Kevin W. Harper CPA & Associates
Conducting a Risk Assessment

12/20/2021

[Image: impact/likelihood chart]
Finance departments are being asked to conduct risk assessments more frequently these days, for reasons such as:
  • A request from the independent auditors for an entity-wide risk assessment
  • The need for an entity-wide risk assessment before developing an annual internal audit plan
  • The need, during the planning phase of an internal audit, for a risk assessment so that audit time can be allocated efficiently
  • A request from senior management for a risk assessment of a new vendor or subrecipient before entering into a large agreement

Regardless of whether the risk assessment is being conducted at the entity-wide level or for a particular business process, department, or program, the process for conducting it is the same. The steps can be more or less formal depending on the importance of the risk assessment and who its ultimate users are. Some steps can even be handled on a “gut feel” basis.
 
The steps to go through are the following:
[Figure: the six risk assessment steps, as numbered below]

Each of these six steps is described in more detail below:
1. Identify objectives: For every objective that a government sets, there are risks that must be managed to maximize the probability of meeting that objective. For example, a government’s objective to provide daycare services exposes it to risks (such as threats to the health and safety of children, non-compliance with state laws, and inability to collect fees) that are far different from those it would face if its objective were to improve the condition of roads (safety of workers, environmental safety, engineering design safety, compliance with grant provisions).

2. Identify risks: Once you know your objectives, brainstorm the related risks. What could keep you from accomplishing each objective? Risk identification is best done by the “employee experts”, the people who know the activity first-hand.

3. Research risk history, controls, and consequences:
Once you have identified the risks, you need to understand each one thoroughly. For each risk, research the following:
  • Has this risk occurred before? If so, what were the consequences? Have internal controls been improved since then in ways that reduce the likelihood of recurrence?
  • What internal controls are in place that help to reduce the risk?
  • What are the likely consequences if the risk occurs? How bad would it be?
You should then be able to document your risks and related controls as shown in the diagram below:
[Figure: example documentation listing each risk with its history, the related internal controls, and the likely consequences]
4. Determine impact and likelihood: In order to identify which risks are most in need of being managed, you need a way to quantify (or at least prioritize) them. A common method is to ask the employee experts (after they have fully understood the risk history, consequences, and controls) to rate the likelihood of each risk occurring on a scale of 1 – 10, and then to rate on a scale of 1 – 10 the impact the risk would have if it occurred. The resulting ratings can be plotted on a chart like this, with likelihood on the horizontal axis and impact on the vertical axis:
[Figure: impact/likelihood chart with each risk plotted by its likelihood and impact ratings]

5. Determine whether the exposure is acceptable:
For each risk, consider whether the internal controls in place reduce the risk to an acceptable level of exposure.
[Figure: the impact/likelihood chart divided into four quadrants]
The decision rests on understanding the risk’s likelihood, its impact, and the internal controls that already address it. This step is frequently conducted in a facilitated meeting with the employee experts so that all knowledge and points of view are considered.
  • Risks in the upper right quadrant are likely to occur and will be bad when they do. Therefore, it is vital that management assure itself that these risks are adequately understood and managed. Examples of such risks could be police misconduct lawsuits and threats to cybersecurity.
  • Risks in the upper left quadrant might not happen often but will be bad when they do; therefore, management should still assure that someone is monitoring these risks and either managing them or at least preparing to mitigate them when they occur. Examples of such risks could be natural disasters and workplace violence.
  • Risks in the lower right quadrant occur frequently but don’t have a huge impact when they do. However, because they keep recurring, their cumulative effect on the organization can be substantial. These risks often include things like computer bugs and business process inefficiencies. They should be managed primarily by assuring that internal controls and procedures are adequate.
  • Risks in the lower left quadrant don’t happen often and don’t have a significant impact when they do. Therefore, many of these risks can simply be ignored or accepted as part of the cost of operations.
6. Develop a risk mitigation plan: For any risk whose exposure management considers unacceptable, an action plan should be developed to reduce the exposure to an acceptable level. Below is a list of actions that can be taken to reduce exposure to a risk:
  • Avoid – Change the objective so the government is no longer exposed to the risk. “Avoid” is best used for risks that are not related to the government’s core activities (i.e., it is easier to avoid risks related to non-core activities). For example, a city may stop providing child care services but not police services.
  • Control – Enhance internal controls so the resulting exposure is managed to an acceptable level. “Control” is best used for risks with high occurrence rates (the two right-hand quadrants of the chart). If the government implements too few internal controls to manage a risk, it remains exposed to that risk. If, on the other hand, it implements more or more stringent controls than are needed to reduce the exposure to an acceptable level, it hinders organizational efficiency (i.e., exposes itself to the risk of “red tape”).
  • Transfer – Transfer the risk to another party through contract, ordinance, insurance, or public-private partnership. “Transfer” is frequently used when activities are being provided jointly with a contractor, subrecipient, or partner.
  • Accept – Revise the government’s tolerance for risk and conclude that the resulting exposure is acceptable. “Accept” is best used for risks related to the government’s core activities. Certain risks are simply inherent in what a government does; once you have managed and controlled them as best you can, you may just accept the remaining exposure.
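As an added example (not code from the original post or from Kevin W. Harper CPA & Associates), the script below carries steps 3 to 6 through on a small constructed risk register: each employee expert rates likelihood and impact on the 1 – 10 scale, the ratings are combined, each risk is placed in a quadrant of the impact/likelihood chart, and the quadrant is mapped to a default response from the Avoid/Control/Transfer/Accept list. Everything beyond the post's own six steps is an assumption made for illustration: the register entries are invented, the experts' votes are combined with the median, the midpoint of the 1 – 10 scale is used as the quadrant boundary, and the product of likelihood and impact is used only to order the report.

```python
"""Score a constructed risk register following the six-step method in the post.

Assumptions (not from the post): median to combine expert votes, the 1-10
midpoint as the quadrant boundary, likelihood x impact only to sort the output.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import median

SCALE_MIN, SCALE_MAX = 1, 10
MIDPOINT = (SCALE_MIN + SCALE_MAX) / 2  # 5.5; a score above this counts as "high"

# Default response per quadrant, following steps 5 and 6 of the post.
RESPONSE = {
    "upper right": "Control or Transfer; management must confirm the risk is understood and managed",
    "upper left": "Monitor and prepare mitigation; Transfer (e.g. insurance) where a partner can carry it",
    "lower right": "Control: keep procedures adequate, since recurring small losses add up",
    "lower left": "Accept as a cost of operations",
}


@dataclass
class Risk:
    objective: str
    name: str
    controls: list[str]          # internal controls already in place (step 3)
    likelihood_votes: list[int]  # one 1-10 vote per expert (step 4)
    impact_votes: list[int]      # one 1-10 vote per expert (step 4)


def combine(votes: list[int]) -> float:
    """Median of the experts' votes, so a single outlier cannot move a risk
    across a quadrant line. Rejects empty or out-of-scale input."""
    if not votes:
        raise ValueError("at least one vote is required")
    for v in votes:
        if not SCALE_MIN <= v <= SCALE_MAX:
            raise ValueError(f"vote {v} is outside the {SCALE_MIN}-{SCALE_MAX} scale")
    return float(median(votes))


def quadrant(likelihood: float, impact: float) -> str:
    """Likelihood runs left to right and impact bottom to top, as on the chart."""
    vertical = "upper" if impact > MIDPOINT else "lower"
    horizontal = "right" if likelihood > MIDPOINT else "left"
    return f"{vertical} {horizontal}"


def assess(register: list[Risk]) -> list[dict]:
    """Return one row per risk, most exposed first (exposure = likelihood x impact)."""
    rows = []
    for r in register:
        likelihood = combine(r.likelihood_votes)
        impact = combine(r.impact_votes)
        q = quadrant(likelihood, impact)
        rows.append({
            "objective": r.objective,
            "risk": r.name,
            "controls": r.controls,
            "likelihood": likelihood,
            "impact": impact,
            "exposure": likelihood * impact,
            "quadrant": q,
            "response": RESPONSE[q],
        })
    rows.sort(key=lambda row: row["exposure"], reverse=True)
    return rows


# Constructed sample register (illustrative only, three experts per risk).
SAMPLE_REGISTER = [
    Risk("Provide daycare services", "Child injury on site",
         ["Staff first-aid certification", "Daily playground inspection"],
         likelihood_votes=[3, 4, 2], impact_votes=[9, 10, 9]),
    Risk("Provide daycare services", "Uncollected parent fees",
         ["Monthly statements", "Late-fee policy"],
         likelihood_votes=[8, 7, 9], impact_votes=[3, 4, 3]),
    Risk("Keep finance systems running", "Ransomware on finance servers",
         ["Offline backups", "Phishing awareness training"],
         likelihood_votes=[7, 6, 8], impact_votes=[9, 8, 10]),
    Risk("Improve road condition", "Minor clerical errors on grant reports",
         ["Supervisor review before submission"],
         likelihood_votes=[4, 3, 3], impact_votes=[2, 2, 3]),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['quadrant']:12} L={row['likelihood']:4} I={row['impact']:4} "
              f"{row['risk']}: {row['response']}")
```

Running it prints the register ordered from the ransomware risk (upper right) down to the clerical-error risk (lower left), each with its quadrant and suggested response; the validation in `combine` is there because a vote outside the 1 – 10 scale, or a risk nobody rated, would otherwise silently distort the chart.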
Once you go through the six steps above, you will have a good understanding of your primary risks, controls, and exposures. You will know which risks are being effectively managed and, for the risks not being effectively managed, you will have a high-level action plan to improve the management of those risks.
For an in-depth explanation on how to conduct proper risk assessment for implementation projects, please see this blog post.

If you have more questions about risk assessment, feel free to reach out to Kevin directly:

kharper@kevinharpercpa.com
(510) 593-5037
The Government Finance and Accounting Blog

About the author: Kevin W. Harper is a certified public accountant in California. He has decades of audit and consulting experience, entirely in service to local governments. He is committed to helping government entities improve their internal operations and controls.

20885 Redwood Road, #202
Castro Valley, CA 94546
(510) 593-5037
KHarper@kevinharpercpa.com