Is your Business getting value from its RCSAs?
Financial Institutions are required to demonstrate a thorough understanding of their biggest operational risks and to clearly evidence the steps taken to control and mitigate them. Risk and Control Self-Assessment (RCSA / RCA) processes are a popular tool, used by many banks, insurers and asset managers, to identify and assess their operational risks in an efficient and systematic way. But, despite their prevalence, few organisations have succeeded in realising the full range of benefits that effective RCSAs can offer.
RCSA processes help organisations to (i) identify and assess the risks that are inherent in their business processes, (ii) ensure appropriate controls are in place to mitigate those risks and (iii) quantify the level of residual risk that remains once all necessary controls are in place, considering the potential impact(s) and likelihood of each risk occurring.
Undervalued or Overrated?
Despite the relative maturity of RCSAs across the industry, they are often viewed as a laborious tick-box exercise rather than as a tool for driving risk-based decision making and, ultimately, improved business performance.
Central to the problem is the level of buy-in from stakeholders across the organisation – it is not always clear how the outcomes of the RCSA exercise benefit the business.
Engage and build support
Operational Risk Management teams leading an RCSA exercise can address the question of how to better engage their stakeholders across the business lines by following these four steps:
- Identify key stakeholders:
Operational Risk management teams must have a clear understanding of who their stakeholders are across the Three Lines of Defence and how they can and should contribute to the RCSA process.
- 1st Line of Defence:
The 1st Line of Defence owns the organisation’s risks and controls: it conducts the risk-generating activities, suffers the impact(s) when risks materialise and applies the controls that mitigate them. The 1st Line’s accountability for risks, combined with its understanding of how the business operates, means that it is best placed to ‘self’ identify and assess those risks.
- 2nd Line of Defence:
The emergence and fragmentation of non-financial risk departments, such as Regulatory Compliance, Financial Compliance, Conduct Risk and Reputational Risk, has led to duplicative and sometimes conflicting risk and control assessment methodologies.
The initiation of a new RCSA approach, or an update to an existing process, must involve consultation with these departments to ensure the most effective and efficient outcome is achieved; ideally a single approach is used to assess all non-financial risks.
- 3rd Line of Defence:
Internal Audit, as the 3rd Line of Defence, should be consulted to provide independent assurance over a new RCSA process.
Support from Internal Audit gives Operational Risk the backing it needs to drive 1st Line implementation and adoption of RCSAs.
The execution of RCSAs can help the 1st Line of Defence to ‘self-identify’ risk-related issues, acting as a proactive mechanism to remediate issues before Audit reviews / testing. The output from RCSAs should in turn provide an important input to, and source of comparison with, any issues identified by Audit.
- Engage stakeholders early, selling the benefits and expectations of RCSAs
To achieve the necessary support for RCSAs, the benefits and requirements need to be well articulated and communicated early on to all stakeholders.
Senior management across 1st Line Business Units and Support Functions will support an RCSA exercise if they believe they can use the outputs to inform risk-based decision making. If properly embedded, with appropriate resourcing, RCSAs can come to be viewed as a valuable BAU activity rather than a burdensome administrative overhead.
It should be noted that in smaller organisations, or those with less mature risk functions, the level of 1st Line risk capacity and capability can be limited. Where this is the case, securing the support and engagement of the 1st Line becomes even more critical.
The carrot: Quality RCSAs can be used as an important tool when prioritising risk mitigation activities (spend) and can support broader risk-based strategic decisions. Being able to understand and remediate operational risks before they materialise is of high importance to senior managers, who face increasing levels of personal accountability (driven in part by the Senior Managers and Certification Regime); the insights from RCSAs can therefore be used as a key tool to help address this.
The stick: Regulators expect Financial Institutions to understand their risk profile. RCSAs, in one form or another, are therefore a requirement of any Operational Risk Management Framework.
- Bring stakeholders on the journey of a well-considered RCSA approach
Operational Risk departments should make every effort to define an RCSA approach that is sympathetic to the organisation.
The organisation’s risk capacity and capability need to be well understood, and a consistent approach defined that focuses on identifying ‘material’ risks and ‘key’ controls – minimising the effort required from business stakeholders and focusing on the big wins for overall risk reduction.
Operational Risk management teams should therefore ensure stakeholders are well informed and, where necessary, consulted during the design and planning stages, allowing them to free up the resource capacity needed to support the eventual RCSA execution.
- Be precise and prepare
A well-defined RCSA approach should be clear and simple to follow (especially for ‘non-risk’ people). Rather than imposing complicated risk-centric terminology on business stakeholders, Operational Risk management teams should make a concerted effort to communicate in a language that is familiar and accessible to all.
Furthermore, Operational Risk management teams should not underestimate the level of training and support needed. Explaining how to undertake an RCSA, using tools such as a risk rating / prioritisation matrix and a GRC (Governance, Risk & Compliance) system, takes considerable time and effort, both up front in planning and preparation and in the actual delivery of training.
Training people on RCSA methodologies is best conducted in person and in small groups, where each stage of the process can be explained and, where necessary, tailored to the relevant Business Unit / Function. However, face-to-face training is by nature time-consuming and presents logistical and cost challenges when rolling out across multiple geographic locations.
RCSAs are not simply a necessary evil to satisfy regulatory expectations. When done well, they are an opportunity to improve Business performance through better risk-based decision making.
The process of assessing risks and controls in a consistent manner across Business Units and Support Functions can help an organisation to:
- Reduce the ‘cost of control’, through the identification and resolution of:
- Duplicative controls
- ‘Over-control’, e.g. unnecessary controls / control activities that do not reduce risk exposure, or the over-testing and over-monitoring of controls that play a minimal role in reducing risk exposure
- A weak control environment, driven by the wrong blend of control types (preventative, detective etc.)
- Drive investment decisions in controls and other risk-related components (people, tools etc.), prioritising spend and remedial activities based on risk materiality and so reducing risk exposure efficiently
- Demonstrate understanding and control of material risks (e.g. helping to quantify / aggregate the level of Fraud risk exposure)
- Compare risk-related issues (e.g. through identified control weaknesses and gaps) and understand cross-departmental control dependencies
- Provide confidence and assurance when undertaking change or during periods of stress
Operational Risk management teams should take care to plan appropriately how they will design and implement RCSAs, considering which stakeholders need to be engaged, how best to involve them, and how to avoid overly labour-intensive approaches.
The support that Operational Risk can generate through this process will prove critical to the ultimate success of RCSAs as an exercise, maximising the value they can provide.