Authority/Reference(s) Human Resource Code, Subtitle D, §40.058
Revision Date September 1, 2021

Policy

Assessing risk throughout the contract lifecycle is a primary function of contract management. Contract staff are responsible for identifying and documenting changes to risks by investigating unusual patterns of activities and conducting formal risk assessments using applicable DFPS tools.

Contract staff must:

  1. Identify and utilize mechanisms to manage risk by targeting specific areas where technical assistance may be needed;
  2. Proactively coordinate and communicate to determine risks; and
  3. Perform oversight and monitoring activities.

Types of Risk

Risk is the possibility or likelihood that an event may occur that could adversely affect an organization. Performing continuous risk analysis allows a contract manager to identify and take action before an adverse event affects DFPS or its clients.

There are two types of risk:

  • Inherent Risk. Risk that exists when controls have not been put in place
  • Residual or Controlled Risk. Risk that remains after controls are put in place

Risk Management Approach

Effective risk management includes managing risk by implementing appropriate controls, requiring that contract staff stay informed about the status of the contractor's relationship with DFPS throughout the life of the contract, and maintaining ongoing awareness of all risks for each contract.

Assessing the risk associated with each contractor is critical because risk changes over time. Effective risk management activities include, but are not limited to, reviewing:

  • Procurement documents identifying contractor requirements.
  • Required checks (including Vendor Performance Tracking System (VPTS) reports).
  • Annual insurance coverage requirements and insurance coverage documentation to verify coverage.
  • The Internal Control Structure Questionnaire (ICSQ) and attachments, ensuring updates are properly documented.
  • The contract file, including monitoring reports, performance reports, billing or budgetary trends.
  • The Risk Assessment Instrument (RAI) or Risk Assessment Analysis (RAA).
  • Internal and Independent Audits.
  • If applicable:
    • The Risk Assessment Questionnaire (RAQ)
    • Continuous Quality Improvement Plans
    • Corrective Action Plans
    • Credential information, e.g., licensure documentation and required trainings.
    • Case worker or client complaints; researching law enforcement, school or other community complaints.

RAA Risk Factors: see SSCC Risk Assessment Analysis

RAI Risk Factors

Risk factors are identified through effective risk management and help determine the areas of risk to DFPS for contracted goods and services.

Client Service Contracts. Risk factors that have been identified to affect DFPS contracted client service delivery are generally classified into the following categories:

    • Contractor growth. For example, significant increase in revenue, clients served, or number of foster homes, which could impact contractor’s ability to effectively perform their contractual requirements.
    • Organizational Changes. For example, start-up business, new management, major change in key staff, new programs or services added, material changes in existing programs, implementation of new technology.
    • Client Safety. For example, actions taken, or lack of action, by a contractor that has caused or could cause physical, mental, or emotional injury to the client.  
    • Service Delivery and Quality. For example, services or history of services provided by a contractor that include failure to provide needed services, provision of inappropriate services to clients, or provision of services to ineligible clients.
    • Resource Management. For example, misappropriation of funds, a fixed asset that is not used for its intended purpose, seemingly disproportionate amount of contracted resources dedicated to administrative costs instead of direct care (without prior approval), dedicated resources used for other clients or services outside of the contracted intent, resources used for unallowable expenditures.
    • Internal Controls. For example, a contractor's ability to protect DFPS' assets and confidential information, and to perform contractual requirements.
    • Data and System Security. For example, a contractor’s ability to protect its devices, networks, and related computing infrastructure.

Administrative Contracts. Risk factors that have been identified that may affect DFPS contracted administrative needs are generally classified into the following categories:

    • Organizational Changes. For example, start-up business, new management, major change in key staff, implementation of new technology.
    • Resource Management. For example, misappropriation of funds, a fixed asset that is not used for its intended purpose, dedicated resources used for other services outside of the contracted intent, resources used for unallowable expenditures.
    • Internal Controls. For example, a contractor's ability to protect DFPS' assets and confidential information, and to perform contractual requirements.
    • Data and System Security. For example, a contractor’s ability to protect its devices, networks, and related computing infrastructure.