Risk and Control Self-Assessment (RCSA) remains a pivotal activity for banks and insurers, serving as a robust framework to identify, assess, and mitigate operational and non-financial risks (ONFR).While numerous organisations have started efforts to enhance their RCSA practices, a wide range of practices and maturity levels persists within the industry. A recent study by the ORX Risk Management Working Group (RMWG) explored current and emerging RCSA practices. Read on for some of our key findings, and ORX members can read the full results in a short report.
Key Insights: Three Ways to Optimise RCSA Processes
1. The First Line of Defence
The first line of defence (1LOD) can play a key role in enhancing the effectiveness of the RCSA exercise
RCSAs mostly involve colleagues from many different functions and across the 1LOD and 2LOD. Consequently, the exercise could result in a significant resource burden and coordination challenge. One of the key ways firms can optimise the RCSA process is by clearly defining 1LOD and 2LOD roles and responsibilities.
2. Moving to a process view of RCSAs
Moving to a process view of RCSAs brings many potential benefits, but there are challenges to overcome
An end-to-end process view within RCSAs brings a range of benefits, including:
- Ensuring there are no gaps in material risks and/or key controls
- Leveraging for resilience risk management
- Supporting the development of scenario analysis storylines
“Despite a majority (55%) of firms having already developed a process/key service library, only 40% leverage such a library within their RCSA exercise and there is a wide range of practice and maturity in how this is being undertaken.
This is in part due to the various challenges of integrating process libraries with the RCSA process, though some firms have already taken steps to remedy them.”
3. Aligning to business strategy
Alignment to business strategy unlocks additional value but core challenges must first be navigated
Ideally, a cyclical relationship between RCSAs and business strategy can be established, with strategy informing RCSAs and control effectiveness/action plans generated as part of RCSAs feeding back into the business strategy-setting process.