risk assessment and matrix
Risks / Activities 1 2 3 4 5 6 7
Governance and Leadership HM HM Governance HH HM HL Budgeting MM MM MM
HM Strategic Planning HM HM MM Monitoring
Plant Operations and Maintenance HM Construction HM HM MM Utilities ML LL Transportation
HH Biosafety HM MH MH MH MM MM MM
Student Services HM Financial Aid HM HL Student Records HL HL Registration HL MM Student Life MM
Human Resources Management HM HM MM Compensation MM MM Turnover ML ML Staff Development ML
Asset and Risk Management HM MH Cash Handling MM Investments MM MM Endowments MM MM Risk Management MM
HM HL MH Travel MH Signature Authority MH MM Budget Operation MM MM
University Relations and Alumni Affairs HM Gifts MM Planned Giving MM ML Partnerships ML LL Public Service LL LL
Instruction and Academic Support HH MM MM Library MM MM MM MM MM
Purchasing MH MM MM MM MM LL Central Receiving
Auxiliary and Service Departments ML Housing ML Student Union ML LL Food Services LL Printing LL Bookstore
MM
HH, HM
HL, MH Manage and Monitor (all levels of control, but no traditional audit)
MM, ML, LH Monitor (only execution controls and supervisory controls)
LM, LL Accept (accept the risk and have no controls)
Impact = The effect a single occurrence of that risk will have upon the achievement of org's goals & objectives.
Strategic Planning Process
Organizational Structure
Disaster Recovery Planning for Business Processes (Not IT Disaster Recovery)
Institutional Policies & Procedures
Internal Communications
Information Technology - See Appendix D for detailed risk assessment for IT areas.
Acquisition and Implementation
Delivery and Support
Work Orders & Billings
Organizational Structure - Facilities Management
Contracted Services
Research and Development - See Appendix C for detailed risk assessment for Research.
Contract and Grant Accounting (CGA): Time & Effort Reporting
Engineering & Science Research Enhancement Initiative
Animal Research & Safety Issues
CGA: Allowable Costs
CGA: Cash Management
OSP: Preparation of Research Protocols
Scholarships & Fellowships
Enrollment Services
Admissions Processing
Strategic Plan does not address Human Resources
Human Resources Organization and Staffing
Employment - Recruiting
Employment - Diversity
Campus Safety & Security
Tuition and Fee Collection Process
Fixed Assets / Equipment
Financial Management - See Appendix H for detailed risk assessment for Financial Areas.
Internal Financial Controls
Financial Reporting
Outside Sales by Schools and Division
Organization and Management
Annual Fundraising
Governmental Relations
Continuing Education
Accreditation / Institutional Effectiveness
Deployment of Resources Among Academic Programs
Course Scheduling and Availability
Instructional & Academic Technology
Management of Departments and Programs of Study
Classroom and Building Utilization
Contracting Process
Policies and Procedures
Operations and Bid Processes
Organization and Management
Minority and Small Business Vendors (HUB)
University Police and Parking
Institutional Compliance Program - see Appendix E for listing of high-risk areas.
Compliance Program
Extensive Risk Management & Considerable Risk Management (all levels of control plus traditional audit)
High: The effect will cause org not to achieve its goals and objectives.
Medium: The effect will cause org to operate inefficiently and/or expend unplanned resources to meet goals and objectives.
Low: There will be no measurable effect upon the achievement of org's goals and objectives.
Probability = The probability that a risk will become reality at org.
High: The risk will become a reality frequently at org.
Medium: The risk will become a reality infrequently at org.
Low: The risk will rarely become a reality at org.
Activities
Governance and Leadership
Plant Operations and Maintenance
Student Services
Human Resources Management
Asset and Risk Management
University Relations and Alumni Affairs
Instruction and Academic Support
Purchasing
Auxiliary and Service Departments
8 9 10 11 12 13 14 15
Facility Planning MM MM MM MM Compliance Office ML
MM MM MM MM MM ML Research Training ML
Administration MM Recruiting MM Student Health MM ML ML LM LL
ML ML LL
MM MM MM ML Internal Auditing LM Records Retention
Accounts Payable MM Payroll MM MM
LL Alumni Relations
MM MM Special Programs ML ML LL K-16 Issues LL
Office of the President
Meetings & Committees
Upward Evaluation of Administrators
Performance Measures
OSP: Research Integrity (objectivity, scientific misconduct)
Institutional Review Board
Office of Sponsored Projects (OSP): Negotiation of Agreements
CGA: Financial Reporting
CGA: Cost Sharing
Technology Transfer
CGA: Facilities and Administrative Cost Accounting
International Students
Student Organizations & Activities
Student Counseling
Activities Center Operations
Student Grievances
Employee Relations
Employment - Hiring
Faculty Credentials
Policy and Procedure
Cash Management
Bonded Indebtedness and Issuance
Accounts Receivable
Organization and Management
Contract and Grant Accounting
Budget Preparation Process
News and Information
Deferred Maintenance
Distance Education
Program Development & Program Evaluation Process
Faculty (recruitment, tenure, development, turnover, workload, productivity)
Institutional Affiliations
FISCAL YEAR 20**
Risks / Activities 1 2 3 4 5 6
HM HM HM
Time and Effort Reporting
HH HH HM HM HL ML
MH MH
Records Archiving
MH MH MH
HL HL
HL
MH
Technology Transfer HL HL
Training - Research
HL HL
Animal Research - Safety
HL HL HL
Protection of Animal Subjects
HL HL HL
Institutional Review Board (IRB)
HL HL HL
Protection of Human Subjects
HL HL HL HL
Protection of Researcher
HL HL
Protection of Research
HL HL HL HL
APPENDIX C: Risk Assessment for Research Areas
Laboratory Safety (Biosafety, Chemical Safety, Controlled Substances, Laser/Radiation Safety)
Financial, criminal, and/or physical harm from misapplication of laboratory procedures and practices.
