Agency Risk Assessment Phase II Training: Identifying and Analyzing Risk
Internal Control and Accountability Unit

Where do risk assessment requirements come from?
• Statute = MMB Commissioner adopts the standards for internal control, including risk assessment.
• MMB Commissioner adopted Standards for Internal Control in the Federal Government (Green Book).
• MMB Commissioner established statewide operating policies and procedures.

Agency Risk Assessment Procedure
• MMB Statewide Operating Policy, 0102-01, Internal Control System
• MMB Statewide Operating Procedure, 0102-01.2, Agency Risk Assessment
• Form, 0102-01.2F, Agency Risk Assessment Worksheet

Agency Risk Assessment Procedure: Implementation Plan Date and Steps
Submit: July 31, 2019 (Steps 16–21)
• Step 21: Use Information to Develop Agency Risk Assessment Plan
• Steps 19–20: Prioritize Highest Risk Business Processes
• Steps 16–18: Agency Management Review Establishment of Risk Tolerance
Submit: December 31, 2018 (Steps 7–15)
• Steps 13–15: Identify and Analyze Risk to Business Processes to Achieve Agency Goals
• Steps 7–12: Identify Business Processes to Achieve Agency Goals
Submit: July 31, 2018 (Steps 1–6)
• Step 6: Identify and Document Subject Matter Experts
• Steps 4–5: Identify Individuals Responsible for Agency Goals
• Steps 1–3: Define and Categorize Agency Goals

Core elements of Agency Risk Assessment (1–4)
1. Define and categorize agency goals.
2. Identify and assign individuals responsible for overseeing and executing defined agency goals.
3. Identify and document the primary business processes used to achieve agency goals.
4. Identify and analyze risk to primary business processes used to achieve agency goals.

Core elements of Agency Risk Assessment (5–6)
5. Rank and prioritize risk to agency business processes (consider the potential for fraud when identifying, analyzing, and responding to risks).
6. Complete an agency management review of high risk business processes.

Core elements of Agency Risk Assessment (7–8)
7. Use information from the Agency Risk Assessment procedure to develop, implement, and maintain an Agency Risk Assessment Plan in accordance with MMB Statewide Operating Procedure, 102-01.3, Agency Risk Assessment Plan Development.
8. Identify, analyze, and respond to significant changes that could affect your internal control system.

Agency Risk Assessment: What drives risk assessment and what am I trying to do?
• Agency Level Risk Assessment
• Define Goals:
  • What is to be achieved?
  • Who is to achieve it?
  • How will it be achieved?
• Identify risks
• Analyze risk
• Respond to risk

Agency Risk Assessment: Phase I

Agency Risk Assessment: Goals
• Unique meaning when used for risk assessment
• Based on statute, administrative rules, strategic plan, or other authorizing source
• Represents the first agency decision on “risk tolerance”

Agency Risk Assessment: Goal Example
The commissioner in cooperation with appointing authorities of all state agencies shall maintain an active recruiting program publicly conducted and designed to attract sufficient numbers of well-qualified people to meet the needs of the civil service, and to enhance the image and public esteem of state service employment. Minn. Stat. 43A.09
• Goal: Maintain an active recruiting program publicly conducted and designed to attract sufficient numbers of well-qualified people to meet the needs of the civil service, and to enhance the image and public esteem of state service employment

Agency Risk Assessment: Goal Categories
• Operations: Effectiveness and efficiency of operations
• Compliance: Compliance with applicable laws and regulations
• Reporting: Reliability of reporting for internal and external use
• Safeguarding: Provide reasonable assurance to prevent and detect fraud, waste, abuse

Agency Risk Assessment: Risk Tolerance
• Establishes the acceptable level of variation in performance
• Closely linked to performance indicators
• Level of precision and accuracy suitable for user needs
• Consider risk tolerance in context of law, regulations, standards
• Require ongoing revision and adjustment
• Balanced against the limited resources of the agency (cost benefit analysis)

Agency Risk Assessment: Risk Tolerance Example

Agency Risk Assessment: Individual Responsible
• Provides oversight for designated agency goals
• Usually director or assistant commissioner level
• Required to oversee the execution of Phase II requirements by subject matter experts
• Creates mid-level risk tolerance scale from SME Risk ID and Rank Templates and Risk Ranks

Agency Risk Assessment: Subject Matter Expert
• Executes the agency goal
• Usually at the task level
• Required to identify business processes and rank against statewide goals
• Creates subject matter expert risk tolerance scale and Risk Rank

Phase I Submission: July 31, 2018
Phase I: Steps 1–6 were submitted to MMB.

