Your Risk and Control Self-Assessment (RCSA) should ideally reflect your real Risk Profile, but there are reasons why this may not be the case.
Your RCSA will reflect your risk profile only if management have been involved in the process. This does not mean management ‘signing off’ the RCSA. It does mean management thinking about what will prevent them from meeting their goals, i.e. the firm’s business objectives. (If management’s goals are not the firm’s business objectives you have a much bigger problem.) It also means management thinking about what exists to mitigate what will prevent them and assessing if this is enough.
The first thing to do (but not the last) is to find out what management’s goals actually are. At a firm-wide level these are almost always on the website. At a divisional or departmental level, they should be the same as the departmental manager’s annual appraisal targets. If your firm does not have these, then ask the manager what his/her goals are. If the answer is ‘Making money for the firm’, ask how that is going to be done. There are typically four to six main goals or objectives and linking these to the RCSA will help to ensure that the RCSA reflects the firm’s true risk profile.
Once the objectives have been established and management has agreed that they are indeed the business’s objectives, the risks can be identified through asking management the question ‘What will prevent them from meeting their goals?’. The problem with this question is that responses are often causes of risk (control failures) or consequences of risk rather than the risk themselves. It is up to operational risk staff to challenge the responses and sort out the actual risks from the causes and consequences. And to turn the causes and consequences into risks.
Identifying what we have to mitigate the risks is also fraught with problems. Often management feel that they have done their job by identifying the risks. It is very easy for management to pass control identification to more junior staff. This inevitably leads to a large number of controls being identified as the controls that are used and understood by this group of staff are lower level, more numerous controls that manage parts of the high-level risks. These lower level controls do not mitigate the higher level risks although they are part of the overall control environment.
Such pass-through of control management also implicitly takes away responsibility for controls from business management. While of course management of controls requiring technical knowledge (IT for example) is delegated to particular second line of defence departments, the first line of defence remains ultimately responsible for the controls that mitigate their risks.
The assessment of risks is another area that requires care to involve management. It is simple, for example, to create ranges of risk impact that appear to work. Unless management has been included in the discussions about the size of the impact ranges, the assessment process can easily lose credibility here. A range which is so big that almost any risk can be fitted into it is a common error. This often happens in order to generate a top value that is sufficiently big or a bottom value that is sufficiently small. It is better to add another range rather than use values that reduce (or eliminate) embedding.
Assessment of controls is easier as there are a number of benchmarks such as the frequency and size of losses and the independent assessments of internal audit. The challenge around control assessments is to ensure consistency between the inherent/gross risk assessment, the residual/net assessment and control assessment. A consistency for this triple set of assessments is vital for ensuring that your RCSA really does reflect your risk profile. The reliability of management’s view of the day-to-day risk, how big it could be without controls and the effectiveness of those controls will lead to an RCSA that has business use and reflects the true risk profile of your firm.
Tony Blunden
