City of Houston’s Risk Assessment Process
Guest Post by James Kline (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
Houston Texas is one of the few local governments in the United States with an Enterprise Risk Management (ERM) based risk assessment approach. This policy was reviewed and updated in 2016. This was the latest step in the city’s use of risk assessment.
From 1996 to 2004, the city outsourced risk assessment. The assessment was performed every five years. Beginning in 2009, the city’s audit department took over the assessment. This article discusses the risk assessment process used by the City of Houston.
ERM is the basis for developing the annual audit plan. The development of the plan starts with the auditor taking the following steps:
- Update the number of areas which need to be audited.
- Update the missions, goals, and objectives associated with the auditable areas.
- Determine the risk related to the potential failure of achieving those stated goals and objectives (including fraud considerations).
These steps are used to establish the auditor’s annual work plan. Table 1 shows the criteria used to weight the risks for prioritization. The highest weighted risk is financial impact. Other important risks are complexity, human resource and regulatory, technology, mission critical activities and safety. The combined weight prioritizes the risk assessment work plan. Department risk assessments are conducted on 4-6 departments per year. The risk assessment of entire City is completed every four to five years.
Risk Assessment Process
Once the audit work plan has been determined, the risk assessment audit uses two approaches to determine the department’s risk level. These are quantitative and qualitative analysis.
The city has eight steps to its quantitative analysis. These are:
- Identify Risks Criterion
- Assigning a weight (in percentage) to each attribute identified, thereby, ranking the significance.
- Define the range of assessment value (e.g. 1-5, High, Medium, Low, etc..) for the overall process.
- Calculating/Measuring each attribute relative to the auditable entities (areas) identified using data analysis and other relevant and reliable information.
- Multiply the raw attributes score for the auditable entity resulting in the Quantitative Component of the auditable area.
- Repeat the process for each auditable area.
- Aggregate results by Department and Key Business Process.
- Repeat the process for each auditable within each department.
- Input from the Audit Department team, directives from the City Council, and concerns expressed by other stakeholders.
- Potential impact of significant/notable structural, economic, legislative or environmental changes.
The 2010 risk assessment identified 145 total key business processes, it was discovered that 19 of these were common throughout most departments. Based on the overlaps, the following areas were considered to have high risk: Compliance, Disaster Recovery, Fleet Maintenance, Grant Management, Project/Contract Management, Public Safety and Security. In addition, to benefit of identifying the level of risk associated with various activities, the connection of risk to resource allocation has become more completely understood. Moreover, the process has enhanced visibility, transparency and accountability.
The City of Houston is one of a few United States municipalities with an ERM related risk management policy. However, its current risk assessment approach is limited to four or five departments a year. This makes it different from a full ERM, which covers the whole organization consistently. In this respect U.S. municipalities lag the global contemporaries.
James J. Kline is a Senior Member of ASQ, a Six Sigma Green Belt, a Manager of Quality/Organizational Excellence and a Certified Enterprise Risk Manager. He has over ten year’s supervisory and managerial experience in both the public and private sector. He has consulted on economic, quality and workforce development issues for state and local governments. He has authored numerous articles on quality in government and risk analysis. email@example.com