
RCM (Risk Control Matrix) is a matrix describing risks in businesses and the statuses of the corresponding control activities.

[Figure: RCM Sample]


Overview of RCM

RCM is a table (matrix) that describes the relationships between risks and the methods used to control each risk (the countermeasures for each risk). It is closely related to one of the six factors of Internal Control:

  • "Evaluation and Response to Risks"

Companies are required to analyze and evaluate the factors that could disturb the accomplishment of their own goals, which are to be considered risks, and to deal with those risks based on the results. RCM is a document that aggregates the status of the company's Internal Control over such risks. The primary purpose of RCM is "visualization of risks."

Contents of RCM

RCM (Risk Control Matrix) is one of the three tools recommended for the (Japanese) internal control reporting system defined in the (Japanese) Financial Products Trading Law (the Three-piece Set). The important risk item in RCM is "a risk that could jeopardize the credibility of financial reports," so the controls over the important risk items must be intensively considered and practiced, and also described in detail in the RCM. The specific contents are shown below.

  1. Risk
    Details of risks
  2. Related account items
    Items in statement of accounts that are affected by the risks
  3. Assertion (Audit Point)
    Management's assertions about the appropriateness of the reports. They are categorized into five types.
    1. Assertion about existence and occurrence: This is an assertion that assets, liabilities, and transactions exist during the corresponding financial period. It shows that no fictitious transactions etc. are recorded.
    2. Assertion about completeness: This is an assertion that all transactions and issues to be recorded are actually included in the documents.
    3. Assertion about valuation and allocation: This is an assertion that assets, liabilities, capital, profits, and costs are appropriately included in financial documents.
    4. Assertion about rights and obligations: This is an assertion that the rights to the assets and the obligations for the liabilities pertain to the company.
    5. Assertion about presentation and disclosure: This is an assertion that specific components in financial documents are appropriately classified, described, and disclosed.
  4. Significance of Risk
    Degree of the impact and probability of occurrence of risks
  5. Control
    Control over the risks
    1. Detail: Detail of concrete measures to control risks
    2. Frequency: How frequently the measures are executed (e.g. Monthly, weekly, as needed, etc.)
    3. Object: The part of risk factors to be covered (e.g. Integrity, accuracy, legitimacy, continuity, etc.)
    4. Type: How the control measures influence the risks (e.g. Automated control or manual control, proactive or heuristic, etc.)
  6. Risk Evaluation
    Overall evaluation of risks based on the importance of the risks, controls over them, and so on

Creation of RCM

The process to create RCM is as follows.

  1. Specifying Activities
  2. Identifying Risks
  3. Classifying Risks
  4. Analyzing and Evaluating Risks
  5. Responding to Risks

Specifying Activities

First, we need to specify the range of corporate activities and define all business processes. By doing so, the activity range of the company and the details of its activities are clarified. This phase is shared with "business flow diagrams" and "business description documents," which are the other two components of the Three-piece Set.

Identifying Risks

Risks are the factors that could disturb (negatively impact) the accomplishment of company goals. More specifically, there are external factors such as the following.

  • Intensification of market competition
  • Changes in currency exchange rates and in the market prices of materials

There are also internal factors such as the following.

  • Breakdown or failure of information systems
  • Occurrence of errors and dishonest acts in bookkeeping
  • Leakage of personal information or of information concerning top-level business decision-making

We need to grasp the issues that could affect the accomplishment of company goals, and then we can identify the risks among them. Risks exist at a variety of levels, from the company level to the business-process level. Therefore, it is important to identify risks appropriately at each level.

Classifying Risks

Identified risks are classified here. The criteria for the classification are as follows.

  • Company-wide Risks or Business-process Risks
  • Antecedent Risks or Unprecedented Risks

Company-wide Risks or Business-process Risks

Company-wide risks are risks that could disturb the accomplishment of the goals of the entire organization. For example, the following risks are included.

  • Abnormal shift in the cash-flow status
  • Dependency on some specific partners, products, technologies, etc.
  • Occurrence of lawsuits etc.
  • Dependency on an individual executive officer

To counter these risks, it is necessary to prepare and operate controls over the entire organization, including defining clear business policies and strategies, reinforcing the functions of the board of directors, auditors, and audit committee, and so on.

Business-process risks are risks that affect the accomplishment of the goal of each business process. The following risks are included here.

  • Lack of resources used in the process
  • Dependency on one single task
  • False reports about tasks

We can handle these risks by means of in-business control activities, such as establishing KPIs that help track the status along the way and introducing BAM, which monitors business execution in real time.

Antecedent Risks or Unprecedented Risks

Risks can be classified based on past business history. Responses to "antecedent risks" can be planned based on the responses taken in the past. We must pay more attention to responses to unprecedented risks. However, antecedent risks can sometimes turn into novel risks owing to external changes etc., so we must be careful about them as well.

Analyzing and Evaluating Risks

By analyzing the probability of occurrence of the risks above and their impacts, we estimate the significance of each risk. Then, we should evaluate what countermeasures need to be taken, starting from the risks of highest priority.

Responding to Risks

Responses to risks include the following.

  • Avoid
  • Mitigate
  • Transfer
  • Tolerate
  • Combination of the above

Avoiding Risks

This means stopping the activities that cause the risks. This option is chosen if the probability of occurrence or the impact of the risks is very large, or if managing the risks is difficult.

Mitigating Risks

This means establishing a new control to reduce the probability of occurrence of the risks and their impacts.

Transferring Risks

This means reducing the impacts of risks by transferring the risks to external entities (e.g., buying insurance).

Tolerating Risks

This means taking no countermeasures and tolerating the risks. This option should be taken when the cost of proactive measures outweighs the effects or when countermeasures can be taken even after the risks are actualized.

After the approaches to the risks are determined, the following details should be determined.

  • How often they should be executed
  • Which aspects of the risk (for example, integrity, accuracy, legitimacy, and continuity) are covered
  • Whether countermeasures are executed automatically or manually, and whether they are proactive measures or not

Regarding the format of the Risk Control Matrix, the sample presented in "Execution criteria of evaluation and supervision concerning internal control over financial reports" by the Financial Services Agency consists of the 6 items shown below.

  • "Business Process Name"
  • "Detail of Risk"
  • "Detail of Control"
  • "Audit Point"
  • "Risk Evaluation"
  • "Detail of Risk Evaluation"
