20.20 Risk Assessment


July 1, 2008

What is risk assessment?

Risk assessment is an ongoing process that includes identifying risks to achieving agency objectives, analyzing the risks, and deciding how to respond to the risks.

In risk assessment, management considers the mix of potential events relevant to the agency and its activities in the context of the agency's public visibility, size, operational complexity, regulatory restraints, and other factors. Because of these variables, the same activity could have very different levels of risk for two different agencies.


How does an agency identify risk?

Risk identification is the first step in risk assessment because risk cannot be measured, prioritized, and managed until it has been identified. Every agency faces a variety of risks, both expected and unexpected, from external and internal sources that must be identified.

External risks arise from activities outside the agency. These external risks may not be directly controllable by the agency or they may constrain the way in which the agency is permitted to take or address risk. Technological developments, changing public expectations, legislative directives, natural catastrophes and economic changes all have the potential for creating external risks in an agency.

Internal risks arise from activities inside the agency. Examples of internal risks include disruption of the central computer system or telephone system and turnover in a key managerial position.

The process of identifying risks should consider the following characteristics and attributes: type of risk, source of risk, areas the risk impacts, and level of ability to control the risk.

Risk identification can often be integrated into the planning activities that occur at various levels within the agency. Some risks may be apparent at the agency level, whereas others may be a factor only within a certain function or process. Risks at all levels should be identified and aggregated across the agency. The significant ones will become apparent during the risk analysis process.

Risks can also be identified through ongoing activities. The budget process, audits, and the strategic planning process provide opportunities for managers to conduct quantitative and qualitative reviews and to identify risks. More informal opportunities include senior management planning meetings, meetings with auditors, and everyday interaction with staff.

More important than the specific method used to identify risks is management's careful consideration of factors unique to the agency, including the following:

  • An agency's past experience
  • Staffing levels and quality
  • Statutory framework
  • The significance and complexity of activities in relation to the agency's mission.

Tools related to risk identification and assessment are available online at:


How does an agency analyze and measure risk?

Once risks have been identified, they need to be analyzed. This analysis includes estimating the impact of a risk, measuring the likelihood it will occur, and considering how to respond to the risk.


Analysis of the control environment

Analyzing risk begins with analyzing the control environment. The control environment is the foundation for all other components of internal control. Refer to Section 20.15.40.a for a discussion of the control environment.


Analysis of inherent risk

Analyzing risk also includes analyzing the inherent risk. High inherent risk is not necessarily a reflection of management performance or lack of control; rather, high inherent risk points to areas that, due to the nature of their operations, require additional attention. For example, from a safeguarding of assets perspective, activities involving the handling of cash are inherently more risky than activities involving the handling of sand and gravel. However, from a financial reporting perspective, the measuring of cash is inherently less risky than measuring sand and gravel.


Other factors that influence risk

Other factors may influence risk measurement. These factors can be grouped into broad categories such as:

  • Financial
  • Operational
  • Human capital
  • Legal
  • Technology
  • Security
  • Political
  • Environmental
  • Ethics
  • Compliance.

The degree to which these factors influence a specific agency or function will vary depending on the agency’s objectives, the nature of its operations and its control environment.


Measuring risk

A visual matrix can be useful in measuring risk. For each event, determine the likelihood that it will occur and the impact on the agency if it does occur.

Likelihood = the possibility that a given event will occur.
Impact = the result or effect of an event.

A general guideline for handling the different levels of risk is:

3 = High Risk – Mitigate or reduce the risks
2 = Medium Risk – Manage the risks
1 = Low Risk – Accept the risks


The specific method used to measure risk is not as important as ensuring that management gives careful consideration to factors unique to its agency and that the risk assessment process is well documented.


How does an agency respond to risk?

Risk response refers to the actions taken to deal with an identified risk. Possible responses fall into four categories: avoidance, reduction, transferring (sharing), and acceptance.

Avoidance: Risk avoidance involves eliminating the risk-producing activity entirely (or never beginning it). Although avoidance is highly effective, it is often impractical or undesirable, either because the agency is legally required to engage in the activity or because the activity is so beneficial to the public that it cannot be discontinued.

Reduction: Risk reduction strategies reduce the frequency or severity of the losses resulting from a risk, usually by changing operations. For example, routine mechanical maintenance could decrease the likelihood of a major computer hardware failure, while routine backups could decrease the impact of technology equipment failure on the agency's ability to provide services.

Transferring (sharing): Risk transfer strategies turn over or share the responsibility of performing a risky activity to another party. Examples of risk transfer are transferring the liability for losses to an insurance carrier, or outsourcing an activity to a contractor with the stipulation that the contractor assume the risk.

Acceptance: After all reasonable and cost-effective risk responses have been taken, an agency is left with risk acceptance.


When deciding how to respond to each risk, management should consider the following:

  • The availability and effectiveness of control activities on likelihood and impact (significance).
  • The availability of resources to implement control activities.
  • The cost of the control activity in relation to its benefit.

Resource limitations will determine how, and to what extent, risks can be managed. Therefore, risk responses must be prioritized based on the level of risk and the cost, availability, and effectiveness of control activities.

When considering the cost versus benefit and recognizing interrelationships among risks, management may pool agency responses to address similar risks across an agency's units or programs. Examples include mandating ethics training for all agency employees and centralizing functions, such as contract management and receipting.
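The likelihood/impact scoring from the "Measuring risk" section and the prioritization criteria above (level of risk, then cost, availability and effectiveness of controls), worked through as an added example; this is not part of the manual. The 3-point rating scales, the rule mapping likelihood times impact onto the three risk levels (the page's own matrix is not reproduced), the relative control costs and the sample risk register are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    likelihood: int  # 1 (remote) .. 3 (likely); assumed 3-point scale
    impact: int      # 1 (minor) .. 3 (severe); assumed 3-point scale

@dataclass
class Control:
    name: str
    risk: str            # name of the Risk this control addresses
    cost: float          # assumed relative cost to implement
    new_likelihood: int  # ratings expected once the control is in place
    new_impact: int

def risk_level(likelihood, impact):
    """Assumed matrix rule (the page's matrix is not reproduced): product 6..9 -> 3, 3..4 -> 2, 1..2 -> 1."""
    if not {likelihood, impact} <= {1, 2, 3}:
        raise ValueError("likelihood and impact must each be 1, 2 or 3")
    score = likelihood * impact
    return 3 if score >= 6 else 2 if score >= 3 else 1

def prioritize(risks, controls, budget):
    """Rank controls by risk level, then levels removed per unit cost; select within budget."""
    by_name = {r.name: r for r in risks}
    ranked = []
    for c in controls:
        before = risk_level(by_name[c.risk].likelihood, by_name[c.risk].impact)
        removed = before - risk_level(c.new_likelihood, c.new_impact)
        if removed > 0:  # ineffective controls do not compete for resources
            ranked.append((-before, -removed / c.cost, c))
    ranked.sort(key=lambda t: t[:2])
    selected, covered, remaining = [], set(), budget
    for _, _, c in ranked:
        if c.risk in covered or c.cost > remaining:  # one control per risk; resources limited
            continue
        selected.append(c.name)
        covered.add(c.risk)
        remaining -= c.cost
    accepted = [(r.name, risk_level(r.likelihood, r.impact)) for r in risks if r.name not in covered]
    return selected, accepted  # accepted risks carry their level: 3=High, 2=Medium, 1=Low
# Constructed sample register using the section's own example risks.
SAMPLE_RISKS = [Risk("Central computer system disruption", 2, 3), Risk("Key manager turnover", 2, 2), Risk("Telephone system outage", 1, 2)]
SAMPLE_CONTROLS = [Control("Routine backups", "Central computer system disruption", 10, 2, 1),
                   Control("Routine hardware maintenance", "Central computer system disruption", 20, 1, 3),
                   Control("Succession planning", "Key manager turnover", 5, 2, 1),
                   Control("Backup phone line", "Telephone system outage", 8, 1, 1)]
def demo(budget=15):
    return prioritize(SAMPLE_RISKS, SAMPLE_CONTROLS, budget)
```

With the assumed budget of 15, routine backups and succession planning are selected and the telephone outage is left as an accepted low risk; lowering the budget to 12 drops succession planning and leaves the medium-level turnover risk accepted as well.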