Inappropriate disposal of hazardous waste resulting in fines and criminal charges.
Financial or physical harm to the University, its students, faculty and staff.
Loss of Federal/State funding and incurrence of penalties due to PI over-committing his time - not charging minimum or charging more than maximum.
Loss of Federal/State funding and incurrence of penalties due to RAs not knowing the name of the project they're working on, the funding source, and the link between their work and the project.
School Effort Coordinators not performing independent reviews.
Loss of Federal/State funding and incurrence of penalties due to lack of documentation for hourly time changes in the school departments.
Loss of Federal/State funding and incurrence of penalties due to someone other than a knowledgeable person signing the certification form.
Loss of Federal/State funding and incurrence of penalties due to signed certification reports not being returned to C&GA in a timely fashion.
Coordination of Gifts and Grants with Development Office
Improper classification of grants or contracts as an unrestricted gift.
Funding agency sends confusing award letters as to whether the award is a gift or a grant.
Improper maintenance of records.
Noncompliance with record retention.
Noncompliance with University or applicable sponsor policies.
International Initiatives (Export Control)
Export of controlled information not properly processed and reported.
Unauthorized foreign nationals working on restricted research.
Research Integrity - Objectivity of Research
Research protocols are not reviewed and approved by IRB and IACUC committees for scientific merit.
Research Integrity - Scientific Misconduct
PI or research staff reports invalid and inaccurate data to funding agency.
Patent and agreement violations occur.
PI fails to report earnings returned from technology.
PIs and research staff are not properly trained and a record of training is not on file with research compliance.
Funding opportunities are missed because documentation is not provided to the funding agency.
Lack of training for PI and Research Staff.
Lack of independent monitoring of research activity by PI and animal resources staff.
Incidents of non-compliance are not properly reported to research compliance.
Lack of training for PI and Research Staff.
Lack of independent monitoring of research activity by PI and animal resources staff.
Incidents of non-compliance are not properly reported to research compliance.
IRB Committee is not familiar with state and federal regulations concerning human participant research.
Proper measures are not taken to review and approve research protocols thoroughly.
Protocols are not pre-reviewed by research compliance.
Lack of training for PI and Research Staff.
Proper measures are not taken to ensure confidentiality of research participants.
Consent forms and research data are not stored properly.
Non-compliance issues and adverse effects are not reported to research compliance.
Lack of training for PI and Research Staff.
Non-compliance issues and adverse effects are not reported to research compliance.
Lack of training for PI and Research Staff.
Research data is not stored properly.
Access to research data by unauthorized personnel.
Issues of non-compliance are not reported to research administration.
OSP - Negotiation of Agreements
HL HL HL
Preparation of Research Protocols
HL HL HL
Cost Estimates
MH MH
Cost Sharing
MH MH MH MH
Financial Reporting
HL
Allowable Costs
HL HL
Training - Post Award Research
HL HL HL HL
Sub-Contractor monitoring
MH MH MH MH MH
Cash Management
MH MH ML MM
HL MM MM IDCs not charged, if required. MM MM
Invention Disclosure
ML ML ML PI does not patent invention. ML
ML ML
MM MM MM
Lack of expertise when negotiating other than System approved contracts and agreements.
Lack of knowledge of System rules and regulations regarding contracts.
Lack of knowledge about intellectual property agreements.
Animal subject and human participant research protocols are not pre-reviewed by research compliance.
Protocols will not get approved by IACUC and IRB.
Funding opportunities are missed because of delay in protocols approvals.
Faculty does not have any idea of how to calculate the actual cost of the research project.
Faculty underestimates what the research will cost and will be unable to complete the research.
Disallowed costs due to inability to get cost share documentation from schools on closed federal grants.
Unallowable costs due to a separately identifiable cost share account not being opened and budgeted before the grant is opened, per org policy.
Loss of Federal/State funding and public embarrassment due to inaccurate reporting of or failure to provide mandatory cost sharing per contract.
Sponsor disallowed costs due to charging unallowable costs to mandatory cost share accounts.
