Markets across the globe are experiencing a period of heightened strategic and operational risk – which is why comprehensive risk and control self assessments (RCSAs) continue to be a crucial first step in mitigating these risks. Nash Riggins explores the various processes organisations can take to develop and implement a reliable RCSA.
It’s been more than a decade since the economic meltdown of 2008, and the global financial landscape has evolved dramatically. Market conditions are experiencing a positive shift across many jurisdictions, central bankers are finally hiking interest rates and disruptive technology has totally rocked the global financial landscape. Yet while many of these changes are perceived to be great for consumers and industry, they’re also accompanied by a worrying degree of risk and uncertainty for large organisations and financial institutions.
FIs are undeniably in the midst of a prolonged period of substantial operational risk, and many of these potential threats will only continue to grow over the course of 2019. Geopolitical risks such as Brexit and the UK’s uncertain future relationship with the EU, the rise of populist political parties and the Trump Administration’s repeated intentions to renegotiate key trade agreements have all had an impact on supply chain management, cross-border payments and FX.
Elsewhere, major regulatory updates and legislation from PSD2 and MiFID II to GDPR have created complex and costly compliance hurdles for FIs and firms across a wide range of industries – while enterprising fintechs are leveraging innovation to compete with and replace established financial institutions, banking products and traditional B2B and B2C relationship dynamics.
In short, institutions are quite literally surrounded by risk on all sides. In order to survive, sustain success and create value, firms must deploy robust risk management techniques, strategies and processes. That winding journey begins with a risk and control assessment.
A risk and control assessment is the process by which organisations assess and examine operational risks and the effectiveness of controls used to circumnavigate them. It’s one of the easiest and most effective tools in the risk management arsenal, and the objective is simple: to provide firms with reasonable assurance that all business objectives are going to be met, and existing risk management protocols are sustainable and robust.
Risk control assessments are included in many regulatory frameworks and are designed to ensure the reliability and integrity of information, confirm compliance across internal policies, external regulatory responsibilities and safeguard assets. Similarly, the RCSA process also helps institutions to assess how efficiently and economically they’ve been using resources and how closely teams are aligning with established objectives and goals.
Bearing that in mind, the benefits of RCS assessments are relatively self-evident. Because the exercise generates crucial information on operational risks and internal controls, internal auditors and managers can use RCSA findings to judge the quality of control.
In turn, not only do RCSAs encourage management and staff to assume and share responsibility for internal controls, but they also give organisations the opportunity to focus efforts on both informal and formal controls.
Likewise, these assessments double as an effective bottom-up feedback mechanism to help organisations be more proactive, reduce audit exposures and improve the image and visibility of internal audits. Although risk and control self assessment can be time consuming, they also identify, enhance and more evenly distribute responsibility across an organisation to heighten awareness and accountability.
Banks and other financial institutions enjoy further benefits by utilising RCSA techniques as part of an integrated risk management strategy. This is because a facilitated RCSA can vastly improve the control environment of FIs by increasing awareness regarding organisational objectives and motivate personnel to more carefully design and implement operating control processes.
The risk and control self assessment process must be performed across all activities and functions within a business that have the potential to pose an operational risk to the organisation. But before delving into process, it’s worth pointing out the range of approaches to choose from in terms of how an organisation actually carries out RCSA workflows.
The most popular risk and control assessment approach is to hold a company-wide workshop in which all key stakeholders sit down together to identify, share and assess risks and controls across their respective operational areas. Other organisations opt to deploy structured questionnaires or surveys – while some choose to combine multiple approaches.
Regardless of method, each RCSA approach involves detailed discussions surrounding specific issues, and should be used as a mechanism to assess both soft and hard controls. Workshops are typically facilitated by a designated internal auditor who’s been trained and is familiar with the processes, risks and controls relevant to that institution and its entities. That said, professional external auditors are sometimes brought in to facilitate these workshops or to assist in crafting and distributing surveys.
In terms of process, both internal and externally facilitated risk and control self assessment programmes begin with the identification of each entity within an existing business to be included as part of the RCS assessment. These entities could be a single process – but more often than not, they encompass entire departments.
RCSA entities often identified for assessment include information technology (IT), retail banking, corporate banking, asset management, treasury, customer services, payments, financial control and business development.
After identifying RCSA entities, an effective workflow starts by identifying the potential risks within each entity – and each risk must subsequently then be assessed by identifying existing controls that have already been created or assigned to mitigate the identified risk.
In terms of the identifiable operational risks around products or activities that need addressed, written audit reports, actual loss experience and regulatory reviews are typically sufficient. Following identification, risks should then be prioritised on a basis of high, medium or low – while inherent risks and residual risks are segregated.
The control identification process must include an assessment to discover whether the existing controls are working as intended. All attributes for the controls need to be documented, and a self-rating system should help stakeholders to bring these attributes together and determine the overall quality of a control environment. A simple rating of ‘satisfactory’, ‘needs improvement’ or ‘unsatisfactory’ will ordinarily do.
Those responsible for self-assessing each entity should then be able to provide senior management and fellow stakeholders with concise feedback concerning the overall quality of controls – and where there is an identifiable lapse in controls, recommend suitable actions must be taken.
Again, this process of documenting each entity’s control environment should typically be led by the heads of departments or businesses closest to that entity and its critical control points, as they’re ideally placed to communicate to fellow stakeholders what is and isn’t working.
Likewise, corresponding teams will be able to share their entity knowledge surrounding whether changes in procedure, systems or workforce are impacting upon process performance. Because these teams are ultimately responsible for their respective entity, self-assessment helps to reinforce accountability.
Finally, wherever a control weakness is found to exist within a respective risk and control self assessment entity, the institution must prompt corrective action. This will normally require a degree of consultation and testing to provide reasonable assurance the new controls will adequately address the highlighted risks and function as intended.
Despite the weaknesses identified and actions selected, a crucial step within any RCSA programme is to develop and record an overall corrective action plan.
This plan should generally include the:
After producing this plan, the responsible manager or head of department should be considered responsible for communicating these actions to relevant staff, and subsequently monitoring performance. Slippage concerning any previously agreed target dates should then be recorded within the organisation’s RCSA documentation.
Having delved into the typical workflow of an effective risk and control assessment, it goes without saying the process may seem relatively daunting for some organisations. Unfortunately, the RCSA process doesn’t end with the development and implementation of a suitable action plan – but it usually is worth all the time and effort put in.
Your risk and control self assessment process results must be closely monitored following the launch of any programme. Operational risk managers should then periodically assess progress and results of testing and corrective actions taken, and evidence of this monitoring should be maintained. Fortunately, a wide selection of risk management platforms and solutions currently available on the market include in-built risk and control self assessment process recording and reporting functionality to assist in this process.
These periodical assessments should then be reported alongside your overall RCSA results – all of which must be incorporated into your organisation’s quarterly operational risk reports. High level feedback should also be submitted to senior management and the board of directors.
In fact, because the board and senior management are responsible for implementing an organisational culture prioritising sound integral controls and policies, it’s worth pointing out the board should approve any RCSA standards or policies that will end up being passed on to heads of department or stakeholders for later self-evaluation and implementation.
Meanwhile, frequent internal audit testing should be conducted between and during RCSA exercises to evaluate the effectiveness of self-assessment protocols and procedures in terms of quality, reliability of the assurances and the roles and responsibilities of team members.
At the end of the day, there’s no right or wrong way to conduct a risk and control assessment – yet by following this general workflow and investing in a centralised risk management solution capable of organising and automating much of the risk and control self assessment process procedure, the successful deployment of an RCS assessment has the potential to add value to any financial institution of organisation.