Each organization and its risk environment is unique, depending on different factors, including business type, size, resources, and laws or regulations. Hence, a Risk Control Matrix is an important tool to understand and optimize your organization’s risk profile.
A Risk Control Matrix (RCM), also commonly referred to as a Risk and Control Matrix (RACM), is a powerful tool that can help an organization identify, rank and implement control measures to mitigate all the risks prevalent in the organization. A RACM is a repository of the risks that pose a threat to an organization’s operations as well as the controls in place to mitigate those risks. Put simply, a RACM serves as a snapshot of an organization’s risk profile, measuring the organization’s risks against the formalized actions taken to prevent negative events from occurring.
Details under RCM
Further, as per Section 143(3)(i) of The Companies Act, 2013, auditors have to report whether the company has adequate Internal Financial Controls and on the operating effectiveness of such controls, for all classes of companies (listed/unlisted) except Private Limited Companies and One Person Companies (OPC) which have an annual turnover of less than Rs 50 Crores or have aggregate borrowings of less than Rs 25 Crores from banks/financial institutions at any time during the financial year issued after 13th June, 2017. Thus, an RCM is one of the outputs for ensuring the implementation of Internal Financial Control as prescribed by The Companies Act, 2013.
II. Case Study:
The Base Manufacturing Co. is one of the leading companies in India, dealing in a range of cosmetic products including fragrance, personal care and beauty brands. However, the management of the company is not very happy with the ongoing problems faced within the company. The CEO of the company, Mr. Naresh, has come across a major issue: there has been a lot of misappropriation of receipts from Debtors in the company over the past few months. On communication with the debtors, it was found that they had paid their dues to Base Manufacturing Co.; however, the payments were not reflected in the accounts of the Company. After detailed investigation, it was found that the Manager of the company had given a different account number to the debtors and used it to misappropriate the receivables from the debtors. The Company wanted to prevent such frauds in future and, since it did not have any internal check for the processes, it approached M/s MASD & Co., who were experts in the field of Risk Advisory and Assurance Services.
After evaluating the ongoing issue and clearly identifying the risks, MASD & Co. decided to devise a Risk Control Matrix (RCM) for Collection and invoicing as follows:
|Sub-Process||Risk Description||Risk Heat||Control Description||Control Nature|
|Collection||Unauthorised Bad Debt write offs||High||An ageing report should be generated to determine the period and amount outstanding. Also, a maker-checker process should be implemented to check and identify whether any bad debt has been written off without authorization.|| |
|Invoicing||Unauthorized access of invoices||High||Employee Responsibilities should be properly separated and Access Rights should be well-defined and granted to specific users||Preventive|
Since the company then implemented a well-designed Risk Control Matrix that properly addressed the risk it was facing, it was able to arrive at a proper solution, with proper controls in place that had not been implemented earlier.
As can be seen from the RCM above, developing and maintaining a RACM for an organization has multiple benefits.
An RCM provides a one-point documentation of business process, risks, control testing details and is used extensively. Organizations striving to optimize their risk profile – identifying the amount of risk they are willing to tolerate while simultaneously achieving strategic goals – should consider leveraging a RACM as a powerful tool to clearly identify, understand, and manage their risk environment. The success or failure of a business can be directly linked to whether the organization truly understands and manages its risk exposure. Therefore, it is essential to have a holistic understanding of an organization’s risk environment to provide Management with the information necessary to make sound and informed business decisions.
If you are interested in understanding how your organization could benefit from a Risk and Control Matrix, please reach out to us at the e-mail IDs mentioned below.
Authors: CA Aakash Mehta | Partner | E-mail: email@example.com
Poojan Joshi | Associate Consultant | E-mail: firstname.lastname@example.org