Risk and Control Self-Assessments – moving in the right direction?
‘There’s a way to do it better – find it’, a quote attributed to Thomas Edison, famous American inventor searching for his next discovery. And it seems fitting to apply it to the perpetual topic of RCSAs, as concluded by Best Practice Operational Risk Forum. Majority of practitioners participating in the live poll believe that methodology could be improved (65%), although some are in a better place, with ‘adequate’(12%) and ‘spot-on’(12%).
First line perception: value-add or time wasted?
First line business units and support functions seem to have embraced RCSAs and accepted that they are a necessity (44%): they help to manage risks, create transparency and demonstrate that reasonable steps have been taken to understand and control the environment.
How to move camps, from ‘time consuming’ to ‘value add’? Success depends on the chosen approach, cultural aspects and organizational maturity. There is no simple recipe; a few personal favourite basic steps that help,
- Less forms and templates, more meaningful discussions facilitated by Operational Risk experts, skilful conductors. What keeps you awake at night? What will prevent you from achieving your objectives? RCSAs need to capture what is important to the business, with methodology enabling and not hindering free flowing conversations.
- Decision and action are key; once significant risks that may prevent the business from achieving own objectives have been identified, acting on the outcomes; sharing success and celebrating it, promoting positive risk management.
- Being prepared. Studying data, from strategy and objectives to past internal and external events, regulatory priority areas, internal audit reports to name a few. Knowledge allows to establish a level playing field and have a productive dialogue.
An interesting benchmark report on RCSAs was also published by ORX https://managingrisktogether.orx.org/research/rcsa-practice-benchmark
A favourite tool despite criticism?
Still, RCSAs were the best pick out of all Operational Risk tools when it came to value-add. Practitioners ranked framework components in order of ‘usefulness’, and RCSAs were deemed the most impactful. They are also interactive, engaging and fun.
Would be interested to hear from the reader, which tool is the most helpful and effective?
Risk Director, MLRO (SMF17) & NED, Financial Services
5 年I come back to my FAQ, Elena. What did they mean by “RCSA”. Seems to me to be little consensus, so hard to compare dysfunctionality.
Chief Risk & AI Officer. Enabling operational risk management professionals to monitor and manage emerging operational risks (including AI risks), best practices, and loss events.
5 年Thank you Elena Pykhova?for sharing these findings. These combined with the ORX RCSA benchmark findings reflect a very sad state for operational risk management discipline -?https://www.dhirubhai.net/posts/manojkulwal_operationalrisk-riskspotlight-activity-6633547708382752768-TpqX It is still a big puzzle for me on why operational risk practitioners are ignoring valuable ideas and practices from standards/disciplines such as ISO 31000, COSO ERM, OCEG GRC Capability Model, Decision Analysis, Behavioural Science, Systems Thinking, Complex Adaptive Systems.?
Risk Management Transformation Strategist, Advisor & Corporate Trainer - Operational Risk | ERM | Fraud Risk | Technology Risk | Risk Appetite Framework Development
5 年An interesting survey...but this confirms the continuous challenge we face...organizations that begin to move away from a 'compliance' mindset to a risk culture building mindset will be able to gradually see the realised benefits of an effective Enterprise RCSA.