Introduction
Around the world, the escalating number of operational loss events is keeping risk managers up at night. According to the data from ORX, the largest operational risk management association in the financial services sector, there were 76,620 operational risk loss events in 2022, totaling a staggering €17.8 billion. So, it isn’t a surprise when organizations are increasingly considering operational risk management as an integral part of the overall risk management program.
Operational risk management, i.e. the process of identifying, assessing, and monitoring operational risks and associated controls, is being widely applied by organizations to thwart operational disruption and minimize losses. Risk and Control Self-Assessment (RCSA) is one of the crucial steps in the operational risk management process.
Risk and Control Self-Assessment (RCSA) is an important process for identifying and assessing the key operational risks faced by an organization and the effectiveness of controls that address those risks. A key element of a strong operational risk management program, RCSA is an excellent means of assessing operational risks to improve visibility, understanding the risk posture, and identifying control deficiencies.
In its Revisions to the Principles for the Sound Management of Operational Risk, the Basel Committee on Banking Supervision states, “Banks often perform self-assessments of their operational risks and controls on various different levels. The assessments typically evaluate inherent risk (the risk before controls are considered), the effectiveness of the control environment, and residual risk (the risk exposure after controls are considered) and contain both quantitative and qualitative elements.”
A dynamic, continuous approach to conducting RCSAs, supported by a positive risk culture, strong governance and reporting, and business continuity planning can empower organizations to take a proactive approach to managing risks, strengthen business resilience, and thrive on risk.
In this eBook, we will delve into the key steps of conducting an effective RCSA and the essential elements that chief risk officers (CROs) must implement to modernize their RCSA framework.
“There is an opportunity in the market right now to look at risk and resilience in the context of growth and how they come together.”
- Gaurav Kapoor, Co-CEO and Co-Founder, MetricStream
Why a Traditional Approach to RCSA Alone Does Not Work Anymore
Traditionally, organizations performed RCSA in a periodic manner – as an annual, semi-annual, or quarterly exercise with the onus mainly on risk managers. This approach involves the following steps:
Risk Identification and Documentation
Create a comprehensive operational risk management program that includes a detailed plan to identify and document critical processes, risks, and associated controls aligned with key business objectives. Define the organizational hierarchy and identify the executives, process owners, business units, etc., that will perform RCSA.
Risk Assessment and Analysis
Perform risk assessments, qualitative and quantitative, to gain a clear view of organizational risks and develop optimal risk and reward strategies. Analyze the risks to determine the level of risk both before controls (inherent risk) and after controls (residual risk).
Control Definition and Implementation
Identify and create required controls and map its relationship with various business processes, products, risks, regulations, and audits.
Control Testing and Assessment
Define control test plans and assess the controls to determine their operational and design effectiveness. The tests or self-assessments can be conducted in the form of surveys and questionnaires.
Issue Identification & Corrective Action
Record identified control gaps and report/route them to appropriate executives for remediation.
Limitations of the Traditional RCSA Approach
The traditional approach is no longer effective in addressing the dynamic and complex risks of today. Here are some of the key limitations of the traditional approach:
- Lack of complete visibility into operational risks and effectiveness of controls
- RCSA may become a check-in-the-box activity and result in missed risks, control gaps, and potential losses
- Self-assessment without proper data can be biased and may lack completeness
- Time and resource-intensive due to the manual approach to conducting assessments
- Inefficiencies resulting from a low level of frontline engagement
- Poor quality, delayed, or incomplete assessments providing no valuable risk intelligence
- Lack of proper workflow to verify if recommended actions were implemented to address control weaknesses
- Inability to look at the big picture with the RCSA program not aligned with strategic business goals
Critical Factors to Modernize Your Risk and Control Self-Assessment
Here’s a look at six critical factors that can help you transform and modernize your RCSA program to make it forward-looking and future-ready.
Align RCSA with Business Strategy
More often than not RCSAs become a periodic box-ticking exercise. However, for organizations to derive maximum value from their RCSA program, it is important to align it with strategic business goals and embed into the overarching business strategy. This will enable risk managers to analyze RCSA results through the lens of organizational risk appetite and focus on material risks and key controls, driving optimum utilization of resources. To align the RCSA program with business goals, the first step is to get the buy-in from the top management that will help to set the tone across the enterprise. It is important to note here that organizations must have a standardized risk and control taxonomy to efficiently document all key elements.
