The Importance of Risk Management
Elements of risk are found within every organization, including government organizations, and, therefore, an organization should calculate its risks and understand that risk management needs to be built into the core infrastructure of the organization. Risk is broadly defined as "what can go wrong." It is the possibility of an event occurring that will have an impact on the achievement of objectives. "Risk" is not synonymous with "problem," and the risks that are identified in this report are a combination of risks that exist within and can be controlled by the County, and risks that are inherent to the County as a local government entity. These inherent risks may or may not be controlled by the County but can be an exposure risk to the County, and can therefore be considered in the countywide risk assessment.
To maintain alignment between risk exposures and organizational objectives, a risk intelligent organization draws on the coordinated efforts of three levels of risk management responsibility:
- Risk governance, including strategic decision-making and risk oversight, led by the Governing Board, the County Administrator, the Chief Financial Officer, and other executive management
- Risk infrastructure and management, including designing, implementing, and maintaining an effective risk management program, led by executive management and/or facilitated by the Chief Auditor
- Risk ownership, including identifying, measuring, monitoring, and reporting on specific risks, led by the departments and management in these areas including political, high profile programs, external oversight reviews, etc.
The more clearly an organization can state its mission and priorities, as well as understand its strengths and capabilities, the more directly it can navigate to identify key risk areas to develop mitigation plans. Recent changes, including department reorganization, implementation of a new payroll, budget, and financial system, and other emerging changes, have placed the County in a unique position to evaluate its strategies, key business processes, supporting technology, people, and their related elements of risks, to further help ensure success.
The Division of Internal Audit Facilitates the Countywide Risk Assessment Process
The Division of Internal Audit is the facilitator of the countywide control and performance risk assessment process in accordance with the Statement on Standards for Consulting Services issued by the AICPA. Additionally, the Institute of Internal Auditors Section 2120 - Risk Management specifies that, as part of the internal audit function, the internal audit activity must include evaluating the effectiveness of, and contributing to the improvement of, risk management processes, etc.
These services did not constitute an engagement to provide audit, compilation, review, or attestation services as described in the pronouncements on professional standards issued by the AICPA, and, therefore, no opinion or other form of assurance will be expressed with respect to the services. It is further understood that the County’s Management is responsible for, among other things, identifying and assessing risk, and complying with laws and regulations applicable to various government codes, statutes, and other authority that govern various county activities.
Methodology and Approach
The Division of Internal Audit (division) used an industry standard approach in developing the risk assessment methodology that gave consideration to the key strategies, operational, compliance, financial and other risks associated with a large local government organization such as Yolo County.
The following processes and factors are considered in the assessment:
- Operational processes, which are those related to the Department’s key mission of collecting and accounting for public funds and other fiduciary duties.
- Infrastructure processes, which are those that relate to the support and management of the department’s (County’s) (information systems, financial reporting, human resources, etc.)
- Risk ownership, including identifying, measuring, monitoring, and reporting on specific risks, led by the business areas, including political, high profile programs, external oversight reviews, etc.
Among the critical inputs to the development of the risk assessment and the creation of a continuous internal audit plan was the information obtained from the Yolo County management and other departmental staff who responded to a computer-based self-risk assessment survey prepared by the division, or who were interviewed in person by the engagement team.
For each department assessed, a detailed report is generated with the results of the assessment. The report should be used as a starting point for the department’s ongoing monitoring of risk that is now a requirement under various state and federal laws and regulations to help ensure local government accountability. The department should refer often to the assessment in an effort to monitor risk, including risk reduction and mitigation of identified risk, as well as updating any additional risk that may arise. The report is organized in a manner that identifies risk and mitigating factors at various levels of consideration by staff, county management, auditor’s analysis, and other factors. The department director and staff should review the report and consider the risk and mitigating factors identified, and ensure that the deficiencies are incorporated into the department’s strategic plan.
Departments and JPA Completed Risk Assessment Report