0102-01.2 Risk Assessment Procedure


Minnesota Management and Budget

Statewide Operating Procedure


Minnesota Management and Budget, Internal Control & Accountability Number 0102-01.2
Issued: April 1, 2013 Revised: March 10, 2016

Risk Assessment

Objective

To assist executive agencies with creating and maintaining a comprehensive risk assessment program. Applicable agencies must develop a risk assessment plan that identifies the risk assessments that will be performed, with relevant control activities identified, documented, and evaluated. The plan must be sufficient in scope, carried out as designed, and periodically updated to support the agency head’s annual internal control system certification, pursuant to Minnesota Statute Section 16A.057, Subdivision 8.

Risk assessment is the second component of the Standards for Internal Control in the Federal Government, also known as the Green Book. Risk assessment is vital to an effective internal control system. It helps management identify and manage (reduce) potential events, from both internal and external sources, that could prevent the organization from achieving its objectives. The Green Book lists four principles that must occur to meet the risk assessment internal control standard. The four principles are:

• Management should define objectives clearly to enable the identification of risks and define risk tolerances.
• Management should identify, analyze, and respond to risks related to achieving the defined objectives.
• Management should consider the potential for fraud when identifying, analyzing, and responding to risks.
• Management should identify, analyze, and respond to significant changes that could impact the internal control system.

Control activities are the third component of the Green Book. Control activities are the actions management establishes through policies and procedures to achieve objectives and respond to risks identified through risk assessment. The Green Book lists three principles that must occur to meet the control activities internal control standard. The three principles are:

• Management should design control activities to achieve objectives and respond to risks.
• Management should design the entity’s information system and related control activities to achieve objectives and respond to risks.
• Management should implement control activities through policies.

The risk assessment and control activities components operate in unison, and for purposes of this procedure, should be analyzed and evaluated together.

This procedure is applicable to all cabinet level agencies and other agencies as determined via Step 1 of the Risk Assessment Plan Development and Update section below.
General Procedures

Risk Assessment Plan Development and Update

Step 1. Determine which executive branch agencies are subject to the risk assessment requirement based upon the following considerations:
• Cabinet level agencies (regardless of size)
• Appropriations and/or expenditures > $10,000,000 (based on FY12 – FY13 biennium)
• Agency’s level of inherent business risk and scope of authority
Responsible party: Minnesota Management and Budget (MMB) Internal Control & Accountability Unit
Timeline: Completed February 2013. MMB will re-evaluate as needed.

Step 2. Notify applicable executive branch agencies of their ongoing responsibilities to develop, maintain, and execute a risk assessment plan.
Responsible party: MMB Commissioner
Timeline: Annually

Step 3. With input from applicable staff, conduct a high level, but comprehensive, review of the organization’s most significant business processes and/or risks (for a definition of a business process refer to Risk Assessment Plan: Business Process Definitions in the “Related Resources” section below). Consider:
• Processes audited as material to the financial information presented in the Comprehensive Annual Financial Report (CAFR)
• Federal programs identified as major in the Financial and Compliance Report on Federally Assisted Programs
• Processes relating to the organization’s primary sources of funding and major expenditures
• Other processes critical to achieving the organization’s primary mission and objectives
Using qualitative and quantitative factors, further refine the list of business processes and/or risks that inherently pose the greatest threats to the organization’s mission and objectives. (Refer to the “Related Resources” section below for the Risk Assessment Plan: Business Process Prioritizing Factors.)
Determine which risk assessment projects will be included in the organization’s risk assessment plan.
Responsible party: Agency Head/Agency Management
Timeline: Annually

Step 4. Document the decisions (i.e., the criteria, rationale, and reasoning) for the individual risk assessment projects included in the risk assessment plan. Ensure this information is readily available for inspection by internal and external auditors, or other applicable third parties.
Responsible party: Agency Head/Agency Management
Timeline: Annually

Step 5. Create or update (whichever applicable) the agency-specific risk assessment plan. The plan must be sufficient in scope to support the agency head’s annual certification of the agency’s internal control system, pursuant to M.S. 16A.057, Subd. 8.
Responsible party: Agency Head/Agency Management
Timeline: Annually by July 31

Step 6. Assign responsibility to a senior level manager for ensuring the risk assessment plan is implemented. Specifically, that individual risk assessment projects:
• Are performed within the timeframes specified in the plan;
• Are sufficiently documented;
• Results and corrective action plans for control gaps/weaknesses are communicated to management;
• Are periodically reviewed and updated; and,
• Documentation is readily accessible for third party (e.g., auditor) review.
Responsible party: Agency Head/Agency Management
Timeline: Annually

