RCSA (Risk Control Self Assessment) is an empowering method/process by which management and staff of all levels collectively identify and evaluate risks and associated controls. It is a technique that adds value by increasing an operating unit’s involvement in designing and maintaining control and risk systems as well as identifying risk exposures and determining corrective action. It aims to integrate risk management practices and culture into the way staff undertake their jobs, and business units achieve their objectives. It provides a framework and tools for management and employees to:
- Identify and prioritize their business objectives
- Assess and manage high risk areas of business processes
- Self-evaluate the adequacy of controls
- Develop risk treatment action plans
- Ensure that the identification, recognition and evaluation of business objectives and risks are consistent across all levels of the organization
The primary forms of RCSA are facilitated workshops and structured questionnaires or surveys. Organizations can combine more than one approach. The facilitated self-assessment approach involves gathering management and staff for workshops relating to, and discussion of, specific issues or processes. It is used as a mechanism to assess informal, or soft, controls as well as traditional hard controls. The RCSA workshops are usually facilitated by an internal (or external) auditor who is familiar with the processes, activities, risks and controls of the entity, including its relevant policies, plans, laws, regulations and contracts, organizational information, financial information, previous audit results, industry best practices, details of problems affecting the area and, where possible, details of challenges and opportunities expected to arise in the future.
The survey or questionnaire approach is often used if the desired respondents are too numerous or widely dispersed to be readily brought together for a workshop. It is also preferred if the culture of the organization might hinder open, candid discussions in workshop settings, or if management wants to minimize the initial time spent and cost incurred in gathering the information. Self-assessment questionnaires can be produced as an outcome of facilitated workshops, with the intention of using the questionnaires as a means of following up agreed workshop outcomes, or as a means for management to help maintain and monitor effective internal controls on a permanent basis.
Business units or functions that will be included in the process are those for which a set of objectives or results can be defined. This is important because there must be a common understanding and acceptance of what the group needs to achieve, against which risks and controls can be assessed and evaluated.
The workflow is as follows:
Select key process owners and staff involved in the process to participate based on the objectives and scope of the RCSA exercise. It may also be desirable to include other key stakeholders in the workshop, such as key customers and suppliers to the business unit or process. The participants and the appropriate management levels must understand the RCSA process and recognize, and be committed to, the potential benefits and value of the process.
Identify risks and assess them against key business objectives
Each business line has to identify the operational risks arising from its products and activities. These risks can be identified from various sources, including audit reports, actual loss experience and regulatory reviews. Once the risks are identified, each needs to be assessed and rated as high, medium or low risk.
Identify controls for each identified risk
Each business line will then analyze its present processes to identify the controls and document the overall control environment. For each risk identified above, the controls in place to mitigate that risk need to be identified, and the attributes of those controls are to be documented.
Once the controls are identified, an assessment has to be carried out and analyzed to see whether the controls are working as intended. Self-rating is designed to bring together all of the findings of the review and to provide senior management with concise feedback regarding the overall quality and status of the controls. The overall quality of the control environment for each business line must be rated as satisfactory, needs improvement or unsatisfactory.
Assess the remaining levels of risk after existing controls are applied. The process must also identify appropriate risk owners who have responsibility for managing specific risks. The risk owners are responsible and accountable for determining whether the level of residual risk is acceptable, or whether additional risk treatments are required.
Action in light of control lapses
Whenever control weaknesses are found to exist, they must be documented and be the subject of appropriate and prompt corrective action. Where the level of risk is not acceptable, corrective strategies need to be developed and timelines set to address the risk. The risk owner has responsibility for the action plans developed. Sufficient testing or other procedures must be performed to provide reasonable assurance that controls adequately address risks and are functioning as intended. The important components of the corrective action plan must include:
- Name of the business line.
- Name of a responsible officer for the business line.
- Date of test and test period covered.
- Clear description of each control weakness.
- Action plan to resolve the deficiency.
- Target date for resolution that is both reasonable and achievable.
- Rating of the issue severity.
Corrective actions for a control weakness must be monitored by the responsible manager until the weakness is rectified. Any slippage in meeting previously agreed target dates must be documented in the business line documentation.
The operational risk manager has to periodically monitor the RCSA, including results of testing and corrective action tracking. Evidence of this monitoring should be maintained.
RCSA results have to be incorporated into a quarterly operational risk report. High level information has to be sent to the board of directors and the senior management.