Purchase Risk Control Matrix

| No. | R | Category | Risk Event | L | C | F | Cause | Mitigation Type | Mitigation Strategy | L\* | C\* | Changes | Comments | ES | EY | Evidences |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Employee | Operational Risk (Purchase) | Purchasing a product that is not the optimal investment due to a lack of market research. "Optimal" includes product/service quality, vendor reliability, price, ... | 1 | 1 | Many times a day | | Preventing (Manual) | Compare products and vendors. | 1 | 1 | | | yes | yes | |
| 2 | See purchase approval table | Operational Risk (Purchase) | Unauthorized purchase (budget risks, fraud, compliance, ...). | 1 | 1 | Many times a day | | Preventing (Manual) | Authorize purchases according to the purchase approval table. This functions as a control and as separation of responsibilities. | 1 | 1 | | | yes | yes | |
| 3 | Employee | Operational Risk (Purchase) | Critical information related to a purchase is not stored or is difficult to find. | 1 | 1 | Many times a day | | Preventing (Manual & System) | Documents and important information related to a purchase are stored in the IT system, attached to the record of that purchase. | 1 | 1 | | | yes | yes | |
| 4 | Purchase | Operational Risk (Purchase) | Invalid invoice contents (formal and other mistakes/deviations). | 1 | 1 | Many times a day | | Preventing (System) | Automatic IT system checks. | 1 | 1 | | | yes | yes | |
| 5 | Purchase | Operational Risk (Purchase) | Invalid invoice contents (formal and other mistakes/deviations). | 1 | 1 | Many times a day | | Preventing (Manual) | Additional manual invoice approval by the purchase clerk. | 1 | 1 | | | yes | yes | |
| 6 | Head of department + Head of purchase | Operational Risk (Purchase) | Deviations between order and invoice. | 1 | 1 | Many times a day | | Preventing (Manual) | Approval by the responsible staff. | 1 | 1 | | | yes | yes | |
| 7 | Finance | Operational Risk (Finance) | Invalid posting. | 1 | 1 | Many times a day | | Preventing (System) | The IT system generates an automatic posting suggestion. | 1 | 1 | | | yes | yes | |
| 8 | Finance | Operational Risk (Purchase) | Invalid posting suggestion. | 1 | 1 | Many times a day | | Preventing (Manual) | The accountant can adjust the posting suggestion from the IT system. | 1 | 1 | | | yes | yes | |
| 9 | Head of finance | Operational Risk (Purchase) | Invalid posting. | 1 | 1 | Many times a day | | Preventing (System & Manual) | The head of finance checks a random sample of invoice postings. | 1 | 1 | | | yes | yes | |
| 10 | Finance | Operational Risk (Purchase) | Missing invoice payments. | 1 | 1 | Weekly | | Preventing (System) | The IT system generates a list of invoices due for payment. | 1 | 1 | | | yes | yes | |
| 11 | Finance | Operational Risk (Purchase) | Invalid cash back or forex calculations. | 1 | 1 | Weekly | | Preventing (System) | The IT system automatically calculates cash back and forex differences. | 1 | 1 | | | yes | yes | |
| 12 | Finance | Operational Risk (Purchase) | Invalid payment suggestion. | 1 | 1 | Weekly | | Preventing (Manual) | The accountant can add or remove payments. | 1 | 1 | | | yes | yes | |
| 13 | Finance + Head of finance | Operational Risk (Purchase) | Invalid payments. | 1 | 1 | Weekly | | Preventing (System & Manual) | Both the accountant and the head of finance approve the payments. The payment list shows which invoices were manually added, excluded or adjusted. | 1 | 1 | | | yes | yes | |
| 14 | Purchase | Operational Risk (Purchase) | Missing supplier information (e.g. important tax information). | 1 | 1 | Many times a day | | Preventing (System) | The IT system requires mandatory information before invoices can be created for a supplier. | 1 | 1 | | | yes | yes | |
| 15 | Purchase | Operational Risk (Purchase) | Invalid supplier information. | 1 | 1 | Many times a day | | Preventing (System) | The IT system performs automatic checks. | 1 | 1 | | | yes | yes | |
| 16 | Head of purchase | Operational Risk (Purchase) | False positive supplier errors. | 1 | 1 | Many times a day | | Preventing (Manual) | Manual supplier approval by the head of purchase. | 1 | 1 | | | yes | yes | |
| 17 | Purchase | Operational Risk (Purchase) | Critical changes to suppliers (e.g. sanctions). | 1 | 1 | Daily | | Preventing (System) | The IT system automatically checks suppliers against sanction lists every day. | 1 | 1 | | | yes | yes | |

Abbreviations

  • R: Responsible

  • L: Likelihood (1-5)

  • C: Consequence (1-5)

  • L*/C*: Likelihood and Consequence after mitigation

  • F: Frequency (many times a day, daily, weekly, monthly, annually)

  • ES: Effective

  • EY: Efficient

2022-01-01 - Version 1.0