

Deriving value from a risk and control self-assessment program

Read how Risk and Control Self-Assessment can help companies understand operational risk better.


A Risk and Control Self-Assessment (RCSA) can help provide an enterprise view of operational risk, and help keep the company on course for achieving high performance.

Accenture identifies six leading practices from the financial services industry that may be used more generally.

  • Integrate RCSA programs into all operational risk initiatives. The RCSA program should act as the crossroads for all risk initiatives. Indeed, many organizations are also adopting standard risk language or taxonomies.

  • A complete view of risks and controls is necessary. This will enable the later performance of value-added analysis.

  • Establish a clear methodology for trend analysis. An RCSA program should identify undue concentration of risk or potential control failures.

  • Establish a method for identifying non-financial risks. The impact of non-financial risks may, at times, far exceed the dollar cost.

  • Think outside the box. RCSA can provide organizations with a new opportunity to identify and plan for unexpected or emerging risks.

  • Use RCSA data to support strategic budgeting. The framework can be used to paint a clear picture of why expenditures and resources are being deployed to targeted problem areas within the company.

RCSA is a framework that can be used by a firm to analyze its operational risk profile. Since operational risks are inherently embedded into each function or process, an RCSA program can be useful in generating an enterprise view of the firm’s operational risk profile, provided there is comprehensive participation by each business unit throughout the organizational structure.


The RCSA is used by many financial institutions for performing operational risk assessments as required by Basel II and many local regulatory bodies. In those institutions, the annual RCSA exercise is typically undertaken to comply with regulatory requirements calling for a firm-wide self-analysis of operational risks. In its most general format, an RCSA requires documenting the risks, the levels of risk (derived from an estimate of frequency and impact), and the controls associated with each process conducted by the organization.

To simplify the output and better organize the assessment approach, the exercise is generally conducted at the business-unit level. For regulatory purposes, each business unit assessment is typically collected and presented as a comprehensive repository of assessed operational risks.

There is a spectrum of how organizations can approach their RCSA program. Some treat it as a “check the box” activity and invest minimally in both time and resources—just enough to satisfy regulatory obligations. On the other hand, some view the RCSA as a value-added risk management tool and invest accordingly. Investments in technology, reporting capabilities and personnel are necessary to meet even basic regulatory requirements; however, unless the RCSA is appropriately structured, minimal investment may beget minimal value.


Chris Thompson is an Accenture executive director, Risk Management, Banking and Capital Markets in North America. Specializing in complex, large-scale finance and risk programs, he works with some of the world’s leading retail, commercial and investment banks. Thompson brings his nearly 20 years of broad-based experience in financial architecture, risk management, performance management and trading to organizations determined to become high-performance businesses.

Meera Kakad Gondha is an Accenture senior manager, Risk Management. Based in Charlotte, North Carolina, and with 10 years of industry and consulting experience with a focus on operational risk, Gondha works with banking and capital markets clients to help them define, implement, and monitor their operational risk programs.
