FY 1999 Risk Assessment Process



Conducting a Threat Assessment

The first step in the macro risk assessment is to identify and document the potential threats to effective operations in the selected auditable areas. Potential threats should be documented under each of the headings in Attachment 1.

Research and Documentation

Research should be conducted on each of the eight risk factors for each auditable sub-area. The eight risk factors and their associated rankings are defined in Attachment 2.

The information obtained should be evaluated and summarized in concise narrative summaries that will be used to assign risk rankings. The data sources and specific information obtained from the research should be included in these documents. Examples of the formats to be used in documenting your research are provided in Attachments 3 and 4.

Using Your Results to Assign Risk Rankings

After documenting your research you should prepare an overall narrative containing the rationale and justification for assigning specific risk rankings to each of the auditable areas. An example of the format to be used is included as Attachment 5.

To provide the data necessary for the Strategic Planning Staff to complete the risk assessment spreadsheets, your narrative should include the specific rankings to be assigned to each risk factor, as discussed in Attachment 2. You will need to include the appropriate numeric ranking of 1, 2, or 3 (high, medium and low), for each of the eight risk factors.

The auditors assigned from the field will not be required to complete the spreadsheets. The Strategic Planning Staff will input the rankings from your narrative into the ranking spreadsheets. The spreadsheets will multiply your rankings and the risk weights to calculate the Total Risk Score field. The major business processes and control objectives with the lowest calculated Total Risk Score will be selected for initiating audit work.
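As an added illustration of the scoring step described above (this is not part of the FY 1999 procedure or the Strategic Planning Staff's spreadsheets), the following Python function applies the rankings and risk weights and orders the auditable areas by Total Risk Score. It assumes the Total Risk Score is the sum of each factor's ranking multiplied by that factor's weight; the factor names, the weights, and the sample rankings are constructed placeholders, since the real factors and weights are defined in Attachment 2. It also enforces the rule that every one of the eight factors receives a ranking of exactly 1, 2, or 3, which is the check a reviewer of a submitted narrative would want before the numbers reach the spreadsheet.

```python
"""Worked example of the Total Risk Score calculation.

Added illustration, not the FY 1999 procedure's own spreadsheet logic.
Factor names, risk weights and sample rankings below are assumed
placeholders; the real eight factors and weights are in Attachment 2.
"""
from typing import Dict, List, Tuple

# Assumed placeholder names for the eight risk factors (Attachment 2 defines the real ones).
RISK_FACTORS: List[str] = [f"factor_{i}" for i in range(1, 9)]

# Assumed placeholder weights, one per factor (constructed values, not Attachment 2's).
RISK_WEIGHTS: Dict[str, int] = dict(zip(RISK_FACTORS, [3, 3, 2, 2, 2, 1, 1, 1]))

# The only permitted rankings: 1 = high risk, 2 = medium, 3 = low.
VALID_RANKINGS = {1: "high", 2: "medium", 3: "low"}


def total_risk_score(rankings: Dict[str, int],
                     weights: Dict[str, int] = RISK_WEIGHTS) -> int:
    """Return the Total Risk Score for one auditable area.

    Assumed formula: sum over the eight factors of (ranking * weight).
    Raises ValueError if a factor is missing, extra, or ranked outside 1..3,
    so a malformed narrative is rejected before it reaches the spreadsheet.
    """
    expected = set(RISK_FACTORS)
    if set(rankings) != expected:
        missing = sorted(expected - set(rankings))
        extra = sorted(set(rankings) - expected)
        raise ValueError(f"rankings must cover exactly the eight factors; "
                         f"missing={missing} extra={extra}")
    for factor, rank in rankings.items():
        if rank not in VALID_RANKINGS:
            raise ValueError(f"{factor}: ranking {rank!r} is not 1, 2 or 3")
    return sum(rankings[f] * weights[f] for f in RISK_FACTORS)


def select_areas(area_rankings: Dict[str, Dict[str, int]],
                 count: int) -> List[Tuple[str, int]]:
    """Score every auditable area and return the `count` lowest-scoring ones.

    Because 1 denotes high risk, the lowest Total Risk Score marks the
    highest-risk area, which is why the lowest scores are selected for audit.
    Ties are broken alphabetically so the selection is deterministic.
    """
    scored = [(area, total_risk_score(r)) for area, r in area_rankings.items()]
    scored.sort(key=lambda item: (item[1], item[0]))
    return scored[:count]


# Constructed sample rankings for three hypothetical auditable areas.
SAMPLE_RANKINGS: Dict[str, Dict[str, int]] = {
    "Area A": dict(zip(RISK_FACTORS, [1, 1, 1, 1, 1, 1, 1, 1])),  # all high risk
    "Area B": dict(zip(RISK_FACTORS, [3, 3, 3, 3, 3, 3, 3, 3])),  # all low risk
    "Area C": dict(zip(RISK_FACTORS, [2, 1, 3, 2, 1, 3, 2, 1])),  # mixed
}


if __name__ == "__main__":
    for area, score in select_areas(SAMPLE_RANKINGS, count=len(SAMPLE_RANKINGS)):
        print(f"{area}: Total Risk Score = {score}")
```

With the placeholder weights, Area A scores 15, Area C 27 and Area B 45, so Area A and then Area C would be the first selected for audit work. Swapping in Attachment 2's real factors and weights only changes the two dictionaries at the top.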

Controlling the Results of the Assessments

We have established a series of directories on a network server in the National Office. Subdirectories have been established for each of the 20 major areas, along with a directory for procedures and templates.

To access these directories, you will need to set up a network connection to NO-SERVER-11\RISK. If possible, we suggest that you map this as your 'R' drive, for ease of reference in future communications.

You will need to copy your files to the appropriate subdirectory as they are completed. We have also prepared a list of naming conventions, which will be required for each of the file types, as provided in Attachment 6.