At the heart of enterprise risk management (ERM) is the risk and control self-assessment (RCSA) framework. The objective of this process is to identify, analyse and understand your key business risks and their related controls, to evaluate those against your risk appetite and the desired risk levels, and to see if you need to make any improvements.
What is my RCSA framework for?
A risk and control self-assessment process involves identifying the risks and related controls within a business area and determining the level of each risk, based on an assessment of the risk’s likelihood and consequence and of the effectiveness of its controls.
The RCSA process integrates into an enterprise risk management framework, and the results of RCSA can be used in scenario analysis, key risk indicators, incident management and compliance.
While the RCSA framework is an essential component of any good ERM or GRC software system, you don’t need to have an ERM solution in place to make a start at producing an RCSA. We recommend that all organisations should complete an RCSA of their own irrespective of their digitisation plans or current status.
What are the steps to building my RCSA framework?
There are seven steps to a successful risk and controls self-assessment process.
- Business objectives – Identification of the business's objectives.
- Identify critical processes – Identification of the operating model (the key processes that need to be working to be able to deliver against those objectives).
- Identify risks – Identification of the risks that could cause the operating model to fail or not deliver the expected outcome.
- Identify controls – Identification of the control measures that are currently in place to reduce the likelihood or limit the impact of the identified risk.
- Assess and analyse the risks – Typically using likelihood and impact.
- Evaluate – Evaluate the risk against your risk appetite and, if it is outside appetite, determine whether you need to make improvements to the underlying risk or to the risk controls.
- Issues and actions – Ensure that the process is repeated, monitored, reviewed, recorded and reported.
Hopefully, you will already have identified your business objectives and critical processes as part of your broader business planning. If not, then this is a useful step that you should take before getting into the specifics of risk management. Once you have the first two steps in hand, our template will lead you through the rest of the process steps for each risk you identify.
Worked RCSA example: employee data breach
Let’s take a specific example of a risk that is particularly common in today’s workplaces: the risk of unauthorised access to sensitive or employee data. We can go through the key steps of the risk and controls process to identify the risk, identify the controls, assess and analyse the risk, evaluate it against risk appetite, and determine issues and actions.
- Risk: The risk of sensitive data and employee data being exposed due to unauthorised access resulting in a breach of regulation
- Cause: People – accidental mistake
- Impact: Financial – regulatory fines
- Risk owner: Head of IT
- Key controls: Access to the system requires authentication, data is encrypted
- Controls rating: Effective
- Risk likelihood: Unlikely
- Risk consequence: Extreme
- Overall risk rating: Moderate
- Accept or treat: Accept – controls are in place to mitigate risk to acceptable level
- Action plans: Continue monitoring IT data access on a fortnightly basis
As you’ll see when you download our RCSA framework template, the structure of the template prompts you to fill out the example in the way that brings out risks and controls most effectively.
Just one more important note: when you capture risks in your RCSA, it is important to ensure that you are correctly identifying risk events (as opposed to underlying causes, secondary causes, or outcomes). For more information on how to correctly identify and categorise risks, please see our Enterprise Risk Management eBook.
How can I take my RCSA framework to the next level?
Creating an RCSA framework is a great start for understanding your business’s risk position and identifying your enterprise risk status. But it’s very much a start rather than an end goal. Once you’ve got the basics of the risk and control self-assessment in place, you can move on to perfecting and enhancing the process to ensure that you’re truly capturing an accurate picture of your business.
Protecht’s free one-hour Risk & Control Self-Assessments: How to unlock enterprise value webinar will help you understand more of the details of how to ensure your RCSA methodology engages front-line staff and delivers high-quality relevant data. Watch the RCSA webinar now.
To really build your knowledge of the RCSA framework process, you can check out our on-demand Protecht Academy Risk and control self-assessment online course. You can buy this course online and take it immediately – it will take about 5-6 hours, with a detailed assessment at the end of the unit. Buy the course online and take it now.
Although the RCSA process is useful as a standalone addition to your business, it becomes especially powerful when used as the basis for a digitised ERM software system. To find out more about why and how you can build an ERM system for your business, check out our Digitisation of risk management eBook and our Enterprise Risk Management buyer’s guide.