A risk assessment is the identification and analysis of relevant risks to the achievement of an organization's objectives to determine how those risks should be managed. Risk assessment implies an initial determination of operating objectives, then a systematic identification of those things that could prevent each objective from being attained. In other words, it is an analysis of what could go wrong.
Not all risks are equal. Some are more likely than others to occur, and some will have a greater impact than others if they occur. So once risks are identified, their probability and significance must be assessed.
Finally, having identified and assessed risk, management must decide how to deal with it. In some cases, the decision may be to control it; in others, it may be to accept it.
As a good business practice, the risk assessment process is an ongoing one. Internal and external threats constantly develop, presenting new hazards to the organization. Change itself is a risk, and management must continually adapt its policies and procedures to manage its changing risks to a comfortable level.
Each operating unit at the University faces its own challenges and risks and must assess how it will manage its risks to meet its objectives. A good internal control system can mitigate those risks.
The State Administrative and Accounting Manual, issued by the Office of Financial Management, defines internal control, basic internal control requirements, and agency responsibilities for assessing and minimizing risk through internal control assessment. The requirements include participation by all levels of the organization in an annual risk assessment and internal control evaluation. At WSU, this process is currently managed through the General Accounting Office.
In compliance with Internal Control BPPM 10.04, each University area assesses risk on at least an annual basis through completion and submission of the Risk Evaluation. The questions on the Risk Evaluation assess risk based on factors determined by industry standards and guidelines presented by the Office of Financial Management.
The completed Risk Evaluations are a significant tool used by Internal Audit to assess enterprise-wide University risks. In addition, input is sought from key administrators, staff, faculty, students and external auditors on possible risks and their likelihood or importance. The results of the assessment are used to assess the adequacy of existing processes, policies and procedures, and prepare future annual audit plans.
The risk assessment process itself is an opportunity for management and directors to look at their operations, determine the areas of significant risk, and evaluate what actions can be taken to minimize the risk and enhance the effectiveness and efficiency of the operation, while following applicable laws and regulations. This risk assessment and internal control evaluation can be integrated into a department's or area's strategic planning process and program review.
As noted, the risk assessment process is an ongoing one and does not necessarily end with submission of the annual Risk Evaluation. Although the formal process may be complete, managers should make themselves continually aware of potential risks.
Internal Audit has been requested to provide tools for units to assess their internal controls. To that end, we have developed a generic self-assessment guide (below) that units can use to assess their internal controls outside of the formal risk evaluation process. This assessment is not to be submitted in lieu of the Risk Evaluation; it is provided as a resource for University units to self-assess the controls in their unit. Note that many of the questions, and the form itself, are similar to the annual Risk Evaluation.
If you have any questions on the annual Risk Evaluation process or questions on internal controls and self-assessment, please contact Internal Audit.
BPPM 10.04 - Internal Control
SAAM 20.20 - Risk Assessment
Self-Assessment - currently under development