Risk assessment
The central theme of internal control is to identify risks to the achievement of the University’s objectives and to do what is necessary to manage those risks.
Determine Goals and Objectives
At the highest levels, goals and objectives should be presented in a strategic plan that includes a mission statement and broadly defined strategic initiatives. At the department level, goals and objectives should support the department’s strategic plan. Goals and objectives are classified in the following categories:
- Operations objectives: These objectives pertain to the achievement of the basic mission(s) of a department and the effectiveness and efficiency of its operations, including performance standards and safeguarding resources against loss. Examples of operational objectives may include improving college and departmental operational efficiency, and providing dedicated customer service to the wide variety of internal and external customers. These goals must be specific, measurable, agreed upon, realistic, and time sensitive.
- Financial reporting objectives: These objectives pertain to the preparation of reliable financial reports. Examples of financial reporting objectives may include providing accurate and timely financial reports.
- Compliance objectives: These objectives pertain to adherence to applicable laws and regulations. Examples of compliance objectives may include being compliant with grant restrictions and federal and state regulations, in addition to University policies and procedures.
Identify risks after determining goals
Risk assessment is the identification and analysis of risks associated with the achievement of operations, financial reporting, and compliance goals and objectives. This, in turn, forms a basis for determining how those risks should be managed.
To properly manage their operations, managers need to determine the level of operations, financial and compliance risk they are willing to assume. A risk is anything that could jeopardize the achievement of an objective. Asking the following questions helps to identify risks:
- What could go wrong?
- How could we fail?
- What must go right for us to succeed?
- Where are we vulnerable?
- What assets do we need to protect?
- Do we have liquid assets or assets with alternative uses?
- How could someone steal from the department?
- How could someone disrupt our operations?
- How do we know whether we are achieving our objectives?