Authority/Reference(s) HRC, Subtitle D, §40.058
Revision Date August 1, 2017


Client Services contract staff must complete a Risk Assessment Instrument (RAI) at least annually, unless exempt. The RAI is a standard tool maintained by the Contract Oversight and Support (COS) division to evaluate certain characteristics of DFPS contractors in order to identify and predict associated risk to the agency and client receiving services. The RAI helps DFPS prioritize contract monitoring activities based on identified risk

in an effort to effectively allocate agency resources. In order to accomplish this, the RAI must be completed for all client service contracts except for the following:

  • Child-Specific Residential Care
  • CPS TPASS Drug Testing
  • APS Residential Care Placement
  • Non-financial
  • Program Direct Purchases (PDPs)
  • Purchase Order for Placement Services (POPS)
  • STAR Health

Classifying risk

Risk is defined as the uncertainty or likelihood that an event could adversely affect an organization.

DFPS assesses risk by proactively evaluating certain characteristics of contracts and contractors to forecast the likelihood of future events or behaviors. DFPS then attempts to prevent and mitigate risk by further examining (monitoring) the highest risk contracts.

Risk for DFPS contracted client service delivery is classified in the following categories.

  • Harm to Clients: Actions (or lack of action) taken by a contractor which have caused or could cause physical, mental, or emotional injury to the client;
  • Inadequate Services: Services or history of services provided by a contractor that include failure to provide needed services, provision of inappropriate services to clients, or provision of services to ineligible clients; and
  • Diverted Resources: A contractor's misuse of resources provided by the agency for a designated need to any other activity not within the purpose or intent of the purchased services (e.g., misappropriation of funds, a fixed asset stolen or not used for its intended purpose, majority of contracted resources dedicated to administrative costs instead of direct care, dedicated resources used for other clients or services outside of the contracted intent, resources used for unallowable expenditures).

Risk factors were specifically identified to determine which conditions might indicate risk to DFPS for contracted client service delivery. The number of risk factors was determined based on two criteria:

  • Large enough to provide the risk assessor with confidence that the assessment is effective; and
  • Not so large as to hinder meaningful, consistent, and cost-effective risk assessment

Two basic types of factors that affect risk are represented in the risk factors:

  • Inherent (exposure) Risk: The tendency for material non-compliance with state or federal rules and regulations, assuming there are no related internal control problems (e.g., type of contract, type of related-party transactions, quality of services, experience level of management).
  • Control Risk: The risk that material error or irregularities will not be prevented or detected by the internal control structure; the degree to which the entity's internal control structure may not reasonably be expected to ensure compliance with governmental requirements (e.g., percentage of monetary change in contract from prior period, percentage of disallowance in relation to total amount expended for contract, review of internal controls, date of last on-site monitoring visit, history of non-compliance).

Once the risk factors are determined, weights are assigned to each risk factor based on their relative impact on overall risk.