Risk and Control Self-Assessment (RCSA) – A New Paradigm Required

The 2014 review identified that several principles had not been adequately implemented, and further guidance would be needed to facilitate their implementation in the following areas:

1. a) Risk identification and assessment tools, including risk and control self-assessments (RCSAs), …

The opening statement of the Basel Committee Revisions to the Principles for the Sound Management of Operational Risk is spot on.

In my experience, Risk and Control Self-Assessment (RCSA) can turn into mini enterprises in their own right, swallowing countless resources across all three lines of defence, generating many frustrations and no clear risk decisions. Or worse, way too many things to fix!

To deliver significant strategic and operational value and improve risk management, risk assessments must be transformed into a digital risk management solution and predictive data-driven actionable business management tool aligned to organisational objectives and embedded into operational business decision processes. Some significant thoughts must also go into rollout strategy, speaking from hard-learnt lessons.

To make this work, I would focus on three broad areas as starting points:

1) Reiterating the business case;

2) Embedding assessment into day-to-day business management; and

3) Establishing an implementation roadmap.

Add a single design principle: keep it simple for business folks!

What is RCSA?

I found the following definition from Finance Training Course very relevant:

RCSA (Risk Control Self-Assessment) is an empowering method/process by which management and staff of all levels collectively identify and evaluate risks and associated controls. It adds value by increasing an operating unit’s involvement in designing and maintaining control and risk systems, identifying risk exposures and determining corrective action. The aim of RCSA is to integrate risk management practices and culture into the way staff undertake their jobs, and business units achieve their objectives.

An RCSA is not solely a “business driven” risk and control self-assessment though. It also requires risk and control inventories, taxonomies, etc.

Often, none of these is mature enough, which generates significantly more work for all parties involved to get the framework in place, never mind embedded. But more of that later.

Why is an RCSA required?

…results of the bank’s operational risk assessment should be incorporated into the bank’s overall business strategy development process (per above Basel Committee paper page 6)

Effective operational risk management leads to a culture of risks and controls fully embedded across the firm’s business activities and operations. It ensures that business folks understand what a risk is, what a control is and can “put two and two together”.

In that context, the RCSA is a tool that should enable senior management to translate “WHAT” their teams do and “HOW” they do it into resulting risks and required controls. It should also provide educational opportunities for business folks on the consequences, including associated costs, of their operational decisions.

This is critically important for both “WHAT” and “HOW” drive:

1. how senior management and operational teams end-up spending their time (e.g. urgently fixing the latest failed process vs. delivering the right service to their clients); and

2. the firm’s ability to absorb new business and to scale up. If resources are allocated to managing a fragmented, manual and complex operational environment, they are not available to develop innovative services, support business growth and deliver seamless customer experience.

If the risks arising from the “WHAT” generate value for both customers/clients and shareholders, risks associated with the “HOW” mostly create downside through higher operational costs, undesirable losses and poor customer experience.

The latter type of risks (ie. the downside and costly type) can represent two thirds or more of the operational risk landscape[1] of any given activity. Consequently, control activities can eat up to 80-90% of available resources.

In that context, the RCSA provides a firm with a valuable operational diagnostic

1. to transform a sub-optimal activity into a simplified, resilient and scalable customer centric business operating model;

2. to strengthen its cost to income ratio whilst increasing process outcome predictability (ie. reducing risks and undesirable losses); and of course

3. to meet regulatory expectations.

Embedding RCSA into Day-to-Day Business Management

… The components of the ORMF[2] should be fully integrated into the overall risk management processes of the bank by the first line of defence, adequately reviewed and challenged by the second line of defence, and independently reviewed by the third line of defence… (per above Basel Committee paper page 6)

As a result of the above, RCSA frameworks are usually designed as a standalone framework in the context of the overall operational risk management infrastructure to ensure regulatory compliance, instead of being designed as a business management tool with risk management capabilities.

By contrast, credit risk and market risk activities are usually fully embedded into business decision making. My experience is that business folks operate through them day in and day out, not once a year or only when something breaks down in my experience.

With that in mind, firms have already implemented numerous specialised operational risk assessment tools to address specific business needs and/or meet regulatory requirements. These tools should already be embedded into business processes.

Without being exhaustive, here is a list of assessments regulated firms might already have:

• Business Continuity

• Third Party Risk

• Change and Transformation Risk

• Offshoring and out/in-sourcing

• Technology Risk

• Cyber Risk

• Model Risk

• EUC Risk

• Fraud

• Anti-Money Laundering

• Health and Safety

• Reputational Risk

• New Product

• New Instrument

• New Market

• Know Your Customer

• Climate Risk

• New Contract

• New Client

• Conflict of Interests

• Diversity and Inclusion

• Cloud

• Regulatory Risk

• Etc.

Going forward, I see RCSA being an aggregator of the output of such assessments providing a “live” view on risk exposure and level, control, etc. without conducting a stand-alone self-assessment. This would significantly increase the quality and granularity of the risk and control data, remove significant duplication of work (and secure stronger buy-in from business folks as a result), and ultimately enable better strategic fit.

Arguably, retrofitting these assessments could generate significant rework especially for the framework owner, but I am convinced this would pay-off. The business case would be a matter of opportunity costs supported by stronger risk management outcomes (and less work in the business) vs. continuing to do all the above and RCSA together.