Establish a Dynamic, Iterative Process
In today’s hyper-digitized and connected business environment, organizations face high-velocity risks. Performing RCSAs in a sporadic fashion will result in blind spots, hampering an organization’s visibility into risks and controls and its ability to manage risks proactively. Also, with the evolving risk and regulatory landscape, the controls that are effective today might not remain effective tomorrow.
A continuous or regular approach to conducting RCSAs, enabled through a software solution, will provide organizations with a real-time view of their risks and effectiveness of associated controls as well as help them save time and effort. This will also enable risk managers to verify if the corrective actions have been implemented to rectify any identified control weakness and if the controls are working as intended. With information on risks and controls more readily available, the board and executive management will be able to make more agile and better-informed business decisions.
Enable an Integrated Approach
In the AXA Future Risks Report 2023, 75% of risk experts surveyed think that risks are increasingly interconnected. To effectively navigate today’s ever-evolving risk landscape, organizations must understand the interconnected of risks and risk relationships; not look at risks in isolation. It is critical to implement an integrated approach to RCSA that helps to map risks, business processes, assets, controls, objectives, etc. so that organizations get a 360-degree view of their risk posture and understand the risk impact. It will help them to efficiently manage the complex risks of today and their domino effect.
Organizations can use software solutions that simplify the process by allowing them to capture the key processes, risks, and controls and establish links between them on a many-to-many basis that helps eliminate redundancies. It also provides a quick snapshot of how a particular risk is mapped various processes, assets, controls, and other organizational functions.
Quantify Risk in Monetary Terms
Risk assessment and analysis is a critical step in RCSA. Risk managers are often faced with a difficult choice: Which type of risk assessment should they go with – qualitative or quantitative? Today, qualitative risk assessments, such as red, yellow, and green heatmaps, high, med, and low ratings, etc., are being widely used by organizations. However, these assessments, though important to understand the severity and likelihood of risks, are greatly influenced by the bias and the perception of the risk assessor and often left to interpretation – Why is a particular risk in the red/high category? If two different risks have been identified as red, how do we prioritize them?
Such ambiguity can be addressed with quantitative risk assessments. Associating a monetary or financial value to risk will enable chief risk officers to communicate the risk exposure to the executive management in a language that is easy to interpret and act upon. It will also help prioritize risks and associated mitigation actions. That said, the decision of whether to go with qualitative or quantitative assessment also depends on what the risk managers are trying to assess. The best approach would be to use a combination of both approaches to better suit assessment objectives.
Increase Frontline Engagement
Traditionally, the ownership and accountability of RCSAs have been with the second line. A major requirement for this model to work is ensuring regular communication between the first two lines as it is the first line that is more likely to “self” identify and assess risks and controls being closely engaged in daily business activities. It is the first line that knows where the lurking risks are. So, it is not surprising when industry experts recommend entrusting RCSA to the first line. That, however, is easier said than done. Ensuring that the first line has the knowledge and the expertise to perform RCSA remains a challenge. Organizations must focus on improving the skills and capabilities of the first line, equip them with user-friendly tools to effectively conduct RCSAs, and establish well-defined workflows for routing issues to higher levels for quick remediation.
Leverage Advanced Technologies and Automation
With the amplified pace of digital transformation in organizations, agility and speed of execution have become business imperatives. Moreover, to manage today’s high-velocity, high-impact risks, organizations need real-time risk insights. Leveraging advanced technologies and automating workflows can empower risk professionals to spot any control gaps, risks, and areas in a proactive manner. Data analytics, along with visualization tools, further enhance the ability of risk managers to quickly understand the organizational risk posture and perform trend analysis.
It is also important to note that while quantifying risks is crucial, it greatly depends on availability of reliable data and the scale and maturity level of risk function. To truly understand and assess risks, organizations must employ both qualitative and quantitative risk assessment methodologies.
- Qualitative or Quantitative? A Practical Guide to Assessing Non-Financial Risks
MetricStream’s RCSA Framework for an Effective Operational Risk Management Program
Risk Control Self-Assessment (RCSA), a part of the MetricStream Operational risk Management product, enables organizations to document and evaluate their risk frameworks and key controls at multiple levels including corporate, business unit, and process levels. It simplifies data aggregation, reporting, and comparison to provide enterprise-wide visibility into the RCSA process and highlight issues that need to be addressed on priority. It provides real-time visibility that enables organizations to track RCSA throughout its life cycle from initiation to closure.
Leading banking and financial organizations have been leveraging MetricStream’s RCSA framework, aligned to industry best practices, to effectively manage operational risks and streamline risk and control self-assessments. It has helped organizations achieve around 80% increase in risk and control framework-related operational efficiency.
