# Support & Service Risk Control Matrix

| No. | R | Category | Risk Event | L | C | O | Cause | Mitigation Type | Mitigation Strategy | L* | C* | Changes | Comments | ES | EY |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | CTO | Operational Risk (Support & Service) | No legal basis for accessing customer data during customer support & service. | 1 | 1 | Daily | | Preventing (Manual) | Every customer must sign the Customer Data Protection Policy before they can receive support & service. | 1 | 1 | | | yes | yes |
| 2 | CTO | Operational Risk (Support & Service) | No legal protection regarding liabilities and responsibilities during customer support & service. | 1 | 1 | Daily | | Preventing (Manual) | Every customer must sign the Customer Service Agreement before they can receive support & service. | 1 | 1 | | | yes | yes |
| 3 | CTO | Operational Risk (Support & Service) | Unauthorized people make support & service requests. | 1 | 1 | Many times a day | | Preventing (Manual) | Only authorized persons are allowed to make support & service requests. | 1 | 1 | | | yes | yes |
| 4a | CTO | Operational Risk (Support & Service) | Poorly defined goals and tasks result in miscommunication, high costs and unmet expectations. | 1 | 1 | Many times a day | | Preventing (Manual) | Define goals, tasks, specifications and costs in writing in an offer. | 1 | 1 | | | yes | yes |
| 4b | CTO | Operational Risk (Support & Service) | Estimates of goals, tasks, specifications and costs deviate significantly from the actual values. | 1 | 1 | Many times a day | | Preventing (Manual) | Only personnel with sufficient experience are allowed to make these estimates. | 1 | 1 | | | yes | yes |
| 5 | CTO | Operational Risk (Support & Service) | The customer disputes the provided service. | 1 | 1 | Many times a day | | Preventing (Manual) | The customer must approve the offer in writing. | 1 | 1 | | | yes | yes |
| 6 | CTO | Operational Risk (Support & Service) | Environment setup & configuration is performed by inexperienced employees. | 1 | 1 | Daily | | Preventing (Manual) | Only employees with sufficient experience are allowed to perform the environment setup & configuration. | 1 | 1 | | | yes | yes |
| 7 | CTO | Operational Risk (Support & Service) | The customer disputes the provided service. | 1 | 1 | Many times a day | | Preventing (Manual) | Software setup & configuration is only allowed together with the customer. | 1 | 1 | | | yes | yes |
| 8 | CTO | Operational Risk (Support & Service) | Installation of unapproved software on the customer server causes issues. | 1 | 1 | Many times a day | | Preventing (Manual) | Only approved software is allowed to be installed on customer servers. | 1 | 1 | | | yes | yes |
| 9 | CTO | Operational Risk (Support & Service) | Bad, risky or faulty software gets approved for installation at customers. | 1 | 1 | Quarterly | | Preventing (Manual) | Only the CTO is allowed to approve software for installation on customer hardware, and only after testing. | 1 | 1 | | | yes | yes |
| 10 | CTO | Operational Risk (Support & Service) | Insufficient hardware resources for the application. | 1 | 1 | Daily | | Preventing (Manual) | Tested system requirements are provided to the customers. | 1 | 1 | | | yes | yes |
| 11 | CTO | Operational Risk (Support & Service) | Leaking customer data, including server login names and passwords. | 1 | 1 | Daily | | Preventing (Manual) | No customer data, including server login names or passwords, is stored on the organization's side. | 1 | 1 | | | yes | yes |
| 12 | CTO | Operational Risk (Support & Service) | Not all necessary steps are executed during the application setup, or they are executed incorrectly. | 1 | 1 | Daily | | Preventing (Manual) | An Application Install Checklist is provided, which must be used during the install process. | 1 | 1 | | | yes | yes |
| 13 | CTO | Operational Risk (Support & Service) | The trainings do not cover important aspects. | 1 | 1 | Daily | | Preventing (Manual) | Trainings must be held according to the Training Manuals defined by the CTO. | 1 | 1 | | | yes | yes |
| 14 | CTO | Operational Risk (Support & Service) | The maintenance does not cover important aspects. | 1 | 1 | Daily | | Preventing (Manual) | Maintenance must be performed according to the Maintenance Checklist defined by the CTO. | 1 | 1 | | | yes | yes |
| 15 | HOCS | Operational Risk (Support & Service) | Support requests from customers are handled by people who lack the necessary skills or experience. | 1 | 1 | | | Preventing (Manual) | Support requests are assigned according to experience and skillsets by team leaders, senior employees or the HOCS. | 1 | 1 | | | yes | yes |
| 16 | CTO | Operational Risk (Support & Service) | The provided support is not satisfactory for the customers. | 1 | 1 | | | Revealing (Manual) | Customers have the option to provide feedback after every closed support request. | 1 | 1 | | | yes | yes |

## Abbreviations

* R: Responsible
* L: Likelihood (1-5)
* C: Consequence (1-5)
* L\*/C\*: Likelihood and Consequence after mitigation
* O: Occurrence (many times a day, daily, weekly, monthly, annually)
* ES: Effective
* EY: Efficient

2022-01-01 - Version 1.0