RISK ASSESSMENT MATRIX - Texas Council for Developmental Disabilities

Updated for FY10 Internal Audit Plan

[Column headings of the matrix were printed vertically in the original and survive only as fragments; the recoverable labels are ACTIVITY, PRIORITY, RISKS (columns 1 through 8), IMPACT, PROBABILITY, and RATING / YR.]
CONSOLIDATED ACTIVITIES AND RISKS

Each activity is listed with its priority and its risks (columns 1 through 8 in the original matrix). Every risk carries two H/M/L ratings, given here as Impact / Probability; that column order is inferred from the positions of the vertically printed headings and is an assumption of this transcription, not a label printed on the page.

Priority 5 - Grant Administration
  1. Insufficient monitoring of grant expenditures: H / M
  2. Providing inadequate or inappropriate guidance to grantees: H / L
  3. Non-compliance with federal or state regulations (OMB or UGMS): H / L
  4. Inappropriate use of federal funds: H / L

Priority 1 - Executive and Administrative
  1. Violation of state and/or federal rules: H / M
  2. Inadequate monitoring of funding obligations and liquidations: M / M
  3. Inadequate monitoring of fiscal reporting system: M / M
  4. Insufficient succession planning for executive management: M / L
  5. Ineffective governance functions: L / L

Priority 4 - Public Policy and Information
  1. Violation of state or federal rules: H / M
  2. Inaccurate interpretations provided to constituents: M / L
  3. Negatively impact relationships with policy makers: M / L
  4. Social networking - lack of control over mis-information: M / L

Priority 6 - Information Technology
  1. Unauthorized access to data set: H / L
  2. Loss of data / data integrity: H / L
  3. DD Suite implementation: M / M
  4. Unauthorized access to websites: M / L
  5. Increased volume related to social networking: L / M

Priority 2 - Planning, Evaluating, and Reporting
  1. Non-compliance with federal requirements: H / L
  2. Poorly planned; plan not representative of constituency needs: M / L
  3. Documentation processes are insufficient for reporting requirements: L / L

Priority 3 - Project Development
  1. Non-compliance with approved procedures: M / M
  2. Poorly planned; inadequate research in planning stages: M / L

Priority 9 - Designated State Agency (DSA) Operational Relationship
  1. Fair reimbursement for DSA support: M / M
  2. DSA / Council Separation of Authority: M / L
  3. Inaccurate accounting information reported to State and/or Federal Government: L / L

Priority 7 - Council Support
  1. Non-compliance with state and federal requirements: M / L
  2. Non-compliance with Council policies and procedures: M / L
  3. Insufficient logistical support: M / L

Priority 8 - Administrative Support: Finance & Accounting, Human Resources, Purchasing
  1. Contract Administration & Management: M / L
  2. Hiring unqualified employees; inadequately addressing employee performance / productivity: M / L
  3. Non-compliance with current HR policies & reporting requirements: M / L
  4. Overspend or under spend budget: L / L
  5. Inaccurate reports to management and board: L / L
  6. Improper / unauthorized procurements: L / L
  7. Lack of segregation of duties: L / L
  8. Property Mgmt: Loss of Assets: L / L
Texas Council for Developmental Disabilities (TCDD)

RSA Update FY10

CONSOLIDATED ACTIVITIES
  Executive and Administrative
  Grant Administration
  Public Policy and Information
  Council Support
  Project Development
  Planning, Evaluating, and Reporting
  Information Technology
  Administrative Support: Finance & Accounting, Human Resources, Purchasing
  Designated State Agency (DSA) Operational Relationship

PRIORITIZED CONSOLIDATED ACTIVITIES
  1  Executive and Administrative
  2  Planning, Evaluating, and Reporting
  3  Project Development
  4  Public Policy and Information
  5  Grant Administration
  6  Information Technology
  7  Council Support
  8  Administrative Support: Finance & Accounting, Human Resources, Purchasing
  9  Designated State Agency (DSA) Operational Relationship




