Every unit throughout the university must assess how to best utilize their limited resources when it comes to responding to the risks that have been identified during the development of an internal control plan.
Typically, there are four approaches that can be taken in responding to risks:
A unit may determine that the resources and associated costs necessary to mitigate a potential risk outweigh the potential benefit that could be derived. In the case of risk avoidance, the unit will decide to eliminate these practices in order to avoid the potential risk.
For example, a unit may decide to turn down an opportunity to propose on a small-dollar grant that contains numerous compliance and reporting requirements, because the benefit would not outweigh the additional costs associated with hiring additional staff support to fulfill the requirements.
Although potential risks have been identified, a process or activity leading to such risks may not be avoidable due to regulatory requirements, operational needs, etc. In these cases, units will design and implement the necessary control activities to reduce the level of risk to an acceptable level.
For example, a unit may identify a lack of segregation of duties with respect to accepting incoming payments, posting to the accounting system, and making bank deposits. If the unit cannot hire additional staff to more fully separate these duties, it may implement additional mitigating controls, such as:
A unit may determine that an activity must be undertaken, but that it is not feasible to implement the necessary control activities to reduce the risk to an acceptable level. In these instances, the unit may be able to meet its risk tolerance threshold by sharing the associated risk with another entity by forming a joint venture or consortium to pool resources and, thereby, spread risk among the participating entities.
When properly structured and monitored, a risk sharing arrangement may allow a unit to engage in activities that would otherwise be outside its risk tolerance.
The unit may determine that the potential benefit derived from a process or activity sufficiently outweighs the risks identified, or that those risks are deemed to be immaterial. In these cases, the unit may decide to accept the existing level of risk without implementing additional control activities. The accepted level of risk is what remains after all efforts to control, share, or avoid the risk have been exhausted, and it is ultimately a necessary part of operating.
For example, a unit may have an operational need for petty cash, which has been identified as an area of risk within the internal control plan. The unit does not have the resources to implement additional control activities to address this risk, but the operational need for the petty cash outweighs the risk associated with the immaterial balance. As another example, a unit may decide to accept sponsored award funding from a corporation or foreign government after carefully evaluating the applicable requirements and considering (and, if necessary, reinforcing) the unit’s administrative capabilities, business practices, and internal controls that are in place to mitigate identified risks.