Risk and controls self-assessment applied in a business context.

In this blog, we will see how the Risk and Control Self Assessment (RCSA) works in a business context by applying it to a business process. I will use the process of managing employee expense claims, their payment, processing and recording, a process we can all appreciate from one perspective or another.

This example is deliberately at a granular level to illustrate the principles. The same concepts should be used at any level of the organisation using the appropriate level of granularity. This means that the volume of information should be similar for any risk assessment carried out.

We have created a downloadable RCSA template in Excel format that you can use to identify, evaluate and manage the risks within your business. Find out more and download it now:

Step 1: Business objectives

The objectives of this process are to:

1. Keep employees happy
2. Meet contractual requirements (actual if contained in the employment contract and implied if contained in an HR policy)
3. Meet external compliance obligations such as Corporations Law and Tax Laws
4. Manage expenses

Step 2: Identify critical processes

The critical processes (things we need to successfully complete in order to meet the objectives) are:

1. Pay the correct amount
2. Pay on time
3. Pay the correct bank account
4. Have a simple and fair expense policy and expense claim process
5. Know what the contractual obligations are
6. Meet the contractual obligations. Depending on what they are, items 1,2 & 3 are most likely to meet them
7. Know what the external compliance obligations are. We will use typical corporations law and tax law obligations in this example which require proper recording and accounting with adequate supporting documentation
8. Post to the correct general ledger account
9. Post the correct amount
10. Post in the correct period
11. Obtain and maintain relevant supporting documentation such as tax invoices
12. Prepare and maintain a budget and assess budget vs. actual
13. Pay only legitimate expenses

I have listed the critical processes in order of the objectives. However, there is a many to many relationship between objectives and critical processes which means one critical process can meet more than one objective or vice versa.

Step 3: Risks

We can now ask ourselves – what risks exist that could prevent the critical processes from being successfully completed? It is best to address each critical process at a time to ensure all key risks are identified. Again, there is a many to many relationship between critical processes and risks. I have only listed risks relating to the first three critical processes as examples:

1. Manual processing error
2. System processing error
3. Third party bank processing error
4. System outage
5. Insufficient available funds

Step 4: Controls

For each risk, we then identify the key controls. Below are examples relating to some of the risks noted above.

1. Segregation of duties - Review and authorise
2. Reconciliation
3. Staff resource management
4. Back-up systems
5. Cash flow planning

Step 5: Assess and analyse the risks

We can now analyse the risks by assessing their likelihood and impact using the pre-determined scales (I am using a simple 1 = Low and 5 = high rating below).  We typically find this is best performed by assessing the residual risk first (as this is the level we understand and experience) and then assess inherent risk by reassessing after assuming the recorded controls do not work / exist. I have only assessed one as an example:

Step 6: Evaluate

Evaluation of the risk is made against the organisations’ risk appetite, commonly using a risk matrix as follows:

The residual risk for this example is highlighted in light red.

Step 7: Issues and actions

The evaluation into risk levels then prompts how the risk will be dealt with. Depending on the risk appetite levels, the response may be:

Accept the risk:

• This would occur automatically if the risk was within the acceptable level or formally if it was outside of normal acceptance

Reduce the risk:

• Increasing controls
• Transferring some of the impact (e.g. insurance)
• Avoiding by ceasing the process
• Process re-engineering to change the level of inherent risk

Increasing the risk:

• Removing or reducing controls because the cost does not outweigh the benefit
• Process re-engineering which increases the level of inherent risk based on increasing reward

Conclusions and next steps for your organisation

The RCSA process when done in this manner has the following advantages:

1. It aligns risk management perfectly with business objectives and ultimately strategy
2. It helps embed risk management as part of the normal business process
3. It overcomes the view that risk management is opposed and works against the achievement of objectives
4. It is more engaging with the business as it focusses on the achievement of objectives which is the man focus of business.

The RCSA framework is an essential component of any good ERM or GRC software system. But you don’t need to have an ERM solution in place to make a start at producing an RCSA, and we recommend that all organisations should complete an RCSA of their own irrespective of their digitisation plans or current status.

We have created a downloadable RCSA template in Excel format that you can use to identify, evaluate and manage the risks within your business, based on the best-practice design of our Protecht ERM SaaS solution. Following the steps to complete the form will give you new insights into your business’s risk profile and risk maturity:

This blog was originally published in March 2016 and updated in June 2024.