Deriving Value from a Risk and Control Self-Assessment Program

A Risk and Control Self-Assessment can help provide an enterprise view of operational risk, and help keep the company on course for achieving high performance.

Accenture identifies six leading practices from the financial services industry that may be used more generally.

Risk and Control Self-Assessment (RCSA) is a framework that can be used by a firm to analyze its operational risk profile. Since operational risks are inherently embedded into each function or process, a RCSA program can be useful in providing an enterprise view of the firm’s operational risk profile, provided there is comprehensive participation by each business unit throughout the organizational structure.

The RCSA is used by many financial institutions for performing operational risk assessments as required by Basel II and many local regulatory bodies. In those institutions, the annual RCSA exercise is typically undertaken to comply with regulatory requirements calling for a firm-wide, self-analysis of operational risks. In its most general format, a RCSA requires the documentation of risks, identifying the levels of risk (derived from an estimate of frequency and impact), and controls associated with each process conducted by the organization. To simplify the output and better organize the assessment approach, the exercise is generally conducted at the business-unit level. For regulatory purposes, each business unit assessment is typically collected and presented as a comprehensive repository of assessed operational risks.

There is a spectrum of how organizations can approach their RCSA program. Some treat it as a “check the box activity” and invest minimally in both time and resources—just enough to satisfy regulatory obligations. On the other hand, some view the RCSA as a value-added risk management tool and invest accordingly. Investments in technology, reporting capabilities and personnel are necessary to meet even basic regulatory requirements; however, unless the RCSA is appropriately structured, minimal investment may beget minimal value.

There is no single “correct” way to complete a RCSA, and the approach will vary depending on the culture, structure and goals of an organization, but there are commonly observed leading practices that organizations deriving value from the process are implementing and that are helping shape the profile of the next generation of RCSAs. While these are based on experiences at leading-edge banks, they are applicable to anyone conducting RCSAs.

• Integrate RCSA programs into all operational risk initiatives. The RCSA program should act as the crossroads for all risk initiatives. Indeed, many organizations are also adopting standard risk language or taxonomies.

• A complete view of risks and controls is necessary. This will enable the later performance of value-added analysis.

• Establish a clear methodology for trend analysis. A RCSA program should identify undue concentration of risk or potential control failures.

• Establish a method for identifying non-financial risks. The impact of non-financial risks may, at times, far exceed the dollar cost.

• Think outside the box. Risk and Control Self-Assessment can provide organizations with a new opportunity to identify and plan for unexpected or emerging risks.

• Use RCSA data to support strategic budgeting. The framework can be used to paint a clear picture of why expenditures and resources are being deployed to targeted problem areas within the company.

Chris Thompson is an executive director, Risk Management, Banking and Capital Markets in North America. Specializing in complex, large-scale finance and risk programs, he works with some of the world’s leading retail, commercial and investment banks. Thompson brings his nearly 20 years of broad-based experience in financial architecture, risk management, performance management and trading to organizations determined to become high-performance businesses.

Meera Kakad Gondha is a senior manager, Risk Management. Based in Charlotte, North Carolina, and with 10 years of industry and consulting experience with a focus on operational risk, Gondha works with banking and capital markets clients to help them define, implement, and monitor their operational risk programs.