Small Agency Risk Assessment Instructions
Fiscal Year 2013

Overview

Texas Government Code, Section 2102.013(c), requires certain state agencies to submit a written risk assessment to the State Auditor's Office (SAO) in the form and at the time prescribed by the SAO. In compliance with this mandate, the SAO is providing templates and instructions for preparing the small agency risk assessment. If you have any questions about completing the template or instructions, please contact Kelly Furgeson Linder at (512) 936-9327 or KLinder@sao.state.tx.us.

Submitting the Risk Assessment

E-mail the completed risk assessment file, including all five steps described in the risk assessment instructions below, by Friday, March 29, 2013, to riskassessment@sao.state.tx.us.

As we review each agency’s risk assessment, we may contact the agency for additional clarifying information.

Templates and Examples

Risk assessment templates are available in both the 2007 and 2003 versions of Excel. Please choose the version that your agency currently uses, and then use the template to complete the Risk Assessment. The examples are provided with and without color coding; color coding is not required but is provided as an option.

Risk Assessment Instructions

This risk assessment process includes five steps:

Step 1: Identify Agency Activities
Locate the Risk Assessment Template Excel file in the Templates and Examples section above. Use brainstorming techniques to identify all agency activities and add them to the blank table found in the "Activities" tab of the template. Activities are the processes and procedures used to accomplish agency objectives and goals. (To see an example of a completed template, go to the “Pet Shop Regulation Agency” Excel file that is provided in the Templates and Examples section.)

Next, locate the “Consolidated Activities” tab and consolidate related activities in the table provided. At a minimum, the following administrative functions and services must be included as your agency’s consolidated activities:

In the same tab, prioritize the consolidated activities (highest to lowest) according to their impact on achieving agency objectives and goals, and enter the list in the "Prioritized Consolidated Activities" table provided.

Step 2: Identify and Rate Risks for Each Activity - Before Controls
Locate the "Risk Assessment Pre-Controls" tab and enter the prioritized activities, identified in step 1, in the table provided.

For each of the prioritized activities, identify the various risks (adverse impacts or results) associated with that activity and list them in the "Risk" columns to the right of each activity in the table. This should include all financial, managerial, and compliance risks.

Determine the potential impact of each risk and rate each of them as high, moderate, or low, based on your own criteria for each rating. Some factors to consider in determining impact include how critical the activity is to the agency's mission, the relative size of the activity, and the sensitivity of data. This rating should be assessed without considering controls. Enter the impact rating in the columns marked "Impact Rating."

Determine the probability that the risk will occur and rate it as high, moderate, or low, again without considering controls. Some factors to consider in determining the probability of occurrence include the newness of the activity, changes in policies and procedures, personnel changes, and the amount of time since the last review. Enter the probability rating in the columns marked "Probability Rating."

Step 3: Identify Steps Taken to Mitigate Risks
Locate the "Risk Management" tab and complete a separate "Risk Management Table" for each prioritized activity. Add tabs as needed for each Risk Management Table created.

For each prioritized activity, identify the (control) steps the agency has taken to mitigate the associated risks and enter them in the left column of the table. List the associated risks (identified in step 2) in the top row of the table. The controls entered should be controls that were implemented as of September 1, 2012.

Indicate with an "X," in each cell, which controls mitigate which risks.

Step 4: Rate Risks for Each Activity - After Controls
Locate the "Risk Assessment Post-Controls" tab. Repeat the steps from step 2, but now rank the impact and likelihood of each risk after considering the mitigating controls. (Note that in the Pet Shop example, the impact or probability of some risks is now ranked lower than it was pre-controls.)

Step 5: Significant Changes
Locate the "Changes in RA" tab and identify any significant changes in risks or controls from your fiscal year 2012 submission. Summarize those changes by activity. Those may be changes in the probability or impact of a risk or in the steps taken to mitigate risk.

Submitting the Risk Assessment

E-mail the completed risk assessment template, including all five steps [Activities (Consolidated and Prioritized); Risk Assessment Pre-Controls; Risk Management Tables for each Activity; Risk Assessment Post-Controls; and Risk Assessment Changes] by Friday, March 29, 2013, to riskassessment@sao.state.tx.us.