Risk and Control Self-Assessment, RCSA, is a process of continual assessment of risk and controls to identify control gaps and the actions to close them. RCSA is an integral component of good operational risk management (ORM). The primary objectives of RCSAs are to ensure the reliability and integrity of information; compliance with policies, plans, procedures, laws, regulations and contracts; the safeguarding of assets; economic and efficient use of resources; and the accomplishment of established objectives and goals for operations or programmes.
It is also intended as a continuous process, not a one-time effort. Besides identifying control gaps, it reinforces a risk-aware culture of openness and transparency, helps establish accountability and ownership of control and risk management, and spurs the development of proactive management of risk by anticipating and correcting problems before they occur. RCSA is an ORM tool which can be applied vertically or horizontally, i.e., by function or by process.
When anything is evaluated by function, there is the risk of process deficiencies, risks, controls, and blind spots ‘falling in between the cracks.’ When things are done by process, end to end, there is less possibility of this happening. Should a company choose to apply RCSAs, it will find itself having to acknowledge its shortcomings – not always an easy or comfortable thing to do. RCSA may identify areas where a firm’s compliance is lacking, but staff, management and the Board should see it as adding value to the organisation. Far from being tedious or irrelevant, it is an excellent way for organisations to identify where their shortfalls lie, in a controlled, structured manner, without publicly exposing their vulnerabilities.
RCSAs are conducted mainly through facilitated workshops, where the organisation looks at the entire spectrum of controls, organisation-wide. As continued operations are pivotal to maintaining the organisation as a going concern, RCSAs are imperative to the improvement of the understanding, control and oversight of the company, in its efforts to identify, assess, control and mitigate its risks. Not only are RCSAs capable of pinpointing where the operational risks lie, but they also help companies anticipate their needs, allowing them to optimise resource deployment.
How do they do that? Firstly, implementing RCSA requires a great deal of feedback and consultation, which implies extensive collaboration and the dismantling of silos. People must share information if they want RCSA to work for them; they will have to take responsibility for many things which perhaps did not come under their purview previously. Because the assessment is internal, staff are encouraged to assume shared responsibility for the necessary controls. This leads to more collaborative management and stronger buy-in from employees who may, hitherto, have been disengaged from the process.
It further benefits firms by acting as a bottom-up feedback mechanism, helping organisations open up and become more transparent. Feedback from all levels is imperative and should be an ongoing exercise, perhaps in the form of surveys or questionnaires, workshops or training sessions where employees can give their feedback directly. RCSAs are not the easiest tools to use in a business, but they are important because they force a business to look at all the risks facing it, and at what controls can be put in place to mitigate the situations arising from the manifestation of these risks.
It forces the business to approach its various risks from different perspectives, because risks change with time, place and environment. It can be complicated, but it is doable. Risk and controls go hand in hand: identify a risk, and you identify its control component.