That being said and building from my previous blog post on Risk Oversight, I also believe further integration of risk oversight functions and activities is required to enable a simpler and more embedded management of operational risks, which will mean less frameworks, less policies and an end-to-end approach to risk management. But this will be the topic for a future article.

RCSA Roll-out

I had the opportunity to lead multiple RCSA implementations and it is fair to say, none of them were “perfect”. There are some common features, and mistakes, to be considered (and to be avoided)

• Risk Ownership - In my blog post Enabling Board & Senior Management Risk Oversight, I touched on the notion that the Board of Directors is accountable for the risks of their firm. The directors rely in turn on the executives and their teams to manage these risks.

In the context of RCSA, the risk “owners” identify, report and assess the risks they own. This requires establishing clear risk management accountability and responsibility across many executive and operational layers.

This is a headache! And a major impediment to RCSA adoption.

In my experience, organisational chart and official governance, widely used to assign risk ownership, rarely align with how things actually get done in a firm. This has as much to do with the inherent flaws in the concept of the “organisation chart”[3] as it does with the real centre of power(s) being disconnected from the official governance of a firm.

As a result, operational managers, per the official organisational chart structure, do not have any incentive to put their names against some of the risks impacting their departments and they end up either not reporting these risks at all or materially underestimating them. Or they exclude risks that impact their function because they originate upstream.

Practically, a social network analysis would be more relevant to effectively assign leadership responsibility including risk ownership, but I have never seen it used in any of the firms where I worked.

With that in mind, I would at least “neutralise” the notion of risk ownership whilst deploying and maintaining an RCSA. Let the operational team focus on identification and assessment for the activity they run, whilst leaving the “emotions” aside.

• Diagnostic - It is critical to understand what your starting point is. And this diagnostic must include an understanding on both operational risk framework and risk culture maturity.

When it comes to the level of maturity of the existing operational infrastructure, I have experienced different situations from having nothing, to having scattered and non-standardised “stuff”, to having fully formed but not fit for purpose frameworks.

You can find below a list of required foundational components:

1. Risk taxonomy

2. Risk inventory or register

3. Risk impact assessment methodology

4. Probability assessment methodology (if you decide to use probability)

5. Severity assessment combining b) and c) into a common rating

6. Activity/process/function inventory depending on how you decide to document the activities of your firm

7. Control inventory

8. Control taxonomy (though not mandatory day 1)

9. Control assessment methodology

10. Risk decision framework (ie. risk accept or remediate)

11. Etc.

The list can be longer. But regardless of how granular and complex it is, all those components will have to be applied by non-risk folks at some points.

With this in mind, it is going to be difficult to get business folks to assess risk severity or build a risk register if they don’t understand what a risk is.

The level of risk culture maturity is critical to define how complex you want to be short and medium term (see next section) and to map out how you will roll-out your framework especially when it comes to training and education. This also helps you to determine the required resource model – e.g. establishing a 1LoD Risk Function vs. fully relying on existing resources.

Once the diagnostic is performed, you need to define “a” target state and map out a strategy, or roadmap, to get there.

• “A” target state – I wrote “a” because this could change as the level of risk maturity increases across the firm over time. For example, I would not directly connect the RCSA with the various assessments I mentioned in the previous section unless I already have matured risk and control inventories and broad organisational coverage.

The initial target state could target granular risk inventories and registers across all your business activities and legal entities, supported by granular control inventories, to feed into risk reporting and oversight. Stated differently, it is about building the dataset.

Then, the vision can evolve to fully embedding business assessment tools (as per previous section) in addition to strategic and predictive portfolio risk and control management.

“Breaking down” the vision into ambitious but achievable steps makes it more palatable for all stakeholders and this will be better supported through an effective communication strategy.

• Communication – the one item I systematically underestimated, and, with hindsight, would have approached differently. Rolling out an RCSA is about leading many people at all levels through a painstaking difficult activity over a multiyear journey. That said, regular communication on why and what, as well as celebration of achieved results is key.

This is about business management

Operational Risk frameworks, including RCSAs, should be considered as parts of the wider business decision and management toolkit. They can be – and sometimes should be – designed and rolled out as standalone's but at some point, such tools must converge and be merged within the business environment to become ubiquitous and transparent to business folks, who needs to live and breathe this stuff day in and out.

I have been asked many times – When will we be done?

Based on my experience, success is achieved when risk assessments deliver a behavioural diagnostic that can support business change. Success is achieved when senior executives are put in front of hard strategic realities that lead to cultural transformation. Or more simply, success is achieved when RCSA kick starts the real strategic and value added discussion!

This is no longer only about ticking the regulatory box;effective as low v, and control prliferation it is about leveraging a very relevant tool to support operational and strategic organisational success.

[1] Based on the findings of a new breed of RCSA designed to join-up risk / control expertise with process excellence [2] Operational Risk Management Framework [3] I would recommend reading the book Free Agent Nation by D Pink chapter 8 to have an excellent detailed explanation on the root cause of the problem. To summarise, the organisational chart rarely depicts how things get done in a firm, which is a fundamental problem when it comes to assigning risk responsibilities