- Product team (managers, developers, testers) has in-depth training in accessibility (Low -1)
Risk mitigations
- Remediation of defects completed in more than 12 months (High +5)
- No Accommodation plan and/or alternate means plans (High +5)
- No sufficient market research to support ICT selection (High +5)
- Remediation of defects completed in more than 6 months (High +4)
- Remediation of defects completed in 2-6 months (Medium +2)
- Partial Accommodation plan and/or alternate means plan addresses all major defects (only minor issues unaddressed) (Medium +1)
- Remediation of defects completed in less than 2 months (Low 0)
- Market research supports ICT selection (Acquisitions) (Low -1)
- Accommodation plan and/or alternate means plan addresses all defects (Low -1)
Your agency may choose to take the risk scoring a step further and map the total score to an overall level of risk. Your agency should determine the total score ranges that best fit each risk level. For example:
| Risk Level | Total Score |
|---|---|
Additionally, your agency may generate a risk workbook to perform simple calculations based on risk factor selections to easily determine risk.
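The following Python script is an added worked example of the additive scoring just described; it is not the FCC workbook or any agency's own code. The factor names and point values are a representative subset copied from the lists above (extend the catalogue with the remaining factors in the same way). Two things in it are assumptions rather than rules stated on this page: the `ASSUMED_THRESHOLDS` that map a total score to High, Medium or Low, since the total score column above is left for each agency to fill in, and the `EXCLUSIVE` pairs, a sanity check that rejects contradictory selections such as choosing both "Mandatory Use" and "No mandatory use". Unknown factor names raise an error rather than silently scoring zero, which is the failure mode a spreadsheet-style workbook tends to hide.

```python
from dataclasses import dataclass

# Factor catalogue (category -> factor -> score). Representative subset of
# the lists on this page, values copied as printed.
FACTORS: dict[str, dict[str, int]] = {
    "Scope of ICT use": {
        "Public Users": 5,
        "Mandatory Use": 5,
        "Known users with disabilities": 5,
        "50% or more of employees use": 4,
        "Between 15% and 49% of employees use": 3,
        "Less than 14% of employees use": 1,
        "No mandatory use": 1,
    },
    "Impacts of ICT defects": {
        "Defects impact 3 or more disability groups": 5,
        "Defects relate to critical features": 5,
        "Global issue": 4,
        "Defects do not relate to critical features": 3,
        "Issues but not global issues": 1,
    },
    "ICT product history": {
        "No Section 508 language included in contract": 5,
        "New ICT product": 4,
        "Minor update to previously approved ICT product": 1,
        "Few to no pre-existing accessibility defects": 0,
        "Applicable Section 508 language included in contract": -1,
    },
    "Vendor/developer accessibility expertise": {
        "No history of remediation": 5,
        "Product team has no accessibility training or expertise unknown": 4,
        "Excellent history of remediation": 0,
        "Product team has in-depth training in accessibility": -1,
    },
    "Risk mitigations": {
        "Remediation completed in more than 12 months": 5,
        "No accommodation and/or alternate means plan": 5,
        "Remediation completed in less than 2 months": 0,
        "Accommodation and/or alternate means plan addresses all defects": -1,
    },
}

# ASSUMPTION: pairs that cannot both describe one product. Not a rule on the
# page; added so a workbook cannot add contradictory points together.
EXCLUSIVE: list[tuple[str, str]] = [
    ("Mandatory Use", "No mandatory use"),
    ("No Section 508 language included in contract",
     "Applicable Section 508 language included in contract"),
    ("Defects relate to critical features",
     "Defects do not relate to critical features"),
]

# ASSUMPTION: placeholder level floors (inclusive); the page leaves the
# Total Score ranges for each agency to decide. Anything below 12 is Low.
ASSUMED_THRESHOLDS: list[tuple[int, str]] = [(25, "High"), (12, "Medium")]


@dataclass
class ScoreCard:
    total: int
    subtotals: dict[str, int]
    level: str


def score_ict(selected: dict[str, list[str]],
              thresholds: list[tuple[int, str]] = ASSUMED_THRESHOLDS) -> ScoreCard:
    """Sum every selected factor, per category and overall, and map the
    total to a risk level. Raises ValueError for an unknown category or
    factor name and for a contradictory pair listed in EXCLUSIVE."""
    subtotals: dict[str, int] = {}
    chosen: set[str] = set()
    for category, names in selected.items():
        if category not in FACTORS:
            raise ValueError(f"unknown category: {category!r}")
        table = FACTORS[category]
        for name in names:
            if name not in table:
                raise ValueError(f"unknown factor in {category!r}: {name!r}")
        subtotals[category] = sum(table[n] for n in names)
        chosen.update(names)
    for a, b in EXCLUSIVE:
        if a in chosen and b in chosen:
            raise ValueError(f"contradictory factors selected: {a!r} and {b!r}")
    total = sum(subtotals.values())
    level = "Low"
    for floor, name in thresholds:  # highest floor is listed first
        if total >= floor:
            level = name
            break
    return ScoreCard(total, subtotals, level)


# Constructed sample: a new, mandatory, public-facing product with no 508
# contract language, critical-feature defects and no remediation history.
SAMPLE_SELECTION: dict[str, list[str]] = {
    "Scope of ICT use": ["Public Users", "Mandatory Use"],
    "Impacts of ICT defects": ["Defects relate to critical features", "Global issue"],
    "ICT product history": ["New ICT product", "No Section 508 language included in contract"],
    "Vendor/developer accessibility expertise": ["No history of remediation"],
    "Risk mitigations": ["No accommodation and/or alternate means plan"],
}

if __name__ == "__main__":
    card = score_ict(SAMPLE_SELECTION)
    for category, sub in card.subtotals.items():
        print(f"{category:45s} {sub:+d}")
    print(f"Total {card.total} -> {card.level} risk")  # Total 38 -> High risk
```

Keeping the per-category subtotals alongside the total is deliberate: the prioritization step below asks you to tackle the higher-scoring factors first, and the subtotals show which category (scope, defects, history, expertise or mitigations) is driving the score, which a single number cannot.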
Prioritization of Risk
Prioritize ICT based on their risk scores, addressing high-scoring ICT (and thus most risky) first.
For example, for high risk acquisitions, prioritize having an accessibility SME as part of the acquisitions process. For high risk ICT development projects, prioritize resourcing accessibility SME(s) as part of, or working closely with, the development team. Furthermore, tackle higher risk factors first. For example, prioritize remediating defects that relate to critical features and functions, thus ensuring efforts are focused on addressing the most critical accessibility issues.
Develop and document mitigation strategies for each of your identified risks and specify the actions required to address and reduce the impact of the risk, including any escalation processes. This will likely result in a multifaceted approach and involve multiple business streams and stakeholders at the same time.
- Development and implementation of strong accessibility policies and guidelines ensure accessibility throughout the business lifecycle, from acquisitions to deployment.
- Incorporating accessibility into program management processes will ensure it stays top of mind.
- Mandatory and public use of ICT products will always be high risk; consider strategic guidance for acquisitions professionals and development teams to ensure accessibility is a priority for these ICT products.
- Implementation of accessibility best practices during ICT design and development will help ensure an accessible product with little to no defects prior to deployment.
Assignment of Roles and Responsibilities
Assign clear roles and responsibilities to individuals or teams to implement your mitigation strategies. Ensure there is accountability for addressing accessibility and accessibility risks.
Training and Awareness
Educate stakeholders on the importance of accessibility and your agency’s risk management approach. Raise awareness on roles and responsibilities and incorporate applicable accessibility training into specific roles within your agency. Offer accessibility training to acquisitions professionals, designers, developers, content creators, and testers. Education may not be a one-time training and will be more effective if it is ongoing. Solicit buy-in from all stakeholders to ensure your risk model is effectively implemented and keep stakeholders informed about progress and improvements in accessibility.
Monitoring and Tracking
Implement a system to monitor the progress of your risk mitigation efforts and track the completion and overall success of your mitigation actions. Periodically revisit your risk factors and risk scoring to determine if new factors should be identified or if modifications to risk scoring are appropriate. Metrics will help inform improvements to your risk model.
Review and Update
Regularly review your risk model and update it as needed. Consider changes in operational and business need, accessibility guidelines and best practices, regulations, and technology when updating the model.
Foster a culture of continuous improvement in accessibility efforts and risk mitigation by encouraging ongoing assessment and enhancement of ICT accessibility.
Maintain comprehensive documentation of your risk model, risk assessments, mitigation strategies, and progress tracking, and record any changes or updates made to your risk model.
Integration with overarching agency risk management
Consider aligning your accessibility risk management with your agency’s broader risk management processes by incorporating accessibility risk considerations in overarching agency policies and collaborating with your agency’s risk management team.
Additional risk resources:
- U.S. Department of Health and Human Services Risk Management Guide for Information Technology Systems
- National Institute of Standards and Technology’s Risk Management Framework (RMF)
- Department of Homeland Security’s Risk Management Fundamentals
- Department of the Interior’s Playbook: Enterprise Risk Management for the U.S. Federal Government
Reviewed/Updated: September 2023