This section includes a detailed explanation of how the DEMI model works, what a key control is and why it is important to define key controls in the risk-control matrix.

The DEMI model used at Vienna University of Technology is a flow chart that is characterised by clearly defined and concise responsibilities for each process step. For each process step, only one structural element or leader can be defined for "implementation" or "decision", while for cooperation and information, several structural elements or leaders can be listed.

  • D ... Implementation (1 person responsible)
  • E ... Decision (1 person responsible)
  • M ... Collaboration (several structural elements possible)
  • I ... Information (several structural elements possible)

Figure: the columns of the DEMI model, from left to right: Input, Sequence, Output, D, E, M, I

  • A key control is a financially risky control step whose risk is identified, assessed and assigned a specific control by the process manager.
  • The task of a key control is to minimise or prevent the occurrence of risks through certain control activities.
  • The risk assessment and the traceability of the execution of the key control are precisely documented in the risk-control matrix.
  • The risk assessment is carried out through a realistic estimation of the amount of damage and the probability of occurrence.

The risk-control matrix includes all key controls that have been identified and set up by the process managers for their processes. A key control is a financially risky control step whose risk is identified and assessed. The risk assessment and the traceability of the execution of the key control are precisely documented in the risk-control matrix, which consists of several parts.

Process Information

  • Process ID
  • Process name
  • Key Control ID
  • Process manager
  • Process step/activity

Check for ICS relevance

  • Financial risk
  • Key Control - yes or no
  • Further procedure

Risk Assessment

  • Risk owner
  • Risk description
  • Impact of the risk
  • Risk assessment - amount of damage and occurrence

Control information

  • Control description
  • Control responsibility
  • Control cycle
  • Type of control
  • Proof of control

Last evaluation

  • Date
  • Auditor
  • Result of the sampling

The probability of occurrence is measured in years: the time period within which the risk is expected to occur must be selected. This evaluation is based on a realistic assessment or on experience.

The probability of occurrence is shown with 4 scores:

  • Score 1 = very low (risk event > 10 years ago)
  • Score 2 = low (risk event 4 - 10 years ago)
  • Score 3 = medium (risk event 2 - 4 years ago)
  • Score 4 = high (risk event less than 2 years ago)

The extent of the damage is estimated at between 0.3 million and 5 million euros. The assessment of the extent of damage is not limited to the expected damage for the own structural element (department, division), but covers the entire TU Wien.

The amount of damage is shown with 4 scores based on annual amounts:

  • Score 1 = insignificant, max. 0.3 million euros
  • Score 2 = minimal, 0.3 - 1 million euros
  • Score 3 = significant, 1 - 5 million euros
  • Score 4 = endangering, > 5 million euros

The total risk score is calculated by adding up the two scores, e.g. "Score 1 very low: > 10 years" + "Score 1 insignificant: < 0.2 million per year" = 2.

A total score of 5 and higher is considered a critical risk assessment. These key controls are prioritised in the annual random checks.
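The scoring described above, written out as an added example (not an official TU Wien tool): the two four-level scales, the summed total score and the critical threshold of 5 used to prioritise key controls for the annual random checks. Which side of a band boundary a value of exactly 2, 4 or 10 years, or exactly 0.3, 1 or 5 million euros, falls on is an assumption, since the page does not state it; the key control IDs are constructed.

```python
from dataclasses import dataclass

CRITICAL_THRESHOLD = 5  # a total score of 5 or higher is a critical risk


def probability_score(years_since_event: float) -> int:
    """Map the time since the risk event last occurred to a score of 1-4.
    Band boundaries are an assumption (upper bound belongs to the lower band)."""
    if years_since_event < 0:
        raise ValueError("years_since_event must be non-negative")
    if years_since_event > 10:
        return 1  # very low: > 10 years
    if years_since_event > 4:
        return 2  # low: 4 - 10 years
    if years_since_event > 2:
        return 3  # medium: 2 - 4 years
    return 4      # high: within the last 2 years


def damage_score(damage_meur_per_year: float) -> int:
    """Map the annual amount of damage (million euros, for all of TU Wien,
    not only the own department) to a score of 1-4."""
    if damage_meur_per_year < 0:
        raise ValueError("damage must be non-negative")
    if damage_meur_per_year > 5:
        return 4  # endangering: > 5 million
    if damage_meur_per_year > 1:
        return 3  # significant: 1 - 5 million
    if damage_meur_per_year > 0.3:
        return 2  # minimal: 0.3 - 1 million
    return 1      # insignificant: max. 0.3 million


@dataclass
class KeyControlRisk:
    """Risk-assessment part of one risk-control matrix row (constructed IDs)."""
    key_control_id: str
    years_since_event: float
    damage_meur_per_year: float

    def total_score(self) -> int:
        return probability_score(self.years_since_event) + damage_score(self.damage_meur_per_year)

    def is_critical(self) -> bool:
        return self.total_score() >= CRITICAL_THRESHOLD


def prioritise(entries):
    """Order key controls for sampling: critical ones first, highest total score first."""
    return sorted(entries, key=lambda e: (e.is_critical(), e.total_score()), reverse=True)
```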
Further information is available to process managers at ICS Workplace.