
Notes and Tips for using the Excel spreadsheet to complete a function-level risk assessment

1. The risk assessment template uses Excel. It is helpful to be familiar with Excel and some simple, but less common commands. The Office of Internal Audit and Management Advisory Services is available as a resource if you have any questions about using this template or Excel.

2. Complete all cells for each line; do not skip cells or leave cells blank. This affects the graph of risks (heat map).

3. List the objective for each risk. This is important when you sort and rank the risks.

4. Number the risks consecutively regardless of the objective. This is necessary for the numbering of the heat map.

5. If the same risk is identified on more than one of the function's process maps, list each occurrence separately in the risk assessment. The same risk occurring in different circumstances can have different likelihood, different impact, and different mitigation controls.

6. Identify all corresponding controls currently in place; this information is factored into the graph of risks (heat map).

7. When all the objectives and risks have been listed and rated, step back and ask yourself if this makes sense; adjust as needed.

8. When you think you have all the objectives and risks listed, ask yourself, "What keeps me up at night?" "What do I worry about?" If you have not included these items already, be sure to include them.

9. When ranking the risks, do not be concerned with small differences and complete accuracy in lower-level rankings. For example, don't spend time deciding if an item is risk 77 or 79. As long as the risk falls into the appropriate quadrant of the heat map, minor differences between numbers will not have a big effect.

10. When you are done ranking all of the risks, look at the heat map to see if the map appears reasonable. For example, ask yourself, "Does it make sense that risk 1 is in this quadrant while risk 2 is in another?"

11. If a risk is ranked as "low" or "minimal concern", it may not be necessary to implement any new controls. If this is the case, indicate that you have considered the risk and the existing controls and no action is needed. Suggested wording is "Impact and Likelihood are low, existing controls appear adequate. No additional controls are needed at this time."

12. After the information is complete, sort the risks in descending order by the "Risk Factor (automatically calculated)" field. The Office of Internal Audit and Management Advisory Services is available as a resource if you have any questions about how to do this.

13. Review the existing controls in the context of their risk factor (a factor of likelihood and impact). Consider if any controls in place are redundant or outdated and could be eliminated.

14. Complete the Corrective Action Plan section, describing any additional controls that will be put in place to further reduce or mitigate each risk, as appropriate, and defining a target completion date for each new control.

15. Define the applicable Service and Function name in the header for the document. To do this, click View > Header and Footer. Select Custom Header, and replace the following text with the name of the service and function: [Enter Service and Function Name].

After you have completed your risk assessment, be sure to save the document with the appropriate file name.

Cheat Sheet for Rating the Likelihood and Impact


Below is a guidance sheet to help you differentiate between the rating options in your risk assessment and be consistent when you rate the likelihood and impact of each risk.

Likelihood
Score: 1, 10, 20, 30, 40, 50, 60, 70, 80, 90, 100

Description:
- Very small chance of happening.
- Small chance of happening.
- Moderate chance of happening.
- This will happen about half the time.
- Likely to happen.
- Very high chance of happening.
- Certainty this will happen!

Impact
Score: 1, 10, 20, 30, 40, 50, 60, 75, 80, 90, 100

Description:
- Very small impact. Even if the risk becomes reality, there will be negligible effect on the RF
- Impact is small, and manageable.
- Impact is significant and noticeable. If financial risk, dollar amount is significant but fixable with current resources; if strictly operational, it will affect operations but can be worked around.
- Very serious impact; challenges with working around it.
- Can prevent RF mission from being realized.

[Enter Service and Function Name] Risk Assessment and Corrective Action Plan

4/21/2013

Risk Assessment and Corrective Action Plan


Function: Financial Risk Management

| Risk # | Category (optional) | Risk | Likelihood | Impact | Risk Factor (automatically calculated) | Comment |
|---|---|---|---|---|---|---|
| 1 | | Cash | 15 | 10 | 25 | |
| 2 | | Accounts Receivable | 84 | 90 | 174 | |
| 3 | | Advances to Others | 55 | 30 | 85 | |
| 4 | | Investments | 52 | 80 | 132 | |
| 5 | | Fixed Assets | 30 | 30 | 60 | |
| 6 | | Other Assets | 20 | 25 | 45 | |
| 7 | | Accounts Payable and Accrued Expenses (AP) | 55 | 48 | 103 | |
| 8 | | Accounts Payable and Accrued Expenses (IBNR - mainly workers' comp) | 50 | 20 | 70 | |
| 9 | | Accrued Compensation | 30 | 45 | 75 | |
| 10 | | Accrued Vacation | 40 | 45 | 85 | |
| 11 | | Deferred Revenue | 25 | 70 | 95 | |
| 12 | | Deposits Held for Others | 25 | 40 | 65 | |
| 13 | | Post-retirement Obligation | 75 | 90 | 165 | |
| 14 | | Long-term Debt | 20 | 15 | 35 | |
| 15 | | Line of Credit | 20 | 35 | 55 | |
| 16 | | Other Liabilities | 55 | 15 | 70 | |
| 17 | | Net Assets | 85 | 85 | 170 | |


[Heat map: risks 1 to 17 plotted by Likelihood (horizontal axis, 0 to 100, labelled No Chance, Average Chance, Certain) against Impact (vertical axis, 0 to 100, labelled Low to High). Quadrant labels: "High potential; not likely", "Threatening", "Less Risky", "Likely; low potential". Zone labels: Mitigate, Manage, Monitor, Make do.]

Notes: For Dec 2010, major changes since September 2010:
* A/R increases reflected in higher impact; NYS holdback reflected in higher likelihood
* accrued exp for self-insured programs - noted likelihood should be higher since amount is subjectively determined
* similarly, other assets include swap and forward contracts - calcs are based on estimates. Likelihood was increased, while impact was decreased since balances are small.
* made adjustments to other accounts to reflect impact as it relates to the size of the balance sheet - accts over 50 mil should be at or over the 50 impact; with accrued accts just below.
