
Risk and Control Self Assessment - Average or Worst Case?

Risk and Control Self Assessment (RCSA) has become a cornerstone of current Enterprise Risk Management, yet the quality of assessments differs greatly between practitioners.


A risk assessment process commonly involves the identification of risks and related controls within a business area and a determination as to the level of each risk, using an assessment of the risk’s likelihood and consequence, and the effectiveness of controls. Most approaches to risk self assessment involve identifying just one level of consequence and one level of likelihood.

However, for any given risk type there will nearly always be a range of consequence levels, each with a different likelihood of occurrence.

These characteristics are commonly represented as a probability distribution, as shown in Fig 1.

Fig 1: Probability distribution of consequence levels against their likelihood of occurrence.

In order to understand a given risk, we therefore need to understand the probability distribution line, that is the range of consequences against their related likelihoods.

Theoretically this would require us, as part of the RCSA process, to firstly define the range of possible consequences and, secondly, define the likelihood of them occurring. The question is: “How many consequences do we evaluate and how will those consequences be defined?” By default, and due to time and cost constraints, many RCSA processes require just one consequence but do not define whether this consequence is the average, worst case, or something else. This results in confusion for the assessed business and inconsistency across the organisation.

In order to address this issue and improve the quality of your RCSA process, the following questions should be answered:

  1. How will the RCSA output be used by the business? If the purpose of the RCSA is to better manage “business as usual” risks, then an average consequence makes sense. If, on the other hand, the purpose is to protect the business from major disasters, a worst case consequence will be more useful.
  2. How many consequences will you require to be identified, and how will they be defined? Where just one consequence is identified, the key choice is between an “average” and a “worst case”; the two are vastly different. A progression from this is to identify two consequences, usually an average and an extreme/worst case. This worst case is often assessed in a scenario analysis process run as an extension of the RCSA. The most consequences we have seen used are three, covering average, exceptional and extreme/worst case.
  3. Have the persons responsible for assessing the risks been adequately informed of what level of consequence(s) is being determined? The key issue is that most current RCSA processes do not guide the assessor as to what is required, leaving it to their own choice.
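As an added illustration that is not part of the original article, the Python below takes one constructed consequence distribution for a hypothetical risk (assumed dollar figures and likelihoods) and derives the three consequence levels discussed above, average, exceptional and worst case, together with the likelihood of reaching at least a given level; the function names and the 0.99 "exceptional" confidence level are choices made for this example.

```python
from typing import Dict, List, Tuple

# Constructed consequence distribution for one hypothetical risk, e.g. an unauthorised
# data disclosure: (financial consequence in $, annual likelihood). All values are assumed.
CONSTRUCTED_DISTRIBUTION: List[Tuple[float, float]] = [
    (0.0, 0.50),           # no event this year
    (10_000.0, 0.30),      # minor: contained quickly
    (100_000.0, 0.15),     # moderate: regulatory notification required
    (1_000_000.0, 0.04),   # exceptional: fines and remediation
    (20_000_000.0, 0.01),  # extreme / worst case: major breach
]

def validate(dist: List[Tuple[float, float]]) -> List[Tuple[float, float]]:
    """Check likelihoods are non-negative and sum to 1; drop impossible levels; sort by consequence."""
    if any(p < 0 for _, p in dist):
        raise ValueError("likelihoods must be non-negative")
    if abs(sum(p for _, p in dist) - 1.0) > 1e-9:
        raise ValueError("likelihoods must sum to 1.0")
    return sorted((c, p) for c, p in dist if p > 0)

def average_consequence(dist: List[Tuple[float, float]]) -> float:
    """Expected consequence: the 'average' a business-as-usual RCSA would use."""
    return sum(c * p for c, p in validate(dist))

def consequence_at_confidence(dist: List[Tuple[float, float]], confidence: float) -> float:
    """Smallest consequence level whose cumulative likelihood reaches `confidence`
    (0.99 gives a 1-in-100 'exceptional' level, 1.0 gives the worst case)."""
    levels = validate(dist)
    cumulative = 0.0
    for c, p in levels:
        cumulative += p
        if cumulative >= confidence - 1e-12:
            return c
    return levels[-1][0]  # guards against rounding that stops just short of 1.0

def likelihood_of_at_least(dist: List[Tuple[float, float]], level: float) -> float:
    """ISO 31000 style view: the likelihood that the consequence is at least `level`."""
    return sum(p for c, p in validate(dist) if c >= level)

def rcsa_profile(dist: List[Tuple[float, float]]) -> Dict[str, float]:
    """The three consequence levels the article mentions, derived from one distribution."""
    return {
        "average": average_consequence(dist),
        "exceptional": consequence_at_confidence(dist, 0.99),
        "worst_case": consequence_at_confidence(dist, 1.0),
    }
if __name__ == "__main__":
    for name, value in rcsa_profile(CONSTRUCTED_DISTRIBUTION).items():
        chance = likelihood_of_at_least(CONSTRUCTED_DISTRIBUTION, value)
        print(f"{name:>12}: ${value:>14,.0f}   likelihood of at least this: {chance:.2%}")
```

With these assumed inputs the average is $258,000 while the worst case is $20,000,000, which is the gap the text describes when an assessor is not told which level to rate.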

What are you doing in your self assessments?

As a minimum, ensure that those assessing the risks know how they are expected to assess them. Secondly, consider whether the number of consequences you assess for each risk is adequate, weighing the extra understanding that multiple consequences create against the extra time taken to carry out multiple consequence assessments.

Note 1: Risk is defined here as the potential for something happening in the future which could have a positive or negative impact. That is, the same risk has a range of potential consequences. Interestingly, ISO 31000 (Risk Management: Principles and Guidelines) defines risk in terms of the likelihood of a given consequence. This overcomes the multiple consequence issue, but in practical terms it still requires us, as part of the RCSA process, to define the consequence of the risk event that we are discussing.


About the author

David Tattam is the Chief Research and Content Officer and co-founder of the Protecht Group. David’s vision is to redefine the way the world thinks about risk and to develop risk management to its rightful place as a key driver of value creation in each of Protecht’s clients. David is the driving force behind taking Protecht’s risk thinking to the frontiers of what is possible in risk management and supporting the uplift of people’s risk capability through training and content.