Identify all corresponding controls currently in place. This information is factored into the graph of
risks (heat map).
Define the applicable Service and Function name in the header for the document. To do this, click
View > Header and Footer. Select Custom Header, and replace the following text with the name of
the service and function: [Enter Service and Function Name].
Complete the Corrective Action Plan section, describing any additional controls that will be put in
place to further reduce or mitigate each risk, as appropriate, and defining a target completion date for
each new control.
When all the objectives and risks have been listed and rated, step back and ask yourself if this makes
sense. Adjust as needed.
When you think you have all the objectives and risks listed, ask yourself, "What keeps me up at
night?" "What do I worry about?" If you have not included these items already, be sure to include
them.
When ranking the risks, do not be concerned with small differences and complete accuracy in lower-
level rankings. For example, don't spend time deciding if an item is risk 77 or 79. As long as the risk
falls into the appropriate quadrant of the heat map, minor differences between numbers will not have
a big effect. When you are done ranking all of the risks, look at the heat map to see if the map
appears reasonable. For example, ask yourself, "Does it make sense that risk 1 is in this quadrant
while risk 2 is in another?"
Review the existing controls in the context of their risk factor (a factor of likelihood and impact).
Consider if any controls in place are redundant or outdated and could be eliminated.
After the information is complete, sort the risks in descending order by the "Risk Factor
(automatically calculated)" field. The Office of Internal Audit and Management Advisory Services is
available as a resource if you have any questions about how to do this.
If a risk is ranked as "low" or "minimal concern", it may not be necessary to implement any new
controls. If this is the case, indicate that you have considered the risk and the existing controls and
no action is needed. Suggested wording is "Impact and Likelihood are low, existing controls appear
adequate. No additional controls are needed at this time."
If the same risk is identified on more than one of the function's process maps, list each occurrence
separately in the risk assessment. The same risk occurring in different circumstances can have
different likelihood, different impact, and different mitigation controls.
Notes and Tips for using the Excel spreadsheet to complete a function-level risk
assessment
Complete all cells for each line. Do not skip cells or leave cells blank. This affects the graph of risks
(heat map).
List the objective for each risk. This is important when you sort and rank the risks.
Number the risks consecutively regardless of the objective. This is necessary for the numbering of
the heat map.
The risk assessment template uses Excel. It is helpful to be familiar with Excel and some simple, but
less common commands. The Office of Internal Audit and Management Advisory Services is
available as a resource if you have any questions about using this template or Excel.
After you have completed your risk assessment, be sure to save the document with the appropriate
file name.
Cheat Sheet for Rating the Likelihood and Impact

Below is a guidance sheet to help you differentiate between the rating options in your
risk assessment and be consistent when you rate the likelihood and impact of each
risk.

Likelihood

Score  Description
1      Very small chance of happening.
10     Small chance of happening.
20
30     Moderate chance of happening.
40
50     This will happen about half the time.
60
70     Likely to happen.
80
90     Very high chance of happening.
100    Certainty this will happen!

Impact

Score  Description
1      Very small impact. Even if the risk becomes reality, there will be
       negligible effect on the RF
10
20     Impact is small, and manageable.
30
40
50     Impact is significant and noticeable. If financial risk, dollar amount is
       significant but fixable with current resources; if strictly operational, it will
       affect operations but can be worked around.
60
75     Very serious impact; challenges with working around it.
80
90
100    Can prevent RF mission from being realized.
[Enter Service and Function Name] -
Risk Assessment and Corrective Action Plan
5/28/2014
Category (optional) / Function: Financial Risk Management

Risk #  Risk                                                                  Likelihood (x)  Impact (y)  Risk Factor (automatically calculated)  Comment
1       Cash                                                                  15              10          25
2       Accounts Receivable                                                   84              90          174
3       Advances to Others                                                    55              30          85
4       Investments                                                           52              80          132
5       Fixed Assets                                                          30              30          60
6       Other Assets                                                          20              25          45
7       Accounts Payable and Accrued Expenses (AP)                            55              48          103
8       Accounts Payable and Accrued Expenses (IBNR - mainly workers' comp)   50              20          70
9       Accrued Compensation                                                  30              45          75
10      Accrued Vacation                                                      40              45          85
11      Deferred Revenue                                                      25              70          95
12      Deposits Held for Others                                              25              40          65
13      Post-retirement Obligation                                            75              90          165
14      Long-term Debt                                                        20              15          35
15      Line of Credit                                                        20              35          55
16      Other Liabilities                                                     55              15          70
17      Net Assets                                                            85              85          170
Notes: For Dec 2010, major changes since September 2010:
*A/R increases reflected in higher impact; NYS holdback reflected in higher likelihood
*made adjustments to other accounts to reflect impact as it relates to the size of the
balance sheet- accts over 50 mil should be at or over the 50 impact; with accrued accts just below.
*accrued exp for self-insured programs- noted likelihood should be higher since amount is
subjectively determined
*similarly, other assets include swap and forward contracts- calcs are based on
estimates. Likelihood was increased, while impact was decreased since balances are
small.
[Figure: heat map plotting risks 1 to 17 by Likelihood (x-axis, 0 to 100; No Chance, Average Chance, Certain) against Impact (y-axis, 0 to 100; Low to High). Quadrant labels: Make do, Monitor, Manage, Mitigate. Quadrant descriptions: "High potential; not likely", "Less Risky", "Likely; low potential", "Threatening".]