In the previous articles, we have understood how data can be collected from internal as well as external sources in order to facilitate decision-making. The next logical step after the collection of data is to actually make the decision. The collection of loss data relates to events that have taken place in the past. Risk control and self-assessment (RCSA) is the next step: it is the step where the company uses past data to determine the present level of risk. In this article, we will have a closer look at what risk control and self-assessment (RCSA) is and what the various steps undertaken as a part of this analysis are.

What is Risk Control and Self Assessment (RCSA)?

The risk control and self-assessment (RCSA) methodology has certain characteristic features.

It is important to know that this process is dynamic. This means that it keeps changing constantly and depends upon the level of controls which have been introduced by the unit.

The risk control and self-assessment (RCSA) process is iterative in nature. This means that the methodology works on a trial-and-error basis. Whenever any measure is taken to monitor risks, its effect is constantly measured. If the solution is not working as intended, the process is changed and the iteration is repeated.

The risk control and self-assessment (RCSA) process does not take place at the organization level. Instead, as a part of this process, organizational units are identified. The policies are implemented and their success is monitored at the unit level. The organization-wide risk control and self-assessment (RCSA) is just the sum of the assessments of the different units in the company.

Steps Followed During Risk Control and Self Assessment (RCSA)

The risk control and self-assessment (RCSA) methodology is structured into four different stages. One stage may have one or more steps. The details regarding these stages are given below:

  1. Stage 1: Documentation and Definition:

    The first step in the process is to identify and define organizational units for the purpose of risk management. These units need to be structured in the form of a hierarchy. The end result of the exercise is that the risk entities are identified and also the relationship between them is clearly defined. These reporting relationships also need to be defined so that data from individual risk entities can be combined to develop the organizational risk profile. This is the stage at which the companies generally do their top-down analysis for identifying operational risks. The documentation of control procedures as well as how they relate to operational risks is also extremely important. At this stage, the company does not actually pay attention to the risks and their mitigation. The focus is on identifying and documenting the control structure.

  2. Stage 2: Identification of Risks:

    The second stage is where the identification of risks happens. This is generally done in three steps. The first step is to identify the risks which emanate from the top-level entity. Since these risks come from a higher level, they apply to all the organizational units within the entity. The next step covers the regulatory risks which arise from government policies and interactions with regulators. Lastly, unit-specific additional risks are taken into account in order to correctly understand the risk profile of a particular unit. Once identified, the risks are then categorized. This is done by assigning a monetary value to each risk and recognizing its severity.

  3. Stage 3: Assessment of Controls:

    In this stage, the risks are divided into categories. Controls and risk mitigation plans are set up for material risks. Each entity is responsible for managing its own risks and developing an action plan. Risk entities are supposed to have multiple plans in place, so that if a particular plan does not work, it can be replaced with a different plan. It is important to note that this process is continuous and must be repeated periodically. Risk controls that are effective today may not remain effective after a certain period of time. As a part of this process, companies also have to set up sampling methods that will help determine the effectiveness of the plans. The manner in which samples are to be selected, as well as how the results are to be interpreted, has to be defined at this stage.

  4. Stage 4: Reviews and Ratings:

    At the end of the exercise, the mitigation plans are also categorized. Commonly used categories are acceptable, less than acceptable, and acceptable with concerns. This categorization is derived from the scores generated in the previous stage. Since this exercise is conducted periodically, it would be prudent to ensure that this score is actually an average of the past few scores. This would represent the risk on a continuum instead of presenting it in a static manner. Based on the ratings, the organization can decide to implement secondary plans, and then the process repeats itself.

The end result of this process is that risk entities are constantly engaged in risk management activity. In many organizations, a dashboard is maintained on which the risk levels of the various units are constantly monitored. Thus, the risk control and self-assessment (RCSA) framework helps in mitigating operational risks.

