
Internal Audit Risk and Control Matrix Template

This document contains a risk and control matrix that was used to assess inherent risks and existing controls. It lists the audit objectives and risks identified. For each risk, it rates the impact from 1-5 and the likelihood from 1-4, then calculates the risk rating by multiplying impact by likelihood. This provides an inherent risk rating for each audit objective. It also evaluates whether existing controls are adequate to prevent, detect or correct risks, and references where these are documented.

Uploaded by Silvanus Kilindu

DRAFT 1

RISK AND CONTROL MATRIX


Columns:
Audit Objective/Scope
Inherent risk
Inherent risk rating: Impact (I), Likelihood (L), Rating (IL)
Existing controls
Control type: (P) preventative, (D) detective, (C) corrective
Control mode: (M) manual / (A) automated
Adequacy testing: (C) completeness, (V) validity, (A) accuracy, (R) restricted access
Adequate (Y/N)
EWP reference
Finding ref.

Inherent risk rating values:
I L IL
5 4 20
4 3 12
3 3 9
4 4 16
3 3 9
3 3 9
4 4 16
4 3 12
4 3 12
4 3 12
4 3 12
4 3 12
3 3 9
4 3 12
3 3 9
4 3 12
4 3 12
4 3 12
3 3 9
4 3 12
4 3 12
4 3 12
4 3 12
4 3 12
4 3 12
3 2 6
3 2 6
4 3 12
4 3 12
3 3 9
3 3 9
3 3 9
4 4 16
4 3 12
3 3 9
3 3 9
4 3 12
4 3 12

Disclaimer: The content and format of this document are the intellectual property of XYZ Credit Tanzania Limited. This document is
confidential and may not be used, copied, reprinted, adapted or reproduced in whole or in part by any internal or external party without
explicit written permission from the Internal Auditor.

How to define your risks

Once you have identified specific risks, use the steps below to identify the impact (I), likelihood (L) and limitation of risk (LR).

STEP 1 - Choose one of the following to define the impact if the risk happens
Impact
Score Impact level Your Assessment
5 Extreme
4 High
3 Moderate
2 Low
1 Negligible

STEP 2 - Choose one of the following to define the likelihood of the risk happening
Likelihood
Score Likelihood level Your Assessment
5 Almost certain Is expected to occur in most circumstances; Happens often or is happening currently; Happens often.
4 Likely Would probably occur in most circumstances; Could easily happen within 0-3 months (5-11 times per year); Could easily happen.
3 Possible Could occur at some time; May occur within the next 3-6 months (1-4 times every year); May occur here or elsewhere.
2 Unlikely Is not expected to occur; May occur in the next 12 months; Has not happened, but could.
1 Rare May occur only in exceptional circumstances

STEP 3 - Use these two ratings to determine the overall risk rating (blue/green/yellow/amber/red)
Plot the likelihood and consequence ratings on the matrix to identify the colour of the risk rating.
For example: a risk with a 'possible' likelihood and 'moderate' consequence would be rated as AMBER (where the two intersect on the matrix).

Impact Likelihood Risk rating


negligible rare blue
negligible likely green
negligible possible green
negligible unlikely green
Low rare green
Low unlikely green
moderate rare green
high rare green
negligible almost certain yellow
Low possible yellow
Low likely yellow
moderate unlikely yellow
moderate possible yellow
high unlikely yellow
extreme rare yellow
low almost certain amber
moderate likely amber
moderate almost certain amber
high possible amber
high likely amber
extreme unlikely amber
extreme possible amber
high almost certain red
extreme likely red
extreme almost certain red

Impact by perspective

Impact Level / Your Assessment / Financial perspective (net impact p.a. - R)

5 Extreme
  Your Assessment: Significant impact on the achievement of goals/objectives
  Financial perspective: Inability to sustain operations over the next 12 months; % loss of clients
4 High
  Your Assessment: High impact on the achievement of goals/objectives
  Financial perspective: > 30% of annualised revenue; % loss of clients
3 Moderate
  Your Assessment: Moderate impact on the achievement of goals/objectives
  Financial perspective: 10% < 30% of annualised revenue; % loss of clients
2 Low
  Your Assessment: Impacts on a limited aspect of the activity
  Financial perspective: 5% < 10% of annualised revenue; % loss of clients
1 Negligible
  Your Assessment: The consequences are dealt with by routine operations
  Financial perspective: < 5% of annualised revenue; % loss of clients

Resource perspective / Reputational perspective / Legal

5 Extreme
  Resource perspective: Loss of key personnel and skills, or widespread industrial action (# of days); Loss of functionality > 2 days
  Reputational perspective: Adverse publicity resulting from maladministration or clinical decisions or mistakes made affecting the health/life of beneficiaries of clients
  Legal: Withdrawal of accreditation, heavy fines or long civil actions, jail terms
4 High
  Resource perspective: Long term shortage of appropriate skills and loss of personnel; Unavailability of key skills in the market indefinitely; Local or sectoral industrial action (# of days); Loss of functionality in a key operating system for more than 1 day
  Reputational perspective: General loss of trust; Poor communication; Significant adverse national media and public attention
  Legal: Accreditation restrictions, fines, costly litigation
3 Moderate
  Resource perspective: Medium term shortage of skills; Local or sectoral industrial action (# of days); System functionality impaired in key system > 8 hours
  Reputational perspective: Problems in key areas; Media attention or heightened local/industry or public concern
  Legal: Breach of regulations with official enquiry or investigation
2 Low
  Resource perspective: Grievances and disputes; Frequent loss of services
  Reputational perspective: Concern in certain areas; Minor adverse local attention and complaints
  Legal: Warnings and penalties, moderate compensation claims
1 Negligible
  Resource perspective: Complaints and dissatisfaction amongst workforce; Occasional loss of local services for short periods
  Reputational perspective: Minor problems - business as usual; Limited damage to reputation from media cases
  Legal: Minor legal issues

Health and Safety

5 Extreme: Work related fatality to one or more person.
4 High: Permanent disability to one or more person.
3 Moderate: Moderate permanent disability (<30%) under performance
2 Low: Objective but reversible injury needing hospitalisation.
1 Negligible: No medical treatment needed.
