IERP® International Institute of Enterprise Risk Practitioners

Understanding the Differences between RCSAs and Risk Registers

“There is a lot of misunderstanding as to what RCSAs are for, and what Risk Registers are for,” said Ramesh Pillai. “People often use the RCSA templates and call it a risk register – which is inherently wrong. It is often one of the reasons why risk management processes break down and fail…because the wrong tool is being used for the wrong thing.” This leads to the value of risk registers not being recognised by boards and management teams, as information is being presented wrongly. The start point is the difference between operational risk management (ORM) and enterprise risk management (ERM). This is what distinguishes the RCSAs from the Risk Registers.


Under ORM, the definition of risk is the risk of loss arising from failed or inadequate processes, people, systems and other external events. Risk is considered bad; there is no risk-return trade-off. “The objective of risk management under ORM is to reduce or eliminate risk,” Ramesh said, adding that ORM is actually a subset of ERM. Because it is ORM, the main tool is the RCSA; RCSAs are an ORM tool, not an ERM tool. Contrasting this with ERM he said that the definition of risk in ERM, on the other hand, is anything which prevents the achievement of organisational objectives. The aim of ERM is the achievement of organisational objectives and improving the quality of decision-making.


“This is where you get the risk-return trade-off,” he clarified. “Not under ORM but under ERM.” The objective of risk management under ERM is not to reduce or eliminate risk but to optimise it. One of the options available for the mitigation of enterprise risks (as opposed to operational risks) is to increase the risk to pursue a particular opportunity, or to increase returns. The main tool to evaluate ERM is the risk registers. RCSA – which stands for Risk and Control Self-Assessment – is a process by which operational risks and all controls associated with it, are assessed and examined. “The objective is to provide reasonable assurance that, from an ORM perspective, the organisation has a reasonable chance of meeting all its objectives,” Ramesh said. 


RCSAs can be conducted vertically or horizontally. Many companies do it by function (i.e. vertically) but more advanced, knowledgeable firms do it horizontally, by process. “This is because when you evaluate anything by function, you run the risk of having things – processes, risks, controls, blind spots – fall in between the cracks,” he explained. “But when you do things by process, end to end, and get all the stakeholders involved, you don’t have the problem of trying to evaluate these things which fall between the cracks.” The main way in which RCSAs are conducted is through facilitated workshops. But these need to be done cross-functionally by process to derive maximum benefits.


“Internal controls are very important when it comes to ORM because these are a critical risk mitigation tool for ORM,” he continued. “The RCSAs also help to motivate personnel to carefully design and implement control processes and continually improve operating control processes…it helps to heighten awareness of the importance of operational risk, and cement the understanding that the responsibility of managing risk and the overall responsibility for risk management of the organisation lies with the line.” The primary objectives of RCSAs are to ensure the reliability and integrity of information; compliance with policies, plans, procedures, laws, regulations and contracts; the safeguarding of assets; economic and efficient use of resources; and the accomplishment of established objectives and goals for operations or programmes.


RCSAs further benefit firms by acting as a bottom-up feedback mechanism and helping organisations be pro-active. They also have the effect of reducing audit exposures while improving internal audit’s image and visibility. Audit then becomes a function that adds value. He advocated involving internal audit within the RCSA process but cautioned that internal audit needed to be educated that RCSAs were not a tool or medium to point fingers or write people up if they self-declare any issues. Any issue that is proactively highlighted should not be used as an opportunity to write people up. “If you do this, people will stop being honest under the RCSA umbrella,” he said.


He stressed that people can only be written up if they miss the deadlines or mitigations as indicated under the RCSAs. If they self-declare something that audit was not aware of, this is off limits, and they should not be written up. Because of the nature of the RCSA process, the organisation is actually looking at the entire spectrum of controls across the organisation. As everyone becomes more control-conscious and starts to understand the value of internal control, the level of buy-in of the first line of defence will go up. RCSAs are not new; they are a proven tool for control processes within companies, and are a way for internal audit to increase their coverage without being intrusive.


