Your Role in Internal Control - Episode 5, Risk Assessment

We've been using a pyramid to illustrate the five interrelated components of internal control. At the pyramid's core is our second component, risk assessment—identifying and analyzing relevant threats to achieving an organization's strategic and operational objectives with a forward-looking focus.

Risk Assessment - A Core Function

WSU has five strategic goals and prominently displays University Dashboards to track public metrics related to their advancement. Additionally, its colleges and departments have goals and objectives of their own. These may directly support the university's goals, diverse academic disciplines, or operations.

Internal Control Pyramid

What is Risk Assessment?

WSU and its colleges and departments face various risks from external and internal sources. Risk assessment is the identification and analysis of relevant risks to achieving objectives. It's recognizing potential problems and determining how to manage the threat they pose.

Why is this important? Problems divert valuable time or financial resources from your vision, mission, goals, or objectives. And unexpected trouble is usually the most frustrating or expensive.

Because change is constant, risk assessment should be considered as an ongoing process.

Many times the real risks associated with college and university operations are not readily identified. Risks often can involve much more than the actual losses of a particular asset.

The more important risk could be the loss of public trust, donor confidence, or violations of laws or regulations.

Consider areas where something could go wrong:

  • Financial matters
  • Health and Safety
  • Human resources
  • Information systems
  • Public relations and reputation
  • Legal and regulatory compliance

External risk factors might include:

  • New technology
  • Economic environment
  • New legislation or regulations
  • Natural disasters, pandemics, criminal or terrorist actions

Internal risk factors might include:

  • New programs
  • New personnel
  • Revamped information systems
  • Change in management responsibilities

When presenting this material in years past, I admittedly did not list pandemics among the external risk factors. Some risks will always be with us, and new ones will emerge.

Risk Analysis

Consider this four-step risk analysis process with a few possible questions to ask:

  1. Identify relevant risks. Assess what could or might happen and encourage diverse opinions. You could have a brainstorming meeting, conduct a survey, or tour facilities.
  2. Consider the likelihood of each risk. Has something similar affected others already? Has it occurred at schools like ours? How often does it happen?
  3. Discuss the possible impact of each risk. Would it affect physical facilities? How many groups would it involve? How long would it take to recover?
  4. Set priorities for action. You're not likely to have all the resources you need for every risk you identify. Which risks make your "short list" for priority support and effort? What can you do to affect the outcome?

Identify From the Top-Down or Bottom-Up?

A top-down approach zeroes in on risk questions that matter most to university strategic objectives (or those of your college or department).

It's the process of considering what future events might prevent or slow their achievement or enhance the prospects of success. Then you develop specific steps to reduce the risks and uncertainties at the top of your list to the extent you can.

A bottom-up approach begins by soliciting input from the front-line management, which has the advantage of proximity.

Who else would know where risks lie that may not be visible to more senior leaders? Brainstorming with your team about the challenges they see in their respective areas brings potential threats to the forefront and raises their overall risk awareness.

Whether you use top-down, bottom-up, or a combination will depend on the focus of your operations, level of responsibility, and day-to-day challenges.

Risk Management - Forward Looking

Of course, problems will invariably crop up. But if the risks are on your radar already, you have a head start because risk management differs from just plain "good management."

The difference is in its forward-looking focus. Even a glimpse of the path ahead can suggest how to best prepare and give campus leaders a little more time to respond. (emphasis mine) 1

Paula Vene Smith, Professor of English and former Director of the Purposeful Risk Engagement Project at Grinnell College 

The WSU Policies and Procedures Manual is a prominent example of forward-looking risk management.

University leaders and constituencies issue guidance for handling routine and emerging risks and regularly update the manual for changing conditions.

Forward-looking risk management gives you a head start in your area of influence to solving problems and attaining university, college, and department goals or objectives. 

Change is the Greatest Challenge

Change is the greatest challenge to systems of internal control. There will always be problems and difficulties because change is inevitable. There will be new threats, opportunities, technology, regulatory requirements, funding challenges, and personnel changes. Changes like these place stress on systems of internal control. Increasing our ability to respond to change better positions us to achieve our objectives. 

Tomorrow is a heck of a thing to keep up with.

Walt Disney

As we look to the future, our mindset must be to keep our arrows pointed in the right direction. Don't expect to always have a perfect set of control activities at your disposal. Internal control is a process!

Person leaping in front of brick wall.

(Pexels/Bernadette Little)

Start where you are, and don't expect a quick fix. Your control system will require continuous monitoring and fine-tuning. But these improvements will compound over time, leading to a giant leap forward! 

1 Paula Vene Smith. Seven Ways to Mitigate Campus Risk, University Business (September 24, 2014)