Risk Assessment Plan Implementation

Step 1. Perform and document risk assessment projects as outlined in the risk assessment plan. This step includes the following phases for each individual risk assessment project to be performed:
• Coordinating the risk assessment project;
• Documenting the business process;
• Identifying risks;
• Prioritizing risks;
• Identifying and evaluating control activities;
• Creating action plans to address control gaps and redundancies; and,
• Communicating results to management (and oversight bodies, if applicable).
(NOTE: For additional information about each of these risk assessment phases, review the “Conducting a Risk Assessment” section of the Guide to Risk Assessment and Control Activities referenced in the “Related Resources” section below.)
Responsible party: Agency staff as assigned
Timeline: Ongoing

Step 2. Develop formal corrective action plans to address all control weaknesses and gaps identified during each risk assessment project.
Responsible party: Agency project team for each individual risk assessment
Timeline: Ongoing

Step 3. Communicate results of each risk assessment project, including any proposed corrective action measures, to senior leadership. This step also requires giving senior leadership periodic updates on the status of any corrective action measures.
Responsible party: Agency project team for each individual risk assessment
Timeline: Ongoing

Ongoing Risk Assessment Review and Update

Step 1. Determine if changes to the internal and external business environment require updates to the completed risk assessment(s). To guide this determination, complete the Ongoing Change Indicators for Completed Risk Assessments Questionnaire for each risk assessment project included in the agency’s risk assessment plan. (Refer to the “Related Resources” section below for the questionnaire.) Communicate results to management. Maintain all completed questionnaires and documentation. Ensure these records are readily available for review by internal and external auditors, or other applicable third parties.
Responsible party: Agency Head/Agency Management/Agency Staff
Timeline: Annually, at a minimum

Step 2. For all risk assessments completed pursuant to the risk assessment plan, periodically verify that risk assessment documentation remains accurate, that control activities continue to operate as intended and as described in the risk assessment documentation, and that control activities are effectively mitigating the applicable risks. (NOTE: For additional information, review the “Sustainable Risk Assessments” section of the Guide to Risk Assessment and Control Activities referenced in the “Related Resources” section below.)
Responsible party: Agency staff as assigned
Timeline: Minimum of every three years from the date the risk assessment was initially completed or from the date of last revision/update

Step 3. Based upon the results from steps 1 and 2, or if other significant change events have occurred, update/revise the risk assessment documentation accordingly.
Responsible party: Agency Head/Agency Management
Timeline: Ongoing

Annual Certification

Step 1. Certify to the status of the risk assessment plan implementation, mitigation of identified control weaknesses/gaps, and ongoing review/update of completed risk assessment documentation via the annual agency head internal control system certification process, pursuant to Minn. Stat. Section 16A.057, Subd. 8.
Responsible party: Agency Head
Timeline: Annually by July 31
Forms

Internal Control System Certification Form
(http://mn.gov/mmb/internalcontrol/executivebranchagencyrequirements/annualinternalcontrolsystemcertification/)

Ongoing Change Indicators for Completed Risk Assessments Questionnaire
(http://mn.gov/mmb/images/2014%2520RA%2520Ongoing%2520Change%2520Indicators%2520Wksht.docx)

Related Policies and Procedures

MMB Statewide Operating Policy 0102-01 Internal Control System
(http://mn.gov/mmb-stat/documents/accounting/fin-policies/chapter-1/0102-01-internal-control-policy.docx)

Related Resources

Risk Assessment Plan: Business Process Definitions
(http://mn.gov/mmb/images/2014%2520RA%2520Business%2520Process%2520Definitions.docx)

Risk Assessment Plan: Business Process Prioritizing Factors
(http://mn.gov/mmb/images/2014%2520RA%2520Business%2520Process%2520Prioritizing%2520Factors.docx)

Risk Assessment and Control Activities Webpage – Includes the Guide to Risk Assessment and Control Activities, risk assessment examples, and questionnaires, among other resources.
(http://mn.gov/mmb/internalcontrol/internalcontrolframeworkandtools/riskassessment/)

Guide to Risk Assessment and Control Activities – This document discusses the theory and rationale for completing risk assessments, and includes detailed instructions for developing a risk assessment plan, completing individual risk assessment projects, and periodically updating risk assessment plans and individual risk assessment project documentation.
(http://mn.gov/mmb/images/2014%2520Risk%2520Assessment%2520Guide.docx)
