The Risk & Control Self-Assessment (RCSA) process, as described in Part 1 of this blog series, is regarded as best practice by risk management professionals and regulators alike. However, it is a process that is often subject to criticism.
The main points of criticism relate to the quality of both the process and the output. Many argue that the subjective nature of a typical Risk & Control Self-Assessment (RCSA) process results in poor-quality risk-based management information, a lack of support and buy-in from management, and inherent human biases and other inaccuracies becoming embedded within the process, further damaging buy-in and quality.
To help address some of these often-identified issues, we suggest that firms seek to build out a risk management framework that is specifically designed to generate data that supports the assessment of risk severity and control effectiveness.
Three important datasets that firms should build are: 1) metrics data, 2) risk events data and 3) risk and controls data.
Building out a suite of metrics as part of a risk management framework is an essential part of building a data set that can support better decision-making within the Risk & Control Self-Assessment (RCSA) process, and ultimately lead to better assessments.
We recommend that firms implement a suite of balanced and comprehensive metrics, including:
Within the Risk & Control Self-Assessment (RCSA) process, those undertaking assessment should review metrics dashboards and data ahead of making assessments. In particular, consider the relationships between different metrics and view the 'story' emerging from the metrics data. Metric data can also be used to challenge and validate risk and control assessments.
Whereas metrics indicate the level of risk and control effectiveness and related changes, Risk Events provide a picture of what risks have actually crystallised within a period of time.
By systematically capturing risk events, mapping them into the risk management framework, analysing them to identify root causes, and generating actionable insights, firms can drive continuous improvements to their risk management framework. They can also create information and insights that can play an essential role in the Risk & Control Self-Assessment (RCSA) process.
The real value of building datasets around metrics and risk events is that it enables firms to generate more profound insights into their levels of risk and control effectiveness by overlaying this data with historical risk and control effectiveness assessments. This will create insights into the accuracy of historical assessments and enable correlations to be identified within the data. It will help answer questions about the quality of the risk management, the quality of the data generated via the framework and, therefore, how much weight this data should be given in decision-making.
Key questions that one should seek to answer include:
A well-designed risk management framework will provide the datasets and the risk-based management information and insights to support high-quality conversations and decision-making within the Risk & Control Self-Assessment (RCSA) process.
Many of the criticisms levelled at the Risk & Control Self-Assessment (RCSA) process can be addressed by bringing together the subjective, expert-opinion input with systematically curated data and insightful analysis that can validate or challenge it. If there is no clear story emerging from your Risk & Control Self-Assessment (RCSA) process, supported by both expert opinion and data, then there is further work to do.