When people hear the acronym for risk and control self-assessment, RCSA, the first response typically uttered by those who are familiar with the term is an exasperated sigh. To them it is another activity that checks a box for providing governance functions to C-suite officers and regulators with a bird’s eye view of the identified risk and controls associated with an organization’s myriad business processes. However, it is more than just checking a box.
RCSAs offer a vital framework for organizations to proactively identify, assess and mitigate risk. First, a properly executed RCSA can drive informed business decisions. And within business processes, RCSAs can function as catalysts to help determine where investments, such as automation, should occur. Further, a well-performed RCSA can support the value-add that information technology/information systems (IT/IS) can provide from a control perspective to mitigate risk associated with numerous threats. It is also not specific to any industry; it can be applied to finance, healthcare, manufacturing and a wide range of other sectors.
Identifying Business Objectives, Targets or Processes
Performing an RCSA typically begins with the identification of business objectives, targets or processes, as shown in figure 1. This can include setting a business process objective (e.g., the reduction of order fulfillment), a target (e.g., achieve 20 percent reduction in customer support response time) or processes (e.g., general ledger updates, configuration management or user access management).
Process Mapping
Next come process-mapping activities to illustrate the flow of a process. Although process mapping may not always be considered valuable, maps can be useful for identifying and managing risk, highlighting gaps within the process (which can provide opportunities to strengthen controls), discovering opportunities for automation, supporting business continuity process efforts,1 and assisting with process improvement (value-add activities) by visually identifying weaknesses that may exist in the form of potential risk and control deficiencies. These maps also benefit security and process resiliency and, at the same time, support regulatory and contractual requirements. The controls that follow from this mapping are capable not only of detecting risk, but also of limiting or even preventing risk from materializing. Although all the controls employed should be clearly documented, preventive controls are generally the most valuable.
Ranking Risk
Risk should be captured within a risk register, either sequentially or in tandem with the process-mapping activity. The risk register is a collection of identified risk scenarios that are accounted for and incorporated into the enterprisewide risk profile.2 It is used to document identified risk areas and rank them on a quantitative (e.g., 1–5) or qualitative (i.e., very low to critical) scale based on two distinct factors: likelihood (probability) and impact (severity). Certain organizations consider the velocity of the risk, which indicates how fast a risk may affect an organization, as well.3
Typically, the largest set of risk areas in the risk register is ranked as moderate. A smaller subset is considered high and an even smaller subset is ranked as critical. If most of the risk is considered high or critical, it might indicate that the organization is not focused enough to make the investment the control environment requires. In that circumstance, it might be best for the assessor to suggest a different approach to the organization’s ranking method (e.g., ordinal or stack ranking).
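As an added illustration (not part of the article), the register scoring described above in Python: each scenario is rated 1–5 for likelihood and impact, velocity can optionally be factored in, and the resulting distribution is checked for the "mostly high or critical" condition that signals the ranking method should be revisited. The band cut-offs, the velocity weighting and the sample entries are assumptions made for this example.

```python
from collections import Counter
from dataclasses import dataclass

# Qualitative bands laid over the 1-25 product of two 1-5 ratings (assumed cut-offs).
BANDS = [(3, "very low"), (6, "low"), (12, "moderate"), (19, "high"), (25, "critical")]

@dataclass
class RiskEntry:
    """One risk scenario in the register; all ratings must be on the 1-5 scale."""
    process: str
    scenario: str
    likelihood: int    # probability, 1 = rare .. 5 = almost certain
    impact: int        # severity, 1 = negligible .. 5 = severe
    velocity: int = 3  # how fast it hits, 1 = slow onset .. 5 = immediate (optional)

    def __post_init__(self):
        for name in ("likelihood", "impact", "velocity"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} must be 1-5 for {self.scenario!r}")

    def score(self, use_velocity=False):
        """Likelihood x impact (1-25). With velocity enabled, each step away from
        the neutral value 3 shifts the score by 10% (an assumed weighting)."""
        base = self.likelihood * self.impact
        if use_velocity:
            base = round(base * (1 + (self.velocity - 3) * 0.1))
        return max(1, min(25, base))

    def band(self, use_velocity=False):
        s = self.score(use_velocity)
        return next(label for cutoff, label in BANDS if s <= cutoff)

def summarize(register, use_velocity=False):
    """Count entries per band and flag a register whose majority is high/critical,
    which the article treats as a cue to revisit the ranking method."""
    counts = Counter(e.band(use_velocity) for e in register)
    top = counts["high"] + counts["critical"]
    return {"counts": dict(counts), "review_method": top > len(register) / 2}

def stack_rank(register, use_velocity=False):
    """Ordinal alternative: order scenarios by score, highest first."""
    return [e.scenario for e in sorted(register, key=lambda e: e.score(use_velocity), reverse=True)]

# Constructed sample register for a user access management process.
SAMPLE = [
    RiskEntry("user access mgmt", "orphaned accounts after offboarding", 4, 4),
    RiskEntry("user access mgmt", "privileged access without approval", 3, 5, velocity=5),
    RiskEntry("user access mgmt", "quarterly review missed", 3, 2),
    RiskEntry("user access mgmt", "shared service account password", 3, 4, velocity=4),
]
```

With velocity ignored the sample register stays majority moderate-or-below; once velocity is applied a third entry crosses into "high" and the flag trips.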
An RCSA exercise is generally conducted for each business process. Once risk and related controls are documented in a risk register, an independent testing unit (typically separate from the business unit) assesses the effectiveness of the controls and identifies the mitigated or unmitigated risk remaining after the establishment of those controls. The assessments are then collected and compiled to create a comprehensive understanding of risk within an organization and determine whether the control environment is sufficiently mitigating the risk identified. This requires an understanding of the control environment and any rationales for considering revised likelihoods. The environment is reported on from a risk and control perspective, typically focused on areas of concern such as the necessary application of resources (i.e., people, information, capital and time).
Improving the Control Environment
Business decisions can be made throughout the RCSA life cycle based on the development of process maps and risk registers. Risk identification, risk tolerance and risk appetite play important roles in determining an organization’s operational thresholds and its reliance on the control environment. Any new risk that materializes (e.g., due to operational loss or an individual control failure) provides a sanity check as to whether risk likelihood and impact are rated appropriately.
Ensuing activities (e.g., related to a critically rated risk that materializes but does not create a loss event) may include a business unit determining whether the control environment is in alignment with the organization’s risk appetite. Further analysis may be required to determine whether the control environment can be improved, whether it should be accepted as is, or whether exiting the business process would be the more appropriate action.
One example of control environment improvement is strengthening a control. Controls are critical to managing risk within an organization, and if the RCSA process identifies weaknesses in a control, steps can be taken to strengthen it. These might include implementing new controls, improving existing controls through automation (i.e., changing from detective to preventive) and ensuring that controls are operating adequately or effectively.
Another example of control environment improvement is based on an understanding of control characteristics (e.g., manual vs. automated controls, transaction vs. summary-level controls). Ideally, the performance of control tests indicates that the remaining controls mitigate the risk. In certain instances, it may be appropriate to determine whether a control is necessary at all (e.g., key vs. nonkey controls). An opportunity exists to analyze the manual control environment, because any control identified as manual is a candidate to be scrutinized for automation4 and should have a business impact analysis and cost-benefit analysis associated with it.
Boosting Performance
By strategically using the RCSA, organizations can better manage risk and, ultimately, achieve their objectives in a more effective and efficient manner. Examples of actions that can be taken following performance of an RCSA include:
- Identifying areas of the organization that are at higher risk, allowing management to allocate resources more effectively
- Identifying areas where processes are inefficient or ineffective, driving process improvement initiatives that can elevate the overall performance of the organization
- Providing valuable insights into the organization’s risk profile, helping to inform strategic decision-making (e.g., if the RCSA identifies a significant market risk, the organization may decide to adjust its business strategy to mitigate the risk)
- Identifying specific risk and vulnerabilities in the organization’s operations, allowing management to implement controls and other mitigation strategies to reduce the likelihood and impact of the risk
Conclusion
RCSA activities have the potential to drive informed business decisions and act as catalysts for strategic investments, such as automation, within business processes. A well-executed RCSA not only supports the value that IT/IS can provide from a control perspective, but also serves as a robust framework for mitigating risk associated with various threats. By enhancing decision-making, fortifying risk management practices, improving control effectiveness, optimizing operational efficiency and elevating overall organizational performance, RCSAs emerge as a crucial tool that significantly contributes to the success and sustainability of businesses in today’s dynamic landscape.
Endnotes
1 Freund, J.; “Yes, Business Process Maps Are Boring,” @ISACA, 15 March 2023, p2a1.1acart.com/resources/news-and-trends/newsletters/atisaca/2023/volume-11/business-process-maps-are-boring
2 Sbriz, L.; “Security Adjustments to Strengthen the Bond Between Risk Registers and Information,” ISACA Journal, vol. 5, 2021, p2a1.1acart.com/archives
3 Wolters Kluwer, “What Is Risk Velocity and Should You Track It?” 7 October 2015, www.wolterskluwer.com/en/expert-insights/what-is-risk-velocity-and-should-you-track-it
4 Dutta, A.; D. Dopp; “A Framework for Estimating ROI of Automated Internal Controls,” ISACA Journal, vol. 5, 2011, p2a1.1acart.com/archives
ANTHONY OTERI | CRISC, CDPSE, AWS CCP, CCSK
Is a senior associate of operational risk management and information risk management at Santander. He has more than 10 years of experience in the first and second line of defense in risk and control environments across various organizations within the financial services industry.