Incorporating metrics and other data into Risk & Controls self-assessment process

May 27, 2021

The Risk & Control Self-Assessment (RCSA) process, as described in Part 1 of this blog series, is regarded as best practice by risk management professionals and regulators alike. However, it is a process that is often subject to criticism.

The main points of criticism relate to the quality of both the process and the output. Many argue that the subjective nature of a typical RCSA process results in poor-quality risk-based management information and a lack of support and buy-in from management, and that inherent human biases and other inaccuracies become embedded within the process, further damaging buy-in and quality.

To help address some of these often-identified issues, we suggest that firms build out a risk management framework that is specifically designed to generate data supporting the assessment of risk severity and control effectiveness.

Three important datasets that firms should build are: 1) metrics data, 2) risk events data and 3) risk and controls data.


Metrics

Building out a suite of metrics as part of a risk management framework is an essential part of building a data set that can support better decision-making within the Risk & Control Self-Assessment (RCSA) process, and ultimately lead to better assessments.

We recommend that firms implement a suite of balanced and comprehensive metrics, which include:

  • Key Performance Indicators (KPIs) – use KPIs to indicate the current levels of performance within the firm, how performance is changing over time and where issues are emerging. Typically, KPIs are linked to various business outcomes, including objectives, processes, initiatives, systems etc.
  • Key Risk Indicators (KRIs) – use KRIs to indicate the current risk severity levels, how they are changing over time and where issues are emerging.
  • Key Control Indicators (KCIs) – use KCIs to indicate the current levels of control effectiveness, how they are changing over time and where issues are emerging.

Within the Risk & Control Self-Assessment (RCSA) process, those undertaking the assessment should review metrics dashboards and data ahead of making assessments. In particular, they should consider the relationships between different metrics and view the 'story' emerging from the metrics data. Metrics data can also be used to challenge and validate risk and control assessments.

Risk Events (Incidents)

Whereas metrics indicate the level of risk and control effectiveness and related changes, Risk Events provide a picture of what risks have actually crystallised within a period of time.

By systematically capturing risk events, mapping them into the risk management framework, analysing them to identify root causes, and generating actionable insights, firms can drive continuous improvement of their risk management framework. They can also create information and insights that play an essential role in the Risk & Control Self-Assessment (RCSA) process.

The real value of building datasets around metrics and risk events is that they enable firms to generate deeper insights into their levels of risk and control effectiveness by overlaying this data with historical risk and control effectiveness assessments. This creates insight into the accuracy of historical assessments and allows correlations to be identified within the data. It helps answer questions about the quality of the risk management, the quality of the data generated via the framework and, therefore, how much weight this data should be given in decision-making.

Key questions that one should seek to answer include:

  • Historically, have your forward-looking metrics provided valid insights into your levels of risk and control effectiveness?
  • Historically, what is the correlation between your metrics, risk events, control effectiveness, and risk assessments?
  • What is the strength of the relationship between residual risk levels and the effectiveness of controls?
  • What is the relationship between control effectiveness, levels of risk-taking, and the operational and strategic performance of the firm? This is an important question that many risk management frameworks are not designed to answer, but should be.
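The overlay described above can be made concrete with a simple backtest: line up each period's self-assessed residual risk and control effectiveness ratings against the KRI value and the risk events that actually crystallised afterwards, compute the correlations, and flag the periods in which the assessment was optimistic. The following Python script is an added example and is not part of the original article; the eight quarters of data, the field names and the "low risk" threshold are constructed assumptions for illustration, not real firm data.

```python
"""Backtest of RCSA self-assessment ratings against metric and risk-event data.

Constructed sample data (assumption, not real firm data): eight quarters of one
hypothetical KRI (e.g. percentage of privileged accounts with an overdue access
review), the self-assessed residual risk and control effectiveness ratings from
that quarter's RCSA (1 = lowest, 5 = highest), and the number of related risk
events logged in the following quarter.
"""
from math import sqrt

# Constructed sample records; field layout is an assumption for this example.
RECORDS = [
    # period, kri, assessed_risk, assessed_control, events_next_period
    ("Q1", 5, 2, 4, 1),
    ("Q2", 8, 2, 4, 2),
    ("Q3", 12, 3, 3, 3),
    ("Q4", 15, 3, 3, 4),
    ("Q5", 20, 2, 4, 6),   # rated low risk / strong control, yet events jumped
    ("Q6", 25, 3, 3, 7),
    ("Q7", 30, 4, 2, 9),
    ("Q8", 35, 5, 1, 10),
]

LOW_RISK_MAX = 2  # residual-risk ratings at or below this count as "low" (assumed)


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length numeric sequences."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("need two sequences of equal length >= 2")
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        raise ValueError("a constant series has no defined correlation")
    return cov / sqrt(vx * vy)


def backtest(records):
    """Overlay historical assessments with metric and event data.

    Returns the correlation of the KRI, the assessed residual risk and the
    assessed control effectiveness with realised events, plus the periods in
    which the assessment was optimistic: residual risk rated low while the
    realised events ran above the average for the whole series.
    """
    kri = [r[1] for r in records]
    risk = [r[2] for r in records]
    control = [r[3] for r in records]
    events = [r[4] for r in records]
    mean_events = sum(events) / len(events)
    optimistic = [
        r[0] for r in records if r[2] <= LOW_RISK_MAX and r[4] > mean_events
    ]
    return {
        "kri_vs_events": pearson(kri, events),
        "assessed_risk_vs_events": pearson(risk, events),
        "assessed_control_vs_events": pearson(control, events),
        "optimistic_periods": optimistic,
    }


if __name__ == "__main__":
    for key, value in backtest(RECORDS).items():
        print(f"{key}: {value}")
```

On the constructed data the KRI tracks realised events far more closely than the self-assessed ratings do, and Q5 is flagged as a period where the assessment said "low risk, strong control" while the events and the KRI both said otherwise; that is exactly the kind of challenge material the RCSA discussion should be confronted with. With real data the same shape of analysis should be run per risk category and per control, and the strength of the correlations should feed back into how much weight each dataset receives in the next assessment cycle.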

A well-designed risk management framework will provide the datasets, risk-based management information and insights needed to support high-quality conversations and decision-making within the Risk & Control Self-Assessment (RCSA) process.

Many of the criticisms levelled at the Risk & Control Self-Assessment (RCSA) process can be addressed by bringing together subjective, expert-opinion input with systematically curated data and insightful analysis that can validate or challenge it. If no clear story supported by both expert opinion and data is emerging from your Risk & Control Self-Assessment (RCSA) process, then there is further work to do.