Small Agency Risk Assessment Instructions
Texas Government Code, Section 2102.013(c), requires certain state agencies to submit a written risk assessment to the State Auditor's Office (SAO) in the form and at the time prescribed by the SAO. In compliance with that statute, the SAO is providing a template and instructions for preparing the small agency risk assessment. If you have questions about completing the template or instructions, please contact Kathryn Hawkins at (512) 936-9658 or Kathryn.Hawkins@sao.texas.gov , or Michael Stiernberg, at (512) 936-9455 or Michael.Stiernberg@sao.texas.gov.
Risk Assessment Instructions
This risk assessment process includes six steps:
Step 1: Identify Agency Activities
Locate the Excel file in the section. Use brainstorming techniques to identify all agency activities and add them to the blank table found in the “Activities” tab of the template. Activities are the processes and procedures used to accomplish agency objectives and goals.
Next, locate the “Consolidated Activities” tab and consolidate related activities in the table provided. At a minimum, the following administrative functions and services must be included in the consolidated activities:
- Finance and accounting.
- Information technology.
- Human resources management.
In the same tab, prioritize the consolidated activities (highest to lowest) according to their effect on achieving agency objectives and goals, and enter the list in the "Prioritized Consolidated Activities" table provided.
Step 2: Identify and Rate Risks for Each Activity—Before Controls
Locate the "Risk Assessment Pre-Controls" tab and enter the prioritized activities, identified in Step 1, in the table provided.
For each of the prioritized activities, identify the various risks (adverse effects or results) associated with that activity and list them in the "Risks" columns to the right of each consolidated activity in the table. The risks identified should include all financial, managerial, and compliance risks, as well as risks related to the use of information technology.
Determine the potential impact of each risk, and rate each risk as high, moderate, or low, based on your own criteria for each rating. Some factors to consider in determining impact include how critical the activity is to the agency's mission, the relative size of the activity, and the sensitivity of data. Assess the rating without considering controls. Enter the impact rating in the columns marked "Impact Rating."
Determine the probability that each risk will occur, and rate each risk as high, moderate, or low, again without controls. Some factors to consider in determining the probability of occurrence include the age of the activity, changes in policies and procedures, personnel changes, and the amount of time since the last review. Enter the probability rating in the columns marked "Probability Rating."
Step 3: Identify Steps Taken to Mitigate Risks
Locate the "Risk Management" tab and complete a separate "Risk Management Table" for each prioritized activity. Add tabs as needed for each risk management table created.
For each prioritized activity, identify the (control) steps the agency has taken to mitigate the associated risks and enter them in the left column of the table. List the associated risks (identified in Step 2) in the top row of the table. The controls entered should be controls that were implemented as of the beginning of the fiscal year.
Indicate with an "X," in each cell, which controls mitigate each risk.
Step 4: Rate Risks for Each Activity - After Controls
Locate the “Risk Assessment Post-Controls” tab. Repeat Step 2, but now rank the impact and probability of each risk after considering the mitigating controls.
Note: Based on the controls in place, the impact or probability of some risks may be lower than they were initially ranked without consideration of mitigating controls.
Step 5: Significant Changes
Locate the “Changes in RA” tab and identify any significant changes in risks or controls (new, revised, or deleted) from the prior year submission. Summarize those changes by activity. They may be changes in the probability or impact of a risk or in the steps taken to mitigate risk.
Note: Significant changes to the risks and controls could result from, but are not limited to, revisions to the agency’s regulatory environment; organizational or procedural changes; management or significant staff turnover; information technology initiatives, such as implementation or updating of a system; entering into a high-dollar contract; and/or contracting for critical functions.
Step 6: Audit History
Locate the "Audit History” tab and identify any audits or reviews conducted of agency activities in the past five years. For each audit/review identified, provide the fiscal year in which the audit/review was conducted, type of audit/review, audited/reviewed activity, and the entity that conducted the audit/review.
Template and Example
The risk assessment template is available in Microsoft Excel. Please use the template to complete the risk assessment. The example is provided with color coding; color coding is not required but is provided as an option.
Submitting the Risk Assessment
Email the completed risk assessment, including all six steps by March 31, each fiscal year, to email@example.com.
Risk assessment steps:
1. Activities (Consolidated and Prioritized).
2. Risk Assessment Pre-controls.
3. Risk Management Tables for Each Consolidated Activity.
4. Risk Assessment Post-controls.
5. Risk Assessment Changes.
6. Audit History.
As the SAO reviews each agency’s risk assessment, we may contact the agency for additional clarifying information.