Agency Risk Assessment Procedure: Agency Risk Assessment Worksheet
• AGENCY MASTER: Agency Goals Template (Phase I: July 31)
• BUSINESS PROCESSES AND SME RISK RANK: Risk ID and Rank Template (Phase II: December 31)

Agency Risk Assessment Procedure: Steps 7–11
Steps 7–11 can be done by one individual who can distribute the Risk ID and Rank Templates to Subject Matter Experts.
• IR Step 7: Email to SME
• Step 8: Save Worksheet
• SME Step 9: Fill-in Worksheet
• SME Step 10: ID Goals w/ SME Name
• SME Step 11: Move Goals

Agency Risk Assessment Procedure: Risk ID and Rank Template
• Agency Goals Template: Either one assigned individual or each SME
• Every SME completes their own Risk ID and Rank Template

Agency Risk Assessment Procedure: Step 12
Individual Responsible: Assistant Commissioner
Subject Matter Expert: Director of Energy Environmental Analysis Unit (John Smith)
Risk ID and Rank Template
• Goal Number 1
  Agency Goal: Apply for, receive, and spend money received from federal, municipal, county, regional, and other government agencies and private sources.
  Source Citation (Statute/Rule): Minn. Stat. 216C.02, Subd. 1(1)
  Individual Responsible: Assistant Commissioner
  Subject Matter Expert: Director of Energy Environmental Analysis Unit
• Goal Number 3
  Agency Goal: Apply for, accept, and disburse grants and other aids from public and private sources.
  Source Citation (Statute/Rule): Minn. Stat. 216C.02, Subd. 1(2)
  Individual Responsible: Assistant Commissioner
  Subject Matter Expert: Director of Energy Environmental Analysis Unit
• Goal Number 4
  Agency Goal: Conduct the environmental review required for proposed energy facilities in Minnesota.
  Source Citation (Statute/Rule): Minn. Stat. 216E.04, Subd. 5
  Individual Responsible: Assistant Commissioner
  Subject Matter Expert: Director of Energy Environmental Analysis Unit

Agency Risk Assessment Procedure: Worksheet Prompts
Environmental Analysis Unit (John Smith)
MMB: A business process is a collection of related structured activities or tasks that produce a service or product, usually for a customer(s). A business process can be written or unwritten.
• Individual Responsible: Assistant Commissioner
  Subject Matter Expert: Director of Energy Environmental Analysis Unit
  Business Process(es): Federal grant application completion process
• Individual Responsible: Assistant Commissioner
  Subject Matter Expert: Director of Energy Environmental Analysis Unit
  Business Process(es): Federal grant money receipt process
• Individual Responsible: Assistant Commissioner
  Subject Matter Expert: Director of Energy Environmental Analysis Unit
  Business Process(es): Federal grant money distribution process

Agency Risk Assessment Procedure: Business Process(es)
Individual Responsible: Assistant Commissioner
Subject Matter Expert: Director of Energy Environmental Analysis Unit (John Smith)
• Goal Number 1
  Agency Goal: Apply for, receive, and spend money received from federal, municipal, county, regional, and other government agencies and private sources.
  Source Citation (Statute/Rule): Minn. Stat. 216C.02, Subd. 1(1)
  Individual Responsible: Assistant Commissioner
  Subject Matter Expert: Director of Energy Environmental Analysis Unit
  Primary Business Process(es): Federal grant application completion process
• Goal Number 3
  Agency Goal: Apply for, accept, and disburse grants and other aids from public and private sources.
  Source Citation (Statute/Rule): Minn. Stat. 216C.02, Subd. 1(2)
  Subject Matter Expert: Director of Energy Environmental Analysis Unit
  Primary Business Process(es): Grant eligibility and application review process
• Goal Number 4
  Agency Goal: Conduct the environmental review required for proposed energy facilities in Minnesota.
  Source Citation (Statute/Rule): Minn. Stat. 216E.04, Subd. 5
  Subject Matter Expert: Director of Energy Environmental Analysis Unit

