Demystifying Risk and Control Self-Assessment (RCSA)
What, When and Why
Risk and Control Self-Assessment (RCSA) is the process of identifying, recording and assessing potential operational risks and related mitigating controls. Operational risks include the risks related to processes, people, systems and external events. RCSA is an empowering process that not only allows the management and staff, to collectively identify and evaluate risks associated with a particular process but also identify mitigating controls, thereby ensuring that the risks do not act as impediments in achieving business objectives.
The evolution of RCSA can be traced to 1987, when the impact of the Watergate Affair on Gulf Oil Corporation (GOC), made Bruce McCuaig, General Auditor of Gulf Canada (one of the subsidiaries of GOC), realize the limitations and weaknesses surrounding the standard audit techniques. These limitations were driven by a couple of factors, viz. ‘presence of a consent decree requiring the company to report on its internal controls’, and ‘the difficulties it faced in estimating its oil and gas reserves using traditional audit measures’. It was these l factors that resulted in an organization-wide consensus to implement the Risk and Control Self-Assessment (RCSA) across Gulf Canada.
Initially, the external auditors disregarded the benefits of RCSA even though it was effective at providing audit evidence, which at times was critical to the effectiveness of internal control systems. However, post the collapse of Robert Maxwell’s publishing empire in United Kingdom in 1992 followed by the Enron and Worldcom scams in 2001-02, there was a general consensus across on the relevance and importance of establishing an effective internal control system, thereby validating the need for adoption and implementation of RCSA.
The RCSA Process and Its Output
The RCSA process typically forms an important element of Operational Risk and Management Framework (ORMF) of an organization and links directly into the organization’s risk governance structure, its risk appetite and documented standards and processes. Typically, RCSA should specifically ensure, but not limited to, the following:
Anticipation and assessment of future events that can pose a risk/ threat to an organization. These business risks are further bifurcated into Inherent Risks and Residual Risks.
(Refer Figure 1 below highlighting the relationship between these risks)
Monitor the business environment and internal control factors including identification and assessment of key changes to the business.
An RCSA exercise typically comprises of 8 fundamental steps which can be summarized as below:
Why is RCSA Unique?
The term “Self-Assessment” in RCSA, makes it a unique risk management approach that runs from bottom to top. This means that the line managers can self-assess and self-declare the risks for their respective functions and report it upwards to the management. To put it differently, this risk management tool enables the business line managers to assume greater responsibility & accountability for the process related risks & controls, their monitoring and communication in a more effective manner to the senior management. Whilst it instils a culture of self-accountability across the organization, it also has the potential for benchmarking the business functions against each other and against leading practices. And to top it all, this also reduces the overall cost and time, as it significantly brings down the dependency on external agencies to conduct risk management exercise for the organization.
RCSA – An Ongoing Discipline
RCSA is an ongoing activity and the frequency of review of RCSA outcomes should be risk-driven, responsive to business change and should consider any regulatory or organization specific requirements. Whilst the periodicity of the review varies from organization to organization in terms of the degree and scale of operations, typically it should be run at least once in a year, with a more frequent review depending upon complexity of the business.
Organizations practicing RCSA are better placed to fight the Covid-19 Pandemic…!!
RCSA driven organizations are better placed in the current challenging times, when organizations, in general, have been caught off-guard and are struggling to survive and sustain the emerging socio-economic risks from the Covid-19 pandemic outbreak. Those, who had proactively assessed risks arising from a pandemic attack, would already have their controls in place to mitigate the impact, hence giving them enough cushion to endure the current upheaval.
To conclude, RCSA is a preventive tool and not a cure for the risks which have occurred, hence earlier the organizations adopt this tool, higher would be their defense and preparedness against the uncertainties!