RCSAs: Industry study reveals a move towards drastic reduction in the number of entries
Best Practice Operational Risk Forum conducted a deep dive into the topic of Risk and Control Self-Assessments (RCSAs).
Despite being the core forward-looking tool of the Operational risk framework, RCSAs typically generate a mixed response, with multiple industry studies reflecting the view that they are time consuming, not delivering enough value, perceived as a tick-box exercise.
One of the key challenges has always been the level of granularity at which risks and controls are described. If the approach is too granular, RCSAs may end up with thousands of entries – emphasizing quantity over quality and quickly leading to organizational fatigue. After all, no firm will be actively managing 500+ risks.
The poll conducted by Best Practice Forum members reflected the latest trend towards significant reduction in the number of entries. All participants - from smaller institutions comprised of less than 1,000 staff to sizable firms with over 200K employees - noted the total number of risks not exceeding 500 (see Fig 1). Many practitioners described how they embarked on a recent program with business units to revisit lengthy RCSAs and achieve drastic decrease in the number of risks, bringing the number down from thousands to less than 500 records.
领英推荐
As a result of the programs, 50% of respondents were satisfied that they have reached the right level of granularity, eliminating the disproportionate effort of continuously maintaining and updating an overly detailed risk register (see Fig 2). Not all risks require to be recorded; the focus must be on material items, enabling to actively manage, mitigate or accept the risks to answer the crucial ‘so what?’ question. This is even more important in the current testing environment, when demands are continuing to increase while budgets and resources (at best) remain at the same level. There is less room for risk administration and more impetus for value-added risk management.
Despite the overall improvement, 41% of respondents saw further optimization opportunities.
Have we mastered RCSAs or are we still on a journey? Majority of Best Practice Forum members were looking for further improvements (see Fig 3). Apart from granularity, the right methodology, correct risk and control formulation to achieve meaningful results, better use of (better) technology, links to risk appetite and capital assessment were all on the list of enhancements.
Re-injecting the energy with expert facilitation, re-engaging the stakeholders into meaningful discussions, and deriving value by making the results actionable will keep the momentum going.
Experienced Consumer Finance Operational and Conduct Risk Leader
1 个月Great to see and I’ve been pushing this for a number of years in a few roles. RCSA is a great tool for managing key risks, and reporting risk profiles and control effectiveness to senior management and board. However it’s only worthwhile if led by risk SMEs who really understand how to maximise its impact and value to support strategic decision making.
Former UK banking regulator, Risk and Compliance professional. Operational Risk, Operational Resilience, TPRM and Regulatory Affairs Consultant and Trainer. Former Chairman IOR England & Wales
1 个月Do you think this trend is driven by efforts to improve the quality and value of RCSA as a tool (focusing on key risks) or due to limited resources in 1st and 2nd lines, so something forced rather than chosen as a way to improve ORM?