When you work in local government finance, it’s not a surprise that there is risk. But, is a risk assessment really necessary? And if so, what is it all about?
Risk and Local Governments
Local governments are complex organizations that often include many different business segments, divisions, and functions. Each area often having its own unique set of risks. Change in local government also presents risk. One thing we know is that change is inevitable and constant. Constant change in regulations, programs, personnel, and technology create new considerations for risk. Both complexity and change can make achieving organizational goals and objectives a real challenge. This is especially critical as our goals and objectives are important benchmarks for local government and address community and stakeholder interests.
As we begin to understand the myriad of risks facing local government today, questions arise surrounding risk identification, tracking, and response. How do we not leave the organization unnecessarily vulnerable and leave gaps that could allow for fraud, errors, and noncompliance to occur?
The Green Book
The answer to assist with these questions is through a robust and evolving system of internal control. The Green Book located on the web at https://www.gao.gov/greenbook/overview provides a framework for internal controls for the federal government and includes risk assessments. The Green Book can be used by local governments to enhance its internal controls. Over the years many organizations have realized the benefits of adopting a framework of controls, as described in the Green Book, and includes risk assessments, however there are many that still have not. So, what is a risk assessment all about.
Understanding risks in the organization allow us to develop the right controls to help achieve our goals and objectives. Without knowing risks, controls are likely ineffective.
Key principles of a risk assessment from the Green Book include:
- Clearly defined objectives over operations, reporting, and compliance
- Identification, analysis, and response to internal/external risks to objectives
- Consideration for fraud
- Assessment of significant changes impacting controls
As we consider relevant risks and responses to the organization, it must be coupled with an understanding of the likelihood and significance associated with a risk. There are countless number of possibilities out there of things that could occur in the organization, many of them are highly unlikely and some may even be insignificant too. An understanding of likelihood and significance is critical to a quality assessment of risk.
Another consideration is tolerance levels. Unfortunately, while we may strive for perfection, the organization cannot efficiently operate and support risk responses that ensure zero error or deviation. Management defines acceptable levels of variation in performance objectives for the design of the internal control system.
The result of a quality assessment of risk is better alignment with control activities to mitigate the variety of risks encountered in achieving objectives. It promotes a more efficient and effective system of controls because it results in focusing time and effort where it matters and not wasting time where it does not. When considering all these factors, the question should not be, is a risk assessment necessary, but rather, why have we not implemented risk assessments yet.
For more information on beginning risk assessments for your local government, contact Brea Partner, Bryan Gruber, at (714) 672-0022.
Thinking he would eventually move into private industry, Bryan is now an audit partner at LSL with no sign of slowing down. Overseeing the firm’s multi-faceted government practice, Bryan leads financial and internal audits, working directly with government finance directors and board members. He enjoys the larger responsibility of providing assurance to donors, members and the public – supporting community health and vitality.
You can reach Bryan at 714-672-0022.
Read Bryan’s complete bio.