You will want to apply resources to control risks in the following order:
- AREA IV - Most Concern
Tip: If Area IV risks have extensive internal controls around them, there is less of a need to put controls in place and more of a need to monitor for exceptions. You should assure that both preventive and detective controls are in place.
- AREA III - Moderate Concern
Tip: Don't forget to monitor and periodically assess whether or not improvements need to be made.
- AREA II - Minimal Concern
Tip: When risks that normally are of lower concern are undergoing changes, they might need more attention now, ahead of the other higher risks that are well controlled.
- AREA I - Least Concern
Tip: For the risks that are of least concern, consider whether or not the area is being over-controlled and whether resources can be re-allocated elsewhere.
Consider risks at all levels within the organization.
The cost of the control, in both time and money, should equal the risk.
Copyright 2014
New York State Governor's Office of Employee Relations