Agency Risk Assessment Procedure: Documenting business processes that are not in writing
Individual Responsible: Assistant Commissioner
Subject Matter Expert: Director of Energy Environmental Analysis Unit (John Smith)
• Goal Number 1
  Agency Goal: Apply for, receive, and spend money received from federal, municipal, county, regional, and other government agencies and private sources.
  Source Citation (Statute/Rule): Minn. Stat. 216C.02, Subd. 1(1)
  Individual Responsible: Assistant Commissioner
  Subject Matter Expert: Director of Energy Environmental Analysis Unit
  Primary Business Process(es): Federal grant application completion process
• Goal Number 3
  Agency Goal: Apply for, accept, and disburse grants and other aids from public and private sources.
  Source Citation (Statute/Rule): Minn. Stat. 216C.02, Subd. 1(2)
  Individual Responsible: Assistant Commissioner
  Subject Matter Expert: Director of Energy Environmental Analysis Unit
  Primary Business Process(es): No written business process
• Goal Number 4
  Agency Goal: Conduct the environmental review required for proposed energy facilities in Minnesota.
  Source Citation (Statute/Rule): Minn. Stat. 216E.04, Subd. 5
  Individual Responsible: Assistant Commissioner
  Subject Matter Expert: Director of Energy Environmental Analysis Unit
If you have a procedure, but it is not in writing, write “no written process” in Column F.

Agency Risk Assessment Procedure: Documenting one goal with more than one business process
Goal Number 1
Agency Goal: Apply for, receive, and spend money received from federal, municipal, county, regional, and other government agencies and private sources.
Source Citation (Statute/Rule): Minn. Stat. 216C.02, Subd. 1(1)
• Individual Responsible: Assistant Commissioner
  Subject Matter Expert: Director of Energy Environmental Analysis Unit
  Primary Business Process(es): Federal grant application completion process
• Individual Responsible: Assistant Commissioner
  Subject Matter Expert: Director of Energy Environmental Analysis Unit
  Primary Business Process(es): Federal grant money receipt process
• Individual Responsible: Assistant Commissioner
  Subject Matter Expert: Director of Energy Environmental Analysis Unit
  Primary Business Process(es): Federal grant money distribution process
Note: Same agency goal often supported by more than one business process. Keep information the same in other columns, only business process changes.

Agency Risk Assessment Procedure: HLS
• Fewer than 20 goals listed on the Agency Goals Template?
• Goals with four or fewer words?
• Do you end up with programs when you try to list business processes?
• Do the programs under your goals have multiple business processes within?

Finding a balance: Break down to address HLS
Goal: Industries and Agencies
• Energy
• Financial institutions
• Insurance
• Unclaimed property
• Fuel Retailers
• Scales and meters
Goal: Provide information and assistance related to various forms of energy technologies.

Agency Risk Assessment Procedure: SGS
• Several thousand goals listed on the Agency Goals Template?
• Goals read like tasks?
• Do you have to repeat the same business process for large sections of goals?
• Are your statutory citations broken down to subdivisions, parts, and items?

Finding a balance: Consolidate to address SGS
Business Process: Procedure to design materials for – indigenous energy resources
• Technical assistance*
• Informational materials*
• Financial services*
• Disburse loans*
• Educational services*
• Evaluate per statute*
• Solar, wind, hydropower, etc.*
Design comprehensive program materials for the development of indigenous energy resources.

Ask: Could I complete a project on this?
• Agency Level Goal: Business Process Ratio 1:20
• Program Level Goal: Business Process Ratio 1:10
• Business Process Level Goal: Business Process Ratio 1:5

Agency Risk Assessment Procedure: Step 13
After you identify which business process(es) are most important to achieve each agency goal, answer the risk factor questions on your Risk ID and Rank Template. Make sure you use NUMBERS to respond yes or no as follows:
1 = Yes, the risk factor applies.
2 = No, the risk factor does not apply.

