For many Financial Services firms, the Risk & Control Self-Assessment (RCSA) process is a core part of their risk management activities.
The Risk & Control Self-Assessment is regarded by many as industry best practice and is widely supported by regulators, the risk community and many executive teams.
However, speaking to those involved with the process; in both the 1st and 2nd lines of defence, it is clear that this process does not always deliver the value expected. Some firms have stated they feel like something is missing from the process. In this blog, I will explore if that ‘missing something’ is Risk Velocity.
The typical Risk & Control Self-Assessment process comprises a Likelihood x Impact (or similar) Risk Assessment alongside a Control Effectiveness assessment, using Design and Operation as its assessment dimensions. It is a subjective, point in time assessment of the level of risk and the effectiveness of controls within a firm.
The RCSA data can be used to generate a range of management reports and dashboards with insights into the current level of risk and control effectiveness. It can provide alerts and prompts early action into emerging risk issues or controls weaknesses. This data can be used to build up trend information about risk severity and control effectiveness. The RCSA results can also be used in more advanced analytics to create aggregated, summary views of risk and control effectiveness and build causal models to understand the relationships between various risks and controls.
Slicing and dicing the RCSA data to generate insights into the current position and historical picture of risk severity and control effectiveness is important; however, it is generally backward looking. This is where Risk Velocity can add significant value. By its nature, Risk Velocity is a forward-looking measure.
Risk Velocity measures the time between a risk occurring and the time it impacts the firm. The explicit focus on time adds a new dimension to typical risk information, gives that information more depth, creates a more forward-looking suite of risk and controls information, and encourages a more forward orientated management conversation about risk. Risk Velocity also has a vital role in ranking risks, prioritising mitigation initiatives and building more resilience within the firm.
Traditional RCSA data enables executives and other decision-makers to understand their current level of risk and control effectiveness. Adding Risk Velocity enables those executives and other decision-makers to ask what-if questions; if a particular risk occurs, what time will we have to react? How fast will the risk impact the firm, and how quickly could those impacts spread?
If those forward-looking risk insights and conversations are missing in your firm, maybe it is time to consider adding Risk Velocity to your existing Risk and Controls Self-Assessment process.