diff --git a/Processes/01_Development_Risk Control Matrix.md b/Processes/01_Development_Risk Control Matrix.md index 7da0eec..5e222ed 100644 --- a/Processes/01_Development_Risk Control Matrix.md +++ b/Processes/01_Development_Risk Control Matrix.md @@ -1,6 +1,6 @@ # Development Risk Control Matrix -| No. | R | Category | Risk Event | L | C | O | Cause | Mitigation Type | Mitigation Strategy | L* | C* | Changes | Comments | ES | EY | Evidences | +| No. | R | Category | Risk Event | L | C | F | Cause | Mitigation Type | Mitigation Strategy | L* | C* | Changes | Comments | ES | EY | Evidences | | ---- | ----------------- | ------------------------------ | ------------------------------------------------------------ | ---- | ---- | ----------------- | ----------------------------- | ---------------------------- | ------------------------------------------------------------ | ---- | ---- | ------- | ------------------------------------------------------------ | ---- | ---- | --------- | | 1 | CTO | Operational Risk (Development) | Unauthorized source code and development asset access. | 1 | 1 | Many times a day | Unmanaged access permissions. | Preventing (System & Manual) | Only authorized people gain access to confidential source code and development assets. | 1 | 1 | | Not all source code and development assets are considered confidential and may be publicly accessible. The confidential aspects are determined by the CTO. | yes | yes | | | 2 | CTO | Operational Risk (Development) | Undefined terms of intellectual property for code contributions. | 1 | 3 | Many times a day | | Preventing (Manual) | The terms of intellectual property for all contributions are well defined. | 1 | 1 | | | yes | yes | | @@ -23,12 +23,12 @@ * L\*/C\*: Likelihood and Consequence after mitigation -* O: Occurrence (many times a day, daily, weekly, monthly, annually) +* F: Frequency (many times a day, daily, weekly, monthly, annually) * ES: Effective * EY: Efficient - + 2022-01-01 - Version 1.0 
diff --git a/Processes/02_Purchase_Risk Control Matrix.md b/Processes/02_Purchase_Risk Control Matrix.md index f263a8d..5ad6d0f 100644 --- a/Processes/02_Purchase_Risk Control Matrix.md +++ b/Processes/02_Purchase_Risk Control Matrix.md @@ -1,6 +1,6 @@ # Purchase Risk Control Matrix -| No. | R | Category | Risk Event | L | C | O | Cause | Mitigation Type | Mitigation Strategy | L* | C* | Changes | Comments | ES | EY | Evidences | +| No. | R | Category | Risk Event | L | C | F | Cause | Mitigation Type | Mitigation Strategy | L* | C* | Changes | Comments | ES | EY | Evidences | | ---- | -------------------------------------- | --------------------------- | ------------------------------------------------------------ | ---- | ---- | ---------------- | ----- | ---------------------------- | ------------------------------------------------------------ | ---- | ---- | ------- | -------- | ---- | ---- | --------- | | 1 | Employee | Operational Risk (Purchase) | Purchasing not the optimal investment product due to no market research. *"Optimal" includes product/service quality, vendor reliability, price, ...* | 1 | 1 | Many times a day | | Preventing (Manual) | Compare products and vendors | 1 | 1 | | | yes | yes | | | 2 | See purchase approval table | Operational Risk (Purchase) | Unauthorized purchase (budget risks, fraud, compliance, ...) | 1 | 1 | Many times a day | | Preventing (Manual) | Authorize purchases according to the purchase approval table. This functions as control and separation of responsibilities. | 1 | 1 | | | yes | yes | | @@ -30,12 +30,12 @@ * L\*/C\*: Likelihood and Consequence after mitigation -* O: Occurrence (many times a day, daily, weekly, monthly, annually) +* F: Frequency (many times a day, daily, weekly, monthly, annually) * ES: Effective * EY: Efficient - + 2022-01-01 - Version 1.0 diff --git a/Processes/03_Sales_Risk Control Matrix.md b/Processes/03_Sales_Risk Control Matrix.md index e8f2d76..0d2947e 100644 
--- a/Processes/03_Sales_Risk Control Matrix.md +++ b/Processes/03_Sales_Risk Control Matrix.md @@ -1,6 +1,6 @@ # Sales Risk Control Matrix -| No. | R | Category | Risk Event | L | C | O | Cause | Mitigation Type | Mitigation Strategy | L* | C* | Changes | Comments | ES | EY | Evidences | +| No. | R | Category | Risk Event | L | C | F | Cause | Mitigation Type | Mitigation Strategy | L* | C* | Changes | Comments | ES | EY | Evidences | | ---- | ------------------------------- | --------------------------- | ------------------------------------------------------------ | ---- | ---- | ---------------- | ----- | ---------------------------- | ------------------------------------------------------------ | ---- | ---- | ------- | ------------------------------------------------------------ | ---- | ---- | --------- | | 1 | Sales | Operational Risk (Sales) | Invalid offer | 1 | 1 | Many times a day | | Preventing (System) | Use default offers. | 1 | 1 | | | yes | yes | | | 2 | Sales | Operational Risk (Sales) | No flexibility in case of none-standard customer requests. | 1 | 1 | Many times a day | | Preventing (Manual) | Custom offers for customers. | 1 | 1 | | | yes | yes | | @@ -37,12 +37,12 @@ * L\*/C\*: Likelihood and Consequence after mitigation -* O: Occurrence (many times a day, daily, weekly, monthly, annually) +* F: Frequency (many times a day, daily, weekly, monthly, annually) * ES: Effective * EY: Efficient - + 2022-01-01 - Version 1.0 diff --git a/Processes/04_Support & Service_Risk Control Matrix.md b/Processes/04_Support & Service_Risk Control Matrix.md index f807281..d65b6cd 100644 --- a/Processes/04_Support & Service_Risk Control Matrix.md +++ b/Processes/04_Support & Service_Risk Control Matrix.md 
@@ -1,6 +1,6 @@ # Support & Service Risk Control Matrix -| No. | R | Category | Risk Event | L | C | O | Cause | Mitigation Type | Mitigation Strategy | L* | C* | Changes | Comments | ES | EY | Evidences | +| No. | R | Category | Risk Event | L | C | F | Cause | Mitigation Type | Mitigation Strategy | L* | C* | Changes | Comments | ES | EY | Evidences | | ---- | ---- | ------------------------------------ | ------------------------------------------------------------ | ---- | ---- | ---------------- | ----- | ------------------- | ------------------------------------------------------------ | ---- | ---- | ------- | -------- | ---- | ---- | --------- | | 1 | CTO | Operational Risk (Support & Service) | No legal basis for accessing customer data during customer support & service. | 1 | 1 | Daily | | Preventing (Manual) | Every customer must sign the Customer Data Protection Policy before they can receive support & service | 1 | 1 | | | yes | yes | | | 2 | CTO | Operational Risk (Support & Service) | No legal protection regarding liabilities and responsibilities during customer support & service. | 1 | 1 | Daily | | Preventing (Manual) | Every customer must sign the Customer Service Agreement before they can receive support & service | 1 | 1 | | | yes | yes | | @@ -30,13 +30,13 @@ * L\*/C\*: Likelihood and Consequence after mitigation -* O: Occurrence (many times a day, daily, weekly, monthly, annually) +* F: Frequency (many times a day, daily, weekly, monthly, annually) * ES: Effective * EY: Efficient - + 2022-01-01 - Version 1.0 diff --git a/Processes/05_HR_Risk Control Matrix.md b/Processes/05_HR_Risk Control Matrix.md index 4200da8..ce7562a 100644 --- a/Processes/05_HR_Risk Control Matrix.md +++ b/Processes/05_HR_Risk Control Matrix.md 
@@ -1,6 +1,6 @@ # HR Risk Control Matrix -| No. | R | Category | Risk Event | L | C | O | Cause | Mitigation Type | Mitigation Strategy | L* | C* | Changes | Comments | ES | EY | Evidences | +| No. | R | Category | Risk Event | L | C | F | Cause | Mitigation Type | Mitigation Strategy | L* | C* | Changes | Comments | ES | EY | Evidences | | ---- | ---- | --------------------- | ------------------------------------------------------------ | ---- | ---- | ---- | ----- | --------------------------- | ------------------------------------------------------------ | ---- | ---- | ------- | -------- | ---- | ---- | --------- | | 1 | DHR | Operational Risk (HR) | Unauthorized search for new employees. | 1 | 1 | | | Preventing (Manual) | Only selected people can authorize the employee search. | 1 | 1 | | | yes | yes | | | 2 | DHR | Operational Risk (HR) | Job postings are not posted according to the legal requirements. | 1 | 1 | | | Preventing (Manual) | Job postings must be posted internally and at the agency for labor. | 1 | 1 | | | yes | yes | | @@ -46,12 +46,12 @@ * L\*/C\*: Likelihood and Consequence after mitigation -* O: Occurrence (many times a day, daily, weekly, monthly, annually) +* F: Frequency (many times a day, daily, weekly, monthly, annually) * ES: Effective * EY: Efficient - + 2022-01-01 - Version 1.0 diff --git a/Processes/06_Finance_Risk Control Matrix.md b/Processes/06_Finance_Risk Control Matrix.md index 1bdd439..ea5c164 100644 --- a/Processes/06_Finance_Risk Control Matrix.md +++ b/Processes/06_Finance_Risk Control Matrix.md 
@@ -1,6 +1,6 @@ # Finance Risk Control Matrix -| No. | R | Category | Risk Event | L | C | O | Cause | Mitigation Type | Mitigation Strategy | L* | C* | Changes | Comments | ES | EY | Evidences | +| No. | R | Category | Risk Event | L | C | F | Cause | Mitigation Type | Mitigation Strategy | L* | C* | Changes | Comments | ES | EY | Evidences | | ---- | ---- | -------------------------- | ------------------------------------------------------------ | ---- | ---- | ---- | ------------------------------------------------------------ | --------------- | ------------------------------------------------------------ | ---- | ---- | ------- | -------- | ---- | ---- | --------- | | 1 | CFO | Operational Risk (Finance) | The company doesn't have a budget as a basis for their operations. | 1 | 1 | | | | The deadline for the budget finalization is defined with enough time until the new business year starts. | 1 | 1 | | | yes | yes | | | 2 | CFO | Operational Risk (Finance) | The budget is not approved/reviewed. | 1 | 1 | | | | The budget must be approved by the management. | 1 | 1 | | | yes | yes | | @@ -24,12 +24,12 @@ * L\*/C\*: Likelihood and Consequence after mitigation -* O: Occurrence (many times a day, daily, weekly, monthly, annually) +* F: Frequency (many times a day, daily, weekly, monthly, annually) * ES: Effective * EY: Efficient - + 2022-01-01 - Version 1.0firefod diff --git a/Processes/07_Management_Risk Control Matrix.md b/Processes/07_Management_Risk Control Matrix.md index 62fb521..cb0e3b3 100644 --- a/Processes/07_Management_Risk Control Matrix.md +++ b/Processes/07_Management_Risk Control Matrix.md 
@@ -1,6 +1,6 @@ # Management Risk Control Matrix -| No. | R | Category | Risk Event | L | C | O | Cause | Mitigation Type | Mitigation Strategy | L* | C* | Changes | Comments | ES | EY | Evidences | +| No. | R | Category | Risk Event | L | C | F | Cause | Mitigation Type | Mitigation Strategy | L* | C* | Changes | Comments | ES | EY | Evidences | | ---- | ---- | ----------------------------- | ------------------------------------------------------------ | ---- | ---- | ---- | ----- | ------------------------------- | ------------------------------------------------------------ | ---- | ---- | ------- | -------- | ---- | ---- | ------------------------------------------------------------ | | 1 | CEO | Operational Risk (Management) | The business operations are not planned appropriately (risks, chances, resources, ...). | | | | | Preventing (Manual) | Annual budget process as described in the finance process. | | | | | yes | yes | | | 2 | CEO | Operational Risk (Management) | Critical information are not appropriately shared in the company. | | | | | Preventing (Manual) | Regular meetings such as executive committee meetings, head of department meetings and department meetings. Publicly available organization structure and processes which clearly communicate tasks and responsibilites. Annual employee evaluations for additional information sharing. | | | | | yes | yes | | @@ -19,13 +19,13 @@ * L\*/C\*: Likelihood and Consequence after mitigation -* O: Occurrence (many times a day, daily, weekly, monthly, annually) +* F: Frequency (many times a day, daily, weekly, monthly, annually) * ES: Effective * EY: Efficient - + 2022-01-01 - Version 1.0 diff --git a/Processes/08_Quality Management_Risk Control Matrix.md b/Processes/08_Quality Management_Risk Control Matrix.md index 56fbc11..e92fe36 100644 --- a/Processes/08_Quality Management_Risk Control Matrix.md +++ b/Processes/08_Quality Management_Risk Control Matrix.md 
@@ -1,6 +1,6 @@ # Quality Management Risk Control Matrix -| No. | R | Category | Risk Event | L | C | O | Cause | Mitigation Type | Mitigation Strategy | L* | C* | Changes | Comments | ES | EY | Evidences | +| No. | R | Category | Risk Event | L | C | F | Cause | Mitigation Type | Mitigation Strategy | L* | C* | Changes | Comments | ES | EY | Evidences | | ---- | --------------------- | ------------------------------------- | ------------------------------------------------------------ | ---- | ---- | ---- | ----- | ------------------ | ------------------------------------------------------------ | ---- | ---- | ------- | -------- | ---- | ---- | --------- | | 1 | Internal auditor, DQM | Operational Risk (Quality Management) | Processes are not correctly implemented, no longer up-to-date or insufficient. | | | | | Revealing (Manual) | Every department is audited at least once a quarter by internal auditors. | | | | | | | | | 2 | Quality Management | Operational Risk (Quality Management) | The products and services contain insufficiencies which are not detected during the regular development controls and checks. | | | | | Revealing (Manual) | The software, documentation and services are manually tested like a normal customer/user would use them. | | | | | | | | @@ -16,13 +16,13 @@ * L\*/C\*: Likelihood and Consequence after mitigation -* O: Occurrence (many times a day, daily, weekly, monthly, annually) +* F: Frequency (many times a day, daily, weekly, monthly, annually) * ES: Effective * EY: Efficient - + 2022-01-01 - Version 1.0 diff --git a/Processes/09_IT_Risk Control Matrix.md b/Processes/09_IT_Risk Control Matrix.md index 389ad28..5b005ce 100644 --- a/Processes/09_IT_Risk Control Matrix.md +++ b/Processes/09_IT_Risk Control Matrix.md 
@@ -1,6 +1,6 @@ # IT Risk Control Matrix -| No. | R | Category | Risk Event | L | C | O | Cause | Mitigation Type | Mitigation Strategy | L* | C* | Changes | Comments | ES | EY | Evidences | +| No. | R | Category | Risk Event | L | C | F | Cause | Mitigation Type | Mitigation Strategy | L* | C* | Changes | Comments | ES | EY | Evidences | | ---- | -------------------- | --------------------- | ------------------------------------------------------------ | ---- | ---- | ------ | ----- | ------------------- | ------------------------------------------------------------ | ---- | ---- | ------- | -------- | ---- | ---- | --------- | | 1 | CTO | Operational Risk (IT) | Data loss | | | Daily | | Preventing (System) | Automatic daily local backups | | | | | | | | | 2 | CTO | Operational Risk (IT) | Data loss | | | Daily | | Preventing (System) | Automatic daily backups to external/remote service providers | | | | | | | | @@ -20,12 +20,12 @@ * L\*/C\*: Likelihood and Consequence after mitigation -* O: Occurrence (many times a day, daily, weekly, monthly, annually) +* F: Frequency (many times a day, daily, weekly, monthly, annually) * ES: Effective * EY: Efficient - + 2022-01-01 - Version 1.0 \ No newline at end of file diff --git a/Processes/Quality Management/COSO/FSCP.md b/Processes/Quality Management/COSO/FSCP.md new file mode 100644 index 0000000..e69de29 diff --git a/Processes/Quality Management/COSO/Risk Management/Risk Management Review Template.md b/Processes/Quality Management/COSO/Risk Management/Risk Management Review Template.md index 31f3b80..c95e00b 100644 --- a/Processes/Quality Management/COSO/Risk Management/Risk Management Review Template.md +++ b/Processes/Quality Management/COSO/Risk Management/Risk Management Review Template.md 
@@ -32,7 +32,7 @@ For details see the [Risk Register](Risk%20Register.md) and the Risk Control Mat ### New risks -| No. | R | Category | Risk Event | L | C | O | Cause | Mitigation Type | Mitigation Strategy | L* | C* | Changes | Comments | ES | EY | Evidences | +| No. | R | Category | Risk Event | L | C | F | Cause | Mitigation Type | Mitigation Strategy | L* | C* | Changes | Comments | ES | EY | Evidences | | ---- | ---- | -------- | ---------- | ---- | ---- | ---- | ----- | --------------- | ------------------- | ---- | ---- | ------- | -------- | ---- | ---- | --------- | | | | | | | | | | | | | | | | | | | @@ -42,7 +42,7 @@ Abbreviations: * L: Likelihood (1-5) * C: Consequence (1-5) * L\*/C\*: Likelihood and Consequence after mitigation -* O: Occurrence (many times a day, daily, weekly, monthly, annually) +* F: Frequency (many times a day, daily, weekly, monthly, annually) * ES: Effective * EY: Efficient diff --git a/Processes/Quality Management/COSO/Risk Management/Risk Report.xlsx b/Processes/Quality Management/COSO/Risk Management/Risk Report.xlsx index 69483c9..296078e 100644 Binary files a/Processes/Quality Management/COSO/Risk Management/Risk Report.xlsx and b/Processes/Quality Management/COSO/Risk Management/Risk Report.xlsx differ
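Review bot: in the Development matrix hunk (`@@ -1,6 +1,6 @@`), row 1 ("Unauthorized source code and development asset access") is marked both ES `yes` and EY `yes` while its `Evidences` cell is empty; for an access-control mitigation rated effective, link the evidence that backs the rating (for example the CTO's list of confidential assets referred to in the Comments cell and the matching permission review), or leave ES/EY blank until such evidence exists.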
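Review bot: every footer hunk (`@@ -23,12 +23,12 @@` in the Development matrix and its counterparts in the other eight matrices) combines the `O: Occurrence` to `F: Frequency` rename with a removed and re-added blank line (`-`/`+`) right before `2022-01-01 - Version 1.0`, which reads as a trailing-whitespace change; either drop the whitespace churn or say so in the commit message, and consider bumping the version line in the same hunk, since the column legend readers rely on has changed while the footer still claims Version 1.0 from 2022-01-01.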
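Review bot: the context line `2022-01-01 - Version 1.0firefod` in the Finance matrix footer hunk (`@@ -24,12 +24,12 @@`) carries stray text `firefod` after the version number; it predates this change, but the hunk already touches the adjacent lines, so correct it to `2022-01-01 - Version 1.0` here instead of leaving the typo in the repository.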
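Review bot: the HR matrix hunk leaves the renamed `F` column empty in rows 1 and 2 even though the legend now defines a fixed scale (many times a day, daily, weekly, monthly, annually), and the visible rows of the Finance, Management and Quality Management matrices have the same gap, with Management and Quality Management also missing L, C, L* and C*; fill the cells from the defined scales or mark them explicitly as not assessed, so that a blank cannot be read as "never" or as an unscored risk.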
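Review bot: in the IT matrix hunk, rows 1 and 2 file "Automatic daily local backups" and "Automatic daily backups to external/remote service providers" under `Preventing (System)`, but a backup does not prevent data loss, it limits the consequence by enabling recovery; if the matrices' type vocabulary only has Preventing and Revealing, add a recovering/corrective type rather than labelling backups as preventive, and fill the empty L, C, L*, C*, ES and EY cells for both rows (the reduction belongs in C*). The file also still ends with `\ No newline at end of file`, which this change could fix.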
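Review bot: `Processes/Quality Management/COSO/FSCP.md` is added as an empty file (`index 0000000..e69de29`) with no heading and no mention anywhere in the change; either give it at least a title and a one-line statement of what it will document, or keep it out of this column-rename commit so the placeholder is not forgotten.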
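Review bot: `Risk Report.xlsx` changes in the same commit (`index 69483c9..296078e`) but as a binary it cannot be reviewed here; state in the commit message what was edited in the spreadsheet (presumably the same `O` to `F` rename applied to the Review Template hunk `@@ -42,7 +42,7 @@`) and record which of the two, the Markdown matrices or the workbook, is the source of truth, so the column legend in the template and the report cannot drift apart silently.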