What is wrong with the RCSA and what can we do about it?

The Risk Control Self Assessment (RCSA) is one of the “primary tools typically used to assess inherent operational risks and the design and effectiveness of mitigating controls” (Office the Superintendent of Financial Institutions, Operational Risk Management Guideline – E-21). In Principles for the Sound Management of Operational Risk (Bank for International Settlements (BIS), 2011), the RCSA is described as:

“Risk Assessments: In a risk assessment, often referred to as a Risk Self Assessment (RSA), a bank assesses the processes underlying its operations against a library of potential threats and vulnerabilities and considers their potential impact. A similar approach, Risk Control Self Assessments (RCSA), typically evaluates inherent risk (the risk before controls are considered), the effectiveness of the control environment, and residual risk (the risk exposure after controls are considered). Scorecards build on RCSAs by weighting residual risks to provide a means of translating the RCSA output into metrics that give a relative ranking of the control environment.”

In reading this description, it would be reasonable to be very optimistic that we will be able to provide value to management through the Risk Assessment. Any business leader should want to understand the risks, identify the controls to manage those risks, and ensure they were working effectively. If not, they are doomed to fail. It would be reasonable to expect that management would be pleased to be given a resource such as the RCSA. Alas, the RCSA has too often failed to deliver on this promise. Too often I hear criticisms of the RCSA such as:

1)      “I know we have to do this RCSA, make it quick so I can get back to doing business”

2)      “How many of these assessments do I have to do?”

3)      “I did not like being audited but at least they did the work”

4)      “You just finished the RCSA last month, why did you not identify that risk?”

5)      “I rated my risks low, why do I have to hold so much capital?”

Too often, the RCSA has become a low value add regulatory requirement. If we don’t provide value to management, we will undermine risk management, not make it better.

This article will explore two questions with the goal of discussing how we can make the RCSA valuable tool.

1)      How can a self-assessment develop a reliable and complete assessment of the risk and controls?

2)      How can the RCSA continue to collect new information in subsequent years?

First, let’s consider the challenges arising from a self-assessment. On the positive, I agree wholeheartedly that the business leader must understand and effectively manage the risk in each and every decision they make. A self-assessment without question captures how well the business leader understands the risks. On the negative, an RCSA can only capture what is known, the RCSA can be a lot of work do to, and the RCSA competes with other risk assessments and with internal audit for management’s time. The most significant challenge I see with RCSA is management’s ability to complete the self-assessment due to the complexity of risk management today and the need for multiple points of view to ensure reasonable quality.

Risk Management is complex. There are a large number of risk types recognized today, particularly under the umbrella of Operational Risk. Each of these risk types has growing bodies of “expert knowledge” supported by an ever increasing suite of certifications and growing knowledge bases to describe the risk and describe the control options. In the face of this, we must question the ability of the first line of defence, a business leader focused on sales or operations, to be familiar with each and every one of these risks in enough detail to complete a self-assessment.

“Collaborative assessment” would be much better term wherein the business leader contributes the expert understanding of the business objectives and the business processes, and the risk expert contributes in depth understanding of the risk and the control options. One approach to achieve this collaboration is though face-to-face meetings involving business leaders and risk experts. While I agree this is a collaborative approach, I question the efficiency and effectiveness of such a discussion.  Personalities, biases, and groupthink can all undermine the outcome, however, more so this approach does not necessarily lead to a more complete and more robust assessment but rather still focuses on what is known and top of mind during the meeting.

An alternative solution is for each risk expert to develop a detailed list of specific examples of how the risk could be observed in the organization and for each specific example, determine the appropriate control. I believe Bank for International Settlements recognized this problem and provided guidance when they wrote “library of potential threats and vulnerabilities”. This, I suggest, is one of the key requirements for a successful RCSA: A library of risks and controls from which management can select applicable risks and therefore the required controls.  I acknowledge that developing these libraries within an organization has the potential to be large. Risk Management needs to make it easy for the business leader to reliably and robustly identify the risks and required controls!

Second, let’s consider the RCSA in the long run. Consider the case where the business leader has completed the RCSA for several years. The information gathered in prior years is stored in a database, multipage reports are produced, and problems from prior years have been fixed. Management is now asked to prepare the RCSA for this year. They bring forward last years, review it, and indicate that nothing has changed. Operational Risk Management reviews it, draws on loss data and other monitoring tools, and concludes that nothing has changed. Audit reviews and also agrees. This sound great! This sounds like management is effectively managing risk. However consider the case of Dr. Michael Burry who made a fortune on this type of groupthink. “Effective Challenge”, meaning the critical analysis by objective, informed parties, aims to counter this groupthink. The RSCA, given the volume of data and effort to produce, is prone to groupthink through all the lines of defence.

How do we prevent groupthink in the RCSA? The obvious answer is data: Key risk indicators, internal loss data, external loss data, etc. however this has been a key component of operational risk management for a long time and yet we still have the issue! Perhaps the issue is with the data? Do we have complete data? Are we making effective use of the data we have? I suspect not but I also suggest that this is not the only problem. The other problem is the use of the RCSA to identify risks. The first few times an RCSA is completed it does a good job of identifying the risks but after time it loses the ability to reliably identify new risks. The solution, in the long run, is to view the RCSA as an “investigative tool” not an identification tool. There is little point running an RCSA on a periodic basis unless the data tells us that something has changed. The key to a sustainable RSCA process is in how we use the data to identify changes in the risk profile of a specific process, and then use the RSCA to investigate these changes and determine what changes need to be made to the controls.

An RSCA which is has become a bureaucratic annual process of ticking the boxes is of low value and probably increases the risk profile by lulling managers into believing they understand the risks. The RCSA does not need to be like this. Risk managers need to take a critical look at our own processes and question their effectiveness. We need to judge what we do by the benefit it provides our business leaders not by some measure of assessments completed.

The RCSA has the potential to be a high value investigative tool when implemented as part of well-defined fully integrated risk management program used to investigate anomalies. We must be clear about what value the RCSA is capable of providing, and what it is not.