Managing Risk and Controls though Self-Assessment

Managing Risk and Controls though Self-Assessment


March 25, 2021

This is the first in a series of articles that help capital market boards and executives better understand the Risk and Controls self-assessment process (RCSA).

What is it?

An RCSA is undertaken by ‘the business’ (first line of defence) with support and oversight from the risk management function (second line of defence).

The quality and integrity of the RCSA is one of the main points of concern for Internal Audit (third line of defence) as they seek to provide assurance to the board and executive team, and oversight committees that the firm’s risk profile is within risk appetite boundaries.

The RCSA is a systematic review of the risks and controls within the firm. This is completed by an internal expert(s) and/or by the person who is accountable for the risk.

Through this process, firms develop an understanding of the current level of residual risk and how effective their internal controls are. Typically, this process is conducted on a cyclical basis, either annually, quarterly or on a monthly basis. The development of new technology, like KRM22’s Risk Cockpit, transforms this cyclical approach into a more impactful continuous, real-time risk and controls assessment process.

Both of the key enterprise and operational risk management standards; COSO and ISO31000 are supported by and encourage the use of RCSA. Assessment results are typically presented in a Red, Amber, Green (RAG) status dashboard or report. This risk-based management information is a key output of this process.

How to do it?

The two most widely used enterprise and operational risk management standards, COSO and ISO31000, encourage the use of risk & control self-assessments. This process is also supported by all the leading professional risk management associations and industry bodies While there is no defined ‘right way’ to do the RCSA, we can review three approaches that are regularly used and discuss how they are seen by regulators and experts:

1. The Checklist Approach

This is where the inherent risk is determined jointly by the business and the risk team. Alongside this inherent risk assessment, a checklist is defined and the business teams ‘tick the box’ on the checklist. This results in a score or rating which determines the Residual Risk level. A similar approach can be taken for the assessment of control effectiveness.

This type of check listing / tick-boxing is discouraged by regulators and other stakeholders.

2. The Impact x Likelihood Approach

Another method of assessing risk is to assess the potential impact of a risk materialising and then assessing the likelihood (or probability) of the risk materialising within a defined time horizon (usually annual). The results of the impact and likelihood assessment are combined to generate a risk severity level or rating.

This approach is focused on primarily on residual risk Inherit risk should be reassessed as a result of a major risk event or a significant change within the firm’s operating environment (internal or external).

This approach is widely used and viewed favourably on by auditors, regulators and other stakeholders.

3. The Risk Team Approach

The Risk Team can conduct the RCSAs on behalf of the business. While this approach is not seen as best practice, the reality is that for small firms or firms with a low level of risk management maturity, this is the most practical approach.

It also might be a necessary approach if systematic problem with the firm’s or a departments risk culture or approach to risk management.

How KRM22’s Risk Cockpit streamlines the RCSA

KRM22’s Risk Cockpit is designed to cut the cost and complexity of risk management, and specifically to streamline the RCSA process.

With a design that is data and event driven, the KRM22 Risk Cockpit is at the forefront of enabling firms to move off spreadsheets and other ad-hoc RCSA processes to a workflow and accountability driven approach which is continuous and real-time.

In addition to enabling and automating the RCSA, the KRM22 Risk Cockpit also enables firms to drive treatment plans and other improvement activities to bring risk under control or address risk control weaknesses.

The Risk Cockpit provides flexibility as to the frequency and approach that firms want to take to their RCSA process, supporting both a ‘checklist’ and Impact X Likelihood approach.

All data captured within the Risk Cockpit can be visualised via powerful risk-based management information dashboards which transform risk data into powerful management and decision-making insights.

Please look forward to the next in the series of articles on RCSA which will include:

  • ARCI Accountability Model and the RCSA process
  • Incorporating metrics and events data into the RCSA process
  • Going beyond traditional RCSA process; underpinning the RSCA process with Bayesian inference network
  • Linking the RCSA data to business outcomes
  • The real value of the RCSA process