The Methodology Behind Risk and Control Self Assessment

Risk and control self assessment (RCSA) is a process through which operational risks and the effectiveness of controls are assessed and examined. The objective is to provide reasonable assurance that all business objectives will be met.

One of the most popular approaches for conducting RCSA is to hold a workshop where the stakeholders identify and assess risks and controls in their respective areas of operations. A facilitated RCSA can improve the control environment of a bank by:

• Increasing awareness of organizational objectives and the role of internal control in achieving goals and objectives.
• Motivating personnel to carefully design and implement control processes and continually improve operating control processes.

The primary objectives of RCSA are to ensure:

• The reliability and integrity of information.
• Compliance with policies, plans, procedures, laws, regulations and contracts.
• The safeguarding of assets.
• The economic and efficient use of resources.
• The accomplishment of established objectives and goals for operations or programs.

RCSA Entities

RCSA must be performed within businesses and functions, and must encompass all activities within a business or function that may give rise to operational risk. The RCSA entities need to be identified at the beginning of this process and could be either the departments or the business, such as:

• Information technology.
• Retail banking.
• Corporate banking.
• Asset management.
• Treasury.
• Payments.
• Customer services.
• Financial control.
• Business development.

RCSA will require the coordinated efforts of senior management, business and support functions. The concept of teamwork and management accountability are important aspects of RCSA in order to ensure end-to-end evaluation of risks and controls.

RCSA Governance, Roles and Responsibilities

In a RCSA strategy, the risk management committee and board of directors should receive periodic high level information on RCSA. Senior management is responsible for inculcating an organisational culture that places high priority on sound internal controls and policies, therefore it should receive regular reports about RCSA results.

The board of directors should approve the policy on RCSA and the operational risk manager should establish the RCSA standards contained in this policy. The heads of the businesses/functions are ultimately accountable for carrying out the RCSA process.

Internal audit managers provide independent assessment and evaluation of the individual business and function activities and compliance with this policy, including assessing the adequacy and effectiveness of the control processes and appropriateness of the control ratings. Essentially, the internal audit manager acts as a facilitator in an RCSA workshop.

RCSA Workflow

The workflow (see below) starts by identifying the risks faced by the RCSA entities and once the risks are identified, they need to be assessed. Identification of controls for the identified risks is the next step in the workflow. After control identification, the controls need to be assessed based on whether they are working as intended or suitable for the purpose they are designed for. If there is any lapse in the controls, suitable action needs to be taken.

The RCSA Process

Heads of departments/businesses are the people closest to the critical control points within the organisation, so they are the ones who know what is working and what isn’t when process changes occur and whether changes in procedures, systems and the workforce are affecting process performance. Department heads/business heads are ultimately responsible for assessing the design and the performance of controls. Self-assessment reinforces this accountability.

Approach

The approach that has to be used is the facilitated self-assessment approach, which involves gathering management and staff for workshops relating to, and discussion of, specific issues or processes. It is used as a mechanism to assess informal, or soft, controls as well as traditional hard controls.

Document control environment

Each RCSA entity has to analyse their present processes for identifying the controls and document overall control environment.

Identify and evaluate risks

Each RCSA entity has to identify the operational risks arising from its products and activities. These risks can be identified from various sources including audit reports, actual loss experience and regulatory reviews. Once the risks are identified, they are high, medium or low. Inherent risks and residual risks are to be segregated.

Identify specific controls

For each risk identified above, controls need to be identified that are in place to mitigate that risk. The attributes for the controls are to be documented.

Assess and rate the controls

Once the controls are identified, an assessment has to be carried out and analysed, to see whether the controls are working as intended. Self rating is designed to bring together all of the findings of the review and to provide senior management with concise feedback regarding the overall quality and status of the controls.

The overall quality of the control environment for each RCSA entity must be rated as satisfactory, needs improvement or unsatisfactory.

Action planning

Whenever control weaknesses are found to exist, they must be documented and be the subject of appropriate and prompt corrective action. Sufficient testing or other procedures must be performed to provide reasonable assurance that controls adequately address risks and are functioning as intended. The important components of the corrective action plan must include:

• Name of the RCSA entity.
• Name of a responsible officer for the RCSA entity.
• Date of test and test period covered.
• Clear description of each control weakness.
• Action plan to resolve the deficiency.
• Target date for resolution that is both reasonable and achievable.
• Rating of the issue severity.

Corrective actions for a control weakness must be monitored until rectified by the responsible manager. Any slippage in meeting previously agreed target dates must be documented in the RCSA documentation.

Monitor RCSA results

The operational risk manager has to periodically monitor the RCSA, including results of testing and corrective action tracking. Evidence of this monitoring should be maintained.

Report RCSA results

RCSA results have to be incorporated into the quarterly operational risk report. High level information has to be sent to the board of directors and the senior management.

Control testing

Frequent internal audit testing – the effectiveness of self-assessment is evaluated in terms of the quality and reliability of the assurances the process provides to certifying officers. Therefore, internal audit should test selected controls to evaluate the quality of the assertions reported through the self-assessment program. In such instances, internal audit’s testing work product should be documented ‘outside’ the self-assessment programme used by process owners.

Benefits of RCSA

Numerous benefits can be derived by successfully implementing an effective RCSA programme. Some of the benefits include:

• Encourages both management and staff to assume responsibility for internal controls.
• Provides the opportunity to focus efforts on important informal as well as formal controls.
• Acts as a bottom-up feedback mechanism.
• Help organisations to be pro-active.
• Reduce audit exposures.
• Provides more comprehensive and relevant information.
• Improves internal audit’s image and visibility.
• Looking at the entire spectrum of controls.

RCSA is a process that generates information on operational risks and internal controls that may be useful for management and internal auditors in judging the quality of control. It can be a positive influence on the control environment within an organisation by raising control consciousness and achieving buy-in of members.

RCSA is a proven asset for control processes within companies.

RCSA can be used to increase the scope of coverage of internal control reporting during a given year. Audit work can be targeted by reviewing high risks and unusual items noted in RCSA results. Also, the RCSA method can be used to increase the effectiveness of corrective action by transferring ownership to operating employees.