Risk Factor 1: Priority critical services
Ask: Does the business process support any of the five statewide goals A–E for priority critical services?
Yes = 1; No = 2
A. Custodial Care
B. Public Safety and Immediate Health
C. Benefit Payments
D. Preserve the Financial System
E. Provide Necessary Administrative Support

Risk Factor 2: Process audited as material to the ACFR
Ask: Is the business process audited as material to the financial information presented in the Annual Comprehensive Financial Report (ACFR)?
Yes = 1; No = 2

Risk Factor 3: Process in major federal programs
Ask: Does the business process support any major federal programs included in the Financial and Compliance Report on Federally Assisted Programs (Single Audit)?
Yes = 1; No = 2

Risk Factor 4: Funding source related
Ask: Is the business process critical to obtaining or accounting for the primary funding of the agency?
Yes = 1; No = 2

Risk Factor 5: Sensitive data
Ask: Does the process include collection, dissemination, use or maintenance of sensitive data, including data classified as private or confidential under the Minnesota Government Data Practices Act?
Yes = 1; No = 2

Risk Factor 6: Process is in need of documentation or update
Ask: Does the business process need documentation or does the documentation need an update?
Yes = 1; No = 2

Risk Factor 7: Process with personnel change
Ask: Have there been any recent personnel changes in leadership or key staff positions within the business process (last year)?
Yes = 1; No = 2

Risk Factor 8: Process impacted by technology change
Ask: Have there been any significant changes to the information technology, including hardware, software, applications, subsidiary systems, or operating systems used in the business process?
Yes = 1; No = 2

Risk Factor 9: Process prone to fraud, waste, and/or abuse
Ask: Is the business process inherently prone to fraud, waste, and/or abuse?
Yes = 1; No = 2

Risk Factor 10: Process prone to reputational risk
Ask: If the business process cannot achieve its goals, will there be substantial impact on the agency reputation?
Yes = 1; No = 2

Risk Factor 11: Operating environment and legal change
Ask: Have there been recent changes to the business process operating environment, laws, or regulations that impact the business process (last year)?
Yes = 1; No = 2

Risk Factor 12: Complex business process
Ask: Is the business process complex in nature (does it require the interpretation of complex laws, regulations, or complex manual calculations)?
Yes = 1; No = 2

Risk Factor 13: Process with recent audit findings or internal control weakness
Ask: Have there been recent (last year) audit findings by either the Office of the Legislative Auditor (OLA) or agency internal audits or known internal control weaknesses associated with the business process (“3” on CESAT)?
Yes = 1; No = 2

Agency Risk Assessment Procedure Risk Factors: Total “Yes” responses

Agency Risk Assessment Procedure Subject Matter Expert Risk Scale: Step 14
Identify the highest number in the Total “Yes” Response Column. Assign a range for:
• “High” risk business processes = 1 RED
• “Medium” risk business processes = 2 YELLOW
• “Low” risk business processes = 3 GREEN

Agency Risk Assessment Procedure SME Risk Rank of high, medium, or low: Step 14

Agency Risk Assessment Procedure: Step 15
Subject matter experts save their completed Risk ID and Rank Template, replacing “Template” with the last name of the SME or another unique identifier. Save and submit your completed Risk ID and Rank tab back to your assigned Individual Responsible.

Phase Two Submission: December 31, 2018
Submit the Agency Risk Assessment Worksheet to MMB (Steps 7–15)

Agency Risk Assessment Procedure Individual Responsible review of SME Risk Ranks: Steps 16–18

Agency Risk Assessment Procedure Agency Risk Rank high, medium, low: Step 19

Agency Risk Assessment Procedure: Overview of Risk Tolerance Scales: SME, IR, and Agency

Agency Risk Assessment Plan Identify Projects: Step 20
• Agency Risk Assessment Plan
  • Project 1
  • Project 2
  • Project 3

Agency Risk Assessment Plan: Step 21
Use MMB Statewide Operating Procedure 0102-01.3, Risk Assessment Plan Development and 0102-01.3F, Agency Risk Assessment Plan Template to develop or update your Agency Risk Assessment Plan based on the information from your completed Agency Risk Assessment Worksheet.

Phase Three Submission: July 31, 2019
Submit the Agency Risk Assessment Worksheet to MMB (Steps 16–21)

Questions?
Internal Control & Accountability Unit
Internal.Control.MMB@state.mn.us