“The RCSA establishes very clearly that the responsibility for the identification and management of risks lie with the line,” Ramesh said. “This is also very important to understand because you cannot identify opportunity when you identify risk. Opportunity does not arise from risk; it arises from how you choose to mitigate risk. In order to identify and manipulate the opportunity, you first have to manage the risk. Opportunities arise from risk management, not from risk identification. The RCSA is actually a risk management process that you need to undertake if you want to identify and utilise the opportunities which come along.”


Ramesh shared the IERP’s RCSA template with the audience, with in-depth explanation of how it should be applied. The process can be tedious, he said, because besides filling in the template, all action plans arising from the analysis and controls need to be tracked. “If you’re doing this, you should find a way of automating it,” he said, adding that the IERP has developed software to do the tracking, although the process may also be managed via a spreadsheet. “Try and find a way of automating it yourself or via a system, so that you will have less tedious work to do,” he advised. For ERM, he advised that individual departments or units should have their own visions and missions that are aligned with the goals and objectives of the organisation.


On the purpose of risk registers, he said that this was to ensure that the organisation has a tool to record and discuss the effectiveness of its risks and mitigations in place to ensure that the organisation achieves its strategic and other objectives. Recording these will automatically trigger discussions on the extent and effectiveness of risk controls or mitigation, as well as on performance and sustainability. “In ERM, you are actually evaluating your ability to meet your objectives,” he said. “In ORM, you are evaluating your internal controls. That is the main difference between RCSAs and risk registers.” ERM can be implemented using either the taxonomic or objective-centric approach. Best practice in today’s environment is the objective-centric approach as guided by ISO 31000:2018. Taxonomy basically means identifying and ranking risks. But if any relevant risk category is not identified or defined at the start, all risks in that category will not be included.


This is a blind spot. “If there is an emerging risk, you will never be able to identify it. You’ll always be blindsided,” Ramesh pointed out. Additionally, if any category is incorrectly defined, the risks identified will also be incorrect – which could be dangerous. However, many firms still apply the taxonomic approach because it continues to be recommended by consultants, he added. The objective-centric approach, on the other hand, emphasises the achievement of organisational objectives. This requires the alignment of departmental objectives, vision, mission and strategies with organisational objectives, vision, mission and strategies.


It may appear simple, but this requires an extensive thought process and the setting of SMART objectives as well as the correct KPIs, Ramesh cautioned. “Changing the KPIs can change the nature of the risk,” he said. “When you are evaluating risks in relation to objectives, your objectives need to be smart. You need to try and find a way to link your KPIs to your objectives.” This will also enable deep-diving into the details and data collected, and make reporting of risks more expedient. “It’s about enterprise risk management…and moving towards the improvement of the quality of decision-making in ERM,” he said.


It is critical to understand the distinction and differences between ORM and ERM. From an ORM perspective, risk is bad and provides no returns. But from the ERM perspective, the higher the risk, the higher the returns; it is about achieving objectives and improving the quality of decision-making. It is critical therefore to use the right tools, such as RCSAs for ORM. ERM, on the other hand, looks at the larger picture and considers the organisation’s objectives and strategies. Also, RCSAs are usually used by managers and those at lower levels whereas risk registers are undertaken by more senior personnel as they need to have a greater overview of risk, objectives and how these can be achieved.


Advocating simplicity when implementing systems, he said that risk management was not about the management of risk, but the psychology of risk. “Keeping it simple will ensure you have better traction and success in implementation,” he said. “Make sure that you have proper implementation of the proper tool to address the proper issue…For ORM issues, use the RCSA; for ERM issues, use the risk registers. The emphasis for ERM is on achieving organisational objectives. At the end of the day, we all want to ensure that we achieve organisational sustainability, agility and resilience. That is the ultimate aim of risk management.”

