Risk and Control Self-Assessments: RCSA or RCFA?

Risk and Control Self-Assessments (RCSAs) are one of the most interactive and engaging risk management tools; yet at times they generate a mixed response. Sceptics question whether they bring any benefits; critics suggest that they are a waste of time.

Examining what works well, a live poll conducted by the Best Practice Operational Risk Forum revealed that the majority (82%, graph above) of Operational risk practitioners are significantly involved in the RCSA process. Indeed, risk teams play a crucial role here. Although RCSA has the word 'self' in its name, business units rarely, if at all, have the maturity and understanding to conduct self-assessments on their own, without expert support. They need guidance on:

  • the level of granularity to adopt;
  • the correct formulation of what is a risk (and what is not a risk – failure of a control is not a risk!);
  • assistance on how to approach impact-likelihood assessment; and
  • a general understanding of what good looks like.

Therefore, where they work well, RCSAs are facilitated by a knowledgeable individual.

Perhaps the tool needs to be officially renamed to RCFA, risk and control facilitated assessment.

To provide the required level of support, risk teams, both second and first line where they exist, should have extensive experience not only in the risk discipline itself but also in the softer skill of facilitation.

Also, as American author and lecturer Dale Carnegie said, 'put enthusiasm into everything you do'. Robust risk conversations, energy and excitement shared by risk practitioners will send ripples through the business and will repeat and reinforce themselves, making the RCSA exercise more enjoyable and generating better results.

Risk professionals agree that RCSAs in most organisations have become the norm, where the executive of the area presents the outcomes to the senior governance committees (graph above). It works well when non-executive directors also take an active interest in the results; this requires being selective, highlighting only significant risks that threaten the achievement of business objectives. An increasing number of firms link risk management, including RCSAs, to pay and performance, although this is not yet widely implemented.

Another quote from Dale Carnegie, 'People rarely succeed unless they have fun in what they are doing'. Risk and Control Self-Assessments are a key forward-looking component of the Operational risk framework, and an excellent tool available to risk practitioners. Let's use it to derive the maximum benefits - and enjoy the process at the same time.



Lucy Cureton

Senior Risk Officer at Cains

3 years

I agree that risk practitioners often have an uphill battle even with the first step of engagement and I often believe this is born from a less than mature first line business not understanding what is in it for them. RPs should look for a positive believer and work one on one with them, let that business owner find their way to understand how an RCSA can open up a new perspective and understanding of their own business. Now help facilitate your new best friend to share their experience with “their” peers which then doesn’t make it feel like a 1LOD or 2LOD “requirement” for something they need to do their job. I think the RCSA is about negotiating with the first line so they can see tangible benefit as every second of their day counts to them so to invest this time has to have strong results. So as a first line “believer” RPs need to walk in their shoes and negotiate from the angle of the first line client and RCFA will soon become a robust RCSA. Hands off to our RM Laura Morris IRMCert who has worked side by side with myself to adopt this philosophy and share what we have achieved and now it’s time to share with my peers and I want to be at her side to show the business benefits so it’s a level sided supported approach.

Michael Grimwade

Managing Director, Operational Risk at ICBC Standard Bank Plc

3 years

"A failure of a control is not a risk!" - I used to agree completely with this statement, however, I now think that there is an exception - namely regulatory sanctions for weaknesses in systems & controls. For example, a number of banks have been fined for weaknesses in their KYC controls despite there being no evidence of any money laundering etc. taking place. So in this case: weak controls = a regulatory breach = an Op Risk event.

José Ignacio Aguilar Belmar

MBA, RM ISO 31000, LI ISO 22301, Ing Civil Industrial

3 years

RCFA!!! Totally agree! Thanks for sharing

Carmel Schmidt

Risk, Compliance and Governance Professional

3 years

Love this... the name should definitely be changed

Ryan Doherty

Senior Leader/ Risk Advisory / Transformation / Remediation

3 years

Linking Risk Management to pay and performance is certainly an interesting concept.
