RCSA (Risk Control Self Assessment) is an empowering method/process by which management and staff of all levels collectively identify and evaluate risks and associated controls. It adds value by increasing an operating unit’s involvement in designing and maintaining control and risk systems, identifying risk exposures and determining corrective action. The aim of RCSA is to integrate risk management practices and culture into the way staff undertake their jobs, and business units achieve their objectives. It provides a framework and tools for management and employees to:
- Identify and prioritize their business objectives
- Assess and manage high risk areas of business processes
- Self-evaluate the adequacy of controls
- Develop risk treatment action plans
- Ensure that the identification, recognition and evaluation of business objectives and risks are consistent across all levels of the organization
Forms of RCSA
The primary forms of RCSA are facilitated workshops and structured questionnaires or surveys. Organizations can combine more than one approach. The facilitated self-assessment approach involves gathering management and staff for workshops relating to, and discussion of, specific issues or processes. It is used as a mechanism to assess informal, or soft, controls as well as traditional hard controls. The RCSA workshops are usually facilitated by an internal (or external) auditor who is familiar with the processes, activities, risks and controls of the entity. This includes its relevant policies, plans, laws, regulations and contracts, organizational information, financial information, previous audit results, industry best practices, details of problems affecting the area and, where possible, details of challenges and opportunities expected to arise in the future.
The survey or questionnaire approach is often used if the desired respondents are too numerous or widely dispersed to be readily brought together for a workshop. Surveys are also preferred if the culture of the organization might hinder open, candid discussions in workshop settings, or if management wants to minimize the initial time spent and the cost incurred in gathering the information. Self-assessment questionnaires can be produced as an outcome of facilitated workshops, either as a means of following up on agreed workshop outcomes or as a means for management to maintain and monitor effective internal controls on a permanent basis.
Business units or functions that will be included in the process are those for which a set of objectives or results can be defined. This is important because there must be a common understanding and acceptance of what the group needs to achieve, against which risks and controls can be assessed and evaluated.
The workflow is as follows:
Select key process owners and staff involved in the process to participate based on the objectives and scope of the RCSA exercise. It may also be desirable to include other key stakeholders in the workshop, such as key customers and suppliers to the business unit or process. The participants and the appropriate management levels must understand the RCSA process. They must recognize, and be committed to, the potential benefits and value of the process.
Identify risks and assess them against key business objectives
Each business line has to identify the operational risks arising from its products and activities. Identify these risks from various sources, including audit reports, actual loss experience and regulatory reviews. Once the risks are identified, assess each one by its degree: high, medium or low risk.
Identify controls for each identified risk
Each business line then analyzes its present processes to identify the controls and documents the overall control environment. For each risk identified above, identify the controls that are in place to mitigate that risk, and document the attributes of those controls.
Once identified, assess whether the controls are working according to their original intention. The purpose of the self-rating is to bring together all of the findings of the review and to provide senior management with concise feedback regarding the overall quality and status of the controls. Rate the overall quality of the control environment for each business line as satisfactory, needs improvement or unsatisfactory.
After taking existing controls into account, assess the remaining (residual) level of risk. The process must also identify appropriate risk owners who have responsibility for managing specific risks. The risk owners are responsible and accountable for determining whether the level of residual risk is acceptable, or whether additional risk treatments are required.
Action in light of control lapses
Document the control weaknesses that exist and take appropriate and prompt corrective action. Corrective strategies need to be developed, and timelines need to be set to address each risk whose level is not acceptable. The risk owner has responsibility for the action plans developed. Sufficient testing or other procedures must be performed to provide reasonable assurance that controls adequately address the risks and are functioning as intended. The corrective action plan must include the following components:
- Name of the business line.
- Name of a responsible officer for the business line.
- Date of test and test period covered.
- A clear description of each control weakness.
- Action plan to resolve the deficiency.
- The target date for a resolution that is both reasonable and achievable.
- Rating of the issue severity.
The responsible manager will monitor corrective actions for a control weakness until it is rectified. Business line documentation must record any slippage in meeting previously agreed target dates.
The operational risk manager has to periodically monitor the RCSA, including the results of testing and corrective action tracking, and must maintain evidence of this monitoring.
A quarterly operational risk report will incorporate the RCSA results. The board of directors and senior management will receive high-level information from it.