RCM

RCM (Risk Control Matrix) is a matrix that lists the risks in a company's business processes together with the status of the control activities that address each of them.

Overview of RCM
RCM is a table (matrix) that describes the relation between each risk and the method used to control it (the countermeasure for that risk). It is closely tied to one of the six basic components of Internal Control:
 * "Evaluation and Response to Risks"
A company is required to analyze and evaluate the factors that could hinder the achievement of its own objectives (these factors are the risks) and, based on the results, to respond to those risks. RCM is the document that consolidates the status of the company's internal control over such risks. Its primary purpose is the "visualization of risks."

Contents of RCM
RCM (Risk Control Matrix) is one of the three documents recommended for the (Japanese) internal control reporting system defined in the (Japanese) Financial Instruments and Exchange Act (the "Three-piece Set"). The key risk items in an RCM are "risks that could jeopardize the reliability of financial reporting," so the controls over these items must be considered, practiced, and documented in the RCM with particular care. The specific contents are shown below.


 * 1) Risk
 * Details of the risk
 * 2) Related account items
 * Items in the financial statements that are affected by the risk
 * 3) Assertion (Audit Point)
 * Management's assertions that the financial statements are appropriate. They fall into five types.
 * Existence and occurrence: Assets and liabilities exist at the period end, and recorded transactions actually occurred during the period; in other words, no fictitious transactions are recorded.
 * Completeness: All transactions and events that should be recorded are actually included in the financial statements.
 * Valuation and allocation: Assets, liabilities, equity, revenues, and expenses are included in the financial statements at appropriate amounts.
 * Rights and obligations: The company holds the rights to its assets and bears the obligations for its liabilities.
 * Presentation and disclosure: The components of the financial statements are appropriately classified, described, and disclosed.
 * 4) Significance of Risk
 * Degree of impact and probability of occurrence of the risk
 * 5) Control
 * Controls over the risk
 * Detail: Concrete measures taken to control the risk
 * Frequency: How often the control is executed (e.g., monthly, weekly, as needed)
 * Object: Which aspect of the risk the control covers (e.g., integrity, accuracy, legitimacy, continuity)
 * Type: How the control acts on the risk (e.g., automated or manual; preventive or detective)
 * 6) Risk Evaluation
 * Overall evaluation of the risk, taking into account its significance, the controls over it, and so on

Creation of RCM
An RCM is created in the following steps.
 * 1) Specifying Activities
 * 2) Identifying Risks
 * 3) Classifying Risks
 * 4) Analyzing and Evaluating Risks
 * 5) Responding to Risks

Specifying Activities
First, define the scope of corporate activities and list all business processes within it. This clarifies the range of the company's activities and what each activity consists of. This phase is shared with the "business flow diagrams" and "business description documents," the other two components of the Three-piece Set.

Identifying Risks
Risks are factors that could hinder (negatively impact) the achievement of company objectives. They include external factors such as:
 * Intensified market competition
 * Fluctuations in exchange rates and material prices
and internal factors such as:
 * Breakdown or failure of information systems
 * Errors or fraud in bookkeeping
 * Leakage of personal information or of information about top-level business decisions
We need to grasp all issues that could affect the achievement of company objectives and identify the risks among them. Risks exist at several levels, from company-wide risks down to business-process-level risks, so it is important to identify risks appropriately at each level.

Classifying Risks
The identified risks are then classified. The classification criteria are as follows.
 * Company-wide risks or business-process risks
 * Precedented risks or unprecedented risks

Company-wide Risks or Business-process Risks
Company-wide risks are risks that could hinder the achievement of the objectives of the entire organization. Examples include the following. To counter these risks, controls must be established and operated across the entire organization, such as defining clear business policies and strategies and strengthening the functions of the board of directors, the auditors, and the audit committee.
 * Abnormal changes in the cash-flow position
 * Dependence on specific partners, products, technologies, etc.
 * Lawsuits and similar events
 * Dependence on an individual executive officer

Business-process risks are risks that affect the achievement of the objective of an individual business process. Examples include the following. These risks can be handled by control activities within the process, such as establishing KPIs that make the interim status visible and introducing BAM (Business Activity Monitoring) to monitor business execution in real time.
 * Lack of resources used in the process
 * Dependence on a single task
 * Inaccurate reporting on tasks

Precedented Risks or Unprecedented Risks
Risks can also be classified on the basis of past business history. Responses to precedented risks can be planned from the responses taken in the past, so more attention must be paid to responses to unprecedented risks. Note, however, that a precedented risk can turn into a new risk because of external changes and the like, so it must not be treated as fully understood.

Analyzing and Evaluating Risks
Next, analyze the probability of occurrence and the impact of each identified risk and, from these, estimate the significance of the risk. Then decide which countermeasures are needed, starting with the highest-priority risks.

Responding to risks
Responses to risks include the following.
 * Avoid
 * Mitigate
 * Transfer
 * Tolerate
 * Combination of the above

Avoiding Risks
This means stopping the activities that give rise to the risk. This option is chosen when the probability of occurrence or the impact is very large, or when the risk is difficult to manage.

Mitigating Risks
This means establishing a new control that reduces the probability of occurrence or the impact of the risk.

Transferring Risks
This means reducing the impact of the risk by transferring it to an external entity (e.g., purchasing insurance).

Tolerating Risks
This means taking no countermeasure and accepting the risk. This option is appropriate when the cost of proactive measures outweighs their benefit, or when countermeasures can still be taken after the risk materializes.

Once the approach to each risk has been decided, the following details of the control should be determined.
 * How often it is executed
 * Which aspects of the risk it covers, for example integrity, accuracy, legitimacy, and continuity
 * Whether it is executed automatically or manually, and whether it is a preventive control or not
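An RCM kept only as a spreadsheet is easy to leave inconsistent: a key risk with an empty control column, or an assertion listed under "Audit Point" that none of the controls actually addresses. The following is an added example, not code from the original page or from any regulator, that encodes the RCM items described under "Contents of RCM" and the control attributes just listed as data and runs the consistency checks a reviewer would want before sign-off. The scoring scale (impact and likelihood from 1 to 3, significance as their product, threshold 6 for a key risk), the `covers` attribute on a control, and the sample sales-process rows are all assumptions made for the illustration.

```python
"""Machine-checkable Risk Control Matrix (RCM).

Added example: models the RCM items (risk, related accounts, assertions,
significance, control, risk evaluation) and checks that every key risk is
controlled and every asserted audit point is covered by some control.
"""
from dataclasses import dataclass, field
from enum import Enum


class Assertion(Enum):
    """The five audit assertions listed in the RCM contents."""
    EXISTENCE = "existence and occurrence"
    COMPLETENESS = "completeness"
    VALUATION = "valuation and allocation"
    RIGHTS = "rights and obligations"
    PRESENTATION = "presentation and disclosure"


@dataclass
class Control:
    detail: str
    frequency: str        # e.g. "daily", "monthly", "as needed"
    covers: frozenset     # assertions this control addresses (assumed attribute)
    automated: bool       # Type: automated vs manual
    preventive: bool      # Type: preventive vs detective


@dataclass
class Risk:
    process: str
    detail: str
    accounts: list        # related account items
    assertions: frozenset # audit points this risk threatens
    impact: int           # 1 (low) .. 3 (high); assumed scale
    likelihood: int       # 1 (low) .. 3 (high); assumed scale
    controls: list = field(default_factory=list)

    def significance(self) -> int:
        """Significance of Risk = impact x likelihood (assumed scoring)."""
        return self.impact * self.likelihood


KEY_RISK = 6  # significance at or above this is a key risk (assumed threshold)

FSA_COLUMNS = ("Business Process Name", "Detail of Risk", "Detail of Control",
               "Audit Point", "Risk Evaluation", "Detail of Risk Evaluation")


def uncovered_assertions(risk: Risk) -> frozenset:
    """Assertions the risk threatens that no control claims to cover."""
    covered = frozenset().union(*(c.covers for c in risk.controls))
    return risk.assertions - covered


def risk_evaluation(risk: Risk) -> str:
    """Overall evaluation of the risk after considering its controls."""
    if not risk.controls:
        return "uncontrolled"
    if uncovered_assertions(risk):
        return "partially controlled"
    return "controlled"


def review(rcm: list) -> list:
    """Return (risk detail, finding) pairs a reviewer should resolve."""
    findings = []
    for r in rcm:
        key = r.significance() >= KEY_RISK
        if key and not r.controls:
            findings.append((r.detail, "key risk has no control"))
        missing = uncovered_assertions(r)
        if missing:
            names = ", ".join(sorted(a.value for a in missing))
            findings.append((r.detail, f"assertion not covered: {names}"))
        if key and r.controls and all(
                not c.automated and not c.preventive for c in r.controls):
            findings.append((r.detail, "key risk relies only on manual detective controls"))
    return findings


def to_fsa_rows(rcm: list) -> list:
    """Render the RCM in the six-column layout of the FSA sample format."""
    rows = []
    for r in rcm:
        rows.append(dict(zip(FSA_COLUMNS, (
            r.process,
            r.detail,
            "; ".join(c.detail for c in r.controls) or "(none)",
            ", ".join(sorted(a.value for a in r.assertions)),
            risk_evaluation(r),
            f"significance={r.significance()}, "
            f"uncovered assertions={len(uncovered_assertions(r))}",
        ))))
    return rows


# Constructed sample rows for a sales process (illustrative, not a real RCM).
SAMPLE_RCM = [
    Risk("Sales", "Sales recorded for shipments that did not occur",
         ["Sales", "Accounts receivable"], frozenset({Assertion.EXISTENCE}),
         impact=3, likelihood=2,
         controls=[Control("Invoices are matched to shipping documents before posting",
                           "daily", frozenset({Assertion.EXISTENCE}),
                           automated=True, preventive=True)]),
    Risk("Sales", "Shipments made but never invoiced",
         ["Sales", "Accounts receivable"],
         frozenset({Assertion.COMPLETENESS, Assertion.VALUATION}),
         impact=2, likelihood=2,
         controls=[Control("Monthly review of the unbilled-shipments report",
                           "monthly", frozenset({Assertion.COMPLETENESS}),
                           automated=False, preventive=False)]),
    Risk("Sales", "Credit notes issued without approval",
         ["Sales", "Accounts receivable"], frozenset({Assertion.EXISTENCE}),
         impact=3, likelihood=3),
]

if __name__ == "__main__":
    for detail, finding in review(SAMPLE_RCM):
        print(f"[{finding}] {detail}")
    for row in to_fsa_rows(SAMPLE_RCM):
        print(row)
```

Running the sample flags the third risk (a key risk with no control at all) and the second risk, whose monthly review covers completeness but not the valuation assertion it also lists. The `covers` attribute is the piece most spreadsheets lack; without it, "Audit Point" and "Detail of Control" cannot be cross-checked mechanically.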

As for the format of the Risk Control Matrix, the sample presented by the Financial Services Agency in its "Practice Standards for Management Assessment and Audit concerning Internal Control over Financial Reporting" consists of the six items shown below.
 * "Business Process Name"
 * "Detail of Risk"
 * "Detail of Control"
 * "Audit Point"
 * "Risk Evaluation"
 * "Detail of Risk Evaluation"

Related Articles

 * Internal Control
 * J-SOX
 * Internal Control Reporting System
 * Three-piece Set
 * Business Flow Diagram