With MetricStream Operational Risk Management, you can:
Streamline Risk Management
Create and maintain a centralized risk repository to document all organizational risks. Map the risks to processes, critical assets, controls, products, area of compliance, etc. to understand their interrelationships.
Improve RCSA Processes
Drive Effective Risk Assessments
Plan, schedule, and perform top-down and bottom-up risk assessments by leveraging configurable methodologies and algorithms. Define the logic for computing inherent and residual risk scores and analyze them through heat maps. Leverage advanced risk quantification capabilities, including the Monte Carlo simulation model, to assess risk exposure in monetary terms.
Enable Well-Defined Risk Mitigation and Control Measures
Define a set of key controls to mitigate those risks by leveraging industry frameworks such as COSO. Enable multiple control-level tests, including independent evaluations of control testing, as well as control scoring and reporting.
Ensure Timely Review of Issues and Corrective Actions
Route any identified issues, control gaps, or weaknesses to the concerned stakeholder for timely resolution. Track and monitor the issues and corrective actions until their closure.
Efficiently Manage Key Risk Indicators
Define, measure, and monitor key indicators for risks (KRIs), controls (KCIs), and performance (KPIs). Perform correlative analyses between various key metrics to understand relationship and impact. Set threshold limits and trigger automated alerts on any breach to relevant personnel.
Enhance Loss Data Management
Record, analyze, and remediate internal risk events and losses in line with industry regulations like the Basel Accords. Consolidate risk events in various currencies in a single currency. Define loss thresholds, aggregate data from external loss data exchanges, analyze trends, determine root causes, and initiate corrective actions.
Encourage Frontline Engagement
Facilitate frontline engagement and participation in risk identification and reporting with a user-friendly interface, AI chatbots, recommendations on duplicate or semantically similar risks or issues, etc.
A leading European financial institution was struggling with its manual approach to operational risk management. It established a new department for risk prevention and compliance and sought to build an integrated risk management program, strengthen responses to emerging technology risks, and improve risk management efficiency.
Towards these goals, the organization implemented MetricStream Operational Risk Management (ORM). As a result, risk teams are now able to better identify, assess, monitor, and mitigate operational risks. They can plan, manage, and perform risk-control self-assessments (RCSAs) more efficiently. They can also capture losses, track KRIs, set risk thresholds to identify potential threats, and manage action plans to mitigate risks – all through one system.
Around the world, the escalating number of operational loss events is keeping risk managers up at night. According to the data from ORX, the largest operational risk management association in the financial services sector, there were 76,620 operational risk loss events in 2022, totaling a staggering €17.8 billion. So, it isn’t a surprise when organizations are increasingly considering operational risk management as an integral part of the overall risk management program.
Operational risk management, i.e. the process of identifying, assessing, and monitoring operational risks and associated controls, is being widely applied by organizations to thwart operational disruption and minimize losses. Risk and Control Self-Assessment (RCSA) is one of the crucial steps in the operational risk management process.
Risk and Control Self-Assessment (RCSA) is an important process for identifying and assessing the key operational risks faced by an organization and the effectiveness of controls that address those risks. A key element of a strong operational risk management program, RCSA is an excellent means of assessing operational risks to improve visibility, understanding the risk posture, and identifying control deficiencies.
In its Revisions to the Principles for the Sound Management of Operational Risk, the Basel Committee on Banking Supervision states, “Banks often perform self-assessments of their operational risks and controls on various different levels. The assessments typically evaluate inherent risk (the risk before controls are considered), the effectiveness of the control environment, and residual risk (the risk exposure after controls are considered) and contain both quantitative and qualitative elements.”
A dynamic, continuous approach to conducting RCSAs, supported by a positive risk culture, strong governance and reporting, and business continuity planning can empower organizations to take a proactive approach to managing risks, strengthen business resilience, and thrive on risk.
In this eBook, we will delve into the key steps of conducting an effective RCSA and the essential elements that chief risk officers (CROs) must implement to modernize their RCSA framework.
“There is an opportunity in the market right now to look at risk and resilience in the context of growth and how they come together.”
- Gaurav Kapoor, Co-CEO and Co-Founder, MetricStream
Traditionally, organizations performed RCSA in a periodic manner – as an annual, semi-annual, or quarterly exercise with the onus mainly on risk managers. This approach involves the following steps:
Risk Identification and Documentation
Create a comprehensive operational risk management program that includes a detailed plan to identify and document critical processes, risks, and associated controls aligned with key business objectives. Define the organizational hierarchy and identify the executives, process owners, business units, etc., that will perform RCSA.
