1

Subrecipient Risk Assessment Resource and Tool

Overview 

The Uniform Guidance requires pass-through entities to monitor and manage their subrecipients to ensure compliance (2 CFR 200.330-332). Risk Assessments are not used to make award decisions.  The purpose of a risk assessment is to evaluate a subrecipient’s risk of non-compliance with Federal statutes, regulations, and terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.  A risk assessment tool can be used to evaluate, document, and classify your subrecipients’ fiscal and programmatic capability by determining various criteria to develop a relative risk assessment score.   The level of risk should guide the pass-through entity in determining the level of technical assistance and monitoring required.

NOTE:  Risk Assessments must be completed for all grantees at a minimum for every grant cycle and maintained in the official grant file of record.

Using the Risk Assessment Tool 

Risk Assessments should be conducted after a decision to award, prior to determination of funding level, prior to development of any needed terms and conditions specific to the award. A Risk Assessment should be completed for each subrecipient by the pass-through entity, and subrecipient can be required to include information used to develop the risk assessment as part of the application process, or after selection but prior to award. After completing the risk assessment and determining the score, a pass-through entity should determine any action steps needed to manage and/or mitigate risk.  An entity should have internal controls in place to develop a monitoring plan which is tailored to the level of risk to ensure subrecipient compliance. 

In creating a solid risk assessment, the risk assessment tool should help to discern the following:

  • Past performance on prior grant awards including financial and program performance; Achievement of performance goals and outcomes
  • Audit information - results of previous audits including whether the subrecipient receives a Single Audit
  • Staff adequacy and stability
    • Whether the subrecipient has new personnel or new or substantially changed systems
    • Adequate resources for program/project
  • Ability to provide adequate oversight through governance and management structure
  • The extent and results of Federal awarding agency monitoring if the subrecipient receives federal awards directly from a federal awarding agency
  • Financial stability
  • Accounting system adequate for discretely tracking revenue and expenditures by cost centers
  • Policies and procedures demonstrate internal controls in place
  • Existence of Conflict of Interest Policy
    • Management systems
    • Suspension or debarment
    • Other elements based on specific funding

Helpful hint:  Check your risk assessment tool for explicit or implicit bias in the wording.  The tool needs to elicit honest responses so that an appropriate level of monitoring can be established.  Sometimes wording can lead to responses based on how they think you want them to respond rather than accurate responses. Additionally, it can be helpful to clearly state that responses will not qualify nor disqualify the organization for consideration of funding so accurate responses are important.

Based upon the risk assessment results, an applicant might be low, medium or high risk.  This information can help to determine the level of funding, any special conditions (such as financial submissions monthly rather than quarterly), technical assistance and the overall monitoring plan.

Please use the following checklist to ensure that all critical information is being captured pertinent to the funding purpose. While all items might not apply to each situation, keep in mind that risk assessments should be focused on both financial and management elements.  Additional items specific to the funding or project specific needs should also be considered.

  • Prior experience with federally funded grants
  • Ability to meet management standards of funding source
  • Financial system in place that tracks individual costs centers and conforms to GAAP
  • Stability of personnel and leadership
  • Past history of performance
  • Past history of timeliness of reporting
  • Prior compliance with terms and conditions of awards
  • Results of audits such as findings, unallowable costs, or other weaknesses noted with date resolved
  • Existing policies and procedures in place that comply with 2 C.F.R. 200 (e.g. Conflict of Interest, Record retention, etc.)
  • Evidence of strong internal controls in place including separation of duties, expenditure approvals, etc.
  • Adequate documentation of governance and supervisory structure in place
  • If subawarding grants, existence of adequate process for award determinations in compliance with funding requirements including risk assessments and a monitoring process 

If you do not have an existing Risk Assessment Tool, feel free to use this sample risk assessment tool.