The Risk and Control Self-Assessment (RCSA) is an important tool that forces a business to look at all operational risks it faces, and what controls can be put in place to mitigate the situations arising from the manifestation of these risks. The RCSA is also an ongoing process, forcing the business to approach its various risks from different perspectives – sometimes juxtaposing them against different backgrounds – because risks change with time, place and the environment. RCSAs are easy to implement if properly explained to all stakeholders and you adopt sensible and practical approach. Designing a structured and logical RCSA process is, therefore, the key to its implementation success. Operational Risk and controls go hand in hand. Hence, once a risk is identified, its control component should and can immediately be determined. This way, when you’re doing one, you’re automatically doing the other.
What does it take?
Firstly, it involves identifying objectives, and the involvement of the Line. In fact, with RCSAs, you need to ensure everyone’s buy-in. This is because everyone has to be involved. Accordingly, they need to understand how the RCSA adds value to what they’re doing, and to the value of the firm. RCSAs are involved processes which begin with some simple questions like:
- What is an RCSA?
- Why do it?
- Who is it for?
- Who will do it?
- When should it be done?
- How often should it be done?
- What are the resources needed to do it?
- How does it get done?
What, why, who, when, where and how
RCSA, a process of continual assessment of operational risks and controls, is applied primarily to identify control gaps and the actions required to close these gaps. It should ideally be applied across the entire organisation, including departments, business units and local/overseas subsidiaries to be truly effective. RCSA has come to be regarded in many blue-chip, sustainable and progressive firms as an integral component of good operational risk management. But before plunging headfirst into RCSAs, the organisation should pause and make an assessment – a “pre-assessment” assessment, if you will.
Realistically speaking, there will always be a gap between risks and controls. In closing these gaps, cost benefit considerations should also be included. RCSAs require deep, collective thought, clear insights into how the firm operates, and the extent of its resources. All these factors come together to produce a macro view of the firm, an inventory of its assets, and the Operational risks confronting them that will prevent the firm from achieving its objectives.
More than mere compliance
Should a company choose to deploy RCSAs, it will find itself having to acknowledge its shortcomings – not always an easy or comfortable thing to do, especially when there may be stakeholders’ interests to consider. Inventorying for the purpose of RCSAs brings to light areas where a firm’s compliance may be lacking but the company should see it as not merely an exercise in compliance. Instead, it should encourage staff, management and the Board to see it as adding value to the organisation as a whole because shortfalls have been identified and addressed, and therefore the disruption arising from that risk can be mitigated.
RCSAs prod the firm into opening up and becoming more transparent. Properly deployed it can also breach organisational silos as departments and employees start sharing information. Firms should consider the implications of this on corporate governance and stakeholder perception. What it says about the company is that it is being proactive about managing its operational risks and challenges, and is making a concerted effort to cope with uncertainty. In other words, it is being managed well and is prioritising the interests of shareholders and stakeholders, focusing on growth, sustainability and competitiveness in the long term, rather than exclusively on its bottom line.
Meeting many objectives
As a component of ERM, RCSAs are operational more than anything else. They can have multiple objectives, and be applied generally to the whole business, or scaled to fit specific processes, departments or individual business units. It is characteristically a detailed process because of the extent of the information it strives to acquire, and the area it has to cover. There needs to be a great deal of education, collaboration and agreement on RCSAs to be effective. Even though not all top management may fully understand its purpose, and the Board may not see its role in corporate strategy, RCSAs are supposed to identify and address the organisation’s vulnerabilities – and must be endorsed by the Board and top management to achieve full potential.