# HR Risk Control Matrix

| No. | R | Category | Risk Event | L | C | F | Cause | Mitigation Type | Mitigation Strategy | L* | C* | Changes | Comments | ES | EY | Evidence |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | DHR | Operational Risk (HR) | Unauthorized search for new employees. | 1 | 1 | | | Preventing (Manual) | Only selected people can authorize the employee search. | 1 | 1 | | | yes | yes | |
| 2 | DHR | Operational Risk (HR) | Job postings are not posted according to the legal requirements. | 1 | 1 | | | Preventing (Manual) | Job postings must be posted internally and at the labor agency. | 1 | 1 | | | yes | yes | |
| 3 | DHR | Operational Risk (HR) | The job postings are inconsistent or miss important information. | 1 | 1 | | | Preventing (Manual) | The DHR maintains a standard job posting layout. | 1 | 1 | | | yes | yes | |
| 4 | DHR | Operational Risk (HR) | The job postings are inconsistent or miss important information. | 1 | 1 | | | Preventing (Manual) | The DHR maintains standard job descriptions for the different positions, which must be used as a basis. | 1 | 1 | | | yes | yes | |
| 5 | DHR | Operational Risk (HR) | Mismatching applications are considered for the job posting. | 1 | 1 | | | Preventing (Manual) | The HR department reviews every application and filters out obviously mismatching applications. | 1 | 1 | | | yes | yes | |
| 6 | DHR | Operational Risk (HR) | Applications of candidates get rejected only because of minor mismatches. | 1 | 1 | | | Preventing (Manual) | Minor mismatches are allowed if the candidate fits the overall position. | 1 | 1 | | | yes | yes | |
| 7 | DHR | Operational Risk (HR) | Applications are handled with bias. | 1 | 1 | | | Preventing (Manual) | Applications are anonymized by the HR department. | 1 | 1 | | | yes | yes | |
| 8 | DHR | Operational Risk (HR) | Applicants don't receive feedback, leading to bad reviews. | 1 | 1 | | | Preventing (Manual) | The HR department has to reject mismatching applications in a timely manner using a default rejection text. | 1 | 1 | | | yes | yes | |
| 9 | DHR | Operational Risk (HR) | Applicants are subject to sanctions. | 1 | 1 | | | Revealing (System + Manual) | Applicants are checked by the HR department using sanctions screening software. | 1 | 1 | | | yes | yes | |
| 10 | DHR | Operational Risk (HR) | References of applicants are invalid. | 1 | 1 | | | Revealing (Manual) | The HR department performs random checks of references. | 1 | 1 | | | yes | yes | |
| 11 | DHR | Operational Risk (HR) | Applicants are chosen without a majority of the selection committee. | 1 | 1 | | | Preventing (Manual) | All selection committee members have equal voting rights. | 1 | 1 | | | yes | yes | |
| 12 | DHR | Operational Risk (HR) | Critical contractual aspects are missing. | 1 | 1 | | | Preventing (Manual) | The HR department has to use a sample contract which contains all important standard contractual aspects. | 1 | 1 | | | yes | yes | |
| 13 | DHR | Operational Risk (HR) | The applicant receives an unapproved contract. | 1 | 1 | | | Preventing (Manual) | The DHR must approve a contract before it can be sent to the applicant. | 1 | 1 | | | yes | yes | |
| 14a | DHR | Operational Risk (HR) | An applicant gets employed who was not selected by the majority of the selection committee. | 1 | 1 | | | Preventing (Manual) | The DHR checks that the applicant was selected through a majority vote of the selection committee. | 1 | 1 | | | yes | yes | |
| 14b | DHR | Operational Risk (HR) | The applicant didn't submit any credentials for aspects mentioned in their CV. | 1 | 1 | | | Preventing (Manual) | The DHR checks that the applicant submitted the credentials for aspects mentioned in their CV. | 1 | 1 | | | yes | yes | |
| 14c | DHR | Operational Risk (HR) | The credentials are invalid. | 1 | 1 | | | Preventing (Manual) | The DHR checks that the credentials were successfully verified (random checks). | 1 | 1 | | | yes | yes | |
| 14d | DHR | Operational Risk (HR) | The contract signed by the applicant has been altered. | 1 | 1 | | | Preventing (Manual) | The DHR checks that the contract is unaltered. | 1 | 1 | | | yes | yes | |
