Dr Pepper Snapple Group risk control matrix



One of the things that Dr Pepper didn’t have was a risk control matrix. They had it in the past and had gone away from it a few years ago and had gone to this memo style. They called it KCI memo, key control identification. It was a narrative written talking about the controls and the risks. That was one of the things we had to do was create a risk matrix for all of our risk and controls to tie the controls with all of the assertions and the test plan in one place.

We started with the risk library. We set up a risk library and just listed all the processes. Then we said, “Let’s make a control library.” We made a separate document that was the control library. Then we took those two and linked them together to create a risk control matrix and built that out.

We also do our self-assessments through Wdesk. We use certifier to do the certifications. We linked up a self-assessment library to get all the information I needed to do assessments on. We linked up all of the risk control matrices to the test plans. We created test sheets for every test, put those together and linked it all the way through. If we want to change something in a risk or a control, we change it at the control library, and it flows through the RCM into the test plan, and it will flow all the way to the remediation sheets if we have a failure or something like that. Then we have the dashboards for all the reporting.

Read More