RCSA - You Developed Your Risk Management Framework

Conducting risk and control self-assessments (RCSAs) is a cornerstone risk management technique that all businesses should be performing. Here are the five key steps to ensure that you are conducting it smartly.

Conducting Risk and Control Self-Assessments

So, you have developed your risk taxonomy and identified all your relevant risks for your risk categories. You have also developed your risk matrix and determined your risk appetite for your risk categories. You may have also identified the person responsible for managing your risk categories (i.e., the risk owner). Now it is time to start assessing your risks!

Assessing your risk means understanding how risky the risk is for your business (i.e., the risk level) and whether it is at a level that you are comfortable with (i.e., within your risk appetite).

Conducting a risk and control self-assessment (RCSA) is the fundamental tool used to make this assessment.

If you haven’t developed your risk matrix or appetite yet, I recommend that you do so before continuing. If you have, follow these steps and you can be confident that you know the state of your risks.

RCSA Step 1: Assess Inherent Risk

It is important to understand the extent to which the risk could negatively impact your business objectives if you did nothing to prevent the risk from occurring nor to detect and correct the risk if it did occur. This is called your inherent risk.

This step is sometimes overlooked because it can be challenging to take a step back and really consider the inherent risk. This is because controls are often times performed intuitively and not performing them may seem nonsensical.

However, without performing this step, you may be at risk of putting unnecessary controls in place to manage the risk. Over controlling a risk can be just as problematic as under controlling a risk.

Use your color-coded risk matrix to conduct this assessment. Once you have considered where the risk’s impact and likelihood falls on your matrix, you will know how inherently risky this risk is. You can then compare it to where you would like it to sit on the risk matrix according to your risk’s appetite.

If your inherent risk is within your risk appetite, you can stop here. There is no need to identify controls to reduce the likelihood or impact of the risk because you are already comfortable with the level of risk it poses for your business. If the risk level is outside of your risk appetite, proceed to step 2.

RCSA Step 2: Identify Controls

Your controls are the steps you take to reduce the likelihood and/or the impact of this risk. These could be preventative, which serve to reduce the likelihood of the risk occurring. Some common preventative controls are training and four-eye checks, for example. Controls can also be detective or corrective, which serve to reduce the impact of the risk should it occur. These could be taking out insurance or reconciling transactions to an end of day report, for example. Make a list of all the controls you have in place for this risk, the frequency of when it is performed and who is responsible for performing the control. Proceed to step 3.

RCSA Step 3: Assess Controls

There are two aspects to assessing a risk’s controls: design and performance. When assessing your controls both aspects should be independently considered since the solution to improving your control environment can vary according to whether it is a design problem or performance problem.

Assess the design of your controls first. In this instance, properly designed controls means that you have the right controls in place to maintain the risk within your appetite level on your risk matrix.

If this is not the case, you can stop your assessment now and move to step 5. There is no need to assess whether these controls are performing well because even if they were, the risk level would not be within your stated appetite. This needs to be addressed first and foremost.

If your controls are properly designed, then assess the performance of your controls. Performance relates to whether the controls are being performed and are working as intended. Do not skip this step! If your controls are not performing as intended, you might as well not have the controls in place. And by default, your risk level is the inherent risk level assessed in step 1! If this is the case, proceed to step 5.

RCSA Step 4: Assess Residual Risk

Your residual risk is the riskiness of a risk after taking into consideration your control environment (i.e., the control design and performance). Take a second look at your risk level from this perspective using your color-coded risk matrix. Compare this assessment to where on the risk matrix it should sit in order for it to be within your risk’s appetite. If it sits within your risk appetite, congratulations, your risk assessment is done! If not, proceed to step 5.

Step 5: Mitigate Risk as Needed

If you are at this step, you have conducted your risk assessment and determined that your risk level is outside of your risk appetite. Therefore, you need to assess your possibilities to bring this risk to within your appetite. These are the options at your disposal:

Tolerate the risk: After reviewing your controls for this risk, you may determine that there is not much more that you can or would like to do to lower its risk level. Therefore, you are willing to accept this risk and increase your appetite for the risk.

Treat the risk: With this option, you will be considering additional or new controls to put in place to lower the risk level to within appetite.

Transfer the risk: With this option, you may determine that you may not have the resources to adequately control this risk or financial capacity to absorb losses from this risk. As a result, you could consider outsourcing the process and its associated risk to a service provider. Or, consider taking out insurance to mitigate losses that could be sustained if the risk were to occur.

Terminate the risk: With this option, you may determine that none of the above options is preferable. Therefore, you can decide to cease performing the process or activity associated with this risk.

If you have completed the steps above, you have conducted your risk assessment and have a plan in place for addressing the risks that are outside of your appetite. Well done!