No operational risk management framework is complete without Risk and Control Self Assessment (RCSA). This empowering technique, used by staff at all levels and across a wide range of organizations to identify risks and evaluate associated controls and their effectiveness, was developed in 1987. Today, it’s still considered a powerful way to provide assurance to governing bodies and regulators that all objectives will be met. A number of ‘softer’ benefits have also been identified: personnel will gain a deeper understanding of business operations and enhanced awareness of operational risk management, and will be better equipped to drive a tighter governance program.
The Institute of Risk (IOR) white paper, ‘Risk and Control Self Assessment’, details how RCSAs help organizations to prioritize risk exposures, identify control weaknesses and gaps, and monitor the actions taken to address them.
It seems there’s a fine line in achieving the right balance; an RCSA well executed and implemented should help to embed operational risk management throughout a business and improve overall risk culture. Make it overly complex, and the notion that operational risk management is bureaucratic and compliance-led may be reinforced.
The guidance emphasizes that whilst helping to assess operational risk exposures, RCSAs also have a role to play in putting operational risk on the table and getting people talking about it. The thinking is that those organizations that do discuss operational risks and the efficacy of their associated controls will be better placed to cope with ‘what the future holds’ – new and emerging risks.
Undoubtedly, an effective RCSA will help to support corporate governance and compliance activities. According to the IOR, “The results of an RCSA provide assurance to the governing body and regulators that an organization has in place a sound system for the management of operational risks. Equally, RCSAs can support the work of internal and external auditors, helping them to prioritise audit attention and structure audits.”
A further benefit worth mentioning is business efficiency improvement. Weaknesses or gaps in controls may increase the likelihood of system and process failures and the impact of external events, all increasing costs, and scope for disruption. At the other end of the scale, ‘an excessive level of control can slow down systems and processes unnecessarily.’
To help organizations attain the right balance, the ‘Risk and Control Self Assessment’ white paper sets out detailed information on how to design and implement an RCSA that will best fit the scale and complexity of activities and an organization’s risk culture too.
From RCSA fundamentals, through to framework integration
Highlights from the chapters include:
- RCSA Fundamentals
“A fully comprehensive approach is not necessarily best, especially if it results in information overload and requires excessive amounts of time and effort to complete. RCSAs should only be used where they are value-adding.”
- Designing an RCSA
“Most organizations will design top-down and bottom-up RCSAs. The advantage of a top-down approach is that strategic level risks can be cascaded down, and aligned to the risks, controls, and actions identified in departments, divisions, or function assessments. This can help to improve operational risk governance and ensure that organization-wide and local priorities are aligned.
“The advantage of a bottom-up assessment is that local managers can focus on the risks and controls that are relevant to their area.”
- Completing an RCSA – Approaches and Techniques
“Questionnaires can be used to collect some or all of the information required for an RCSA. Questionnaires may be used as a substitute for a workshop, to help save time and resources. They are most effective when combined with workshops… This should reduce the chance that risks or controls are omitted and help to control individual biases.”
- Integrating an RCSA into the Operational Risk Management Framework
“RCSA outputs are a valuable source of information for the development of operational risk action plans. Such plans might include improving the effectiveness of existing controls, removing obsolete controls, or introducing new controls to address gaps. Actions must always be justified on cost/benefit grounds.”
In its conclusion, the white paper reinforces the message that operational risk managers should always be mindful that RCSAs must support business decision-making.