| 14e | DHR | Operational Risk (HR) | No NDA or an altered NDA is signed. | 1 | 1 | | | Preventing (Manual) | The DHR checks that the unaltered NDA is signed. | 1 | 1 | | | yes | yes | |
| 14f | DHR | Operational Risk (HR) | No CLA or an altered CLA is signed. | 1 | 1 | | | Preventing (Manual) | The DHR checks that the unaltered CLA is signed. | 1 | 1 | | | yes | yes | |
| 14g | DHR | Operational Risk (HR) | No privacy policy or an altered privacy policy is signed. | 1 | 1 | | | Preventing (Manual) | The DHR checks that the unaltered privacy policy is signed. | 1 | 1 | | | yes | yes | |
| 14h | DHR | Operational Risk (HR) | The applicant has a criminal record which prevents their employment. | 1 | 1 | | | Preventing (Manual) | The DHR checks that the criminal record certificate is negative. | 1 | 1 | | | yes | yes | |
| 14i | DHR | Operational Risk (HR) | The applicant is subject to sanctions which prevent their employment. | 1 | 1 | | | Preventing (Manual) | The DHR checks that the sanctions check is negative. | 1 | 1 | | | yes | yes | |
| 14j | DHR | Operational Risk (HR) | The applicant's tax ID is missing. | 1 | 1 | | | Preventing (Manual) | The DHR checks that the applicant's tax ID is available. | 1 | 1 | | | yes | yes | |
| 14k | DHR | Operational Risk (HR) | The applicant has no work permit even though one is required for this position. | 1 | 1 | | | Preventing (Manual) | The DHR checks that the work permit is available. | 1 | 1 | | | yes | yes | |
| 15 | DHR | Operational Risk (HR) | The contract for the applicant is signed by unauthorized personnel. | 1 | 1 | | | Preventing (Manual) | The DHR only hands over the contract for signing to authorized personnel. | 1 | 1 | | | yes | yes | |
| 16 | DHR | Operational Risk (HR) | Training plans are inconsistent or miss critical components. | 1 | 1 | | | Preventing (Manual) | A sample training plan must be used as a basis. | 1 | 1 | | | yes | yes | |
| 17 | DHR | Operational Risk (HR) | The employee is not completely trained. | 1 | 1 | | | Preventing (Manual) | The employee must sign the training plan after completion, confirming their training. | 1 | 1 | | | yes | yes | |
| 18 | DHR | Operational Risk (HR) | The employee doesn't receive any feedback regarding their performance. | 1 | 1 | | | Preventing (Manual) | Annual employee evaluations are carried out by supervisors. | 1 | 1 | | | yes | yes | |
| 19 | DHR | Operational Risk (HR) | The employee evaluation and performance are not shared with the HR department, which leads to problems during salary negotiations. | 1 | 1 | | | Preventing (Manual) | The employee evaluation must be handed over by the supervisor to the HR department, which stores this evaluation in the employee file. | 1 | 1 | | | yes | yes | |
| 20 | DHR | Operational Risk (HR) | The employee evaluation doesn't take place. | 1 | 1 | | | Preventing (Manual) | The HR department checks that all evaluations have taken place and reminds the supervisors. | 1 | 1 | | | yes | yes | |
| 21 | DHR | Operational Risk (HR) | The employee evaluation by the supervisor and the employee's self-assessment diverge. | 1 | 1 | | | Preventing (Manual) | The employee must provide a self-evaluation before the employee evaluation takes place, which allows both sides to reconcile the differences. | 1 | 1 | | | yes | yes | |
| 22 | DHR | Operational Risk (HR) | The organization is unattractive for employees. | 1 | 1 | | | Preventing (Manual) | Employees have an annual opportunity to submit an anonymous company evaluation, which is evaluated by the HR department and discussed in the executive committee meeting. | 1 | 1 | | | yes | yes | |
| 23 | DHR | Operational Risk (HR) | The employee is put on sanction lists after joining the company. | 1 | 1 | | | Revealing (System) | All employees are checked automatically every day by sanctions screening software. | 1 | 1 | | | yes | yes | |

## Abbreviations

* R: Responsible
* L: Likelihood (1-5)
* C: Consequence (1-5)
* L\*/C\*: Likelihood and Consequence after mitigation
* F: Frequency (many times a day, daily, weekly, monthly, annually)
* ES: Effective
* EY: Efficient

2022-01-01 - Version 1.0