Skip to content
Protecht Academy

Risk and control self assessment.

Understanding the RCSA process from design and implementation through to carrying out assessments, reporting results and creating follow-up actions.

In this course, David Tattam, Chief Research and Content Officer at Protecht, covers all aspects of the RCSA process from design and implementation through to carrying out assessments, reporting results and creating follow up actions.

The course is aimed at risk practitioners and business managers who have, or are looking to implement, a robust and comprehensive Risk & Control Self Assessment (RCSA) process within their organisation. It considers the RCSA process both as a stand-alone process and as part of an integrated Enterprise Risk Management framework.

The course applies the ISO 31000 and 31010 standards.


Course overview

In this course, you'll learn:

1. Objectives & purpose of RCSA

  • Objectives of RCSA
  • What is RCSA?


2. What are we assessing – risks

  • Types of risk

  • Components of risk

  • Risk bow ties

  • Measures of risk


3. What are we assessing – controls

  • Types of controls

  • How controls modify risk

  • Control classifications


4. Risk & control taxonomies

  • Objectives of taxonomies
  • Common types of taxonomies
  • Using taxonomies in RCSA


5. Risk management & RCSA frameworks

  • How RCSA integrates with other risk processes
  • Risk and reward framework
  • RCSA in an enterprise risk management framework


6. Approaches to risk assessment

  • Tools and techniques for risk assessment


7. RCSA methods

  • Determining what we will assess
  • Likelihood and impact scales
  • Setting likelihood scales: what measure?
  • Setting impact scales: how many types of impact?
  • Assessing risks: inherent, residual and targeted
  • Assessing the effectiveness of controls


8. RCSA process

  • Identifying business and process objectives
  • Identifying critical processes
  • Identifying risks
  • Identifying controls
  • Evaluating risks
  • Treatment methods
  • Methods for collecting information
  • Preparing for a risk workshop
  • Facilitating a risk workshop


9. RCSA reporting

  • Types of report and information
  • Information to report
  • Including RCSA in an aggregated dashboard report
  • Interpreting reports


10. When should risk assessment be carried out?

  • Periodic risk assessment
  • Dynamic risk assessment
  • Integration with other risk processes
  • Formal and informal risk assessment


11. Roles and responsibilities

  • RCSA and the three-lines model
  • Who owns risk and controls?
  • Who owns risk and control self assessment?


Learning objectives

  • An in-depth understanding of the objectives and outcomes of a robust RCSA process
  • An understanding of how the RCSA process integrates into an enterprise risk management framework and how the results of RCSA can be used in scenario analysis, key risk indicators, incident management and compliance
  • The ability to design an effective and efficient RCSA process
  • The ability to set relevant risk scoring scales to reflect risk appetite and tolerance
  • The ability to produce meaningful reports as output from the RCSA process
  • How to use the RCSA in risk and general management
  • How to use RCSA results to develop risk treatment improvements
  • An appreciation of the system requirements and system pitfalls for an effective RCSA process
  • The skills to be able to carry out effective and engaging RCSA workshops
  • An understanding of the pitfalls to a successful RCSA process and how to overcome them
  • An understanding of relevant external guidance and requirements including ISO 31000 and ISO 31010


Course expectations

  • Watch 25 videos
  • Answer 12 knowledge questions
  • Complete 1 Interactive Risk Assessment Forecast
  • Answer 10 quiz questions



  • 4.5 hours of video content
  • Approximately 5-6 hours for the whole course



  • US$600 payable by credit card on registration


Next steps

You can purchase this course on-demand via Protecht Academy. You'll need to log in or register to Protecht Academy in order to purchase and access the course.

Please contact Protecht directly if you would like to discuss packages to implement this training across your organisation. Bulk discounts are available and packages can be invoiced in your local currency.


Go to Protecht Academy Contact us

Our trainers

David Tattam

Chief Research and Content Officer

David Tattam is the Chief Research & Content Officer and co-founder of the Protecht Group. David's vision is to redefine the way the world thinks about risk and to develop risk management to its rightful place as being a key driver of value creation in each of Protecht's customers.

David is the driving force in taking Protecht's risk thinking to the frontiers of what is possible in risk management and to support the uplift of people risk capability through training and content.

Read More

Michael Howell

Research and Content Lead

Michael Howell is Protecht's Research and Content Lead. He is passionate about the field of risk management and related disciplines, with a focus on helping organisations succeed using a ‘decisions eyes wide open’ approach.

Michael is a Certified Practicing Risk Manager whose curiosity drives his approach to challenge the status quo and look for innovative solutions.


Read More