Risk Assessments for the New Year – A Practical Reset for 2026

This feature is part of an ongoing series from OHCS' Fiscal Compliance Monitoring staff. Each month, we'll post helpful new tips!


When was your last risk assessment?

If you can’t remember, that’s your signal. Risk assessments are one of the most practical tools for preventing compliance issues before they happen. A clear, updated risk assessment helps you identify where problems are most likely to arise and prioritize your internal controls accordingly.

Start 2026 on stronger footing

  • Review: Pull your most recent risk assessment or risk matrix. Does it reflect your current programs, funding sources, and staffing? 
  • Refresh: Consider what changed this year (new awards, staff turnover, policy updates, or audit findings) and update risk levels accordingly. 
  • Refile: Make sure your documentation is current, dated, and accessible. If an auditor asks for it in February, you shouldn’t be scrambling to recreate it.

Why risk assessments matter

Risk assessments are required under federal regulations (2 CFR 200) and are powerful internal tools that help you:

  • Prioritize staffing needs 
  • Strengthen internal controls 
  • Prevent compliance issues before they happen

Federal and state requirements

Under 2 CFR 200.332(b), pass-through entities must evaluate subrecipient risk before issuing a subaward and monitor throughout the award period. This includes:

  • Reviewing prior audit results 
  • Assessing financial stability 
  • Evaluating internal controls 
  • Considering past performance and capacity

States often mirror these requirements, emphasizing documentation and monitoring plans for high-risk subrecipients.

When to refresh your risk assessment

  • Annually 
  • After staff turnover in finance or program roles 
  • When managing new awards 
  • Following policy updates or monitoring results

What to review for 2026

  1. Risk matrix: Update categories like financial management, procurement, subrecipient monitoring, performance tracking, and internal controls. 
  2. Audit findings or monitoring reports: Any finding, however minor, should adjust your risk profile. 
  3. Changes to systems or staff: New accounting software, organizational shifts, or vacant roles all impact risk.

Document your rationale

A risk assessment isn’t complete without clear explanations for each score:

  • Why the rating applies 
  • Steps your team is taking to mitigate risk

Bottom Line: A thoughtful risk assessment now sets your team up for a smoother, more compliant 2026.


OHCS wants to ensure that everyone has access to its information and programs. If you would like this information in a different language, please email Language.Access@hcs.oregon.gov.