Risk Assessment and Analysis
Perform risk assessments, qualitative and quantitative, to gain a clear view of organizational risks and develop optimal risk and reward strategies. Analyze the risks to determine the level of risk both before controls (inherent risk) and after controls (residual risk).
Control Definition and Implementation
Identify and create required controls and map its relationship with various business processes, products, risks, regulations, and audits.
Control Testing and Assessment
Define control test plans and assess the controls to determine their operational and design effectiveness. The tests or self-assessments can be conducted in the form of surveys and questionnaires.
Issue Identification & Corrective Action
Record identified control gaps and report/route them to appropriate executives for remediation.
Limitations of the Traditional RCSA Approach
The traditional approach is no longer effective in addressing the dynamic and complex risks of today. Here are some of the key limitations of the traditional approach:
- Lack of complete visibility into operational risks and effectiveness of controls
- RCSA may become a check-in-the-box activity and result in missed risks, control gaps, and potential losses
- Self-assessment without proper data can be biased and may lack completeness
- Time and resource-intensive due to the manual approach to conducting assessments
- Inefficiencies resulting from a low level of frontline engagement
- Poor quality, delayed, or incomplete assessments providing no valuable risk intelligence
- Lack of proper workflow to verify if recommended actions were implemented to address control weaknesses
- Inability to look at the big picture with the RCSA program not aligned with strategic business goals
Here’s a look at six critical factors that can help you transform and modernize your RCSA program to make it forward-looking and future-ready.
Align RCSA with Business Strategy
More often than not RCSAs become a periodic box-ticking exercise. However, for organizations to derive maximum value from their RCSA program, it is important to align it with strategic business goals and embed into the overarching business strategy. This will enable risk managers to analyze RCSA results through the lens of organizational risk appetite and focus on material risks and key controls, driving optimum utilization of resources. To align the RCSA program with business goals, the first step is to get the buy-in from the top management that will help to set the tone across the enterprise. It is important to note here that organizations must have a standardized risk and control taxonomy to efficiently document all key elements.
Establish a Dynamic, Iterative Process
In today’s hyper-digitized and connected business environment, organizations face high-velocity risks. Performing RCSAs in a sporadic fashion will result in blind spots, hampering an organization’s visibility into risks and controls and its ability to manage risks proactively. Also, with the evolving risk and regulatory landscape, the controls that are effective today might not remain effective tomorrow.
A continuous or regular approach to conducting RCSAs, enabled through a software solution, will provide organizations with a real-time view of their risks and effectiveness of associated controls as well as help them save time and effort. This will also enable risk managers to verify if the corrective actions have been implemented to rectify any identified control weakness and if the controls are working as intended. With information on risks and controls more readily available, the board and executive management will be able to make more agile and better-informed business decisions.
Enable an Integrated Approach
In the AXA Future Risks Report 2023, 75% of risk experts surveyed think that risks are increasingly interconnected. To effectively navigate today’s ever-evolving risk landscape, organizations must understand the interconnected of risks and risk relationships; not look at risks in isolation. It is critical to implement an integrated approach to RCSA that helps to map risks, business processes, assets, controls, objectives, etc. so that organizations get a 360-degree view of their risk posture and understand the risk impact. It will help them to efficiently manage the complex risks of today and their domino effect.
Organizations can use software solutions that simplify the process by allowing them to capture the key processes, risks, and controls and establish links between them on a many-to-many basis that helps eliminate redundancies. It also provides a quick snapshot of how a particular risk is mapped various processes, assets, controls, and other organizational functions.
Quantify Risk in Monetary Terms
Risk assessment and analysis is a critical step in RCSA. Risk managers are often faced with a difficult choice: Which type of risk assessment should they go with – qualitative or quantitative? Today, qualitative risk assessments, such as red, yellow, and green heatmaps, high, med, and low ratings, etc., are being widely used by organizations. However, these assessments, though important to understand the severity and likelihood of risks, are greatly influenced by the bias and the perception of the risk assessor and often left to interpretation – Why is a particular risk in the red/high category? If two different risks have been identified as red, how do we prioritize them?
Such ambiguity can be addressed with quantitative risk assessments. Associating a monetary or financial value to risk will enable chief risk officers to communicate the risk exposure to the executive management in a language that is easy to interpret and act upon. It will also help prioritize risks and associated mitigation actions. That said, the decision of whether to go with qualitative or quantitative assessment also depends on what the risk managers are trying to assess. The best approach would be to use a combination of both approaches to better suit assessment objectives.
