RCSA: A Top-Down Approach to Risk and Control Management within Financial Services

As the name suggests, a risk and control self-assessment (RCSA) exercise is a process in which a business line, entity, or division, known as the risk assessment unit (RAU), evaluates the likelihood and impact of each significant operational risk it faces.

RCSAs involve workshop-style discussions leading to the self-assessment of a unit's main inherent risks, the key controls mitigating those risks, and the effectiveness of those controls. What remains once the current control environment is taken into account is the residual risk. Inherent risk is typically understood as the size of the exposure before any controls are applied. This theoretical definition can seem unrealistic to line managers, especially in highly controlled environments such as IT or finance departments. A more practical alternative is to define inherent risk as the exposure that would materialize if several controls failed at once.

In RCSAs, risks are most often assessed in their two best-known dimensions: the probability of occurrence and impact if occurring. Some organizations add the notion of "velocity," understood as the speed at which the impacts of a risk materialize in an organization. Velocity may also refer to the pace at which a risk evolves in the environment, relating to the concept of risk horizon, i.e., the timeframe in which the risk will become significant for the bank. This is particularly relevant for top-down risk analysis concerning emerging risks and market trends in various risk environment characteristics: competitive, technological, political, regulatory, or criminal. While velocity and horizon can be valuable in describing and qualifying significant risks to the bank, the additional complexity they introduce is justified only for strategic, top-down risk assessments at the group level and should not be generalized to all risk assessment units.

There are many variants of RCSA in the industry, such as risk and control assessment (RCA) performed by an independent party and residual risk self-assessment (RSA). The latter obscures how much a large exposure depends on its key controls: a risk that is inherently small and one that is small only because it sits behind a heavy control environment look the same. Risk and control assessments are usually qualitative and judgment-based, though some banks require evidence of control testing before a control can be rated effective and the inherent risk reduced to an acceptable residual level. Other banks simply take the business's word for it. Mature organizations back-test the results of risk assessments against incident experience at the end of the period, usually a year, comparing the incidents and losses actually recorded with the initial assessments.

RCSA exercises have become a staple in the operational risk manager's toolkit and are now the principal operational risk assessment method for banks. Line managers typically perform RCSAs with support from the risk function. For banks still maturing in risk management, it is advisable for risk managers to assist the business in conducting risk assessment workshops and facilitating discussions and reflections. The results of assessments must be documented and submitted to line managers for approval and sign-off. Line managers are responsible for the output and for implementing any actions resulting from the analysis.

Line managers and risk managers should expect the following from RCSA exercises:

  1. Key risk exposures (inherent risks): an understanding of the magnitude of impacts if key controls are missing or failing.
  2. An assessment of controls, both preventive and detective, reducing the risk exposures to residual levels.
  3. Estimates of the expected losses, i.e., the most likely impacts and likelihood of those risks materializing under normal business conditions and controls (typical case).
  4. Estimates of stress shortfalls or stressed losses, i.e., a pessimistic assessment of the impact if the risk materializes in an adverse business environment and/or in case of multiple control failures; this assessment can be closer in impact to inherent risks but with a lower likelihood (adverse case).
  5. A list of further mitigating action plans for residual risks sitting above the risk appetite. This is the central outcome of an RCSA: Should we do more? As a risk manager in a highly secure technological bank once put it: "Risk assessment is not important; what's important is what we must do."

The key value of risk and control self-assessments is determining whether the control environment of a given unit or activity aligns with the bank's risk appetite. If the answer is yes, then the actions are simply to maintain the status quo and continue monitoring the activity. If the answer is no, further risk mitigation is required through action plans. Risk mitigation does not necessarily mean adding controls; other options include reducing risk exposure by minimizing transaction volumes, limiting access rights, redesigning or improving existing controls, and purchasing external insurance. Action plans should have business owners, milestones, and deadlines. These plans are tracked and reported similarly to audit recommendations.

RCSA exercises are typically performed annually and updated, in mature banks, after each trigger event, i.e., any significant and relevant change in the bank's risk environment. Often, this will be an incident at a peer bank that changes the perspective on the risk, such as cyberattacks, third-party failures, rogue trading, or fines for misconduct.

Risk and Control Self-Assessment (RCSA) in Banking

RCSA is a structured process where business units, entities, or divisions within a bank evaluate the likelihood and impact of significant operational risks they face. This assessment is typically conducted through facilitated workshops involving key stakeholders from the assessed unit.

Key Components of RCSA:

  1. Inherent Risk Identification: The process begins with identifying inherent risks - those existing before considering control measures. In banking, these might include risks related to credit processes, market operations, cybersecurity, or regulatory compliance.
  2. Control Effectiveness Evaluation: Participants assess the effectiveness of existing controls designed to mitigate identified risks.
  3. Residual Risk Assessment: After evaluating control effectiveness, the remaining risk exposure (residual risk) is assessed.

Risk Assessment Dimensions:

  • Probability: The likelihood of a risk event occurring.
  • Impact: The potential consequences if the risk materializes.
  • Velocity: The speed at which risk impacts manifest or evolve (used in some institutions).
  • Risk Horizon: The timeframe in which a risk is expected to become significant for the bank (used in some institutions).


Expected Outcomes of RCSA:

  1. Key Risk Exposures: Understanding of impact magnitude if key controls fail.
  2. Control Assessment: Evaluation of preventive and detective controls.
  3. Expected Loss Estimates: Predictions of likely impacts under normal conditions.
  4. Stress Loss Estimates: Pessimistic assessment of impact in adverse scenarios.
  5. Mitigating Action Plans: Further actions to address residual risks exceeding risk appetite.


RCSA Process and Frequency:

  • Typically conducted annually and updated following significant changes in the risk environment.
  • May be triggered by incidents at peer banks that alter risk perspectives.


Variants and Maturity:

  • Some banks require evidence of control testing before rating controls as effective.
  • Mature organizations back-test RCSA results against incident experiences.


Role of Risk Managers:

  • Support line managers in conducting RCSAs.
  • Facilitate risk assessment workshops, especially in banks with developing risk management practices.
  • Ensure documentation and sign-off by line managers.


Key Considerations for Banking Risk Managers:

  1. Regulatory Alignment: Ensure RCSA processes align with regulatory expectations.
  2. Integration with Risk Appetite: Link RCSA outcomes to the bank's overall risk appetite framework.
  3. Data Quality: Emphasize accurate and comprehensive data in risk assessments.
  4. Emerging Risks: Consider the application of velocity and risk horizon concepts for strategic risks.
  5. Control Environment Context: In highly regulated areas, contextualize inherent risk as exposure in the event of multiple control failures.
  6. Action Plan Implementation: Track and report on risk mitigation action plans.
  7. Continuous Improvement: Use RCSA outcomes to drive ongoing enhancements in risk management practices.

IMPACT AND LIKELIHOOD RATINGS AND ASSESSMENTS

Risk and Control Self-Assessment (RCSA) is a straightforward exercise that employs a simple tool. Judgment-based assessments using a heatmap are accessible to almost anyone. However, achieving high-quality output can be challenging due to factors such as the subjectivity of judgments, behavioral biases, and the difficulty of comparing results. The main challenge is ensuring comparable results, meaning that definitions of likelihood and impact must be calibrated so that a “high” risk for one person is not considered “low” for another. Without comparable assessments, risk cannot be properly ordered, and risk management actions cannot be effectively prioritized.

Defining Impacts

Operational risk events extend beyond financial impacts to include remediation time, customer experience, regulatory scrutiny, and reputational damage. Most banks now assess risks against four types of impact: financial, regulatory, customer, and reputation. A common variant includes: financial, regulatory, service delivery, customer, and reputation. Traditionally, impact ratings used a five-point scale, ranging from “insignificant” to “catastrophic.” Today, a four-point scale is more common, often omitting the lowest point. Assessing risks with “insignificant” impacts may not be a valuable use of resources. Furthermore, repetitive and minor losses, which are considered “expected losses,” are better included in the cost base and pricing of an activity.

The impact scales in the table below (Impact Scale per Type) are expressed in relative terms (percentages) rather than absolute quantities (amounts in AED or the number of customers impacted), and also in qualitative terms (limited/significant). Relative definitions are slightly more complex to use, as respondents may not know how much 1% of the budget is in AED, but they are more adaptable to risk assessment units of different sizes.

Impact scale per type


Harmonizing Risk Rating Scales in RCSA Processes

A major point of debate in the Risk and Control Self-Assessment (RCSA) process is whether to use a single risk rating scale for the entire bank or allow for different scales across various units. Utilizing the same impact ranges bank-wide can result in high thresholds that are irrelevant for smaller business lines and divisions, except in the smallest organizations. Even in mid-sized financial firms, an impact significant at the division level might be minor at the group level, while a moderate impact for the group could be extreme for a regional office or department.

Only a small number of banks maintain a single RCSA matrix for the entire institution. Some use only a group-level matrix, which may lack relevance for business units. Others adopt a single RCSA matrix at the process level, facing the significant challenge of aggregating numerous granular risks. Best practices have evolved towards using differentiated sets of impact scales. Generally, there are two primary scales: one at the group level for top-down risk assessment and another for business units. Additionally, many banks allow each business unit to define its own impact ranges, effectively enabling customized risk assessment tools. However, this practice can create mapping challenges when comparing results.

For instance, a case study at the end of this article illustrates how a mid-sized bank effectively uses two ranges of impact scales: one at the bank level and one at the division level. This approach allows for more precise risk assessments while maintaining coherence across the organization.

By adopting differentiated impact scales tailored to specific units while maintaining an overarching framework for comparison, banks can ensure that their RCSA processes are both relevant and effective, ultimately enhancing their overall risk management capabilities.

Defining Likelihood in RCSA

Likelihood scales are most commonly defined in terms of timeframes, such as “occurring once in x years.” While this definition is intuitive and easy to discuss, it can be slightly misleading as it actually implies: “occurring once if the next year is replicated x times.” When risk managers refer to a 1-in-10-year event, they mean an event with a 10% chance of occurring in the next year. This distinction is particularly important when assessing rapidly evolving risks, such as cyberattacks, technological changes, or regulatory sanctions. The table below (Likelihood Scale) presents an example of likelihood scales.

As with impact scales, the general practice for likelihood scales has evolved from a 5-point scale to a 4-point scale. Workshop facilitators should ensure that all participants in the risk assessment use the same definitions, thus avoiding conflicting interpretations when qualifying risks.

Example of likelihood scale

By clearly defining and standardizing likelihood scales, banks can improve the accuracy and reliability of their risk assessments, enabling more effective risk management strategies.
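As an added worked example (not part of the original article), the following Python turns the "once in x years" convention into annual probabilities, computes the chance of at least one occurrence over a multi-year horizon, and runs the end-of-year back-test of assessed likelihood against recorded incidents that mature organizations perform. The four bands are assumptions: the top two follow the ranges quoted for the example matrix later in the article (more often than 1 in 2 years; 1 in 2 to 1 in 6 years), while the lower two, the sample risk names and the incident counts are constructed for illustration.

```python
"""Reading a likelihood scale defined as "once in x years", and a one-period
back-test of assessed likelihood against recorded incidents.

Added illustration, not code from the original article. The four bands are an
assumption: the top two follow the ranges quoted for the example matrix later
in the article (>50% per year; 1 in 2 to 1 in 6 years); the lower two are
invented for this example."""
import math
from dataclasses import dataclass
from typing import Dict, List

# (label, lower bound inclusive, upper bound exclusive) on the probability of at
# least one occurrence in the next year. Ordered from most to least likely.
LIKELIHOOD_BANDS = (
    ("almost certain", 0.50, 1.01),     # more often than 1 in 2 years
    ("likely",         1 / 6, 0.50),    # 1 in 2 to 1 in 6 years
    ("possible",       1 / 20, 1 / 6),  # 1 in 6 to 1 in 20 years (assumed)
    ("rare",           0.0, 1 / 20),    # rarer than 1 in 20 years (assumed)
)
BAND_ORDER = [b[0] for b in reversed(LIKELIHOOD_BANDS)]  # rare ... almost certain


def annual_probability(return_period_years: float) -> float:
    """"1 in x years" read the way the article says it should be: a 1/x chance
    of at least one occurrence if next year were replayed x times."""
    if return_period_years <= 0:
        raise ValueError("return period must be positive")
    return min(1.0, 1.0 / return_period_years)


def probability_within(years: int, annual_p: float) -> float:
    """Chance of at least one occurrence over `years` independent years:
    1 - (1 - p)^n. A 1-in-10-year event has a 10% chance of showing up next
    year and only about a 65% chance of showing up at all in the next ten."""
    return 1.0 - (1.0 - annual_p) ** years


def likelihood_band(annual_p: float) -> str:
    """Map an annual probability onto the 4-point likelihood scale."""
    for label, lo, hi in LIKELIHOOD_BANDS:
        if lo <= annual_p < hi:
            return label
    raise ValueError(f"probability out of range: {annual_p}")


@dataclass
class BackTest:
    risk: str
    assessed: str
    observed: str
    verdict: str  # "consistent", "underestimated" or "overestimated"


def back_test(assessed: Dict[str, str], incidents: Dict[str, int],
              years: float = 1.0) -> List[BackTest]:
    """Compare each risk's assessed band with the band implied by the incidents
    logged over `years`. The observed rate is turned into a probability of at
    least one event per year with 1 - exp(-rate) (Poisson assumption), so that
    several incidents in one year do not yield a 'probability' above 1.

    Caveat: with one year of data, zero incidents is the expected outcome for
    any band below 'almost certain', so "overestimated" is weak evidence;
    "underestimated" (more incidents than the band allows) is the finding to
    act on, or pool several years of incident data first."""
    results = []
    for risk, band in assessed.items():
        rate = incidents.get(risk, 0) / years
        observed = likelihood_band(1.0 - math.exp(-rate))
        delta = BAND_ORDER.index(observed) - BAND_ORDER.index(band)
        if delta == 0:
            verdict = "consistent"
        elif delta > 0:
            verdict = "underestimated"
        else:
            verdict = "overestimated"
        results.append(BackTest(risk, band, observed, verdict))
    return results


# Constructed sample: last year's assessment and this year's incident log.
SAMPLE_ASSESSED = {
    "Credential phishing leading to account takeover": "rare",
    "Payment file rejected by clearing system": "almost certain",
    "Key person leaves without handover": "possible",
}
SAMPLE_INCIDENTS = {
    "Credential phishing leading to account takeover": 2,
    "Payment file rejected by clearing system": 5,
}

if __name__ == "__main__":
    print(f"1-in-10-year event, chance next year: {annual_probability(10):.0%}")
    print(f"... at least once in ten years: {probability_within(10, 0.1):.1%}")
    for r in back_test(SAMPLE_ASSESSED, SAMPLE_INCIDENTS):
        print(f"{r.risk:<48} assessed={r.assessed:<15} observed={r.observed:<15} {r.verdict}")
```

Running the module prints the 1-in-10-year conversions and a verdict per risk. The verdict is deliberately asymmetric: a risk assessed as "rare" that fired twice in the year is flagged as underestimated and should be re-rated in the next round, whereas a "possible" risk with no incidents is reported as overestimated only as a prompt to look at more years of data, since a single quiet year says little about a 1-in-10 event.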


Practical Assistance in Risk Assessment

Although simple on paper, risk assessment can be particularly challenging in practice. The following suggestions may help risk managers run RCSA workshops more effectively. The table below (Impact Scales) provides an example of an overall impact scale definition, valid at the bank level, aggregating various possible impacts into a more intuitive definition. This table also draws parallels from recent market events to help contextualize the assessment.

Impact Scales – Intuitive Definitions

To illustrate the scales more clearly, consider the following examples:

  • Low Impact: Equivalent to a shrug of the shoulders (“Whatever… let's fix it and move on”).
  • Moderate Impact: A major embarrassment without significant consequences, such as when a young credit risk professional accidentally deleted hundreds of documents from the department server, resulting in lost work but resolved within a few hours thanks to overnight backups. Today, such an incident would likely require an action plan for server file access.
  • Major Impact: An event triggering immediate alerts to senior management.
  • Extreme Impact: An event placing the bank in crisis management mode, demanding immediate and extensive intervention.

Many risk assessments tend to overestimate impact and underestimate likelihood. The overestimation of impact often stems from assessors not considering the significant role of incident management in reducing net impact. Rapid reaction and effective crisis management plans can significantly mitigate the actual impacts of material incidents.


Impact scales – intuitive definitions

Practical Tips for Running RCSA Workshops

  1. Unified Definitions: Ensure all participants use the same definitions for likelihood and impact to avoid conflicting interpretations.
  2. Contextual Examples: Use real-life scenarios and market parallels to help participants understand and accurately assess risks.
  3. Clear Communication: Facilitate open and clear communication among participants to ensure comprehensive understanding and agreement on risk assessments.

It is worth repeating that many risk assessments overestimate impact while underestimating likelihood. The overestimation usually comes from not accounting for the mitigating effect of incident management and crisis response: effective crisis management can substantially reduce the net impact of a material incident. Note also that the bar for what counts as an incident has moved: in today's regulatory environment, operational events that once seemed minor, such as unauthorized access to restricted information or an employee falling for a phishing attempt, will usually require formal incident reporting and a corrective action plan, reflecting how central operational resilience and cybersecurity have become in banking. A balanced assessment considers the severity of the incident, the probability of its occurrence, and the effectiveness of the existing controls and response capabilities; that combination is what allows risks to be prioritized and resources allocated accurately.


Combining Likelihood and Impact: The Heatmap

The probability/impact matrix, also known as the "P/I matrix" or heatmap, combines two dimensions of risk. This matrix is often referred to as the RCSA matrix or heatmap (see the figure below for an operational risk heatmap). It serves as the most tangible expression of a bank's risk appetite, determining the limits of risk-taking and exposure. When residual risks are assessed and land in a map zone outside the bank's risk appetite, further mitigating actions are required.

Operational Risk Heatmap

The various combinations of impact and likelihood are represented by colors that denote the intensity of the risk. The most commonly used colors are red, amber, and green, or a four-color scheme of red, amber, yellow, and green. Some banks use shades of red, black, or even purple for the highest impact and likelihood combinations, while shades of green are used for the lowest risks. In some rare cases, shades of blue are employed, sometimes because management prefers to avoid red; in these cases, the darker the blue, the higher the risk.

This heatmap visualization helps in identifying and prioritizing risks effectively, ensuring that the bank's risk management strategies are aligned with its risk appetite.

An operational risk heatmap

Colors and Risk Appetite in the Heatmap

The colors and corresponding risk appetite on a heatmap are entirely dependent on the definitions of impacts and likelihood on the axes. It is crucial that these axes and their associated colors are defined jointly to ensure consistency and clarity.

Qualitative vs. Quantitative Risk Ratings

It is important to note that only colors or qualitative ratings should be used to qualify risks. A common mistake is to multiply the likelihood and impact ratings to reduce each risk to a single number. This equates risks with vastly different characteristics: a frequent but low-impact risk (likelihood 4, impact 1) and a rare but extreme event (likelihood 1, impact 4) both score 4, yet they call for different responses and usually sit in different appetite zones. The ratings are ordinal labels, not quantities; performing arithmetic on them is meaningless and produces misleading results.

Challenges in Aggregating RCSA Results

Aggregating RCSA results can be challenging, particularly when qualitative impact scales are used. To address this, some banks have reverted to using impact scales expressed solely in financial terms. Indirect potential impacts on customer experience, regulatory scrutiny, and remediation costs are quantified in financial terms and added to the total impact. This approach provides a clearer and more consistent basis for aggregating and comparing risks across different units and scenarios.
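The heatmap described above, together with the two pitfalls just discussed (arithmetic on ratings, and aggregation of qualitative impacts), as an added Python example that is not the article's own tool. It encodes the matrix as an explicit lookup table whose zone colours are set together with the axis definitions, shows that the product score equates cells the matrix separates, converts the impact types into a financial equivalent in AED, and lists the residual risks whose rating lands outside appetite and therefore need an action plan. The zone layout, the AED thresholds, the rating labels and the sample register are all assumptions constructed for the example.

```python
"""An operational-risk heatmap as an explicit lookup table, the product-score
shortcut it is often (wrongly) replaced with, and the appetite check that
turns residual ratings into an action-plan list.

Added illustration, not the article's own tool. The zone layout, the AED
impact thresholds and the sample register are assumptions made for the
example; the page's own tables are images and are not reproduced here."""
from typing import Dict, List

# Axis definitions. Index 0 is the mildest rating on each axis.
LIKELIHOOD = ["rare", "possible", "likely", "almost certain"]
IMPACT = ["low", "moderate", "major", "extreme"]

# Assumed group-level financial-equivalent impact bands (upper bound, label).
# Anything at or above the last bound is "extreme".
IMPACT_AED = [(1_000_000, "low"), (5_000_000, "moderate"), (25_000_000, "major")]

# Zone per cell, rows = likelihood (rare first), columns = impact (low first).
# The amber "tolerated" cells trace the appetite curve; everything above it is
# red (outside appetite), everything below is green. The lowest impact column
# is left entirely within appetite: frequent petty losses belong in the cost
# base, not in the workshop. Assumed layout; it must be set together with the
# axis definitions, never derived from them.
ZONES = [
    # low      moderate  major    extreme
    ["green", "green",  "green", "amber"],  # rare
    ["green", "green",  "amber", "red"],    # possible
    ["green", "amber",  "red",   "red"],    # likely
    ["green", "red",    "red",   "red"],    # almost certain
]


def zone(likelihood: str, impact: str) -> str:
    """Look the cell up; never compute it arithmetically."""
    return ZONES[LIKELIHOOD.index(likelihood)][IMPACT.index(impact)]


def product_score(likelihood: str, impact: str) -> int:
    """The shortcut the article warns against: product of the 1-based ranks."""
    return (LIKELIHOOD.index(likelihood) + 1) * (IMPACT.index(impact) + 1)


def cells_with_score(score: int) -> List[str]:
    """All distinct zones sharing one product score, to show what it hides."""
    return sorted({zone(lk, im) for lk in LIKELIHOOD for im in IMPACT
                   if product_score(lk, im) == score})


def impact_rating(total_aed: float) -> str:
    """Map a financial-equivalent total onto the 4-point impact scale."""
    for bound, label in IMPACT_AED:
        if total_aed < bound:
            return label
    return "extreme"


def financial_equivalent(impacts: Dict[str, float]) -> float:
    """Sum the direct loss and the indirect impacts already expressed in AED
    (regulatory, customer, remediation, reputation), as in the aggregation
    approach described in the article."""
    return float(sum(impacts.values()))


def assess(risk: Dict) -> Dict:
    """Attach the financial total, impact rating and zone to one risk record."""
    total = financial_equivalent(risk["impacts_aed"])
    rating = impact_rating(total)
    return {**risk, "total_aed": total, "impact": rating,
            "zone": zone(risk["likelihood"], rating)}


def action_plans_required(register: List[Dict]) -> List[str]:
    """Names of residual risks whose rating lands outside appetite (red)."""
    return [r["name"] for r in map(assess, register) if r["zone"] == "red"]


# Constructed sample register of residual risks (illustrative figures only).
SAMPLE_REGISTER = [
    {"name": "Payment file rejected by clearing system", "likelihood": "almost certain",
     "impacts_aed": {"financial": 60_000, "remediation": 40_000, "customer": 150_000}},
    {"name": "Unauthorised access to customer data", "likelihood": "possible",
     "impacts_aed": {"financial": 500_000, "regulatory": 3_000_000,
                     "customer": 2_000_000, "reputation": 1_500_000}},
    {"name": "Core banking outage longer than one business day", "likelihood": "rare",
     "impacts_aed": {"financial": 10_000_000, "regulatory": 5_000_000,
                     "customer": 8_000_000, "reputation": 6_000_000}},
    {"name": "Phishing-driven payment fraud", "likelihood": "likely",
     "impacts_aed": {"financial": 4_000_000, "regulatory": 1_500_000, "customer": 1_000_000}},
    {"name": "Rogue trading loss", "likelihood": "possible",
     "impacts_aed": {"financial": 40_000_000}},
]

if __name__ == "__main__":
    for r in map(assess, SAMPLE_REGISTER):
        print(f"{r['name']:<50} {r['likelihood']:<15} {r['impact']:<9} {r['zone']}")
    print("action plans required:", action_plans_required(SAMPLE_REGISTER))
    print("zones sharing product score 4:", cells_with_score(4))
```

In this layout the tolerated cells run from (likely, moderate) through (possible, major) to (rare, extreme), and that curve can only be reproduced by looking cells up: the product score puts (almost certain, low), which is an expected loss inside appetite, on the same footing as (rare, extreme), which sits at the tolerance threshold. The register shows the aggregation step in use: a fine, a customer remediation cost and a reputational estimate are each expressed in AED, summed, and only then rated, so the rating reflects the whole impact rather than the direct loss alone.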

Example: RCSA matrices of a mid-sized bank in the United Arab Emirates

The figure below replicates the group RCSA matrix of the mid-sized bank in this example. For a more intuitive representation, we have made the size of each rating box roughly proportional to its range, rather than using equally sized squares or rectangles.

In this matrix, almost certain events (>50%) are represented by larger boxes to reflect their higher frequency. The second range of likelihood (1/2 to 1/6) is represented by smaller boxes, and so on. Similarly, the impact boxes are wider if the ranges of impacts are more severe. Although the matrix is not exactly to scale, this approach provides a clearer visualization of the magnitude of risk exposures.

This proportional representation helps stakeholders better understand and prioritize risks based on their likelihood and impact, leading to more effective risk management decisions.

RCSA – a modern representation

The Risk Appetite Matrix

The matrix reflects the company's risk appetite limits and is often referred to as a "risk appetite matrix." It makes three zones explicit: within appetite (below the curve, green in a RAG rating), where no further action is needed; outside appetite (above the curve, typically red), which requires further mitigation; and a "tolerated" band along the curve itself (often yellow or amber), which marks the bank's risk tolerance thresholds. Management takes a neutral view of risks in the tolerated band; it should be limited to one likelihood range per impact level and kept no larger than necessary. Interestingly, the shape of this band mirrors the shape of an operational loss distribution.

This type of RCSA matrix illustrates how opinion-based risk assessments qualitatively mirror quantitative loss distribution modeling, which is why P/I matrices should consistently place likelihood on the vertical axis and impact on the horizontal axis: drawn that way, the appetite curve falls from frequent small impacts to rare large ones, just as a loss severity distribution does. Over time, forecast-based risk assessments should be compared with actual loss experience. Ideally, the distribution of recorded losses would closely match the distribution of assessed risks. Perfect alignment is unrealistic, but comparing assessments with outcomes at the end of each year is a useful input to the next round of assessments.

Group and Departmental Matrices

The group-level matrix is complemented by a second matrix used for risk assessments at the departmental level. The likelihood ranges are the same, but the impact ranges are shifted down by one notch to match the smaller exposures of a single department: in the example, the lowest departmental impact range is AED 50k–200k and the highest is AED 5 million and above.

This dual-matrix approach allows for more granular and context-specific risk assessments, ensuring that both group-level and departmental risks are effectively managed within the bank's overall risk appetite framework.

LINKS WITH OTHER PARTS OF THE FRAMEWORK

A single point, representing a single combination of probability and impact, can hardly summarize a comprehensive risk assessment. Each risk can manifest in various degrees of severity, typically with an inverse relationship between impact and likelihood. For instance, consider system downtime: minor interruptions of a few minutes are almost certain over a one-year horizon, whereas 1–2 hour interruptions are less likely, and 2–4 hour interruptions should have no more than a 5–10% likelihood, sometimes much lower depending on the bank and its systems. A shutdown lasting more than a business day is a rare scenario with extreme impacts for nearly every bank.

For any given risk, there are multiple likelihood-impact combinations. To manage this continuum of possibilities, banks generally use three types of assessments:

  1. Mild Case of Expected Loss: Incidents resulting from control failures or mishaps under normal business conditions.
  2. Stressed Case: A pessimistic scenario involving potential losses due to key control failures, multiple control failures, and/or adverse business circumstances (e.g., an accounting error at year-end or a system halt during peak times).
  3. Worst Case: A low-likelihood but extreme loss scenario, occurring under particularly adverse business circumstances or in conjunction with other aggravating factors (e.g., personal data loss involving high-profile individuals immediately following an awareness campaign, coupled with a massive social media impact).

By categorizing risks into these three types, banks can better prepare for and manage a range of potential incidents, ensuring their risk assessment framework is robust and comprehensive. This structured approach allows for a more nuanced understanding and prioritization of risks, facilitating targeted risk management actions and resource allocation.

Comprehensive Risk Assessments in Large Institutions

Many large institutions assess these three versions of outcomes per risk. Those assessing only one point usually focus on the stressed case. Less mature banks often fail to provide businesses with clear guidance on assessing risks, leading to confusion, disparity in results, and nearly useless outcomes. One of the main challenges of RCSA exercises is ensuring that all assessors use the same types of assessments to produce comparable results. Achieving this consistency requires active involvement from the risk function.

Linking RCSA to the Risk Management Framework

A possible alternative used by some mature institutions is to explicitly link the RCSA matrix to other elements of the risk management framework. This approach acknowledges the continuum between different severity and likelihood levels at which a risk may materialize (see the figure below - RCSA and Risk Continuum).

Expected Losses and Catastrophic Scenarios

On the left-hand side of the matrix are the expected losses (EL), which include inevitable processing errors, halts, and incidents that are part of the cost of doing business. It is important to identify and quantify these losses so they can be included in pricing, but dedicating time and effort in RCSA workshops to petty incidents is inefficient. Effective risk management is fundamentally good management.

On the right-hand side of the RCSA matrix lie the extreme, but hopefully unlikely, catastrophic scenarios. While large losses are not inherently rare, they are rare in occurrence because they are usually prevented when the right controls are in place. Scenarios are useful for identifying tail risks, crisis management, continuity planning, own risk and solvency assessment (ORSA), and capital assessment. These scenarios can be run in related exercises, consistent with the findings of the RCSAs.

Integrating Scenario Assessments

Scenario assessment, ORSA, and capital assessment are discussed in other articles. Integrating these elements with the RCSA framework helps institutions recognize the continuum of risk severity and likelihood, ensuring a comprehensive approach to risk management. This integration supports the identification of expected losses for inclusion in pricing and the preparation for catastrophic scenarios to enhance crisis management and continuity planning.

By actively involving the risk function and linking the RCSA matrix to other risk management elements, institutions can achieve more consistent, comparable, and useful risk assessments, ultimately leading to better risk management practices.

RCSA and risk continuum

The Balanced Approach of RCSA

With its left and right borders defined, RCSA positions itself as the optimal balance in risk assessment. Much like the tale of Goldilocks, our selections are neither too mild nor too severe, but sit comfortably in the middle. This balanced approach ensures that risks are assessed with a practical perspective, focusing on both realistic and significant potential impacts.

As one manager aptly put it, when you focus on "the stuff in the middle," and engage business partners fully, risk conversations deliver substantial business value. This middle-ground focus helps in identifying and managing risks that are both manageable and impactful, thus ensuring that risk management efforts are both efficient and effective. By achieving this balance, RCSA helps institutions navigate the complex landscape of operational risks with greater confidence and clarity.


Marcos Paulo Bastos Braga

LinkedIn Media Management Specialist, Archivist / Project Consultant to the Ministério do Planejamento e Orçamento

3 months

Thank you for sharing.
