Risk and control self-assessments (RCSAs) are a core activity in most risk management program, especially in financial services – but if you’ve trotted out the same RCSA methodology for years, it might be getting a bit tired.
It’s worth taking time to ensure how you can make your RCSA process more dynamic, providing more timely information to decision-makers. In this blog we will cover:
- The well-intentioned RCSA
- The challenges with some of the older techniques
- Moving to more dynamic approaches
Where does your organisation sit on the risk maturity scale? If you’re just getting started with RCSAs, download our simple RCSA framework template as a simple starting point:
The well-intentioned RCSA
One of the components of the RCSA is the ‘self’. The concept was intended to break down the organisation into something a little more manageable than the entire organisation at once. This approach often breaks down into divisions or business units, taking a ‘vertical’ or hierarchical view of the organisation.
From a governance perspective, it makes Line 1 accountable for assessing and understanding the risks they face in their part of the organisation. The risk and control self-assessment typically encompasses:
- Defining what’s in scope (typically a business unit, but could be a product, process or other activity)
- Identifying and understanding the risks within that scope
- Assessing the effectiveness of controls
- Documenting actions to address control weaknesses or gaps
All of these things are necessary, but there is a lot of room for improvement.
What’s wrong with RCSAs?
When considered in the context of managing risk at the enterprise level in dynamic environments (are there any that aren’t?), RCSAs have some weaknesses that can undermine the value they could provide.
Cyclical approach: RCSAs might typically be an annual affair, or on an otherwise static frequency. Depending on the level of rigour, they might take a month or two to complete – but then the assessment remains static until next year rolls around. This also means that they follow a ‘point in time’ approach. Using a 9-month-old RCSA to inform decision making can be dangerous, and may not represent the current types or levels of risk.
Vertical View: RCSAs have typically taken a business unit or hierarchical approach. However, many end-to-end processes cross departmental boundaries, and may not account for end-to-end risk across those boundaries.
Siloed approach: RCSAs might be conducted as a completely independent activity, without accounting for other assurance activities.
Too much ‘self’: The point of the RCSA is to give Line 1 accountability and agency; the risks belong to them, after all. However, even if a template is provided to capture risks and controls, there may be limited guidance on naming conventions or how risks are to be assessed. This can result in different departments having a completely different approach to documenting their RCSA.
Making RCSAs more dynamic
Let’s start with the end in mind. At any time, decision makers want the most up-to-date information on the status of risks and controls. Your RCSA processes should support this, or at least quickly highlight the specific components that might need review.
Standardised libraries: A common set of risk and control taxonomies and libraries, including risk categories aligned to risk appetite statements, help ensure your people are talking the same language. Linking to major risk categories and clearly defined risk scenarios provides clarity on the organisation's exposure to these. It also enables aggregation for reporting purposes: while RCSAs might be completed independently and at different times, reporting can be dynamically updated to incorporate the most recent updates.
Looking horizontally: While business unit-based RCSAs remain relevant, they may need to be supplemented with reviews that bring together subject matter experts who consider end-to-end processes. This is becoming an expectation from regulators of operational resilience. Thematic reviews, such as fraud risk assessments, can also focus the lens on how particular risks cross boundaries.
Integrating information from other risk processes: RCSAs should be enriched with data drawn from other risk activities, such as key risk indicators, incident data and attestations. For example, several near miss incidents may indicate the level of risk is higher than initially perceived.
Leveraging assurance: There may be existing assurance activities that are not leveraged during RCSA’s. Firstly, make sure those responsible for RCSA’s are aware of those assurance processes. They can’t use them if they don’t know they exist. Secondly, link assurance outcomes to components of the RCSA, so they are available at the time of assessment.
Trigger-based reviews: An RCSA usually covers all risks and controls all at once, and is then forgotten about until the next cycle. Triggers should be defined that would trigger a review of specific risks and controls, or a subset. This can include Key Risk Indicators exceeding thresholds, incidents that provide information about the level of risk, completion of relevant actions including closure of audit findings, or the introduction or change to products, services and processes.
Training: Effective training can help overcome cultural behavioural challenges, and ensure participants understand the value in making RCSAs more dynamic.
You should still conduct a more formal review over the area or process within scope. But rather than annually, it could be triggered any time an important decision needs to be made. This should prompt a few key questions:
- Is the risk information we need for this decision up to date?
- If not, which parts do we need to update?
- Who is responsible, and how quickly can we get that information up to date?
These approaches keep the accountability with Line 1 (one of the original purposes of the RCSA) while enabling an up-to-date enterprise risk profile that speeds up decision making processes.
Conclusions and next steps for your organisation
While typical RCSAs can be completed with spreadsheets, moving to more dynamic processes – those that provide decision makers with up-to-date information – require appropriate tools.
At Protecht, we provide a comprehensive enterprise risk management system that enables dynamic RCSAs:
- Workflows that inform risk or control owners of important information or action based on your defined triggers
- Key risk indicators (KRIs) and key control indicators (KCIs) linked to risks or controls, driving trigger-based reviews when defined tolerances are breached
- Compliance and control attestations that can prompt review of RCSAs if weaknesses or noncompliance is identified
- Our operational resilience solution tracks end-to-end processes across business units, enabling both vertical and horizontal views of risk
- Standard taxonomies and libraries embedded across all processes, enabling aggregation of data and consistent information
We bring this together in a concept we call Risk in Motion, bringing together information from various risk processes in the organisation to provide oversight of risk, while enabling stakeholders to drill down into the information that matters to them, at the time it matters.
Want to take your RCSA process to the next level? Book your personal Protecht ERM demonstration today and find out how Risk in Motion can transform your risk management approach:


