Knowledge · Risk & control

Risk & control matrix (RCM)

A risk & control matrix links the risks in your processes to the controls that cover them. It is the heart of risk management in processes: it shows what can go wrong, how you control it, who is responsible and where you still have gaps.

What is a risk & control matrix?

The risk & control matrix (RCM), also called a risk-control matrix or control matrix, is a structured overview that connects each risk to the controls that cover it. Where a risk register only lists what can go wrong, the RCM adds the other half: how you control it. Each row shows the risk, the associated control, the owner, the frequency and the effectiveness.

That combination makes the RCM the workhorse of internal control and audit. It is the basis for demonstrating that an organisation is in control: not with words, but with a traceable link between risk and measure.

What does an RCM consist of?

The exact columns differ by organisation, but a usable risk & control matrix almost always contains the following elements:

ElementWhat you record
Process stepThe activity the risk applies to — the anchor point of the RCM.
RiskWhat can go wrong, and why that affects the objectives.
Cause & effectThe source of the risk and the impact if it occurs.
Likelihood × impactThe estimate of probability and severity, often as gross and net risk.
ControlThe measure that reduces or detects the risk.
Control typePreventive or detective, and manual or automated.
FrequencyHow often the control runs — continuous, daily, per event.
OwnerWho is responsible for the control working as intended.

Many organisations work with a gross and net risk: the gross risk is the estimate before control, the net risk the residual risk afterwards. The difference shows how much the controls actually add.

Preventive vs. detective controls

Controls broadly fall into two types. A good RCM balances both, and also distinguishes manual from automated controls — the latter are generally more reliable and easier to test.

Preventive

Stops a risk from occurring. For example segregation of duties, a mandatory second approval before a payment, or system validations that block invalid input.

Detective

Flags after the fact that something went wrong. For example periodic reconciliations, exception reports or a review of log files. Indispensable as a backstop to prevention.

Risk management in processes

Risks don't arise in a register — they arise in the work. An invoice paid without a check, a change that goes live without review, data that passes through the wrong hands: all risks that sit on a specific process step. Yet many organisations manage their RCM as a standalone document, separate from the processes it describes.

That goes wrong the moment the process changes. The control you described months ago no longer fits the new way of working — but you only notice at the next audit. The solution is to link risks and controls to the process step, so control and process move together. You then see at a glance which steps are insufficiently covered, and which roles (via the RASCI matrix) are involved in that control.

How to build a risk & control matrix

  1. 1

    Set the scope

    Decide which process or processes go into the RCM and to what level of detail.

  2. 2

    Inventory risks per step

    Walk through the process steps and, per step, name what can go wrong, with cause and effect.

  3. 3

    Assess the risk

    Estimate likelihood and impact (gross risk) to prioritise where control is needed.

  4. 4

    Attach controls

    Assign one or more controls per risk and record whether they are preventive or detective.

  5. 5

    Set owner and frequency

    Record who runs the control and how often, so its operation is testable.

  6. 6

    Assess the net risk

    Determine the residual risk after control and repeat the cycle periodically.

A living, connected RCM

The difference between an RCM that works and one that goes stale is in the linkage. In Proceshuis, the risk & control matrix is a living, connected object rather than a separate register: risks and controls hang directly off the process step, together with the roles, systems and data of that same step. When the process changes, control changes with it.

This is how you support the ways of working behind frameworks like Three Lines of Defense, ISO 27001 and GDPR — by modelling the associated risks, controls and ownership on the process. To be clear about what is and isn't built in today: the APQC benchmark is actually built in and reported, with a coverage percentage. The frameworks mentioned are supported ways of working; that off-the-shelf framework layer we are building out step by step.

Risk ↔ control ↔ process, in one model

No separate register that goes stale, but control that hangs off the process step — with RASCI and APQC coverage. That's how you demonstrate you are in control.

Frequently asked questions about the risk & control matrix

What is a risk & control matrix (RCM)?+

A risk & control matrix is an overview that records, per risk, which control covers that risk, who owns it, how often the control runs and how effective it is. The RCM connects risks to controls, ideally linked to the process step they apply to.

What is the difference between a risk register and a risk & control matrix?+

A risk register lists risks. A risk & control matrix goes a step further and links the controls to each risk, with owner, frequency and effectiveness. So the RCM shows not only what can go wrong, but also how you control it.

What is the difference between a preventive and a detective control?+

A preventive control stops a risk from occurring — for example a mandatory second approval before a payment. A detective control flags after the fact that something went wrong — for example a periodic reconciliation or an exception report. Healthy control combines both.

Why link risks and controls to the process?+

Because risks arise in the work itself. A standalone risk register goes stale the moment the process changes. Link your risks and controls to the process step and the controls move with the process — and you immediately see which steps are insufficiently covered.

Does Proceshuis support Three Lines of Defense and ISO 27001?+

Proceshuis supports those ways of working by letting you model the associated risks, controls, roles and ownership and attach them to the process. That is different from an off-the-shelf compliance framework: today APQC is built in and reported; the framework layer we are building out step by step.

Keep reading

Set up your process house today.

Explore the fully populated demo environment or book a tailored demo — and see how RASCI, risk & control and the APQC benchmark all hang off a single process step.

Risk & control matrix (RCM): risk management in processes — Proceshuis