Creating a Risk Matrix in a spreadsheet

A mechanism used in the Risk Assessment process is to create a Risk Matrix. Typically, organizations use Excel for this matrix since they are familiar with Excel and no additional costs are involved. However, Risk Assessments are fairly complex and can involve Monte Carlo simulations, analysis of detailed transactional information, etc., so a more robust (relational) tool should be considered. This paper focuses on using a spreadsheet for the Risk Matrix. If you are creating a matrix for enterprise risk assessments, typically you have the risks as rows and the control activities as columns. In the SOX (Sarbanes-Oxley) world, the Controls are typically the rows, since you have to collect additional information on each Control. This paper focuses on an Enterprise Risk Management approach.

To have your matrix in line with the COSO ERM framework, you should organize your risk events in the categories identified in the COSO framework. If you have regulatory requirements, you should also identify additional risk events in categories that correspond to the regulation; this will facilitate any audit of your compliance with that regulation.

The columns should have an area for rating the risk. The risk is rated by the probability of that risk happening and the impact of the risk on your organization. There should be an area for Inherent Risk (before any mitigation activities) and Residual Risk (after any mitigation activities).

The columns should also have an area for Control Activities: Entity Level Controls, Information and Communication, and Monitoring. The COSO framework identifies some generic activities which can be included, but any regulation you are following is usually more specific, and the additional Control Activities it requires should each be identified as a separate activity (column).

Although the COSO framework does not identify Risk Response as a higher-level component, it is a good idea to include an area for Risk Response in your matrix: the better your Risk Response is designed, the less impact that risk will have on your organization, which ultimately reduces your Residual Risk score. Regulatory auditors will more than likely be interested in your Risk Response.

Not all Risk Factors (impact) and Controls are created equal, so a weighting factor should be used which will allow you to identify a Risk Factor that is more important to your organization. It will also allow you to identify which Control Activities are designed stronger and therefore reduce more risk than others. This weighting factor should have some non-subjective logic behind it; rating Risk Factors or the strength of a control as High, Medium or Low is subjective and usually will not pass an audit. You will also need evidence or proof that supports whatever weighting you use.

Once you have designed your matrix, you should review the structure with your auditor to ensure you are meeting the requirements. Be prepared to identify how you expect to be able to support the scores in your matrix.

The matrix should be designed so it allows you to compare Risk Scores (ones that have the highest probability and impact), so you can concentrate on the events that pose the highest risk to your organization or to meeting your regulatory requirements. It will also allow you to identify the Controls you have designed effectively or, more importantly, ones that can be improved. The Matrix should also be able to surface anomalies in your scoring system by identifying risks or events that do not pass the ‘gut feel’ test. Remember that using the matrix is an iterative process, and it will take a couple of cycles before the Risk Matrix accurately reflects your Risk Tolerance and Risk Culture.
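The scoring logic described above (probability times weighted impact for Inherent Risk, control weightings applied to arrive at Residual Risk, and ranking the rows so the highest residual scores and the anomalies stand out) is easier to audit when it is written down as explicit formulas rather than left implicit in spreadsheet cells. The following is an added example, not code from this paper or from Visage; it reproduces in Python what each matrix column would compute. It assumes a 1 to 5 rating scale, normalized Risk Factor weights, and control weightings combined multiplicatively (each control removes its share of whatever risk the previous controls left). The factor names follow the FFIEC mapping later in this paper, the control names follow the COSO components, and the three risk events, their ratings and the risk tolerance threshold are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List

# Rating scale for probability, impact and control applicability.
# Assumption of this example: the paper prescribes no particular scale.
SCALE_MAX = 5


@dataclass
class RiskFactor:
    """An impact dimension (a column of the matrix) with its weighting."""
    name: str
    weight: float          # relative importance; normalized across all factors


@dataclass
class Control:
    """A Control Activity column with its weighting (design effectiveness)."""
    name: str
    effectiveness: float   # fraction of applicable risk the control removes, 0.0..1.0


@dataclass
class RiskEvent:
    """One row of the matrix: a risk event rated against factors and controls."""
    name: str
    category: str                  # COSO category the event is filed under
    probability: int               # 1..SCALE_MAX
    impact: Dict[str, int]         # risk factor name -> impact rating 1..SCALE_MAX
    controls: Dict[str, int]       # control name -> how fully it applies, 0..SCALE_MAX


def weighted_impact(event: RiskEvent, factors: List[RiskFactor]) -> float:
    """Impact rating combined across Risk Factors using normalized weights."""
    total = sum(f.weight for f in factors)
    return sum((f.weight / total) * event.impact.get(f.name, 0) for f in factors)


def inherent_risk(event: RiskEvent, factors: List[RiskFactor]) -> float:
    """Inherent Risk = probability x weighted impact, before any mitigation."""
    return event.probability * weighted_impact(event, factors)


def control_reduction(event: RiskEvent, controls: List[Control]) -> float:
    """Fraction of inherent risk removed by all applicable controls.

    Controls combine multiplicatively: each one removes its share of the risk
    the previous controls left, so two 50% controls give 75%, never over 100%.
    """
    remaining = 1.0
    for c in controls:
        applicability = event.controls.get(c.name, 0) / SCALE_MAX
        remaining *= 1.0 - c.effectiveness * applicability
    return 1.0 - remaining


def residual_risk(event: RiskEvent, factors: List[RiskFactor],
                  controls: List[Control]) -> float:
    """Residual Risk = inherent risk left after the Control Activities."""
    return inherent_risk(event, factors) * (1.0 - control_reduction(event, controls))


def rank_events(events: List[RiskEvent], factors: List[RiskFactor],
                controls: List[Control], tolerance: float) -> List[dict]:
    """Score every row and sort by residual risk, highest first.

    needs_response flags rows still above the stated risk tolerance (a Risk
    Response is required); single_control flags rows whose reduction rests on
    one control only, a candidate for the 'gut feel' review.
    """
    rows = []
    for e in events:
        inh = inherent_risk(e, factors)
        res = residual_risk(e, factors, controls)
        applied = [c for c in controls if e.controls.get(c.name, 0) > 0]
        rows.append({
            "event": e.name,
            "category": e.category,
            "inherent": round(inh, 2),
            "residual": round(res, 2),
            "reduction_pct": round(100 * control_reduction(e, controls)),
            "needs_response": res > tolerance,
            "single_control": len(applied) == 1,
        })
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


# Constructed sample matrix: weights and ratings are illustrative only.
FACTORS = [RiskFactor("Volume/Complexity", 3), RiskFactor("Regulatory", 2),
           RiskFactor("Human", 1)]
CONTROLS = [Control("Entity Level Controls", 0.4), Control("Monitoring", 0.3),
            Control("Management Oversight", 0.5)]
EVENTS = [
    RiskEvent("Wire transfer fraud", "Operational", 3,
              {"Volume/Complexity": 5, "Regulatory": 4, "Human": 3},
              {"Entity Level Controls": 5, "Monitoring": 5}),
    RiskEvent("Legacy core system outage", "Technology", 2,
              {"Volume/Complexity": 4, "Regulatory": 2, "Human": 2},
              {"Monitoring": 5}),
    RiskEvent("Key staff turnover", "Human Resources", 4,
              {"Volume/Complexity": 1, "Regulatory": 1, "Human": 5},
              {"Management Oversight": 5}),
]
RISK_TOLERANCE = 5.0   # constructed threshold: residual scores above it need a Risk Response

if __name__ == "__main__":
    for row in rank_events(EVENTS, FACTORS, CONTROLS, RISK_TOLERANCE):
        print(row)
```

Running it ranks "Wire transfer fraud" first (inherent 13.0, residual 5.46, still above tolerance despite two controls) and flags the legacy system row as resting on a single control. The point for an audit is that every number traces back to a stated weight and rating, which is what the paper means by non-subjective logic; the weights themselves still need the supporting evidence it calls for.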

Mapping regulations to your matrix can be difficult, since a regulation sometimes identifies the Risk, sometimes the Control and sometimes what could be considered a weight of your control activity (how effective the control is). As an example, we will look at what the Federal Financial Institutions Examination Council (FFIEC) has identified: “A successful risk assessment program can be based on an effective scoring system. In establishing a scoring system, the board of directors and management should ensure the system is understandable, considers all relevant risk factors, and, to the extent possible, avoids subjectivity.” The following table reflects the FFIEC recommendation and how each requirement can be implemented in a Risk Matrix.

| FFIEC Requirement | Implemented Strategy |
| --- | --- |
| The adequacy of internal controls | Reflect this in the Weightings of each column (Control). These weightings reflect the current control effectiveness against industry standards. |
| The nature of transactions (for example, the number and dollar volumes and the complexity) | Reflect this as a “Volume/Complexity” Risk Factor. |
| The age of the system or application | This should be reflected as a score in the Risk Event against the Control Activity. |
| The nature of the operating environment (for example, changes in volume, degree of system and reporting centralization, sensitivity of resident or processed data, the impact on critical business processes, potential financial impact, planned conversions, and economic and regulatory environment) | This is implemented by a combination of Risk Events, Risk Factors, individual Control Activities and the weighting system. A higher Risk Factor score should be given for new implementations, impact, etc. |
| The physical and logical security of information, equipment, and premises | A number of Control and Monitoring activities should reflect this requirement. |
| The adequacy of operating management oversight and monitoring | This is reflected as a “Management Oversight” Monitoring activity. |
| Previous regulatory and audit results and management’s responsiveness in addressing issues | A higher score should be given to the Regulatory Risk Factor if the event was identified in previous audits as lacking. |
| Human resources, including the experience of management and staff, turnover, technical competence, management’s succession plan, and the degree of delegation | The Human Risk Factor should address this requirement. |
| Senior management oversight | A separate Control activity of “Management Oversight” should be identified. |

As you can see, the regulatory requirements are a mixture of risk events, impact analysis, mitigation strategies and risk responses. The important thing is to make sure the risk is mitigated; the next thing you should strive for is to make it easy to communicate your compliance with the requirement to the auditor.

 

Our Team

Our team is comprised of experienced executives, managers and consultants who will assist your banking organization in the development, implementation and execution of comprehensive risk management and compliance strategies. From the initial passage of Sarbanes-Oxley in 2002, Visage has provided solutions to a client base ranging from private, entrepreneurial companies to large multinationals.

Our Value

    • Utilizing our proprietary SingleVue™ compliance and OpsAudit™ methodologies, we tailor comprehensive, cost-effective and flexible solutions to our clients.
    • Our solutions enhance your current business processes, rather than adding unnecessary overhead, thus creating measurable long-term value.
    • We involve your executive team, including your internal and external advisors, to guarantee solutions are absolutely consistent with your requirements.
    • We allow you to concentrate on managing your business.

For more information, visit our home page: www.visagesolutions.com

Copyright © 2008 Visage Solutions, LLC.