RCSAs: Industry study reveals a move towards drastic reduction in the number of entries

Best Practice Operational Risk Forum conducted a deep dive into the topic of Risk and Control Self-Assessments (RCSAs).

Despite being the core forward-looking tool of the Operational risk framework, RCSAs typically generate a mixed response, with multiple industry studies reflecting the view that they are time consuming, not delivering enough value, perceived as a tick-box exercise.

One of the key challenges has always been the level of granularity at which risks and controls are described. If the approach is too granular, RCSAs may end up with thousands of entries – emphasizing quantity over quality and quickly leading to organizational fatigue. After all, no firm will be actively managing 500+ risks.

The poll conducted by Best Practice Forum members reflected the latest trend towards significant reduction in the number of entries. All participants - from smaller institutions comprised of less than 1,000 staff to sizable firms with over 200K employees - noted the total number of risks not exceeding 500 (see Fig 1). Many practitioners described how they embarked on a recent program with business units to revisit lengthy RCSAs and achieve drastic decrease in the number of risks, bringing the number down from thousands to less than 500 records.

As a result of the programs, 50% of respondents were satisfied that they have reached the right level of granularity, eliminating the disproportionate effort of continuously maintaining and updating an overly detailed risk register (see Fig 2). Not all risks require to be recorded; the focus must be on material items, enabling to actively manage, mitigate or accept the risks to answer the crucial ‘so what?’ question. This is even more important in the current testing environment, when demands are continuing to increase while budgets and resources (at best) remain at the same level. There is less room for risk administration and more impetus for value-added risk management.

Despite the overall improvement, 41% of respondents saw further optimization opportunities.

Have we mastered RCSAs or are we still on a journey? Majority of Best Practice Forum members were looking for further improvements (see Fig 3). Apart from granularity, the right methodology, correct risk and control formulation to achieve meaningful results, better use of (better) technology, links to risk appetite and capital assessment were all on the list of enhancements.

Re-injecting the energy with expert facilitation, re-engaging the stakeholders into meaningful discussions, and deriving value by making the results actionable will keep the momentum going.