The risk assessment template uses Excel. It is helpful to be familiar with Excel and some simple, but less common commands. The Office of Internal Audit and Management Advisory Services is available as a resource if you have any questions about using this template or Excel.

Complete all cells for each line; do not skip cells or leave cells blank. This affects the graph of risks (heat map).

List the objective for each risk. This is important when you sort and rank the risks.

Number the risks consecutively regardless of the objective. This is necessary for the numbering of the heat map.

If the same risk is identified on more than one of the function's process maps, list each occurrence separately in the risk assessment. The same risk occurring in different circumstances can have different likelihood, different impact, and different mitigation controls.

Identify all corresponding controls currently in place; this information is factored into the graph of risks (heat map).

When all the objectives and risks have been listed and rated, step back and ask yourself if this makes sense; adjust as needed.

When you think you have all the objectives and risks listed, ask yourself, "What keeps me up at night?" "What do I worry about?" If you have not included these items already, be sure to include them.

When ranking the risks, do not be concerned with small differences and complete accuracy in lower-level rankings. For example, don't spend time deciding if an item is risk 77 or 79. As long as the risk falls into the appropriate quadrant of the heat map, minor differences between numbers will not have a big effect.

When you are done ranking all of the risks, look at the heat map to see if the map appears reasonable. For example, ask yourself, "Does it make sense that risk 1 is in this quadrant while risk 2 is in another?"

If a risk is ranked as "low" or "minimal concern", it may not be necessary to implement any new controls. If this is the case, indicate that you have considered the risk and the existing controls and no action is needed. Suggested wording is "Impact and Likelihood are low, existing controls appear adequate. No additional controls are needed at this time."

After the information is complete, sort the risks in descending order by the "Risk Factor (automatically calculated)" field. The Office of Internal Audit and Management Advisory Services is available as a resource if you have any questions about how to do this.

Review the existing controls in the context of their risk factor (a factor of likelihood and impact). Consider if any controls in place are redundant or outdated and could be eliminated.

Complete the Corrective Action Plan section, describing any additional controls that will be put in place to further reduce or mitigate each risk, as appropriate, and defining a target completion date for each new control.

Define the applicable Service and Function name in the header for the document. To do this, click View > Header and Footer. Select Custom Header, and replace the following text with the name of the service and function: [Enter Service and Function Name].
After you have completed your risk assessment, be sure to save the document with the appropriate file name.
Likelihood
Score: 1, 10, 20, 30, 40, 50, 60, 70, 80, 90, 100
Description: Very small chance of happening. Small chance of happening. Moderate chance of happening. This will happen about half the time. Likely to happen. Very high chance of happening. Certainty this will happen!
Impact
Score: 1, 10, 20, 30, 40, 50, 60, 75, 80, 90, 100
Description:
Very small impact. Even if the risk becomes reality, there will be negligible effect on the RF.
Impact is small, and manageable.
Impact is significant and noticeable. If financial risk, dollar amount is significant but fixable with current resources; if strictly operational, it will affect operations but can be worked around.
Very serious impact; challenges with working around it.
[Enter Service and Function Name] Risk Assessment and Corrective Action Plan
4/21/2013
Impact 10 90 30 80 30 25 48 20 45 45 70 40 90 15 35 15 85
[Figure: risk heat map. Vertical axis: Impact (0 to 100). Horizontal axis: Likelihood (0 to 100, from "No Chance" through "Average Chance" to "Certain"). Region labels: Threatening; Mitigate; Manage; Monitor; Likely, low potential; Less Risky; Make do; Low. Each risk is plotted by its number.]
Notes: For Dec 2010, major changes since September 2010:
* A/R increases reflected in higher impact; NYS holdback reflected in higher likelihood.
* Accrued exp for self-insured programs: noted likelihood should be higher since amount is subjectively determined.
* Similarly, other assets include swap and forward contracts; calcs are based on estimates. Likelihood was increased, while impact was decreased since balances are small.
* Made adjustments to other accounts to reflect impact as it relates to the size of the balance sheet: accts over 50 mil should be at or over the 50 impact, with accrued accts just below.