With Risk and Control Self-Assessment (RCSA) continuing to be a core activity for banks and insurers, ORX shares top considerations for improving RCSAs and the key benefits these developments could offer. We've created a three-part series to explore the essential aspects of RCSAs, focusing on process, technology, and the culture and people involved.
This blog is part of a three-part series. Read the second of the series, Top tips for effective and dynamic RCSA: Technology, and the third, Top tips for making your RCSAs more effective and dynamic: Culture and People.
In view of the evolving risk landscape and digitalisation of business, members have shared their concern that current RCSA processes do not sufficiently meet their needs to monitor their risk profile and adapt to changes in the risk environment in a timely manner.
As such, to help firms make their foundations fit for the future, ORX has recently published a podcast exploring some key methods that firms have either started to use, or are planning to use in the future, to make RCSAs more efficient, effective and dynamic.
These top tips have been curated from conversations at the Regional forums in South Africa, Australia and Singapore held in early 2024, as well as dedicated discussion sessions run by the Risk Management Working Group at ORX.
Process
1. Standardise RCSAs across the business to achieve consistency
This can include standardising or rationalising the risks and controls within the exercise, such as by focusing on material risks.
2. Develop a centralised Risk and Control Library to support RCSA optimisation
There is a suite of reference standards available from ORX, including the Reference Risk Taxonomy for Event Types, Causes and Impacts, and the Reference Risk Control and Indicator Library, both of which could support your firm’s journey to standardising the RCSA process.
3. Perform RCSAs more dynamically
Review the frequency at which RCSAs are performed, for example, moving away from a periodic review of all risks and controls, to the close real-time monitoring of data.
One way to do this is to perform RCSAs on a trigger basis, using a consistent, high-quality set of triggers with appropriate thresholds that allow close monitoring of changes in the risk and control environment (such as material events, regulatory changes, peaks in indicators) and a timely response to those changes.
Benefits of running a more dynamic, data-driven assessment include:
- Better prioritisation of work, allowing the first line of defence (1LoD) to focus on the most pertinent issues at the time
- Increased efficiency due to a reduction in overall effort required
- Better engagement from the business as the importance of the work is demonstrated
- Operational and non-financial risk acts as an enabler of business, relevant and essential to success
Resources from ORX to support firms’ monitoring of changes in the risk and control environment
We provide a range of services that can help you monitor changes in the risk and control environment, including:
- ORX News
- ORX Reference Control Library
- ORX Reference Indicator Library
- Regulatory trackers:
- Data Science and AI regulation tracker
- Basel III SMA implementation tracker
- Scenarios regulatory monitoring service (updates are reported and presented monthly at ORX Scenarios Working Group meetings)
4. Leverage outputs from other risk assessments for the RCSA exercise
This allows firms to meet the RCSA requirements without needing to duplicate work, ultimately saving considerable time and resources.
5. Pivot to performing RCSAs on both a vertical and horizontal view, looking at the end-to-end process or value chain
Making this change brings many benefits, such as:
- RCSAs become more thorough, relevant and holistic, with no material risks or key controls overlooked
- Control gaps or duplications are identified
- A common language is established, creating greater consistency
- RCSAs are orientated to a business operation language, improving wider comprehension
- Risk and control information is more easily connected to wider organisational data
- The process view supports the prioritisation and frequency of assessments
- This work can be leveraged for Resilience Management, can support the development of scenario analysis storylines, and can help satisfy regulatory requirements
We're currently developing a Reference Business Services and Process Library, the latest in our set of reference libraries. For updates on this project and to get involved, take a look at this webpage.
Stay tuned for the upcoming second part of the blog series focusing on technology.
Related resources
For more details and a full panel discussion on this topic, listen to our podcast: Top tips for making your RCSAs more effective and dynamic (process, technology, and people).
Resources for ORX members
- Read our short report on Three key areas to improve your RCSAs published earlier this year. This includes further details on how aligning RCSAs and business strategy can unlock additional value
- Read our blog, Enhancing RCSAs – A guide to three key areas, related to the report above
- Read our blog on the Top discussion points from our recent regional forums, which took place over Q1 2024
- Read the RCSA Practice Benchmark
- Discover more from our Risk Management Working Group and Community. For summary notes of the RCSA-focused discussions, see the RMWG webpage
Next steps
If you would like to learn more about this blog or get in touch about the Risk Management Working Group, please visit the website, or contact Matthew Glinister (matthew.glinister@orx.org) or Natasha Smith-Craig (natasha.smith-craig@orx.org).