An effective Risk and Control Self-Assessment (RCSA) framework provides forward-looking identification and operational risk analysis to help financial institutions achieve their business objectives. RCSA capabilities must be adaptable, agile, and integrated to stay ahead of increasingly dynamic operating environments and regulatory needs. RCSA results reassure regulators and the institution’s governing body that the institution possesses a sound system for managing operational risks.
Regulatory expectations increasingly emphasize performing repeatable and reportable RCSAs that are aligned across entities, functions, and lines of business. Defining a framework that is clearly understood and attainable, with appropriate reporting and communication across the enterprise, is critical for long-term success. The following recommendations outline focus areas, insights, and key actions to help build an effective RCSA framework.
Framework Considerations
Ownership & Accountability
For many organizations, policies and procedures—those that define the what and the how—are only one part of the equation. Without a clear understanding of the stakeholders who execute, own, manage, and report on these procedures (the who), emerging risks and control weaknesses are more likely to go unnoticed.
The delineation of roles, especially within the first line of defense (LOD), should promote both accountability and feasibility. It should encourage first line engagement and understanding of operational risks, while acknowledging the need to integrate these responsibilities into business as usual. Securing stakeholder buy-in to your risk management processes is crucial to identifying and mitigating risks at the source and ensuring RCSAs do not become another check-the-box exercise.
Key actions:
- Define, document, and educate the organization on risk management roles and responsibilities across all lines of defense. Proactive participation of all relevant stakeholders in an RCSA increases both accuracy and effectiveness.
- Ensure the first LOD independently assesses the material risks associated with its activities on a continuing basis. The second LOD (Risk Management Unit) acts as an independent function, providing review and challenge of RCSA results.
Risk Identification & Assessment
If risks are not identified, they cannot be assessed. If they are not assessed, they cannot be managed effectively. By identifying risks early, organizations can help reduce the negative impact of threats and increase the positive impact of opportunities.
Risk identification is a critical tool in strategic planning. Understanding potential risk helps businesses make informed decisions and create strategic plans for these hurdles. This understanding can guide important business decisions, from daily operations to long-term business objectives.
Key actions:
- Tailor the RCSA to the organization’s unique risk profile, size, and operational complexity at a sufficient level of granularity to allow for systematic application and aggregation.
- Incorporate triggers for reassessment (such as regulatory updates, new or modified products, and new business or acquisitions) and review them on a continuing basis.
- Conduct a combination of periodic and trigger-based dynamic RCSAs so the first LOD can quickly assess and respond to risks.
Control Environment
The control environment sets the tone for the organization and influences how employees conduct their activities and carry out control responsibilities. The control environment is the foundation for all other components of internal control and a crucial element to assess, mitigate, and monitor risks.
Key actions:
- Execute policies, processes, and systems, including an enterprise-wide internal control framework and standards for control testing and issue management.
- Document effective procedures for assessing, recording, and substantiating the effectiveness of controls throughout end-to-end business processes.
- Select appropriate remediation measures or risk acceptance recommendations to address identified control deficiencies.
Risk Monitoring & Reporting
Tailored monitoring reports for senior management and the board of directors drive timely action, decision making, and accountability for operating within established risk appetites.
Key actions:
- Communicate clearly, credibly, and promptly about your risk profile.
- Strengthen Governance, Risk, & Compliance tools to emphasize risk ownership and accountability and align data across processes and taxonomies.
- Integrate workflows and reporting capabilities to better understand real-time risk exposure and improve risk-based decision making at all levels, e.g., process, business segment, and enterprise.
Back Testing
Developing a strong RCSA program requires an evolutionary and iterative approach. Pairing your RCSA with a successful back testing program communicates that diagnosing and treating control deficiencies can be transformative rather than punitive.
Key actions:
- Implement a back testing process to compare the current period’s operational losses to the prior period’s control assessments.
- Dedicate a team to identify the variances in projected versus actual operational risk trends and control deficiencies to allow for continuous process improvement, while enabling and challenging first LOD risk owners to manage their risks properly and transparently.
- Communicating this point as part of your organization’s tone-at-the-top strategy is key to inspiring confidence in your first LOD risk owners and helping them better make sense of and improve their operating environment.
Connectivity to ORM Program Components
In a sustainable operational risk management (ORM) program, the RCSA should inform and be informed by other operational risk activities, e.g., risk identification, issue and event management, reporting, governance, etc. Understanding the cyclical and interrelated nature of these components is critical to communicating a strong narrative and translating data into knowledge.
Key action:
Position the RCSA as a focal point for data analysis and decision making within the overall ORM program. Consider how various operational risk data may serve as inputs and outputs to the RCSA process, including:
| Inputs to the RCSA | Outputs to Other ORM Programs |
|---|---|
|
|
Program Oversight
An effective framework requires clear and consistent governance, oversight, and control activities to monitor and assess adherence to the RCSA standard.
Key actions:
- Establish reporting routines to monitor and escalate noncompliance of the RCSA standard through risk committees/forums and issue management processes.
- Leverage monitoring capabilities to help ensure management’s strategies and decisions are implemented consistently for all impacted geographies, products, services, and/or legal entities.
- Design monitoring systems that enable the board to hold management accountable for operating within established risk appetites.
Building the Right Framework for Success
The financial services industry continues to evolve at an unprecedented pace, with increased oversight from regulatory bodies and other external agencies regarding risk management practices and industry framework application. The RCSA framework should evolve in tandem with such regulatory and industry changes; however, a strong framework takes time to design, implement, and operationalize. Organizations should review and identify areas for enhancement within their current framework and develop a target operating road map to help achieve their desired state.
FORVIS can help you kickstart and refine your RCSA journey using these and other best-in-class risk management practices.