To many people, risk assessments (the second component of the COSO Framework) are a mystery. This is not because they do not understand risk—everyone thinks about and assesses risk every day. However, these everyday risk assessments are rarely written down or formalized.
There are many reasons why organizations perform risk assessments. They provide assurance that key business processes have appropriate controls in place and provide a roadmap to guide management in developing standard policies and procedures. They help management identify control gaps and redundancies so that action plans can be formulated to plug control gaps, strengthen existing controls, or remove redundancies where applicable. Risk assessments also provide management with detailed documentation of the control activities in place, including process narratives, flowcharts, and risk grids. This information is useful for staff training and in cases of employee turnover.
For Minnesota state agencies, another reason to perform risk assessments is Minn. Stat. Section 16A.57 Sub. 8, which makes the head of each executive branch agency responsible for designing, implementing, and maintaining an effective internal control system within the agency. Because risk assessments are key to an effective internal control system, completing them helps agencies comply with Minn. Stat. Section 16A.57.
The COSO Framework defines risk assessment as "…the identification and analysis of relevant risks to achievement of the [entity's] objectives, forming a basis for the determination of how the risks should be managed." This means:
- Determining what needs to be done (Objectives/Goals),
- Identifying what can go wrong (Risks),
- Prioritizing what can go wrong (Risk Ranking).
Once a risk assessment has been completed, actions that will reduce the chance of things going wrong must be formulated. These actions are called control activities (the third component of the COSO Framework). The COSO Framework defines control activities as “…the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risk to achievement of the entity’s objectives.”
The information in this guide is provided to help state agencies prepare risk assessments and implement effective control activities.
A word of caution: questionnaires and checklists
Many internal control questionnaires and checklists are available on the internet. They list common risks and control activities for various processes. However, because these questionnaires and checklists were prepared by people who lack knowledge of your specific organization’s operations, standard checklists are unlikely to be sufficient for documenting your organization’s risk assessment process. Nevertheless, they may be useful for validating the completeness of a risk assessment once it has been prepared, and they can give users examples of common control activities.