Seven steps of the RCSA process in your personal life.

This blog focuses on the Risk and Control Self Assessment process. The expertise we have in our personal lives provides excellent guidance as to how a good RCSA should be carried out in our businesses and the value add of the RCSA process when done well.

In our personal lives, risk assessments are sometimes performed formally, such as for your motor vehicle’s annual service. Other times, however, they are performed informally, from checking the risks and controls relating to your swimming pool to assessing the risks of your house when your first child is born.

The example I will use, is your annual medical check-up. As in the business world, not all of us subscribe to the annual check-up. Maybe we do not see the value. Hopefully after this blog, you will! Let’s take a closer look.

We have created a downloadable RCSA template in Excel format that you can use to identify, evaluate and manage the risks within your business. Find out more and download it now:

Download our simple RCSA framework now

Example: Annual medical check-up

I went for my first annual medical check-up some ten years ago, and annually since then. I organised the appointment, and when I arrived, the doctor had read up on my history, so he had full knowledge of all visits, issues, medications, etc. The first step of a risk assessment is therefore for the risk assessors to prepare, gaining full knowledge of the area (the body) being assessed. The doctor then carried out a series of tests and analyses looking for risks. Some time later I received my report: a spreadsheet with all results analysed in Red, Amber and Green (he knows I am a risk manager!).

For the first report ten years ago, it was mostly green with one very bright red – cholesterol, at a level of 8.7. This was my high risk and related medical issue, one I was not aware of at the time. I, therefore, booked a further appointment to discuss the issue and potential treatment methods.

Changing diet was the first suggestion, but after six months of eating “salad sandwiches on brown bread and no butter!” the cholesterol reading was still red at 8.4 – the treatment method was not working.

The next suggested action was to implement a medical control, being 20mg of Lipitor per day. After a further six months a retest showed a level of 5.4, still in amber but better than bright red! After further consideration, the conclusion was that there was nothing further I could do to lower the level, and I have chosen to accept the risk at this point.

Subsequent check-ups confirm that my residual risk remains around 5.4 and show that my treatment method is still working. A couple of times, I have been asked to cease taking the medication before the check-up to measure the level without Lipitor – my inherent risk. This confirms it is still in the high “8s” and that the control is still important and valid.

In addition to highlighting higher-risk areas, the results that are green give me ongoing assurance that all is well, as a basis for heading into the next year of meeting my objective of a healthy and active life!

Let’s now consider this assessment based on how we should carry out an RCSA in the business world:

Step 1: Objectives

Risk is the effect of uncertainty on our objectives. We start the process, therefore, with the objectives of the thing we are risk assessing – our body.

Objective: To live a long, active and healthy life.

Step 2: Critical processes

The second step is to identify the critical things we need to ensure operate well for us to achieve our objectives.

Critical processes: There will be many which will most likely include such things as:

  • Breathing
  • Blood flow
  • Blood composition
  • Brain function

Step 3: Risks

Risks are things that could stop the critical processes from being achieved, which in turn leads to the objective(s) not being achieved.

Risks will include:

  • High cholesterol leading (apparently!) to narrowing arteries
  • Heart defects
  • Lung disease

Step 4: Controls

Controls will already exist over many of these health risks.

They may include:

  • Medications
  • Diet
  • Exercise

Step 5: Risk analysis

Once the key risks and related controls have been identified, we need to determine the level of risk both before considering controls (inherent risk) and after considering controls (residual risk). Residual risk highlights where current issues exist that need to be addressed, and inherent risk highlights the importance of current controls, such as current medication.

Step 6: Risk evaluation

Once analysed, the risks need to be assessed against pre-determined levels (risk appetite). The doctor uses guidance scales for risk levels to assess this.

Step 7: Issues and actions

Risk evaluation then highlights which risks are outside of the acceptable range and as a result, where an issue may exist. Each issue then needs addressing through consideration of possible remedies, from changed diet to medication.

Conclusions and next steps for your organisation

The same seven steps should be applied to the risk and control self-assessment process as part of your overall enterprise risk management framework. In our follow-up blog, we apply these seven steps to a business scenario to illustrate how the approach carries across into any business situation.

The RCSA framework is an essential component of any good ERM or GRC software system. But you don’t need to have an ERM solution in place to make a start at producing an RCSA, and we recommend that all organisations should complete an RCSA of their own irrespective of their digitisation plans or current status.

We have created a downloadable RCSA template in Excel format that you can use to identify, evaluate and manage the risks within your business, based on the best-practice design of our Protecht ERM SaaS solution. Following the steps to complete the form will give you new insights into your business’s risk profile and risk maturity:

This blog was originally published in February 2016 and updated in May 2024.

About the author

David Tattam is the Chief Research and Content Officer and co-founder of the Protecht Group. David’s vision is to redefine the way the world thinks about risk and to develop risk management to its rightful place as a key driver of value creation in each of Protecht’s clients. David is the driving force behind taking Protecht’s risk thinking to the frontiers of what is possible in risk management and behind supporting the uplift of people’s risk capability through training and content.