Small Agency Risk Assessment Instructions Fiscal Year 2016
Texas Government Code, Section 2102.013(c), requires certain state agencies to submit a written risk assessment to the State Auditor's Office (SAO) in the form and at the time prescribed by the SAO. In compliance with that statute, the SAO is providing a template and instructions for preparing the small agency risk assessment. If you have any questions about completing the template or instructions, please contact Kathryn Hawkins, at (512) 936-9568 or Kathryn.Hawkins@sao.texas.gov, or Michael Stiernberg, at (512) 936-9455 or Michael.Stiernberg@sao.texas.gov.
Template and Example
The risk assessment template is available in Microsoft Excel. Please use the template to complete the risk assessment. The example is provided with color coding; color coding is not required but is provided as an option.
Risk Assessment Instructions
This risk assessment process includes six steps:
Step 1: Identify Agency Activities
Locate the Risk Assessment Template Excel file in the Template and Example section above. Use brainstorming techniques to identify all agency activities and add them to the blank table found in the “Activities” tab of the template. Activities are the processes and procedures used to accomplish agency objectives and goals. (To see an example of a completed template, go to the “Example- Pet Shop Regulation Agency” Excel file that is provided in the Template and Example section.)
Next, locate the “Consolidated Activities” tab and consolidate related activities in the table provided. At a minimum, the following administrative functions and services must be included in your agency’s consolidated activities:
- Finance and accounting
- Information technology
- Human resources management
In the same tab, prioritize the consolidated activities (highest to lowest) according to their impact on achieving agency objectives and goals, and enter the list in the "Prioritized Consolidated Activities" table provided.
Step 2: Identify and Rate Risks for Each Activity—Before Controls
Locate the "Risk Assessment Pre-Controls" tab and enter the prioritized activities, identified in Step 1, in the table provided.
For each of the prioritized activities, identify the various risks (adverse impacts or results) associated with that activity and list them in the "Risk" columns to the right of each activity in the table. That should include all financial, managerial, and compliance risks, as well as risks related to the use of information technology.
Determine the potential impact of each risk, and rate each risk as high, moderate, or low, based on your own criteria for each rating. Some factors to consider in determining impact include how critical the activity is to the agency's mission, the relative size of the activity, and the sensitivity of data. Assess the rating without considering controls. Enter the impact rating in the columns marked "Impact Rating."
Determine the probability that each risk will occur, and rate each risk as high, moderate, or low, again without controls. Some factors to consider in determining the probability of occurrence include the age of the activity, changes in policies and procedures, personnel changes, and the amount of time since the last review. Enter the probability rating in the columns marked "Probability Rating."
Step 3: Identify Steps Taken to Mitigate Risks
Locate the "Risk Management" tab and complete a separate "Risk Management Table" for each prioritized activity. Add tabs as needed for each Risk Management Table created.
For each prioritized activity, identify the (control) steps the agency has taken to mitigate the associated risks and enter them in the left column of the table. List the associated risks (identified in Step 2) in the top row of the table. The controls entered should be controls that were implemented as of September 1, 2016.
Indicate with an "X," in each cell, which controls mitigate which risks.
Step 4: Rate Risks for Each Activity - After Controls
Locate the “Risk Assessment Post-Controls” tab. Repeat the steps from Step 2, but now rank the impact and probability of each risk after considering the mitigating controls.
Note—In the Pet Shop example, the impact or probability of some risks is now ranked lower than they were initially ranked without consideration of controls.
Step 5: Significant Changes
Locate the “Changes in RA” tab and identify any significant changes in risks or controls from your 2016 submission. Summarize those changes by activity. Those may be changes in the probability or impact of a risk or in the steps taken to mitigate risk.
Step 6: Audit History
Locate the "Audit History” tab and identify any audits or reviews conducted of agency activities in the past five years. For each audit/review identified, provide the fiscal year in which the audit/review was conducted, type of audit/review, audited/reviewed activity, and the entity that conducted the audit/review.
Submitting the Risk Assessment
E-mail the completed risk assessment template, including all six steps by March 31, 2017 to firstname.lastname@example.org.
Risk assessment steps:
1. Activities (Consolidated and Prioritized).
2. Risk Assessment Pre-controls.
3. Risk Management Tables for Each Activity.
4. Risk Assessment Post-controls.
5. Risk Assessment Changes.
6. Audit History.
As the SAO reviews each agency’s risk assessment, we may contact the agency for additional clarifying information.