The Methodology Behind Risk and Control Self Assessment
Risk and control self assessment (RCSA) is a process through which operational risks and the effectiveness of controls are assessed and examined. The objective is to provide reasonable assurance that all business objectives will be met.
One of the most popular approaches for conducting RCSA is to hold a workshop where the stakeholders identify and assess risks and controls in their respective areas of operations. A facilitated RCSA can improve the control environment of a bank by:
The primary objectives of RCSA are to ensure:
RCSA must be performed within businesses and functions, and must encompass all activities within a business or function that may give rise to operational risk. The RCSA entities need to be identified at the beginning of this process and could be either the departments or the business, such as:
RCSA will require the coordinated efforts of senior management, business and support functions. Teamwork and management accountability are important aspects of RCSA in order to ensure end-to-end evaluation of risks and controls.
In an RCSA strategy, the risk management committee and board of directors should receive periodic high-level information on RCSA. Senior management is responsible for inculcating an organisational culture that places high priority on sound internal controls and policies; it should therefore receive regular reports about RCSA results.
The board of directors should approve the policy on RCSA and the operational risk manager should establish the RCSA standards contained in this policy. The heads of the businesses/functions are ultimately accountable for carrying out the RCSA process.
Internal audit managers provide independent assessment and evaluation of the individual business and function activities and compliance with this policy, including assessing the adequacy and effectiveness of the control processes and appropriateness of the control ratings. Essentially, the internal audit manager acts as a facilitator in an RCSA workshop.
The workflow (see below) starts by identifying the risks faced by the RCSA entities. Once the risks are identified, they need to be assessed. Identification of controls for the identified risks is the next step in the workflow. After control identification, the controls need to be assessed based on whether they are working as intended or are suitable for the purpose for which they were designed. If there is any lapse in the controls, suitable action needs to be taken.
Heads of departments/businesses are the people closest to the critical control points within the organisation, so they are the ones who know what is working and what isn’t when process changes occur and whether changes in procedures, systems and the workforce are affecting process performance. Department heads/business heads are ultimately responsible for assessing the design and the performance of controls. Self-assessment reinforces this accountability.
The approach that has to be used is the facilitated self-assessment approach, which involves gathering management and staff for workshops relating to, and discussion of, specific issues or processes. It is used as a mechanism to assess informal, or soft, controls as well as traditional hard controls.
Each RCSA entity has to analyse its present processes to identify the controls and document the overall control environment.
Each RCSA entity has to identify the operational risks arising from its products and activities. These risks can be identified from various sources including audit reports, actual loss experience and regulatory reviews. Once the risks are identified, they are rated high, medium or low. Inherent risks and residual risks are to be segregated.
For each risk identified above, controls need to be identified that are in place to mitigate that risk. The attributes for the controls are to be documented.
Once the controls are identified, an assessment has to be carried out and analysed to see whether the controls are working as intended. Self-rating is designed to bring together all of the findings of the review and to provide senior management with concise feedback regarding the overall quality and status of the controls.
The overall quality of the control environment for each RCSA entity must be rated as satisfactory, needs improvement or unsatisfactory.
Whenever control weaknesses are found to exist, they must be documented and be the subject of appropriate and prompt corrective action. Sufficient testing or other procedures must be performed to provide reasonable assurance that controls adequately address risks and are functioning as intended. The important components of the corrective action plan must include:
Corrective actions for a control weakness must be monitored until rectified by the responsible manager. Any slippage in meeting previously agreed target dates must be documented in the RCSA documentation.
The operational risk manager has to periodically monitor the RCSA, including results of testing and corrective action tracking. Evidence of this monitoring should be maintained.
RCSA results have to be incorporated into the quarterly operational risk report. High-level information has to be sent to the board of directors and the senior management.
Frequent internal audit testing – the effectiveness of self-assessment is evaluated in terms of the quality and reliability of the assurances the process provides to certifying officers. Therefore, internal audit should test selected controls to evaluate the quality of the assertions reported through the self-assessment programme. In such instances, internal audit’s testing work product should be documented ‘outside’ the self-assessment programme used by process owners.
Numerous benefits can be derived by successfully implementing an effective RCSA programme. Some of the benefits include:
RCSA is a process that generates information on operational risks and internal controls that may be useful for management and internal auditors in judging the quality of control. It can be a positive influence on the control environment within an organisation by raising control consciousness and achieving buy-in of members.
RCSA is a proven asset for control processes within companies.
RCSA can be used to increase the scope of coverage of internal control reporting during a given year. Audit work can be targeted by reviewing high risks and unusual items noted in RCSA results. Also, the RCSA method can be used to increase the effectiveness of corrective action by transferring ownership to operating employees.