
Risk and controls self-assessment applied in a business context.

In this blog, we will see how the Risk and Control Self Assessment (RCSA) works in a business context by applying it to a business process. I will use the process of managing employee expense claims, their payment, processing and recording, a process we can all appreciate from one perspective or another.

This example is deliberately at a granular level to illustrate the principles. The same concepts should be used at any level of the organisation using the appropriate level of granularity. This means that the volume of information should be similar for any risk assessment carried out.

We have created a downloadable RCSA template in Excel format that you can use to identify, evaluate and manage the risks within your business. Find out more and download it now:

Download our simple RCSA framework now

Step 1: Business objectives

The objectives of this process are to:

  1. Keep employees happy
  2. Meet contractual requirements (actual if contained in the employment contract and implied if contained in an HR policy)
  3. Meet external compliance obligations such as Corporations Law and Tax Laws
  4. Manage expenses

Step 2: Identify critical processes

The critical processes (things we need to successfully complete in order to meet the objectives) are:

  1. Pay the correct amount
  2. Pay on time
  3. Pay the correct bank account
  4. Have a simple and fair expense policy and expense claim process
  5. Know what the contractual obligations are
  6. Meet the contractual obligations. Depending on what they are, items 1, 2 and 3 are most likely to meet them
  7. Know what the external compliance obligations are. We will use typical corporations law and tax law obligations in this example which require proper recording and accounting with adequate supporting documentation
  8. Post to the correct general ledger account
  9. Post the correct amount
  10. Post in the correct period
  11. Obtain and maintain relevant supporting documentation such as tax invoices
  12. Prepare and maintain a budget and assess budget vs. actual
  13. Pay only legitimate expenses

I have listed the critical processes in order of the objectives. However, there is a many to many relationship between objectives and critical processes which means one critical process can meet more than one objective or vice versa.

Step 3: Risks

We can now ask ourselves – what risks exist that could prevent the critical processes from being successfully completed? It is best to address each critical process at a time to ensure all key risks are identified. Again, there is a many to many relationship between critical processes and risks. I have only listed risks relating to the first three critical processes as examples:

  1. Manual processing error
  2. System processing error
  3. Third party bank processing error
  4. System outage
  5. Insufficient available funds

Step 4: Controls

For each risk, we then identify the key controls. Below are examples relating to some of the risks noted above.

  1. Segregation of duties - Review and authorise
  2. Reconciliation
  3. Staff resource management
  4. Back-up systems
  5. Cash flow planning

Step 5: Assess and analyse the risks

We can now analyse the risks by assessing their likelihood and impact using the pre-determined scales (I am using a simple 1 = Low to 5 = High rating below). We typically find this is best performed by assessing the residual risk first (as this is the level we understand and experience) and then assessing the inherent risk by reassessing on the assumption that the recorded controls do not work or do not exist. I have only assessed one as an example:

Protecht dashboard - RCSA assessment

Step 6: Evaluate

Evaluation of the risk is made against the organisation's risk appetite, commonly using a risk matrix as follows:

Protecht 2023 branding - basic risk matrix - one highlighted risk

The residual risk for this example is highlighted in light red.

Step 7: Issues and actions

Placing the risk into a level on the matrix then prompts a decision on how the risk will be dealt with. Depending on the risk appetite levels, the response may be:

Accept the risk:

  • This would occur automatically if the risk was within the acceptable level or formally if it was outside of normal acceptance

Reduce the risk:

  • Increasing controls
  • Transferring some of the impact (e.g. insurance)
  • Avoiding by ceasing the process
  • Process re-engineering to change the level of inherent risk

Increase the risk:

  • Removing or reducing controls because the cost does not outweigh the benefit
  • Process re-engineering which increases the level of inherent risk based on increasing reward
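To make Steps 1 to 7 concrete, the following Python model is an added worked example (it is not Protecht's code or template). It links the post's four objectives, the first three critical processes, the five risks and the five controls through the many-to-many relationships the post describes, scores inherent and residual risk on the 1 to 5 scales, evaluates the residual score against a risk appetite, and rolls exposure up to each objective. The matrix band thresholds, the appetite band, the "review-controls" rule for the "increase the risk" case and all the numeric scores are assumptions made for this example; the post shows only one assessment, as an image, and gives no figures.

```python
"""RCSA worked example: objectives -> critical processes -> risks -> controls.
All thresholds and scores below are constructed for illustration."""
from dataclasses import dataclass, field

RATING_ORDER = ["low", "medium", "high"]


def rating(likelihood: int, impact: int) -> str:
    """Map a (likelihood, impact) pair on the 1-5 scales to a matrix band.
    Band thresholds on the product are an assumption for this example."""
    for v in (likelihood, impact):
        if not 1 <= v <= 5:
            raise ValueError(f"scores must be 1..5, got {v}")
    score = likelihood * impact
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


@dataclass
class Risk:
    name: str
    inherent: tuple   # (likelihood, impact) assessed as if the controls did not exist
    residual: tuple   # (likelihood, impact) assessed with the recorded controls operating
    controls: list = field(default_factory=list)
    processes: list = field(default_factory=list)  # critical processes this risk threatens


def check_consistency(risk: Risk) -> list:
    """Data-quality check: controls can only lower a score, so residual must not exceed inherent."""
    problems = []
    for axis, i, r in zip(("likelihood", "impact"), risk.inherent, risk.residual):
        if r > i:
            problems.append(f"{risk.name}: residual {axis} {r} exceeds inherent {i}")
    return problems


def respond(risk: Risk, appetite: str = "low") -> str:
    """Step 7 decision. 'appetite' is the highest band the organisation accepts (assumed)."""
    res = RATING_ORDER.index(rating(*risk.residual))
    inh = RATING_ORDER.index(rating(*risk.inherent))
    app = RATING_ORDER.index(appetite)
    if res > app:
        return "reduce"           # outside appetite: add controls, transfer, avoid or re-engineer
    if inh <= app and risk.controls:
        return "review-controls"  # acceptable even without controls: their cost may outweigh the benefit
    return "accept"


def exposure_by_objective(objectives, process_objectives, risks):
    """Roll residual risk up to objectives through the many-to-many links.
    An objective gets the worst residual band among the risks to the processes serving it;
    None means no assessed risk reaches that objective, which is a coverage gap, not 'low'."""
    exposure = {o: None for o in objectives}
    for risk in risks:
        band = rating(*risk.residual)
        for proc in risk.processes:
            for obj in process_objectives.get(proc, ()):
                cur = exposure[obj]
                if cur is None or RATING_ORDER.index(band) > RATING_ORDER.index(cur):
                    exposure[obj] = band
    return exposure


# Step 1 objectives and Step 2 critical processes from the post; the links are constructed.
OBJECTIVES = ["Keep employees happy", "Meet contractual requirements",
              "Meet external compliance obligations", "Manage expenses"]
PROCESS_OBJECTIVES = {
    "Pay the correct amount": ["Keep employees happy", "Meet contractual requirements", "Manage expenses"],
    "Pay on time": ["Keep employees happy", "Meet contractual requirements"],
    "Pay the correct bank account": ["Keep employees happy", "Meet contractual requirements"],
}
# Step 3 risks and Step 4 controls from the post; every score is a constructed sample value.
RISKS = [
    Risk("Manual processing error", (4, 3), (2, 3),
         ["Segregation of duties - review and authorise", "Reconciliation"],
         ["Pay the correct amount", "Pay the correct bank account"]),
    Risk("System processing error", (3, 3), (1, 3), ["Reconciliation"], ["Pay the correct amount"]),
    Risk("Third party bank processing error", (2, 2), (1, 2), ["Reconciliation"],
         ["Pay the correct bank account"]),
    Risk("System outage", (3, 5), (2, 4), ["Back-up systems"], ["Pay on time"]),
    Risk("Insufficient available funds", (2, 4), (1, 4), ["Cash flow planning"], ["Pay on time"]),
]

if __name__ == "__main__":
    for r in RISKS:
        for p in check_consistency(r):
            print("DATA PROBLEM:", p)
        print(f"{r.name}: inherent={rating(*r.inherent)} residual={rating(*r.residual)} -> {respond(r)}")
    print(exposure_by_objective(OBJECTIVES, PROCESS_OBJECTIVES, RISKS))
```

Two details are worth noting. The consistency check catches a common self-assessment error, a residual score higher than the inherent one, which cannot happen if controls only ever lower risk. The roll-up deliberately distinguishes "no risk assessed against this objective" (None) from "low", so an objective that nobody has assessed does not silently read as safe.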

Conclusions and next steps for your organisation

The RCSA process when done in this manner has the following advantages:

  1. It aligns risk management perfectly with business objectives and ultimately strategy
  2. It helps embed risk management as part of the normal business process
  3. It overcomes the view that risk management is opposed and works against the achievement of objectives
  4. It is more engaging for the business because it focuses on the achievement of objectives, which is the main focus of the business.

The RCSA framework is an essential component of any good ERM or GRC software system. But you don’t need to have an ERM solution in place to make a start at producing an RCSA, and we recommend that all organisations should complete an RCSA of their own irrespective of their digitisation plans or current status.

We have created a downloadable RCSA template in Excel format that you can use to identify, evaluate and manage the risks within your business, based on the best-practice design of our Protecht ERM SaaS solution. Following the steps to complete the form will give you new insights into your business’s risk profile and risk maturity:

Download our simple RCSA framework now


This blog was originally published in March 2016 and updated in June 2024.

About the author

David Tattam is the Chief Research and Content Officer and co-founder of the Protecht Group. David's vision is to redefine the way the world thinks about risk and to develop risk management to its rightful place as a key driver of value creation in each of Protecht's clients. David is the driving force behind taking Protecht's risk thinking to the frontiers of what is possible in risk management and supporting the uplift of people's risk capability through training and content.