TCDD Risk Assessment Update - FY10                                                                    Consolidated and Prioritized Activities
Texas Council for Developmental Disabilities
RSA FY10 Update

Brainstorming Activities

 1  Collaborate with other agencies and advocacy organizations
 2  Develop project ideas
 3  Evaluate project ideas
 4  Put projects out for bids or issue intent awards
 5  Select grantees
 6  Develop the State Plan
 7  Complete federal and state reporting requirements
 8  Gather public input
 9  Provide technical assistance to grantees
10  Monitor best practices
11  External policy review
12  Evaluation of grant effectiveness
13  Evaluate impact of TCDD activities
14  Formally respond to agency initiatives
15  Formally respond to legislative initiatives
16  Informal dialog with agencies
17  Informal dialogue with legislative staff
18  Develop and adopt position statements (goals)
19  Develop and adopt public policy priorities (how to)
20  Coordination with advocates at state and national levels
21  Outreach and development of constituent base
22  Publication of Public Policy Alerts
23  Advocacy skills training
24  Public information activities
25  Publish Requests for Proposals (RFP) in Texas Register
26  Recruitment of grantees / expand applicant base
27  Review applications received from RFP
28  Appoint review panels for RFP applications
29  Hold bidder conferences
30  Make recommendations to Executive Committee
31  Notify applicants of award or non-award
32  Execute grant agreements
33  Monitoring grants: programmatic and budget
34  Monitoring independent audits and desk review of grants
35  Assure obligation and liquidation of funds within federal deadlines
36  Keep grants manual current and accurate
37  Training of staff
38  Approval of reimbursements to grantees
39  Coordinate with designated agency on administrative and Information Resource functions
40  Database development
41  Support for Council activities
42  Develop LAR
43  Develop annual operating budget
44  Monitor annual operating budget
45  Monitor reimbursement of operating budget
46  Supervision of staff
47  Lead staff reporting to Executive Committee
48  Coordinate with Governor's office for Board member appointments and policies
49  Coordinate Council members travel and reimbursement
50  Act as liaison with State Auditor's office
51  Conflict of interest disclosures and management
52  Coordinate with Feds on ADD issues
53  Oversight of open records / open meetings issues
54  Contract Administration & Management

RISK MANAGEMENT TABLE -- Texas Council for Developmental Disabilities

Consolidated Activity 1: Executive and Administrative

RISKS
  A  Violation of state and/or federal rules or regulations
  B  Inadequate monitoring of obligations and liquidations
  C  Inadequate monitoring of fiscal reporting system
  D  Insufficient succession planning for executive management
  E  Ineffective governance function

CONTROL STEPS                                                 | A | B | C | D | E |
Trained and experienced staff with extensive knowledge base   | x | x | x | x | x |
Internal Audit function (contracted) & external
  Quality Assurance Review (QAR)                              | x | x | x |   |   |
Oversight provided by Council's Executive Committee           | x | x | x | x |   |
Administrative support of designated agency                   | x | x | x | x |   |
Office of Attorney General appointed General Counsel for TCDD | x |   |   |   |   |
Internal Operating Policies & Procedures                      | x | x | x | x |   |
Documented Council Policies                                   |   |   |   |   | x |
Council member orientation & training; mentoring              | x |   |   |   | x |
Conflict of interest disclosures                              |   |   |   |   | x |

Consolidated Activity 2: Planning, Evaluating, and Reporting

RISKS
  A  Non-compliance with state or federal requirements
  B  Poorly planned; plan not representative of constituency needs
  C  Documentation processes are insufficient for meeting reporting requirements

CONTROL STEPS                                                 | A | B | C |
Trained and experienced staff with extensive knowledge base   | x | x | x |
Written operating procedures in place that address
  reporting requirements                                      | x |   | x |
Federal and Regional office support and guidance              | x |   |   |
Federal and state reviews                                     | x |   | x |
Electronic submittal with good instructions and edit checks   | x |   |   |
Pro-active plan and design                                    | x | x |   |
Database monitoring                                           | x |   | x |
Trained, experienced staff                                    | x | x | x |
Individual grantee training                                   | x |   | x |
Performance Measure procedures                                | x |   | x |
Management oversight                                          | x | x | x |
Council / Committee oversight                                 | x | x |   |
Relationships with other Councils                             | x | x | x |
Constituent input                                             | x | x |   |
PLANNED: DD Suite implementation                              | x |   | x |

Consolidated Activity 3: Project Development

RISKS
  A  Non-compliance with approved procedures
  B  Poorly planned; inadequate research in planning stages

CONTROL STEPS                                                 | A | B |
Trained and experienced staff with extensive knowledge base   | x | x |
On-going employee training                                    | x | x |
Independent Review Panel                                      |   | x |
Risk assessment on recommended projects                       | x | x |
Management oversight                                          | x | x |
Council / Committee oversight                                 | x | x |
Updated operating procedures for staff                        | x | x |

Consolidated Activity 4: Public Policy and Information

RISKS
  A  Violation of state or federal rules
  B  Inaccurate interpretations provided to constituents
  C  Negatively impact relationships with policy makers
  D  Social networking - mis-information; lack of control

CONTROL STEPS                                                 | A | B | C | D |
Trained and experienced staff with extensive knowledge base   | x | x | x | x |
Background research                                           | x | x | x | x |
Active, on-going collaboration with Advocacy groups           |   | x | x | x |
On-going employee training                                    | x | x | x | x |
Collaborative relationships with state and federal agencies   | x | x | x | x |
Written administrative operating procedures                   | x |   | x | x |
Written operating procedures for Public Information's
  external communications                                     |   | x | x | x |
Management oversight                                          | x | x | x | x |
Council's Public Policy Committee oversight                   | x | x | x | x |
Office of Attorney General appointed General Counsel for TCDD | x |   |   |   |

Consolidated Activity 5: Grant Administration

RISKS
  A  Providing inadequate or inappropriate guidance to grantees
  B  Insufficient monitoring of grant expenditures
  C  Non-compliance with federal or state regulations (OMB or UGMS)
  D  Fraud and/or inappropriate use of federal funds

CONTROL STEPS                                                 | A | B | C | D |
Trained and experienced staff with extensive knowledge base   | x | x | x | x |
Trained back-up for each position                             | x | x | x | x |
Grants Manual available online                                | x |   | x | x |
Database monitoring                                           |   | x | x | x |
Desk review of all grantees                                   | x | x | x | x |
On-going employee training                                    | x | x | x | x |
Internal audit function & QAR                                 |   | x | x | x |
Written and online policies and procedures for grantees       | x |   | x | x |
Performance Measures                                          |   | x | x | x |
Management oversight                                          | x | x | x | x |
Council / Committee oversight                                 | x | x | x | x |
Grantee Risk Assessment Tool & Monitoring Strategies          |   | x | x | x |
Individual Grantee Training                                   | x |   | x |   |
Written Administrative Operating Procedures for staff         | x | x | x | x |
PLANNED: Implement DD Suite, an electronic data
  reporting system                                            |   | x | x |   |

Consolidated Activity 6: Information Technology

RISKS
  A  Unauthorized access to data set
  B  Data loss / data integrity
  C  DD Suite implementation
  D  Unauthorized access to websites
  E  Increased vulnerability from social network users

