Creating a Risk-Based Monitoring System:
Key Takeaways
By Tiffany Kesslar, Esq., CGMS and Madelaine Cleghorne, Esq., The Bruman Group, PLLC

In March 2023, NGMA hosted the webinar "Creating a Risk Based Monitoring System" with speakers Tiffany Kesslar and Madelaine Cleghorn, attorneys specializing in federal grants management and education law. Attendees learned about risk assessment requirements under the Uniform Grant Guidance (“UGG”) and how to develop both an internal and an external (subrecipient) risk assessment. The presenters also walked attendees through the step-by-step process of creating and conducting a risk assessment, using an example from the Indiana Department of Education. A recording of the webinar is available to members.


Risk assessments are required at all levels of grants management. Federal awarding agencies are required to conduct a pre-award evaluation of an applicant’s risk—the results of which may impact an applicant’s eligibility for an award or prompt the awarding agency to issue specific conditions with an award. Additionally, pass-through entities (PTEs) are required to evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. However, PTEs may conduct this assessment either pre- or post-award. In addition, the UGG requires that all non-federal entities (NFEs) monitor and evaluate their own internal controls, which include a risk assessment to ensure compliance with applicable rules and progress towards program objectives. As such, at every level of the grant application and administration process, it is critical that NFEs establish a robust risk assessment framework.
The key risk assessment principles, as identified by the Government Accountability Office (GAO), include:
1) developing clear objectives to enable the identification of risks and risk tolerance levels;
2) identifying risks to the achievement of objectives across the entity and analyzing those risks as a basis for determining how they should be managed;
3) considering the potential for fraud; and
4) identifying and assessing changes that could significantly impact the system.
See Standards for Internal Control in the Federal Government, United States Government Accountability Office, September 2014, at 34-43. While internal and external risk assessments include different elements, the baseline question is the same: are there elements within the recipient’s system that can prevent it from being successful in meeting program goals and general compliance requirements? The NFE conducting the risk assessment must then determine whether additional action is needed to prevent those risks from occurring.
When conducting an external risk assessment for the purpose of subrecipient monitoring, PTEs should include, at a minimum, a review of the NFE’s grant systems (financial management, procurement, and inventory management) and a review of how the entity ensures the allowability of costs (or plans to review it). PTEs should also review other factors, including the amount of funding a subrecipient receives, prior monitoring or audit findings, repeat findings, staff turnover, changes in laws or regulations, new technology, financial stability, and lack of policies and procedures. Once the review is completed and a subrecipient’s level of risk is identified, then the PTE can determine how much oversight and subrecipient monitoring is required in order to ensure compliance. This could include additional reporting, desk reviews, or even in-person monitoring visits.
The goal of the internal risk assessment is to make sure there are enough controls in place to prevent any identified risks from affecting the program goals and objectives and/or to ensure that corrective actions are taken in a timely manner to address any identified areas of noncompliance. In the case study presented for the Indiana Department of Education (IDOE), the speakers outlined the five steps used in developing and implementing an internal risk assessment:
1) Information gathering. This step involved gathering documentation and data from IDOE, including existing policies and procedures and recent audit and monitoring reports, as well as conducting interviews with key staff who could speak to each step of IDOE’s grants administration process.
2) Identification of the areas of risk to be evaluated. For IDOE, the areas of risk ultimately fell into five categories: operations, financial management, allowability, procurement and asset management, and compliance.
3) Identification of additional documentation or information needed from IDOE to assess each risk factor identified in step two.
4) Development of the scoring rubric. This scoring rubric was unique to each risk factor evaluated and factored in things such as the likelihood of the risk occurring, the potential impact, and internal IDOE priorities.
5) Scoring of the risk assessment. Using all the documentation collected and information from IDOE staff, each risk factor was evaluated using the scoring rubric developed in step four and color coded to reflect high, moderate, and low areas of risk.
In one column of the completed risk assessment, the speakers also identified specific risk mitigating strategies that IDOE could use as next steps to correct the areas of high risk identified in the assessment.
Creating and conducting a risk assessment—whether internally or for subrecipient monitoring—is only half of the equation. The second half involves prioritizing the highest areas of risk and taking affirmative steps to correct any areas of noncompliance. Two action items that will almost always mitigate risk for grantees or subrecipients are 1) to develop and/or update your non-federal entity’s written grants administration policies and procedures to align with current practices and applicable rules; and 2) to conduct regular trainings for staff involved with grants administration on those written policies and procedures, as well as general training on requirements under the UGG. A risk-based monitoring system can be a powerful tool for NFEs to evaluate their own internal controls and/or guide subrecipient monitoring. While there are any number of ways to conduct a risk assessment, the most important step is the first one—the decision to get started!