Risk Control Matrix: A common report takes on some uncommon challenges

My dad is a high school teacher.  It’s hard to ask him a “quick question”, because he prefers to teach you how to find the answer rather than to just give it to you.  Sometimes he can be the most frustrating man in the entire world.  (Just ask my mother.  She’ll agree.)

As it turns out, I am a lot like my father.  If you ask me how to create a Risk Control Matrix report in policyIQ, I am likely to ask twenty questions first.  I could give you an answer, but it wouldn’t be the best answer.  When it comes to reporting, it is important to understand what the questions are that you are really trying to ask your data to answer.

In all cases below, a Risk Control Matrix report will use the Detail Link report type in policyIQ.  (And remember that we use the terminology of “Risks” and “Controls”, which can easily be substituted for your “Objectives” and “Activities”.)  Let’s think about some of the questions that this common report might answer, including some uncommon perspectives.

What are our Risks and Controls?

Okay, so this is a really basic question, but it needs to be answered.  I think of this as the “big picture” report.  While you can look into your Folders in policyIQ to review the details of the Risks and related Controls, a single report to show all of those linked together is a great way to see the big picture.  Your external auditors might ask to see all of your Risks, sorted by Business Process, and the Controls that you have in place to mitigate them.

For this report, you’ll likely have just two data sets.  Data Set 1 will use a Template filter for all Risks in your organization, while Data Set 2 will filter for the Controls.  Remember to add the appropriate Columns to the report.  Most organizations use policyIQ Folders to capture Business Processes. If you need to sort by Business Process, be sure to include a Column for Folders in your report.

There are lots of variations on this simple question:

    • What are the Risks and the Key Controls in place to mitigate them?
      Filter Data Set 2 further by limiting to the Control Template Field of “Significance” to just those that are “Key”.
    • What are the Significant Risks and the related Controls?
      Filter Data Set 1 to the Template Field of “Risk Significance” to just those that have a “High” or “Significant” value.
    • What are your Risks, Controls and Test Plans across the organization?
      If Test Plans are part of the data request, include Data Set 3 and add a filter for pages from the Test Template. (Some organizations have separate Test Plan pages, which might be included.) Select your Columns to show just the test planning information and not the most current testing results; this data request isn’t about the testing results, just the plans in place to do the testing.
    • What are the Risks and Controls for my Business Process?
      Process Owners want to review their documentation from time to time.  (Okay, so Audit Directors WANT them to review their documentation from time to time.)  Filter the standard Risk Control Matrix for a single Business Process – and provide an overview for your Process Owner.  Make the process owner an Administrator on the report – and suggest that he/she save it to Favorite Reports for easy access.
    • Am I over-controlled or under-controlled?
      You can start to answer this question with this simple Risk-Control Matrix.  Make sure that your Risks to Financial Statement Assertions are adequately addressed by your controls (include Financial Statement Assertions as Columns in your results), and in those cases where they are addressed many times over, consider if some of those Controls may be downgraded to non-key.  If you want more information about Control Rationalization, check out our recent Risk Assessment blog post and training session.

All of these reports are coming from a risk-based perspective.  That’s most common, but it’s not unheard of to want to see your reporting from the control perspective.  Get wild and crazy!  Flip around your data sets!  Data Set 1 can filter for Controls, while Data Set 2 might filter for the Risks.

What Risks are vulnerable because of Deficiencies identified in our organization?

Ooh, good question!  This is what your testing is all about, right – where are we left vulnerable?  This can be a fun one to put together, too.

Start with your Deficiencies.  If you don’t have a separate page for Deficiencies, start with Test pages that have a “Failed” status.

Data Set 1: Filter for Deficiencies identified in the designated period of time.  (Likely to be this testing year.)
Data Set 2: Filter for the Test pages.
Data Set 3: Filter for the Control pages.
Data Set 4: Filter for the Risk pages.

This report – with four data sets of linked information – will provide you with the list of Risks that are left exposed by the Deficiencies that have been identified.  But is this the whole picture?  Some of those Risks might have additional or compensating Controls in place.  So…

Data Set 5: Filter for Control pages.

Again? Crazy, I know.  Data Set 3 will only show the Control that is linked to that failed Test.  But with this last data set, you can check to see if there is more than one Control in place that mitigates the Risk.  If so, you might decide that there is no vulnerability here.  You’re covered with another Control.
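To make the five-data-set walk concrete, here is an added example (not policyIQ code or data; the page ids, periods and field names below are constructed) that follows Deficiency to Test to Control to Risk for one testing period and then makes the Data Set 5 check for a compensating Control on each exposed Risk:

```python
# Constructed sample data standing in for the linked policyIQ pages above.
# Data Sets 3 and 5: Control pages, each linked to the Risks it mitigates.
CONTROLS = {
    "C-01": {"significance": "Key", "risks": ["R-01", "R-02"]},
    "C-02": {"significance": "Key", "risks": ["R-02"]},
    "C-03": {"significance": "Non-key", "risks": ["R-03"]},
    "C-04": {"significance": "Key", "risks": ["R-03"]},
}
# Data Set 2: Test pages, each linked to one Control.
TESTS = {
    "T-01": {"control": "C-01", "status": "Failed", "period": "FY2024"},
    "T-02": {"control": "C-02", "status": "Passed", "period": "FY2024"},
    "T-03": {"control": "C-03", "status": "Failed", "period": "FY2024"},
    "T-04": {"control": "C-04", "status": "Passed", "period": "FY2024"},
    "T-05": {"control": "C-02", "status": "Failed", "period": "FY2023"},
}
# Data Set 1: Deficiency pages, each linked to the Test that raised it.
DEFICIENCIES = {
    "D-01": {"test": "T-01", "period": "FY2024"},
    "D-02": {"test": "T-03", "period": "FY2024"},
    "D-03": {"test": "T-05", "period": "FY2023"},
}


def risk_exposure(period):
    """Walk Deficiency -> Test -> Control -> Risk for one testing period
    (Data Sets 1-4), then make the Data Set 5 pass: list every other Control
    on the same Risk that has no Deficiency this period. A Risk is exposed
    only when no such compensating Control exists."""
    failed = {TESTS[d["test"]]["control"]
              for d in DEFICIENCIES.values() if d["period"] == period}
    report = {}
    for ctrl in sorted(failed):
        for risk in CONTROLS[ctrl]["risks"]:
            report.setdefault(risk, {"failed": []})["failed"].append(ctrl)
    for risk, row in report.items():
        row["compensating"] = sorted(
            c for c, info in CONTROLS.items()
            if risk in info["risks"] and c not in failed)
        row["exposed"] = not row["compensating"]
    return report


def exposed_risks(period):
    """Only the Risk ids left exposed (no compensating Control), sorted."""
    return sorted(r for r, row in risk_exposure(period).items() if row["exposed"])


if __name__ == "__main__":
    for risk, row in risk_exposure("FY2024").items():
        print(risk, row)
```

Note that R-02 and R-03 both have a failed Control in FY2024 but drop out of the exposed list because another Control on the same Risk is still standing; only R-01 has nothing else covering it.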

What is the complete Test Plan for this Business Process?

I’ve heard this question asked by many testers who are tasked with testing a complete process.  Before they dig in and get started, they’d like to take a look at the “big picture”.  Like we mentioned above, they could look page by page, but there’s something about pulling it all together that can make the information easier to digest.

For a tester, though, they rarely want to start at the Risk level.  Instead, they are more interested in the individual Tests that they are expected to complete – and how it rolls up into the big picture.

Data Set 1: Filter for the Test pages in that particular Business Process.  (Again, this is often based on a Folder, so be sure to add the appropriate filters.)
Data Set 2: Filter for Controls.
Data Set 3: Filter for Risks.

When you add Risks or Controls to your report, be sure to add columns that indicate the Business Process that they fall into.  In some cases, a Control or Risk might fall into more than one process.  Your tester will want to know that – and possibly even verify that the Test isn’t duplicative of something someone else is working on.

What do YOU want to know about your Risks, Controls, Tests, Deficiencies or Action Plans?

You’ll often hear us tell you that your ability to report in policyIQ is limited only by your imagination.  We know that’s not entirely true, but there are so many possibilities for powerful reports that we can’t possibly tell you about them all.  Instead, let us work with you.  If you aren’t sure how to create the report you need, contact us by email or give us a call and let us help you to ask the right questions.

Oh, and I apologize in advance if I sound like a 9th grade math teacher as I help you to “learn how to do it on your own next time”.  It’s genetic.

This entry was posted in Features by Chris Burd.

About Chris Burd

Chris is the Managing Director of the policyIQ group at RGP. She gets geeky about compliance and technology, and gets to spend every day working at the crossroads of the two. With policyIQ since 2005, Chris has worked with hundreds of policyIQ clients to implement technology and enhance their internal compliance environment. In the past few years, she's focused on enhancing policyIQ's offering as a Conflict Minerals and Anti-Corruption tool. In past lives, Chris worked as a system implementation consultant, an e-commerce specialist, a customer service call center manager, and - for one short but memorable summer during high school - a machine operator on midnight shift in a plastics factory. In her free time, she spoils her nieces, volunteers at her local food bank, and spends more time than she should taking photos of her cats. She would like to be a rock star when she grows up.
