
Risk and Control Self Assessment in an integrated risk management framework.

In this video, David Tattam talks about the eight key steps of the Risk and Control Self Assessment process, aligned with the ISO 31000 risk management standard.

Video transcription:

Hi, I'm David Tattam, Chief Research and Content Officer at the Protecht Group. We at Protecht believe that there are six key building blocks required to support a strong integrated enterprise risk management framework.

These are:

  1. Number one, risk taxonomy: A good risk classification, risk libraries to which all of your information can be connected.
  2. Number two: the risk assessment process, which is what we're going to be covering today.
  3. Number three: controls assurance, testing of our key controls.
  4. Number four: our key risk indicators to give us more up-to-date risk information.
  5. Number five: incident management, how do we manage and deal and learn from incidents.
  6. Finally, issues and actions, identifying weaknesses and fixing them.

So today, we're going to be looking at the risk assessment process, otherwise known as the risk and control self-assessment. Now the objective of this process is to identify, analyse and understand our key business risks, and their related controls and evaluate those against our risk appetite and the desired risk levels and to see if we need to make any improvements.

Now there are many approaches to risk assessment. We will outline Protecht's preferred approach. This is made up of eight key steps which really are aligned to the ISO 31000 Risk Management Standards. Now the process begins from the principle of risk as defined in ISO 31000, which is "risk is the effect of uncertainty on objectives".

Risk and Control Self Assessment steps

  1. Identify business objectives
  2. Identify operating model
  3. Identify the risk
  4. Assess the risk (using likelihood and impact)
  5. Evaluate against the appetite
  6. Identify issues and actions
  7. Monitor and review
  8. Incident management

So step number one, is identification of the business's objectives. Step number two is to identify the operating model, the key processes that need to be working to be able to deliver against those objectives and only now can we then go to step three, identify the risks that could cause the operating model to fail or not deliver the expected outcome.

Once we've identified the risks, we then need to assess the risks typically using likelihood and impact. Once we've assessed and analyzed the size of risk, we need to evaluate it against our risk appetite, risk evaluation and determine whether we need to make any improvements if it is outside of appetite.

If we do need to make improvements, this allows us to identify any issues, risk assessment control weaknesses, and control gaps and from there, we can identify the actions required to remediate those. This then moves us onto this process being repeated on a periodic basis, ongoing monitoring, and review. And finally, the importance of recording and reporting the risk assessment. This is often done on a traffic light report using red, amber and green.

They're the basic building blocks of the risk assessment process.
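The assessment, evaluation and reporting steps described above (likelihood times impact, comparison against appetite, the red/amber/green report, and the issues and actions raised for risks outside appetite), as an added Python example that is not from the video or from Protecht's own software; the 5-point scales, the rating formula, the amber band and the sample risks are all assumptions made for illustration:

```python
# Added example (not from the page or Protecht): steps 4-6 of the RCSA process
# as a small risk register. The 5-point scales, the rating formula, the amber
# band and the sample risks are all assumptions for illustration.
from dataclasses import dataclass, field

@dataclass
class Risk:
    name: str
    likelihood: int               # 1 = rare .. 5 = almost certain
    impact: int                   # 1 = insignificant .. 5 = severe
    appetite: int                 # highest rating the business will tolerate
    control_gaps: list = field(default_factory=list)

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: likelihood and impact must be 1..5")

    @property
    def rating(self) -> int:
        return self.likelihood * self.impact   # step 4: assess the risk

def rag_status(risk: Risk, amber_band: int = 4) -> str:
    # Step 5: evaluate against appetite. Above appetite is red; within the
    # assumed amber band just below appetite is amber; otherwise green.
    if risk.rating > risk.appetite:
        return "RED"
    if risk.rating > risk.appetite - amber_band:
        return "AMBER"
    return "GREEN"

def issues_and_actions(risks: list) -> dict:
    # Step 6: only risks outside appetite raise issues; each recorded control
    # gap becomes a remediation action, with a default when none is recorded.
    return {r.name: [f"Remediate: {gap}" for gap in r.control_gaps]
            or ["Review controls and reassess"]
            for r in risks if rag_status(r) == "RED"}

def traffic_light_report(risks: list) -> list:
    # Reporting: (name, rating, status) rows, highest rating first.
    rows = [(r.name, r.rating, rag_status(r)) for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)

SAMPLE_RISKS = [  # constructed sample register
    Risk("Phishing leads to credential compromise", 4, 4, 12,
         ["MFA not enforced for remote access"]),
    Risk("Critical patch backlog on internet-facing systems", 3, 5, 15),
    Risk("Quarterly privileged access review missed", 2, 3, 10),
]
```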

Next steps for your organization

At the heart of enterprise risk management (ERM) is the risk and control self-assessment (RCSA) framework. The objective of this process is to identify, analyze and understand your key business risks and their related controls, to evaluate those against your risk appetite and the desired risk levels, and to see if you need to make any improvements.

The RCSA framework is an essential component of any good ERM or GRC software system. But you don't need to have an ERM solution in place to start producing an RCSA, and we recommend that every organization complete an RCSA of its own, irrespective of its digitization plans or current status.

We have created a downloadable RCSA framework template in Excel format that you can use to identify, evaluate and manage the risks within your business, based on the best-practice design of our Protecht ERM SaaS solution.

Originally published May 2019, updated September 2023.

About the author

David Tattam is the Chief Research and Content Officer and co-founder of the Protecht Group. David's vision is to redefine the way the world thinks about risk and to develop risk management to its rightful place as a key driver of value creation in each of Protecht's clients. David is the driving force behind taking Protecht's risk thinking to the frontiers of what is possible in risk management, and behind supporting the uplift of people's risk capability through training and content.