Internal Audit Section
Risk Assessment Overview
 

Proper risk management gives agency management reasonable assurance that the agency will:

  • Achieve its goals
  • Operate effectively and efficiently
  • Protect itself from loss
  • Provide reliable financial data
  • Comply with applicable laws/regulations and policies/procedures

Risk assessment from a project/program/process perspective involves a three-step process that includes:

  1. Identification of risk
  2. Measurement of risk
  3. Risk Management

1. Risk Identification

Risk identification is key to risk assessment because risk cannot be measured, prioritized or managed until it has been identified. The three main approaches to risk identification are:

  a) Exposure Analysis – Identification of risks that could affect assets.
  b) Environmental Analysis – Identification of risks that could affect operations.
  c) Threat Scenarios – Specialized risk identification of frauds and/or disasters.
   
  Exposure Analysis is best for processes that depend heavily on assets for goal achievement. This approach takes into consideration the size, type, portability and location of assets. These assets include: physical assets such as plant and equipment, financial assets such as cash and investments, human assets (including the knowledge and experience of the staff), and intangible assets such as information and reputation.
   
  Environmental Analysis is used to explore risks that could affect the accomplishment of objectives by considering risks arising from various states of the environment, such as physical environment, economic environment, government regulation, competition, customers, technology, etc.
   
  Threat Scenario is mostly used for dealing with fraud or security issues. Examples of threats could be Errors, Delays, Omissions or Fraud.

Risk assessment starts with management defining the risks to the processes and programs for their particular agency. Therefore, risk assessment starts with management answering questions such as:

  • How do we define success? Then, what must we do to succeed?
  • What could happen to cause failure to meet objectives?
  • Where is our greatest exposure?
  • On what information do we most rely?
  • Where are we most vulnerable?
  • What is our greatest asset? Then, how do we protect these assets?

Risks consist of both external and internal risks. External risks arise from activities outside of the agency. Technological developments, changing public expectations, legislative directives and economic changes all have the potential for creating external risks in an agency. Internal risks arise from activities inside the agency. An example would include disruption of a critical computer system or telephone system, which would cause obvious operational problems.

2. Measurement of Risk

Based upon management’s identification of different risks to their agency, consideration must be given to the likelihood that these risks will be realized and, if so, the significance/impact that they would have on the agency. Once management has identified key risks to their agency, it is their responsibility to monitor and control these risks.

More important than the specific method used to identify risks is management’s careful consideration of factors unique to their own agency. However, it is important that management document their risk assessment process. One method is the use of a simple Risk Assessment and Control Activities Worksheet to ascertain that control activities are present to manage risk. This method uses subjective measures to measure the likelihood that risks will be realized and the significance/impact that they would have on the agency.

Another method of measuring risk is the use of observable risk factors for measuring a specific risk or class of risks. Using risk factors for measuring risk is useful when agency divisions or units share a lot in common, such as local health units, state parks, DHS county offices, etc. The completion of a systematic risk assessment reveals units/areas within an agency that comprise the highest risk and therefore deserve the most attention by management to ensure that control activities are present to manage risk. Generally, the more that a risk factor is present, the higher the risk and/or consequence. This approach involves the establishment of risk factors that can be evaluated by each division/unit and provide a quantitative measurement of risk. Examples of risk factors may include:

  • Human Resources/Employee Turnover
  • Information Technology – Security and Integrity
  • Level of Centralization
  • Regulatory Oversight
  • Contractual Relationships
  • Consumer Impact
  • Complexity of Business Processes
  • Extent of Audit Coverage
  • Etc.

Click here for an example of a risk assessment questionnaire. This is simply an example; each agency must determine the risk factors that they choose to use in their evaluation. Once all agency areas are evaluated, the scores from the questionnaires are entered into a worksheet to tally the results. Higher total scores indicate areas of the agency that should be reviewed to determine that proper control activities are present to manage risk. Click here for an example of a risk assessment questionnaire worksheet.

The use of a subjective versus the more objective measurement tool depends on the specific risk identified; therefore, it is likely that both methods would be used during an overall agency risk assessment.

3. Risk Management

Risk management is the act of doing something with the information generated by the risk assessment. This involves making decisions on how to deal with the risks assessed, which may include:

  • Avoiding the risk by designing the process to eliminate the particular risks, minimize the risks, or change the nature of the risks to be faced.
  • Controlling the risk by instituting procedures to control the process that minimizes the consequences and severity of risk occurrence. This includes accepting some risk.
  • Sharing the risk through contractual arrangements with suppliers, customers, constituents, or third parties.
 