
Question


Risk Control Matrix Template.xlsx

ID: R##
Rank: # ##
Risk Short name: Customer ID updates
Description (Summary describing what may occur and what the potential effect may be): Customer ID may be incorrectly provided leading to customer confusion leading to financial remuneration and reputational impacts
Source (Internal / External / etc.): Internal
Category (Technical / External / Organizational / Project): Technical
Risk Owner (Business Function / Stakeholder who is impacted by the risk): Finance
Root-causes (Why is the risk exposed): There exist two separate data systems that reconcile data on a nightly basis but a small percentage of customer IDs overlap between the two systems and there are no business rules to identify the source of truth
Triggers (Sign / occurrence that cause the risk to occur): Nightly system updates result in certain customer IDs updating incorrect information belonging to another customer

Affecting
Scope: No Impact
Time: No Impact
Cost: Cost impact to reimburse customers who have placed online orders and have not received their deliveries (delivery guarantee) in addition to costs to be assumed associated with returns and shipping
Quality: Reputational impact based on loss of customer confidence (since the issue has started we have noticed a downward trend in customer satisfaction when it comes to online deliveries)

Probability (High / Med / Low) (%): 4% of customers are affected (4000 customers out of 100,000 total customers)
Absolute Impact (High / Med / Low) ($): $200,000 were spent last year to provide customer restitution
Real Impact (High / Med / Low) ($): 4% * $200,000 = $8000
Risk Response (Avoid / Transfer / Mitigate / Accept): Mitigate

Action Responses (Specific action to respond to risk)
Mitigation plan:
1. Implement code-fix which identifies business rules for overnight data pulls
2. Manually update existing records which cannot be fixed with business rule code fixes
Contingency Plan: Put aside required funds to pay customers damages and mitigate any reputational impacts

Effort (High / Med / Low) ($): $1,000
Risk Response Owner (Business Function / Stakeholder who is tasked with actioning / mitigating / remediating the risk): IT | Customer Service

Responsibility / Actions (Responsibility of the party to respond to risk)
First list:
1. Identify customers impacted by the incorrect business rules
2. Implement/Test code fix on software
3. Develop software control to validate no duplicate customer IDs
4. Implement/Test software validation control
5. Upload code fix/validation control to both affected servers
Second list:
1. Identify customers impacted
2. Manually fix customer records that I could not fix

Plan Status (Current progression / status): IT has completed customer identification - Next step is to develop code fix | Customers will be identified once a validation control is implemented to identify impacted customers
Date for remediation (Duration (weeks) to remediate the risk/issue): 3 weeks (from now) | 2 weeks (from now)

Control (What is the process/control in place to avoid the risk)
Preventative Control: CTRL1 - Proposed control will include code fix that will evaluate overnight transfer on a nightly basis
Detective Control: Team will use CTRL1 output to identify any impacted customers
Corrective Control:

Assurance (How do you know the control is working): Daily report showing customer with duplicate IDs
Revised Probability (High / Med / Low) (%): We estimate between 0.5% - 1% of customer system records will not be remediated using software code-fixes (between 500 - 1000 customers)
Revised Absolute Impact (High / Med / Low) ($): $25,000 - $50,000
Revised Real Impact (High / Med / Low) ($): $125 - $500
Residual Risks (Any risk(s) that remain/arise from risk response (usually refers to Risk ID, and is listed separately underneath)): Up to 1000 customers may still be impacted still exposing mitigating risks
Secondary Risks: Risk arising from IT vendor used to fix data
Risk Status (Open / Closed): Open