Disallowed costs due to inaccurate or incomplete reporting requirements reflected on contract documents.
HL
Loss of Federal/State funding and public embarrassment due to reports not done in a timely fashion.
Disallowed costs due to PIs doing major purchases at end of grant to use up funds.
Unallowable costs incurred and not reimbursed by sponsors.
Disallowed costs and damage to reputation due to training programs not being tailored to the individual needs of faculty/staff/management.
Disallowed costs and damage to reputation due to lack of training programs offered.
Disallowed costs and damage to reputation due to lack of training policy and plan for continuous improvements.
Disallowed costs due to lack of participation in program.
org sub-contracts may not include clause requiring sub-contractors to comply with applicable laws & regulations.
Subcontractors may not be in compliance with Federal and other applicable regulations.
Subcontracts are not reviewed annually per new org policy. Effective approximately 8/06.
Annual sub-contractor risk assessments not being done, per new policy.
Sub-contractor invoice certification not included on sub-contractor purchase orders and invoices.
Overspending Sponsored Programs Budgets resulting in unreimbursed costs.
Schools not handling Petty Cash per org policy
Letter of Credit draws not made in timely fashion
Not collecting all billed revenue.
Incomplete/inaccurate contract/grant documentation or no documentation received.
Delay in filing financial reports to the sponsor(s).
Sponsor billing does not take place, or is not done per the contract. Negative effect on cash flow.
Risk of not being reimbursed in a timely fashion. Negative cash flow.
Contract versus grant designation incorrect on brief. Some federal contracts do not require quarterly reporting.
PI does not accurately list the percentage of work spent on agreement or work with other inventors.
PI does not disclose an invention.
PI does not disclose royalty revenues.
Preparation of Certifications and Assurances
PIs and research staff do not have proper certifications and assurance on file with research administration.
Funding opportunities are missed because documentation is not provided to the funding agency.
Facilities and Administrative Cost Accounting
Incorrect IDC rate/base entered into FINS due to incorrect paperwork.
IDC rate changes during term of grant and separate account is not opened. (The only way FINS can handle this).
Loss of Federal/State funding and public embarrassment due to incorrect calculations in F&A rate proposal.
MM MM MM
Records Archiving
MM MM
MM MM
MM MM
MM MM MM
MM MM MM MM MM
HH, HM = Extensive Risk Management & Considerable Risk Management (all Levels of Control* plus a traditional audit)
HL, MH = Manage and Monitor (all Levels of Control but no traditional audit)
MM, ML, LH = Monitor (only Execution Controls & Supervisory Controls)
LM, LL = Accept (accept the risk and have no controls)
Impact = The effect a single occurrence of that risk will have on org.
High: The effect will cause org to materially misrepresent its financial position.
Medium: The effect will cause org to misrepresent its financial position.
Low: There will be no measurable effect upon financial statement reporting.
Probability = The probability that a risk will become reality at org.
High: The risk will become a reality frequently at org.
Medium: The risk will become a reality infrequently at org.
Low: The risk will rarely become a reality at org.
Minority and Small Business Vendors
Loss of Federal/State funding and damage to reputation due to PI not using small business/minority and women owned business to fullest extent practicable.
Loss of Federal/State funding and damage to reputation due to PI not making information on forthcoming opportunities available to encourage and facilitate participation by small business/minority and women owned business.
Loss of Federal/State funding and damage to reputation due to vendor being on debarment list
Loss of Federal/State funding and public embarrassment if org Accounts Payable and the Schools cannot produce receipts for contract/grant expenditures.
Untimely closing of grants creating increased risk for unallowable costs due to audits.
Administration/creation of contract and grant documentation: Lack of clarity between sponsor & org regarding carry-forward of funds
Unreimbursed costs due to opening and budgeting sponsored programs accounts before obtaining official sponsor commitments.
Excessive cost transfers may affect the audit trail of transactions which in turn may result in unsubstantiated costs leading to disallowances.
Authorized spending of contract/grant funds without signed pre-award or signed agreement.
Funds expended before official contract date may be disallowed by the sponsor(s).
Negative effect on cash flow until funds can be reimbursed, if and when signed contract is received.
Purchase Orders for services are treated as sub-contracts in violation of OMB Circular A-133, §___.210.
Loss of Indirect Cost revenue due to expenses charged to sub-contractor expense instead of M&O. Breakdown on invoices and financial reporting by expense category are incorrect.
Incorrect breakdown of costs on invoices and financial reporting by expense category.
Vendors providing services are treated as sub-contractors in violation of OMB A-133, §___.210.
Data input to system not accurate and/or differs from paperwork received.
Lacking CFDA # - required for Federal reporting.
Accurate contract/grant start/stop dates cannot be counted on leading to inaccurate financial reporting of grants.
Missing Sponsor or PI ID numbers, leading to inaccurate reporting.
Pre-award specialist assigns grant number from wrong range (fed., state, pvt., or local)- Reporting category is in error.
Sponsor/sub-sponsor switched on brief.