Risk and control self-assessment: What’s next?

Enhancing the way Risk and Control Self-Assessment (RCSA) is conducted presents many opportunities for companies - to protect their business, employees and customers; to support growth; to reduce cost and to build and protect brand reputation. 

The RCSA process has long been the ‘bread and butter’ of the risk practitioner and as risk management embeds and matures within companies, employees without risk in their title have also come to appreciate the important role they play in the risk management lifecycle.

In this white paper our Risk Consulting team envision a future where RCSAs are dynamic, efficient, and value-adding. Discover the possibilities and practical steps towards this future.

The RCSA involves the identification and assessment of a company’s risks and controls. Ideally, it should be an efficient and systematic approach used by organisations to confidently manage their risk profile and support senior managers to make timely, informed, risk-based decisions, by: 

• Highlighting the most material risks impacting the company’s strategic goals. 
• Assessing the risk outlook of the business, considering changes in the business profile and external events. 
• Identifying specific, material weaknesses in the control environment that threaten controls performance and improvement. 
• Supporting the implementation and monitoring of risk mitigation plans. 
• Driving and embedding risk awareness and a strong risk culture across the company. 

However, effectively operationalising the RCSA is often challenging and is seldom considered to be the value-adding exercise that it has the potential to be. There are several drivers for this including:

• a reliance on inefficient and manual processes, 
• a lack of buy-in against the backdrop of competing risk management priorities in a time constrained environment, 
• the process being seen as a regulatory compliance exercise rather than a mechanism for continuous improvement, and 
• difficulties in tracing risk and control accountability and ownership.

This is compounded by challenges sourcing and validating accurate risk data, poor data quality and inconsistency in documentation and design of controls which limits the ability to deploy data analytics to deliver insights and inform actions. 

But take a step back and imagine a world where real-time risk and control information drives business decisions without these issues, where there is no need for the current levels of process, resourcing and effort.

For RCSAs to drive the desired level of value, there should be a shift from a ‘point in time’ assessment to a more dynamic, rapidly evolving view of risk, adept at keeping pace with the company. Technology and data are the linchpins that enable the effective utilisation of analytics and serve as the conduit for artificial intelligence (AI) and machine learning (ML) to be harnessed.

As many companies are at different stages of their digital transformation journey, leveraging tools and platforms will likely be fundamental when executing the RCSA to help businesses make better informed, risk-based decisions.