
Risk and Control Self-Assessment (RCSA) - The Ten Steps to RCSA Redemption

The RCSA is broken – it’s time to fix it

The RCSA process has been used by organisations to identify, assess, and monitor operational risks for decades. Nevertheless, when we asked a range of Senior Operational Risk (Op Risk) professionals which Op Risk component consumed the most first- and second-line resource time, the answer was clear: the RCSA. When the same professionals were asked where their organisation sees most value from Operational Risk, one topic came bottom: the RCSA. This paradox can’t continue. There needs to be a road to redemption.

Stakeholders have different priorities

Regulators are pushing for greater granularity in the RCSA and proactive actions from accountable individuals. Professionals in the first line would prefer a less labour-intensive exercise that facilitates better risk/reward decisions and reduces losses. Those in the second line want more consistency and deeper insights concerning risk profiles. Boards want results they can believe in so that they can allocate resources appropriately. Shareholders want to stop key high-profile risks from crystallising. However, at the end of the day, nobody appears to be getting what they want.

It’s time to find a better way

The RCSA is the accepted mechanism for understanding the organisational operational risk profile and the effectiveness of the controls that underpin it. While some Financial Services (FS) organisations have searched for an alternative approach, ultimately all roads seem to lead back to the RCSA, mainly in recognition of its sound conceptual basis. However, current RCSA processes are poorly designed, inefficient, overly subjective, out of date, resource intensive and have a reputation for box-ticking. This can lead to inaccurate risk profiles and sub-optimal decision-making and resource deployment.

Starting the journey

The path to redemption is not straightforward and achieving an efficient and more streamlined process will require time and resources from all stakeholders involved. However, getting it right should add insight to risk and control profiles, reduce costs over the long run, and minimise disruption to the business.

Based on our experiences in this space, we have identified ten steps for addressing the key issues, as we see them, with the traditional RCSA process. They are:

  1. Deciding between a functional or process-driven RCSA: Both approaches have advantages and disadvantages. We believe the market is moving more towards a process-driven model as it better aligns with the products and services that most organisations provide. However, without addressing the other 9 areas articulated below, this alone will not be enough to fix the RCSA.
  2. Enhancing the design of the RCSA: For the RCSA to work, the basic methodologies of inherent risk, control, and residual risk assessments need to be right. Roles and responsibilities across all lines of defence must be clear. A complex process is not necessarily a practical and insightful process. The RCSA should be integrated into other components of the organisational Operational Risk framework. Organisations should seek to align the RCSA with clearly understood and agreed taxonomies.
  3. Converging different risk assessments: Many organisations conduct numerous independent risk assessments, sometimes exceeding a dozen separate processes. These assessments typically cover areas such as Compliance, Conduct, Resilience, IT risk, Cybersecurity, Financial Crime, Fraud, and Reputational risk. While each assessment may have its own specific objectives and methodologies there are advantages to integrating the processes to enhance efficiency, consistency, and reporting.
  4. Granularity of assessments: This is a hot topic for many FS firms at the moment. Organisations face a trade-off between resource intensity and level of insights achieved when determining the granularity of their risk assessments. While high-level assessment points reduce the workload, they may hinder risk assessors' understanding of the detailed risks involved. Organisations often manage financial risks like credit, market, and insurance risks at a more granular level than operational risks, raising the question of why this disparity exists.
  5. Consistency and triggers from contextual data: Inconsistency and subjectivity often destroy the perceived value of the RCSA unless there are enormous levels of second-line oversight. Giving risk assessors access to a single set of key data sources can reduce this problem. Organisations can start by delivering internal losses, external losses, regulatory issues, control testing results, scenarios, Key Risk Indicators (KRIs), risk appetite breaches, and internal audit findings to risk assessors at the point of assessment. The same datasets can also be used to trigger assessment updates, making RCSAs more dynamic and moving them away from a prescribed cycle, whether quarterly or annual.
  6. Legal entity and country views: Local regulators want local views of the risk profile. However, it can’t be inconsistent with the enterprise-wide or Group view. In today’s world, the overlap is complex: causes and impacts can be associated with different entities and countries. Having a standardised approach that takes into account local nuances by design can help provide risk, control and remediation action views by entity, country or enterprise-wide, as required.
  7. Tooling: Surveys conducted with Op Risk professionals highlight that existing instances of Governance, Risk & Compliance (GRC) platforms are often considered sub-optimal. However, we have found that the underlying problem is often that firms have not fully considered these 10 steps and are then surprised when the selected GRC tool is not flexible enough to deliver against their emerging demands. Appropriate system selection and detailed business analysis are key to successful GRC tool implementations.
  8. Get specific Risk Type/Assessment point data: In addition to the more generic datasets mentioned in (5) above, more advanced firms are now gathering multiple datasets linked specifically to the risk type at the point of assessment. They are then identifying and tracking specific datapoints linked to the drivers of the different risk types being assessed, to enable a more focused and quantitative assessment. The data can also be used to show the increasing or decreasing applicability of that risk to the assessment point.
  9. Automating RCSA ratings: Once specific risk and control information can be generated from (8), it can be used to automate risk and control ratings. Initially, manual overrides will be needed, but as data analytics and aggregation capabilities improve, the efficiency and accuracy of RCSA ratings will surge.
  10. Leveraging Artificial Intelligence (AI): AI can be leveraged in the early days to improve consistency of recorded information and aid second line quality checking. We ultimately envision AI driving ratings autonomously in near real-time, analysing data on a risk type-by-risk type basis. For instance, AI could monitor voice-recorded calls, emails, and specific Risk Type/Assessment point datasets to assess mis-selling risks against a baseline of recorded losses.

We continue to work with our clients to refine and implement these measures, and over time we will seek to publish more detailed analysis for each of these steps, considering practical measures stakeholders can take to build an RCSA process that drives value for all.

No one is suggesting that climbing these steps will be a trivial undertaking for stakeholders, given the extent of ground to cover. Addressing the data architecture and data availability challenges that underpin this change is fundamentally difficult. Nevertheless, if the steps to redemption can be recognised, then a path to a data-driven, insightful, co-ordinated, and efficient RCSA can be achieved.

We look forward to sharing further insights with you on this important topic. In the meantime, if you would like to discuss any of these issues and opportunities in more detail, please don’t hesitate to reach out to the contacts below.