Notes and Tips for using the Excel spreadsheet to complete a function-level risk assessment

1 The risk assessment template uses Excel. It is helpful to be familiar with Excel and some simple, but less common commands. The Office of Internal Audit and Management Advisory Services is available as a resource if you have any questions about using this template or Excel. Complete all cells for each line, do not skip cells or leave cells blank. This affects the graph of risks (heat map). List the objective for each risk. This is important when you sort and rank the risks. Number the risks consecutively regardless of the objective. This is necessary for the numbering of the heat map. If the same risk is identified on more than one of the function's process maps, list each occurrence separately in the risk assessment. The same risk occurring in different circumstances can have different likelihood, different impact, and different mitigation controls. Identify all corresponding controls currently in place, this information is factored into the graph of risks (heat map). When all the objectives and risks have been listed and rated step back and ask yourself if this makes sense, adjust as needed. When you think you have all the objectives and risks listed, ask yourself, "What keeps me up at night?" " What do I worry about?" If you have not included these items already, be sure to include them. When ranking the risks, do not be concerned with small differences and complete accuracy in lowerlevel rankings. For example, don't spend time deciding if an item is risk 77 or 79. As long as the risk falls into the appropriate quadrant of the heat map, minor differences between numbers will not have a big effect. When you are done ranking all of the risks look at the heat map to see if the map appears reasonable. for example ask yourself "Does it make sense that risk 1 is in this quadrant while risk 2 is in another?" If a risk is ranked as" low" or "minimal concern" it may not be necessary to implement any new controls. If this is the case, indicate that you have considered the risk and the existing controls and not action is needed. Suggested wording is "Impact and Likelihood are low, existing controls appear adequate. No additional controls are needed at this time." After the information is complete, sort the risks in descending order by the " Risk Factor (automatically calculated)" field. The Office of Internal Audit and Management Advisory Services is available as a resource if you have any questions about how to do this. Review the existing controls in the context of their risk factor (a factor of likelihood and impact). Consider if any controls in place are redundant or outdated and could be eliminated. Complete the Corrective Action Plan section, describing any additional controls that will be put in place to further reduce or mitigate each risk, as appropriate, and defining a target completion date for each new control. Define the applicable Service and Function name in the header for the document. To do this, click View > Header and Footer. Select Custom Header, and replace the following text with the name of the service and function: [Enter Service and Function Name].

2 3 4

6 7

10

11

12

13

14

15

After you have completed your risk assessment, be sure to save the document with the appropriate file name.

Cheat Sheet for Rating the Likelihood and Impact

Below is a guidance sheet to help you differentiate between the rating options in your risk assessment and be consistent when you rate the likelihood and impact of each risk.

Likelihood
Score 1 10 20 30 40 50 60 70 80 90 100 Description Very small chance of happening. Small chance of happening. Moderate chance of happening. This will happen about half the time. Likely to happen. Very high chance of happening. Certainty this will happen!

Impact
Score 1 10 20 30 40 50 Impact is small, and manageable. Description Very small impact. Even if the risk becomes reality, there will be negligible effect on the RF

Impact is significant and noticeable. If financial risk, dollar amount is significant but fixable with current resources; if strictly operational, it will affect operations but can be worked around. Very serious impact; challenges with working around it.

60 75 80 90 100

Can prevent RF mission from being realized.

[Enter Service and Function Name] Risk Assessment and Corrective Action Plan

2/9/2014

Risk Assessment and Corrective Action Plan

Cate gory (opti onal) Risk # 1

x
Risk Poor planning and/or inadequate process Likelihood 15

y
Impact 75

Function Project management Risk Management

Risk Factor (automatically calculated) 90

Actual arrive Risk Factor

Inefficient way to document and track progress

84

90

174

Comment Poor planning and/or inadequate process planning is central to the success of a project. It is important to define what constitutes project success or failure at the earliest stage of the process. It is also essential to drill down the big picture to smaller tasks. Inefficient way to document and track progress this is an oversight on the part of the project manager. Tracking milestones is a crucial way to see if 200 expectations are being met. Documentation and tracking also lets the manager identify which areas require more resources to be completed on time. 120 Poor leadership at any level the leader is usually identified as the project manager. However, the management-level executive also has a responsibility of ensuring the projects success. He/she should work together with the manager to ensure that the companys exact requirements are understood. Failure to set expectations and manage them in working in a team setting, it is critical that youre able to manage people. If and when expectations are not met, there should be clearly-defined consequences. The task should then be prioritized and possibly reassigned to a more competent individual.

Poor leadership at any level

55

50

105

105

Failure to set expectations and manage them

32

80

112

130

Inadequately-trained project managers

30

90

120

Inaccurate Time estimation

20

70

90

Lack of communication at any level

35

86

121

Inadequately-trained project managers the project manager is taking on a heavy responsibility. It is important to assign management roles only to 120 individuals who have the capabilities to meet requirements. In some cases, poorly-trained managers are assigned to complex projects; this is a recipe for failure. Inaccurate Time estimation there are instances when the cost of an undertaking is grossly underestimated. When it runs out of resources, the 50 project cannot be completed. This can be mitigated when the lack of resources is identified early by the project manager. Lack of communication at any level communication between the management executive and the project manager, and between the latter and 170 the team members are always important. Everyone should feel free to come forward to state their concern or give suggestions. Culture or ethical misalignment the culture of the company must prize competence, pro-activeness, and professionalism. If it doesnt, the team members may not have the motivation to do their best. In essence, everyone involved must be concerned about the success of their undertaking.

Culture or ethical misalignment

50

60

110

150

Competing priorities

30

30

60

Competing priorities when a companys resources are stretched, there will 40 be competing priorities in terms of manpower and financing. Having good cost estimation at the start will eliminate this problem. Disregard of project warning signs when a project is on the verge of failing, 190 there will always be warning signs. Taking action immediately can save the project. Otherwise, the whole endeavor can just go down the drain.

10

Disregard of project warning signs

70

100

170

Page 4 of 5

High potential; not likely

High

Threatening

100 90 80

10
5 7 4 1 6

Mitigate Manage

200

180 160 140 120 100

70

I m p a c t

Risk Factor (automatically calculated) Actual arrive Risk Factor

60 50

Monitor

8 3

80

60
Likely; low potential

Less Risky

40 20 0 1 2 3 4 5 6 7 8 9 10 11

40 30

Make do
20
10
Low

10

20

30

40

50
Average Chance

60

70

80

90

100

No Chance

Certain

Likelihood

Notes: For Dec 2010, major changes since September 2010: *A/R increases reflected in higher impact; NYS holdback reflected in higher likelihood *accrued exp for self-insured programs- noted likelihood should be higher since amount is subjectively determined *similarly, other assets include swap and forward contracts- calcs are based on estimates. Likelihood was increased, while impact was decreased since balances are small. *made adjustments to other accounts to reflect impact as it relates to the size of the balance sheet- accts over 50 mil should be at or over the 50 impact; with accrued accts just below.