The risk and control self-assessment (RCSA) explained

The risk and control self-assessment (RCSA) is an exercise that financial services firms run to understand the risks they currently face and the relevant controls they have in place to mitigate these risks.

The RCSA can also be referred to as a 'risk control assessment' (RCA) or a 'risk and internal control self-assessment' (RICSA).

Purpose of RCSAs

The overall goal of an RCSA is to assess whether the firm is adequately protected against potential risks so it can safely pursue its strategic objectives with reasonable assurance of success while remaining within its risk appetite (the level of risk it is willing to accept in pursuit of those objectives).

Benefits of a successful RCSA

  • Clear assignment of accountability
  • Fostering a risk-aware culture
  • Assurance and demonstration of compliance
  • Facilitation of strategic decision-making around risk management and investment

How firms conduct an RCSA

Key stages

1. Identify the risks currently facing the firm

Risks are identified from a variety of sources, for example publicly reported loss events (such as ORX News data), the issues management process, team workshops and subject matter expert (SME) interviews.

RCSAs are often performed horizontally to highlight areas of potential risk exposure or vulnerabilities across the end-to-end business process or service.

2. Assess the likelihood and impact severity of those risks

Both SME judgement and quantitative methods are used to rate each risk according to how likely it is to occur and how severe its impact could be.

3. Identify any relevant controls

Look at the controls the firm currently has in place to mitigate those risks, and identify any control weaknesses or gaps that need rectifying.

4. Assess the effectiveness of these controls

Examine whether each control has been designed and built properly (design effectiveness) and whether it is operating correctly for its intended purpose (operating effectiveness). An overall control effectiveness score is then assigned.

Who usually performs the RCSA?

The first line of defence (1LOD), the business units, typically owns and performs the RCSA, while the second line (2LOD), the operational risk function, provides support and guidance. This can include check and challenge, training or a consolidation role. For more information on the three lines of defence (3LOD), read our 3LOD model explained article.

When do firms usually run their RCSAs?

Traditionally, the RCSA was an annual exercise. However, the majority of financial services firms now also run RCSAs dynamically in response to a trigger (e.g. internal testing results, new product launches, new regulations), in addition to the annual exercise. The current industry ambition is to move towards a more real-time, 'always-on' RCSA that provides a live view of a firm's current risk profile.