Introducing Marketplace: Fast-track your ERM system implementation
Learn More

This post is part of our series Operational Risk Management – Learning from yourself as an expert already!

My last blog highlighted the extensive use of KRIs (Key Risk Indicators) in our personal lives and the incredible KRI system we all have via our five senses. This blog focusses on the Risk and Control Self Assessment process. Again, the expertise we have in our personal lives provides excellent guidance as to how a good RCSA should be carried out in our businesses and the value add of the RCSA process when done well.

In our personal lives, risk assessments are sometimes performed formally, such as for your motor vehicle’s annual service. Other times, however, they are performed informally, from checking the risks and controls relating to your swimming pool to assessing the risks of your house when your first child is born.

The example I will use, is your annual medical check-up. As in the business world, not all of us subscribe to the annual check-up. Maybe we do not see the value. Hopefully after this blog, you will! Let’s take a closer look.

I went for my first annual medical check-up some ten years ago, and annually since then. I organised the appointment, and when I arrived, the doctor had read up on my history, so he had full knowledge of all visits, issues, medications, etc. The first step to a risk assessment is therefore for the risk assessors to prepare, gaining full knowledge of the area (body), being assessed. The doctor then carried out a series of tests and analysis looking for risks. Some time later I received my report; a spreadsheet analysed in Red, Amber and Green for all results (he knows I am a risk manager!).

For the first report ten years ago, it was mostly green with one very bright red – cholesterol, at a level of 8.7. This was my high risk and related medical issue, one I was not aware of at the time. I, therefore, booked a further appointment to discuss the issue and potential treatment methods.

Changing diet was the first suggestion but after six months of eating “salad sandwiches on brown bread and no butter!” the cholesterol reading was still red at 8.4 – the treatment method was not working.

Next suggested action was to implement a medical control, being 20mg of Lipitor per day. After a further six months a retest showed a level of 5.4, still in amber but better than bright red! After further consideration, the conclusion was that there was nothing further I could do to lower the level, and I have chosen to accept the risk at this point.

In subsequent checks ups, it confirms my residual risk remains around 5.4 and shows that my treatment method is still working. A couple of times, I have been asked to cease taking the medication before the check up to measure the level without Lipitor – my inherent risk. This confirms it is still in the high “8’s” and that the control is still important and valid.

In addition to highlighting higher risk areas, where the results are green, this gives me ongoing assurance that all is well as a basis for heading into the next year of meeting my objective of healthy and active life!

Let’s now consider this assessment based on how we should carry an RCSA in the business world:

Step 1: Objective(s) 

Risk is the effect if uncertainty on our objectives. We start the process, therefore, with the objectives of the thing we are risk assessing – our body.

Objective: To live a long, active and healthy life.

Step 2: Critical processes: 

The second step is to identify the critical things we need to ensure operate well for us to achieve our objectives.

Critical Processes: There will be many which will most likely include such things as:

  • Breathing
  • Blood flow
  • Blood composition
  • Brain function

Step 3: Risks

Risks are things that could stop the critical processes from being achieved, which in turn leads to the objective(s) not being achieved.

Risks will include:

  • High cholesterol leading (apparently!) to narrowing arteries
  • Heart defects
  • Lung disease

Step 4: Controls

RCSA-personal-example-exerciseExisting controls will exist over many of these health risks.

They may include:

  • Medications
  • Diet
  • Exercise

Step 5: Risk Analysis

Once the key risks and related controls have been identified, we need to determine the level of risk both before considering controls (inherent risk) and after considering controls (residual risk). Residual risk highlights where current issues exist that need to be addressed, and inherent risk highlights the importance of current controls, such as current medication.

Step 6: Risk Evaluation

Once analysed, the risks need to be assessed against pre-determined levels (risk appetite). The doctor uses guidance scales for risk levels to assess this.

Step 7: Issues and Actions

Risk evaluation then highlights which risks are outside of the acceptable range and as a result, where an issue may exist. Each issue then needs addressing through consideration of possible remedies, from changed diet to medication.

We should apply the same seven steps to the risk and control self-assessment process as part of your overall enterprise risk management framework. 

In the next blog, I will apply these seven steps to a business scenario to illustrate how it transports across into any business situation.

If you would like to know more about how Protecht can help enhance your RCSA process and get more value from the effort invested, just click the blue box, fill the form and we will contact you. 

Improving your risk assessment process

Join us in a live webinar as we talk about each level of risk and how each can best be used in a risk management framework to add value:

Recording of Webinar on Inherent, Residual and Targeted Risk

Related Articles

feature image
Enterprise Risk Management, Risk Reporting, Risk Management Software, Marketplace

Your Marketplace questions answered

What is Marketplace? Marketplace makes it easy to implement and scale Protecht.ERM. It provides templated registers, workflows and analytics...
Read more
feature image
Enterprise Risk Management, Risk Reporting, Risk Management Software, Risk Management Framework

4 Ways Marketplace Will Change Your Enterprise Risk Management

Establishing an ERM system can be as daunting as building a house from the ground up. There are hundreds of decisions to be made that will affect how...
Read more
feature image
Risk Culture, Operational Risk, Risk Manager, GRC

Top 5 Risk Management Challenges for FinTechs

It’s clear that today’s operating environment is changing at a very rapid pace, which means the risks are evolving fast, too. In this blog, we...
Read more