Employment and Training Administration
Washington, D. C. 20210






October 6, 1997




October 31, 1998











Unemployment Insurance Service




The Risk Analysis Project - Advanced Training

  1. Purpose. To provide information to State Employment Security Agencies (SESAs) on the Risk Analysis Project Advanced Training.

  2. References. ETA Handbook No. 376, Guidelines for Internal Security in UI Operations; UIPL No. 12-95, Risk Analysis Project; Unemployment Insurance Program Letter (UIPL) No. 08-97, Risk Analysis Training.

  3. Background. Since fiscal year 1982, the Department of Labor (DOL) has allocated resources for the Internal Security program. In concert with the Internal Security program, the Employment and Training Administration (ETA) has recommended through UIPLs that SESAs complete a risk analysis of Unemployment Insurance (UI) program operations whenever major system changes occur, but not less than once every three years.

    The primary purpose of Internal Security is to reduce fraud, waste, and abuse in the UI program. Risk analysis is a specific activity to be performed under the overall Internal Security function. Each SESA is allocated resources to maintain an Internal Security Unit (ISU). The ISU is responsible for reviewing the adequacy of existing controls, and for recommending to management the institution of controls where none exist, and/or the strengthening of controls where they are weak.

    Along with its other internal security activities, the ISU is required to perform a risk analysis to determine an economic balance between the affect of threats and the costs of protective measures. In performing a risk analysis, the ISU must identify assets, threats to the system (both program and computer related), vulnerabilities, and cost effective safeguards.

  4. Risk Analysis Training. Four fundamental/intermediate risk analysis training classes have been held. National Office and Regional Office (RO) personnel attended these classes along with SESA staff including internal auditors, information security officers, investigators, and other internal security personnel responsible for the performance of the DOL required SESA risk analysis. A total of 59 individuals (51 SESA participants and 8 DOL participants) attended the risk analysis training.

    UIPL No. 08-97 provided information concerning Advanced Training and User Group Forums. Some information is repeated here.

      a.  Advanced Training Course.  The advanced training is a two-day course that will build on the combined fundamental and intermediate risk analysis training courses. One class will be held February 24-25, 1998, in Sacramento, California, and the other will be held March 3-4, 1998, in Annapolis, Maryland. Information on logistics for the sessions will be distributed closer to the training dates.

      The California Employment Development Department's (EDD) Unemployment Insurance Risk Analysis Project staff will develop and distribute to SESA personnel who attended one of the fundamental/intermediate risk analysis training sessions a survey to identify specific topics for discussion at the advanced training. Speakers will then be selected to lead discussions on the topics given the highest priority by the survey respondents. Through these presentations, as well as through group discussions, participants will learn to identify, review and resolve advanced level risk analysis issues and concerns.

      b.  Participation Requirements.  Participants in the advanced training course should have an understanding of the risk analysis process and methodology, and should have completed, or be in the process of completing, a full or partial risk analysis using the RiskWatch software prior to attending training. Solicitation of nominations for participation will be made closer the training date.

      c.  User Group.  Information concerning the scheduling of UI User Group Forums will be provided later.

  5. RiskWatch Software Upgrades. RiskWatch version 6.4 was distributed to most SESAs that attended the fundamental/ intermediate risk analysis training. Version 7.1 should be available prior to September 30, 1997; however, SESAs should continue to use version 6.4 if 7.1 is delayed. Lack of the latest software version should not delay beginning and/or conducting a risk analysis.

  6. Action. SESA Administrators are requested to:

      a.  Ensure that the advanced training survey is completed and returned to EDD by November 15, 1997. EDD will send the survey early in October 1997 to SESA personnel who attended the fundamental/intermediate risk analysis training.

      b.  Determine the status of efforts to conduct a risk analysis including the development of a risk analysis action plan that includes the scope of the review, resources to be used in conducting the risk analysis, and anticipated date of completion.

      c.  Ensure that a full or partial risk analysis is completed using the automated RiskWatch Software .

      d.  Consider who will be attending the up-coming advanced training based on their understanding of the risk analysis process and methodology and participation in completing risk analyses.

      e.  Provide copies of this UIPL to appropriate Internal Security staff.

  7. Inquiries. Inquiries should be directed to the appropriate RO.