Understanding an organization’s risk profile and tolerance is a critical factor for ensuring processes and controls are aligned with its mission and goals. Each organization and its risk environment is unique, depending on different factors, including:
- Business type
- Business size
- Laws or regulations
Equally unique is the organization’s strategy for accepting certain levels of risk or choosing to put measures in place that will prevent, or at least detect, negative events. The success or failure of a business can be directly linked to whether the organization truly understands and manages its risk exposure. Therefore, a holistic understanding of an organization’s risk environment is essential to provide management with the information necessary to make sound and informed business decisions.
What is a RACM?
A Risk and Control Matrix (RACM) is a powerful tool that can help an organization identify, rank, and implement control measures to mitigate risks. A RACM is a repository of risks that pose a threat to an organization’s operations, as well as the controls in place to mitigate those risks. Put simply, a RACM serves as a snapshot of an organization’s risk profile, measuring the organization’s risks against the formalized actions taken to prevent negative events from occurring.
The Building Blocks of a RACM
Identify Risks and Controls
At its core, a RACM depends on an organization’s ability to develop a comprehensive list of risks (internal and external) that may negatively impact the organization, along with the controls in place to defend against those risks. Not all risks affect organizations equally, so it is important to identify and document each risk and related control to understand how each risk can truly affect the organization. Common risk types include:
- Financial risks
- Operational risks
- IT risks
- Regulatory risks
- Fraud risks
- Reputational risks
Assess Risks and Controls
Before assessing risks, an organization needs to understand the definition of risk, the difference between inherent and residual risk, and the criteria used to rank each risk. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides the following definitions in its 2017 update to the Integrated Framework:
- Risk: The possibility that events will occur and affect the achievement of strategy and business objectives.
- Inherent vs. Residual Risk: Within a RACM, each risk has both an inherent and residual risk ranking.
- Inherent risk is the risk to an entity in the absence of any direct or focused actions by management to alter its severity. Each risk or event identified in a RACM is ranked on a scale to determine the likelihood that the event will take place and the impact, or potential damage, that would occur if that risk materialized. For example, the likelihood of a power outage bringing down a network is extremely low, but the impact the outage would have on business operations is extremely high. Based on the likelihood and impact rankings, each risk is assigned an overall inherent risk ranking.
- Residual risk is the risk remaining after management has taken action to alter its severity. Residual risk can be thought of as a weighted risk ranking that considers both the inherent risk and the effect of implemented controls in addressing the risk. Using the above example, the residual risk would be the risk of a power outage that remains after implementing controls such as an uninterruptible power supply (UPS) or battery backups to address an outage.
- Criteria to Rank Inherent and Residual Risk: To rank risks, an organization needs to establish ranking criteria for both the likelihood and impact of risks, as well as the control strength associated with each risk. Establishing ranking criteria allows the organization to apply a measured, uniform, and unbiased evaluation to each risk identified in the RACM. Typically, ranking criteria are applied on either a 3- or 5-point scale, ranging from low to high. Each point on the scale has its own criteria description that applies to each potential risk type and implemented control. For example:
- Is a risk likely to happen once a day or once every few years?
- Will the risk affect your organization financially, operationally, or legally?
- Will the control in place significantly reduce the risk or is the control weak or non-existent?
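The inherent and residual rankings described above, as an added worked example that is not from the article: a small RACM scorer on a 5-point scale that ranks a register by residual risk and flags entries whose controls leave the risk High. The likelihood x impact formula, the control-strength weighting, the Low/Medium/High thresholds and the sample register are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

SCALE_MAX = 5  # 5-point scale, 1 = low ... 5 = high (the article allows 3 or 5)

def rating_band(score: float) -> str:
    """Bucket a likelihood x impact score (1..25) into Low/Medium/High.
    Thresholds are an assumption; each organization sets its own criteria."""
    if score <= 4:
        return "Low"
    return "Medium" if score <= 12 else "High"

@dataclass
class RacmEntry:
    name: str
    likelihood: int        # 1 = once every few years ... 5 = daily
    impact: int            # 1 = negligible ... 5 = severe financial/operational/legal harm
    control_strength: int  # 1 = weak or non-existent ... 5 = strong, tested control
    control: str = ""

    def __post_init__(self):
        for attr in ("likelihood", "impact", "control_strength"):
            if not 1 <= getattr(self, attr) <= SCALE_MAX:
                raise ValueError(f"{attr} must be in 1..{SCALE_MAX}")

    def inherent_score(self) -> float:
        # Risk before any management action: likelihood x impact (assumed formula)
        return self.likelihood * self.impact

    def residual_score(self) -> float:
        # Assumed weighting: a stronger control scales the inherent score down,
        # but never to zero, because no control removes a risk entirely
        return self.inherent_score() * (SCALE_MAX + 1 - self.control_strength) / (SCALE_MAX + 1)

def prioritize(register):
    """Rank entries by residual risk, highest first, to guide resource allocation."""
    return sorted(register, key=lambda e: e.residual_score(), reverse=True)

def control_gaps(register):
    """Names of entries whose residual risk is still High: a control gap."""
    return [e.name for e in register if rating_band(e.residual_score()) == "High"]

# Constructed sample register; the ratings are illustrative, not from the article
SAMPLE_REGISTER = [
    RacmEntry("Power outage takes down network", 1, 5, 4, "UPS and battery backup"),
    RacmEntry("Phishing credential theft", 5, 4, 2, "Annual awareness training"),
    RacmEntry("Regulatory report filed late", 3, 3, 3, "Calendar reminders, one reviewer"),
    RacmEntry("Vendor invoice fraud", 2, 4, 1, "None"),
]
```

With these inputs the power outage rates Medium inherent but Low residual once the UPS control is weighted in, while the phishing entry stays High after its weak control and is reported as a gap.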
Benefits of a RACM for Your Organization
Developing and maintaining a RACM for an organization has multiple benefits. Most notably, a RACM will identify and highlight gaps that pose a threat to an organization that may not have been previously considered.
The exercise of documenting the full environment of risks related to an organization provides a valuable opportunity to properly consider the organization’s risk appetite and ensure that the organization has a plan to mitigate risks that it is not prepared to accept. Additionally, a RACM allows management to effectively prioritize the risks that need to be addressed. Mitigating all risks that could affect an organization is impractical. However, applying a resource like a RACM gives management the information needed to allocate resources toward those risks that pose the greatest, or most immediate, threats.
An organization striving to optimize its risk profile – identifying the amount of risk the business can tolerate while simultaneously achieving strategic goals – should consider leveraging a RACM as a powerful tool to clearly identify, understand, and manage its risk environment.