Increase Frontline Engagement
Traditionally, the ownership and accountability of RCSAs have been with the second line. A major requirement for this model to work is ensuring regular communication between the first two lines as it is the first line that is more likely to “self” identify and assess risks and controls being closely engaged in daily business activities. It is the first line that knows where the lurking risks are. So, it is not surprising when industry experts recommend entrusting RCSA to the first line. That, however, is easier said than done. Ensuring that the first line has the knowledge and the expertise to perform RCSA remains a challenge. Organizations must focus on improving the skills and capabilities of the first line, equip them with user-friendly tools to effectively conduct RCSAs, and establish well-defined workflows for routing issues to higher levels for quick remediation.
Leverage Advanced Technologies and Automation
With the amplified pace of digital transformation in organizations, agility and speed of execution have become business imperatives. Moreover, to manage today’s high-velocity, high-impact risks, organizations need real-time risk insights. Leveraging advanced technologies and automating workflows can empower risk professionals to spot any control gaps, risks, and areas in a proactive manner. Data analytics, along with visualization tools, further enhance the ability of risk managers to quickly understand the organizational risk posture and perform trend analysis.
It is also important to note that while quantifying risks is crucial, it greatly depends on availability of reliable data and the scale and maturity level of risk function. To truly understand and assess risks, organizations must employ both qualitative and quantitative risk assessment methodologies.
- Qualitative or Quantitative? A Practical Guide to Assessing Non-Financial Risks
Risk Control Self-Assessment (RCSA), a part of the MetricStream Operational risk Management product, enables organizations to document and evaluate their risk frameworks and key controls at multiple levels including corporate, business unit, and process levels. It simplifies data aggregation, reporting, and comparison to provide enterprise-wide visibility into the RCSA process and highlight issues that need to be addressed on priority. It provides real-time visibility that enables organizations to track RCSA throughout its life cycle from initiation to closure.
Leading banking and financial organizations have been leveraging MetricStream’s RCSA framework, aligned to industry best practices, to effectively manage operational risks and streamline risk and control self-assessments. It has helped organizations achieve around 80% increase in risk and control framework-related operational efficiency.
With MetricStream Operational Risk Management, you can:
Streamline Risk Management
Create and maintain a centralized risk repository to document all organizational risks. Map the risks to processes, critical assets, controls, products, area of compliance, etc. to understand their interrelationships.
Improve RCSA Processes
Drive Effective Risk Assessments
Plan, schedule, and perform top-down and bottom-up risk assessments by leveraging configurable methodologies and algorithms. Define the logic for computing inherent and residual risk scores and analyze them through heat maps. Leverage advanced risk quantification capabilities, including the Monte Carlo simulation model, to assess risk exposure in monetary terms.
Enable Well-Defined Risk Mitigation and Control Measures
Define a set of key controls to mitigate those risks by leveraging industry frameworks such as COSO. Enable multiple control-level tests, including independent evaluations of control testing, as well as control scoring and reporting.
Ensure Timely Review of Issues and Corrective Actions
Route any identified issues, control gaps, or weaknesses to the concerned stakeholder for timely resolution. Track and monitor the issues and corrective actions until their closure.
Efficiently Manage Key Risk Indicators
Define, measure, and monitor key indicators for risks (KRIs), controls (KCIs), and performance (KPIs). Perform correlative analyses between various key metrics to understand relationship and impact. Set threshold limits and trigger automated alerts on any breach to relevant personnel.
Enhance Loss Data Management
Record, analyze, and remediate internal risk events and losses in line with industry regulations like the Basel Accords. Consolidate risk events in various currencies in a single currency. Define loss thresholds, aggregate data from external loss data exchanges, analyze trends, determine root causes, and initiate corrective actions.
Encourage Frontline Engagement
Facilitate frontline engagement and participation in risk identification and reporting with a user-friendly interface, AI chatbots, recommendations on duplicate or semantically similar risks or issues, etc.
A leading European financial institution was struggling with its manual approach to operational risk management. It established a new department for risk prevention and compliance and sought to build an integrated risk management program, strengthen responses to emerging technology risks, and improve risk management efficiency.
Towards these goals, the organization implemented MetricStream Operational Risk Management (ORM). As a result, risk teams are now able to better identify, assess, monitor, and mitigate operational risks. They can plan, manage, and perform risk-control self-assessments (RCSAs) more efficiently. They can also capture losses, track KRIs, set risk thresholds to identify potential threats, and manage action plans to mitigate risks – all through one system.