Now that we are several years into the Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), it is always surprising to learn that organizations are still not familiar with this regulatory regime and several of its requirements (see 2 C.F.R. Part 200). We recently discussed procurement and the need to implement the Uniform Guidance's procurement standards by the start of your 2018 fiscal cycle; thus, in this month's newsletter, we'll review another of the somewhat overlooked requirements, namely, the need for grant recipients to perform a risk analysis of potential subgrantees.
Section 331 of the Uniform Guidance provides that grant recipients must:
Evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring …
2 C.F.R. § 331(b). Furthermore, this assessment:
[M]ay include consideration of such factors as:
(1) The subrecipient's prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F—Audit Requirements of this Part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Id. But this list is neither required nor exhaustive, thereby leaving many prime grant recipients with little clear direction in terms of what they must do to sufficiently protect their organization.
Methods for Assessing Risk
First, prime grant recipients (or higher-tiered grantees) should factor in the amount at issue. After all, one of the primary tenets of the Uniform Guidance is to curtail waste, fraud, and abuse. That being the case, pass-through entities should not expend a comparatively large amount of resources to assess risk relative to the size of the potential award, which would be wasteful. Accordingly, grantees should develop a policy that establishes general thresholds commensurate with the typical sizes of awards and the required level of diligence for varying award sizes. Complicating this a bit further is that generally risky awards, regardless of their dollar value, should also receive greater attention. For example, a subaward that involves cash advances to international hot spots for corruption should be viewed differently than an environmental study performed domestically.
Second, some methods for assessing risk are simple and inexpensive and should be done for all awards, regardless of size. Some diligence may also be mandatory, such as determining whether any potential subrecipients have been federally suspended or debarred. From this baseline, the organization can then develop tiers of assessments. Examples of simple and inexpensive diligence efforts include an interorganizational database, whereby the organization keeps records on past subrecipients so that it can use its own past history with an organization to determine its risk-worthiness. Additional methods include reference checks (speaking to other organizations that have worked with the prospective subrecipient), requiring submission of the previous years' audit reports, and simple Internet searches for positive or negative publicity. Of course, the sources of the latter must be factored into the veracity of this information.
Moderate-level assessment should include each of the factors noted from the rule (some of which form the baseline assessment), additional inquiries directed to organizations with which you have worked (to see if others have had a positive experience with the prospective subrecipient), and requests for the organization's relevant policies and procedures relative to the award.
Finally, heightened assessment (which is reserved for your organization's highest value and most risky subgrant awards) should include the procedures of the prior two stages, inquiries specific to the nature of the grant, and even credit or business checks to ensure the organization is creditworthy and does not have a poor business record. This may involve in-country inquiries and background investigations.
Again, none of the above is required per se; rather, these are suggestions and ideas for how an organization may be able to cost-effectively meet the risk analysis requirement of the Uniform Guidance. At bottom, it is critical that organizations think creatively to develop effective and administratively efficient processes, which they must then apply consistently across their operations.
Recording and Analyzing Risk
Importantly, no matter what you do to perform your risk assessment, it is absolutely critical that you document all of your actions and keep that information in the subrecipient file. We often see organizations reflexively perform risk assessments, but because these actions are second nature, they fail to document the fact that they made telephone inquiries or performed Internet searches. Documenting all of these efforts contemporaneously will undoubtedly serve you well should an auditor later review the award, which will begin with the Uniform Guidance's required pre-award assessment.
However, recording risk is not necessarily enough—how does one actually interpret the risk? A simple matrix can often help organizations review the risks across potential subrecipients. First, there are certain items that are simply disqualifiers, such as having been suspended or debarred. These should be listed in a risk assessment document. If any of these fails, the subrecipient is too risky (or not qualified) and should be set aside. The other risk assessment factors can then be scored on a sliding scale (e.g., from 1 to 5 or 1 to 10). After tabulating all the scores for all the factors for each potential subrecipient, the organization will determine a risk score for this potential subgrant. The organization's policy, however, should note that the award need not go to the least risky potential subrecipient; rather, the organization simply needs to factor the risk score into its monitoring plan.