CONTROL STEPS                                                 | A | B | C | D | E |
Trained and experienced staff with extensive knowledge base   | x | x | x | x | x |
Memorandum of Understanding between Council and
  designated state agency                                     | x | x |   |   |   |
Established protocols of designated state agency              | x | x |   |   | x |
Multi-level access security systems in place
  (firewalls; passwords)                                      | x | x | x | x | x |
Data recovery systems in place                                |   | x | x | x | x |
Regular backups of data by agency and by designated
  state agency                                                | x | x | x |   | x |
On-going employee training                                    |   | x | x | x | x |
Management oversight                                          | x | x | x | x | x |
Internal audit involvement                                    |   |   | x |   |   |
DD Suite Protocols: approvals and authorizations              |   |   | x |   |   |
Active participation in development / design of DD Suite
  with other DD Councils                                      |   |   | x | x |   |
Restricted access to social networks                          | x | x |   | x | x |

Consolidated Activity 7: Council Support

RISKS
  A  Non-compliance with state and federal requirements
  B  Non-compliance with Council policies and procedures
  C  Insufficient logistical support

CONTROL STEPS                                                 | A | B | C |
Trained and experienced staff with extensive knowledge base   | x | x | x |
On-going employee training                                    | x | x | x |
Written policies and procedures                               | x | x | x |
Management oversight                                          | x | x | x |
Council / Committee oversight                                 | x | x | x |
Organization of meeting materials                             | x |   | x |
Solicit input from Council members                            |   |   | x |

Consolidated Activity 8: Administrative Support: Finance & Accounting; HR; Purchasing

RISKS
  A  Contract Administration & Management
  B  Inaccurate reports to management and board
  C  Lack of segregation of duties
  D  Property Mgmt: Loss of assets
  E  HR: Non-compliance with current HR policies & reporting requirements
  F  HR: Hiring unqualified employees; inadequately addressing employee performance / productivity
  G  Overspend or under spend budget
  H  Purchasing: Improper / unauthorized procurements; incorrect postings

CONTROL STEPS                                                 | A | B | C | D | E | F | G | H |
Memorandum of Understanding between Council and
  designated state agency (DSA)                               |   |   |   | x | x | x |   | x |
DSA's procedures, controls, and oversight                     | x | x | x | x | x | x | x | x |
Follow state mandated Accounting policies and procedures      | x | x | x | x |   |   |   |   |
Follow State Procurement Manual and state purchasing
  procedures                                                  | x |   |   |   |   |   |   | x |
Follow DSA and Council HR policies and procedures             |   |   |   |   | x | x |   |   |
Grants monitoring and technical assistance to grantees        | x | x |   | x |   |   | x |   |
Database monitoring                                           |   | x |   |   |   |   | x |   |
Data review and authorization prior to posting or payment     | x | x |   | x |   |   | x |   |
On-going employee training                                    | x | x | x | x |   | x | x | x |
Annual performance evaluations                                |   |   |   |   | x | x |   |   |
Required timesheet signatures and approvals                   |   |   |   |   | x | x |   |   |
Employee Training Manual and Orientation                      |   |   |   |   | x | x |   |   |
Management oversight                                          | x | x | x | x | x | x | x | x |
Written administrative operating procedures                   | x | x | x | x | x |   | x |   |
Internal Audit function & QAR                                 | x | x | x | x |   |   | x | x |
Trained, experienced staff with strong knowledge base         | x | x | x | x | x | x | x | x |

Significant Changes in Risk Assessment - Texas Council for Developmental Disabilities

New Risks Identified in FY 2010 - List by Consolidated Activity or Building Block
  Activity 1: Executive & Administrative: added risk of insufficient succession planning to the matrix
  Activity 1: Executive & Administrative: added risk of ineffective governance function
  Activity 4: Public Policy & Information: added social networking risks: risk of mis-information / lack of control over information after posting
  Activity 6: Information Technology: risk of increased vulnerability from social network users

Changes, Additions, Deletions in Control Steps - List by Consolidated Activity or Building Block
  Activity 1: Executive & Administrative: added Council policies, member training & orientation, conflict of interest disclosures
  Activity 4: Public Policy & Information: added operation procedures to address external communications for Public Information
  Activity 6: Information Technology: Added control of restricting access to social networks to specific staff