The 5 steps to get your RCSA program up and running.

Boris Agranovich

This article is part of the series "Popular Risk Management". The aim of the series is to describe the main risk management topics in simple, clear and concise language. To stay updated on the recent trends, please make sure to check out our Risk Management Show podcast on the major podcast apps or via the following link:  

Risk Self Assessment or RCSA is one of the most effective tools in the Risk Management arsenal. When applied effectively it will add value to your entire organization and improve the way it does business.

The objective is to provide reasonable assurance that all business objectives will be met. In practice the aim of the RCSA is to map the areas of high risk and determine the ways to deal with this risk.

The RCSA is a time consuming exercise, as it requires precious time, both from business and risk management.

By the end of the day every responsible organization should know:

·         What are the major risks

·         What are the plans in place to deal with these risks

·         Who are the owners of the risks and the plans

The RCSA is the tool, which is probably least understood, and there are many confusions and misconceptions about its implementation.

Below are the 5 steps that every organization should take to successfully apply the RCSA. 

Step 1: Get buy in from the board.

RCSA requires the coordinated efforts of senior management, business and/or support functions. The board of directors should approve the RCSA policy and the risk management should establish the RCSA standards and methodologies. The heads of the businesses or functions are ultimately accountable for carrying out the RCSA process.

Step 2: Create a comprehensive plan.

Prioritise, by this time you should have a comprehensive process map and main ideas where your high risks processes are. Create a plan and the schedule and coordinate it with the business management. Remember the word “self”, the idea is that business itself will do the risk assessments. It will encourage risk reporting and awareness.   

Step 3: Decide the method of conducting RCSA.

There are several methods to conduct RCSA – survey/questionnaire, facilitated workshop with Risk management staff participation, workshop with only business unit participation.

Some methods like surveys are mostly suit for the IT related processes and controls. In this way you can assess quickly the processes. The usefulness of this method can be diminished however unless properly communicated. Be aware that when not applied in the structural manner, the business units might perceive it as a formal exercise in ticking the boxes.

Workshops are meant to brainstorm the process and define the risks and assess the controls. A good risk manager is able to motivate personnel and create an atmosphere of trust that will allow a free exchange of information and deliver a productive brainstorming session. After few initial sessions the business should be able to run the RCSA sessions by themselves without risk managers. The sessions have to be well documented and risk management should be able to run the reports to determine the quality of the information and coordinate further progress.     

Step 4: Register all information into the risk management tool.

The centralized RM tool is preferred, but if you don’t have one, use Sharepoint, Excel (only for starters). The business must have access to the system to provide constant input of the information. The overall quality of the control environment for each entity must be rated as 'satisfactory', 'needs improvement' or 'unsatisfactory'. Risk management is ultimately responsible for the quality of information collected in the risk management tool 

The result of the session can be summarized per process/business line:

1.      What risks do we have?

2.      What controls do we have to mitigate these risks?

3.      Have the controls been implemented?

4.      If implemented, have the controls been effective?

5.      If not effective or not implemented, decide the response action.

Inherent risks as well as residual risks need to be assessed and rated as 'High', 'Medium' or 'Low'.
Inherent risk is the risk that exists in the process. Effectiveness of controls is not taken into consideration for arriving at inherent risks. Residual risk is the risk that still exists after having business controls in place.

Once risks have been identified and assessed, all techniques to manage the risk fall into one or more of these four major categories:

  • Avoidance (eliminate)

  • Reduction (mitigate)

  • Transfer (outsource or insure)

  • Retention (accept and budget)

Incorporate results into the quarterly reports. The best practice is to create the Heat maps, which will show the risk distribution across the organisation, processes and risk types. Send high-level information to the board of directors and the senior management.

Step 5: Monitor and incorporate the whole process into yearly planning.

The risk management has to monitor periodically the RCSA, including results of testing and track action items. Maintain the evidence of the monitoring. The end result of RCSA is also one of the important components for capital computation under AMA.

Do you want to learn more about risk management? Join the world's premier online community for risk managers connecting thousands of top professionals. Join via my personal invitation link and propel your career to the new level! 

Please send your comments to:
Written by Boris Agranovich