The Risk and Control Self-Assessment (RCSA) is widely acknowledged in the field of Enterprise Risk Management (ERM) as one of the best tools for supporting the management of operational risk. But beyond financial institutions, where risk management has long been one of the main priorities, RCSAs have been slow to gain traction. There are as many reasons for this as there are companies that have decided to forego ERM; every organisation which has considered using it has had to think long and hard about the implications of its use. RCSA is intended to identify and address an organisation’s vulnerabilities, and the prospect of having those weaknesses documented may be one of the reasons why firms have dragged their feet over RCSA instead of picking it up and running with it.
Unpopular but necessary
To be effective, RCSAs need access to the organisation’s information: lots of it, in a constant stream, and constantly updated. Those running RCSAs also need to stay current on regulatory requirements, any change in standards, and the introduction of new best practices. The organisation’s Chief Risk Officer (CRO) is most often the prime mover of the RCSA agenda. In addition, RCSAs involve five main groups within any organisation: senior management, line or business unit managers, the ERM department, risk specialists and Internal Audit (IA).
A lot of people are involved, which means RCSAs inevitably take up a lot of time. The first hurdle is usually finding the time to get everyone together to talk about it; being on the same page is imperative, or those involved in the RCSA process may find themselves working at cross-purposes. It is a sad fact, but true, that the people who move the RCSA agenda are rarely the most popular people in the company. In fact, they may be regarded as something of a nuisance because of the demands they make on their colleagues’ time. Proponents of RCSA suggest that one way to get buy-in is to show how RCSAs can actually help employees meet their KPIs, or how using them adds value to their jobs.
At the forefront
Each of the groups involved has a specific role to play in RCSA. Senior management endorses the RCSA programme and proactively reviews and analyses its results, identifying weaknesses so that they can be better managed. Although multiple groups are involved in the RCSA, it is business line management that directly undertakes the process, identifying specific risk and control weaknesses and implementing clearly defined action plans. But while business line management is hands-on throughout the RCSA process, the ERM department is its main driver, and it is the ERM department that determines how often RCSAs should be conducted.
The ERM department plays a pivotal role in managing RCSA because RCSA is intrinsically connected to the organisation’s risk strategy, governance, databases and quantification. Besides this, the ERM department vets the results of the RCSA and reviews them for completeness and consistency. This requires a thorough understanding of each department’s business line, processes and objectives, so business line managers may share the responsibility for vetting with the ERM department. Risk specialists assist in the implementation of the RCSA process and review its results from the perspective of their own areas of specialisation. For instance, risk specialists in charge of IT will concentrate on technology issues, while HR risk specialists will focus on “people” issues.
Based on information collected over the years, Internal Audit is ideally placed to identify each department’s shortfalls where controls are concerned. This is really a two-way street, as IA can use the results of the RCSA to monitor the progress made in correcting the weaknesses it identified to begin with. IA should remain independent of the RCSA process, but it should still review and evaluate the RCSA programme as part of its audit activities and help to determine whether it is a reliable and effective management tool. However, to preserve the candour on which the RCSA process depends, IA must agree not to include weaknesses identified and reported through the RCSA in its audit findings, unless the departments concerned have failed to mitigate or control them within a reasonable, or the agreed, timeframe.
Major challenges and critical success factors
As if the extent and implications of RCSA programmes were not enough to keep senior management, line management, ERM, the other risk specialists and IA busy, there are also the challenges that come with implementing one across an organisation. In an ideal situation, the five major groups involved would be enthusiastic about RCSA from the start; but no business operates in an ideal situation, so in practice RCSA can only be implemented with top management support and with all business units on board. In addition, there will be time and resource constraints to deal with, and a common understanding of the organisation’s operational risks has to be built. Even when all of this falls into place, action plans still need to be followed through and monitored.
With so much demanded of the people involved, what then makes for successful implementation of RCSAs? It calls for commitment to the programme from the top downwards, and for people to take responsibility for doing their respective parts and to be accountable for them. Most of all, they need to understand that what they are doing is not mere compliance with regulations or an imposition on their time in the office. Rather, they need to realise that what they achieve through RCSAs adds value both to the firm and to themselves, as trained, proactive employees with a talent for managing risk.