Risk and Control Self Assessment (RCSA) has become a cornerstone of current Enterprise Risk Management, yet the quality of assessments differs greatly between practitioners.
A risk assessment process commonly involves the identification of risks and related controls within a business area and a determination as to the level of each risk, using an assessment of the risk’s likelihood and consequence, and the effectiveness of controls. Most approaches to risk self assessment involve identifying just one level of consequence and one level of likelihood.
However, for any given risk type there will nearly always be a range of consequence levels, each with a different likelihood of occurrence.
These characteristics are commonly represented as a probability distribution, as shown in Fig 1.
In order to understand a given risk, we therefore need to understand the probability distribution line, that is the range of consequences against their related likelihoods.
Theoretically this would require us, as part of the RCSA process, to firstly define the range of possible consequences and, secondly, define the likelihood of them occurring. The question is: “How many consequences do we evaluate and how will those consequences be defined?” By default, and due to time and cost constraints, many RCSA processes require just one consequence but do not define whether this consequence is the average, worst case, or something else. This results in confusion for the assessed business and inconsistency across the organisation.
In order to address this issue and improve the quality of your RCSA process, the following questions should be answered:
- How will the RCSA output be used by the business? If the purpose of the RCSA is to better manage “business as usual” risks, then an average consequence makes sense. If on the other hand, the purpose is to protect the business from major disasters, a worst case consequence will be more useful.
- How many consequences will you require to be identified and how will they be defined? Where there is just one consequence identified, the key choice is between an “average” and a “worst case”. The two are vastly different. A progression from this is to identify two consequences, usually an average and an extreme/worst case. This worst case is often assessed as an extension of RCSA, being a scenario analysis process. The largest number of consequences we have seen used is three, covering average, exceptional and extreme/worst case.
- Have the persons responsible for assessing the risks been adequately informed of what level of consequence(s) is being determined?
The key issue is that most current RCSA processes do not guide the assessor as to what is required and it is left up to their own choice.
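To make the difference between the “average”, “exceptional” and “worst case” consequences concrete, here is an added worked example (not from the original article): it takes a constructed loss distribution for a single risk and derives the three consequence levels, each with the likelihood of a loss at least that large, then maps them onto assumed consequence and likelihood rating bands.

```python
# Added example: derive RCSA "average", "exceptional" and "worst case"
# consequence levels from one risk's consequence/likelihood distribution.
# The distribution, band cut-offs and labels below are constructed assumptions.

# Constructed sample distribution: (annual loss, probability of that loss).
# Probabilities sum to 1; the right-hand tail is what "worst case" looks at.
SAMPLE_DISTRIBUTION = [
    (0, 0.60),
    (10_000, 0.25),
    (50_000, 0.10),
    (250_000, 0.04),
    (2_000_000, 0.01),
]

# Assumed consequence rating scale: (upper bound of band, label).
CONSEQUENCE_BANDS = [(5_000, "Minor"), (50_000, "Moderate"),
                     (500_000, "Major"), (float("inf"), "Extreme")]

# Assumed likelihood rating scale, applied to "probability of at least this loss".
LIKELIHOOD_BANDS = [(0.02, "Rare"), (0.10, "Unlikely"),
                    (0.50, "Possible"), (1.0, "Likely")]


def rate(value, bands):
    """Map a number onto the first band whose upper bound it does not exceed."""
    for upper, label in bands:
        if value <= upper:
            return label
    return bands[-1][1]


def expected_consequence(dist):
    """Probability-weighted loss: the 'average' consequence."""
    return sum(loss * prob for loss, prob in dist)


def consequence_at_percentile(dist, pct):
    """Smallest loss whose cumulative probability reaches pct."""
    cumulative = 0.0
    for loss, prob in sorted(dist):
        cumulative += prob
        if cumulative >= pct - 1e-9:
            return loss
    return max(loss for loss, _ in dist)


def exceedance_probability(dist, threshold):
    """Likelihood that the loss is at least threshold."""
    return sum(prob for loss, prob in dist if loss >= threshold)


def assess(dist, exceptional_pct=0.99):
    """Return each consequence level as (loss, consequence band, likelihood band)."""
    levels = {"average": expected_consequence(dist),
              "exceptional": consequence_at_percentile(dist, exceptional_pct),
              "worst_case": max(loss for loss, _ in dist)}
    return {name: (loss, rate(loss, CONSEQUENCE_BANDS),
                   rate(exceedance_probability(dist, loss), LIKELIHOOD_BANDS))
            for name, loss in levels.items()}
```

With this distribution the same risk is rated “Moderate / Possible” if the assessor silently picks the average, but “Extreme / Rare” if they pick the worst case, which is exactly the inconsistency an RCSA that does not specify the consequence level invites.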
What are you doing in your self assessments?
As a minimum, ensure that those assessing the risks are aware of how they are supposed to be assessing. Secondly, consider whether the number of consequences you are assessing for all risks is adequate, weighing the extra understanding created by multiple consequences against the extra time taken to carry out multiple consequence assessments.
Note 1: Risk is defined here as the potential for something happening in the future which could have a positive or negative impact. That is, the same risk has a range of potential consequences. Interestingly the ISO 31000 Risk Management: Principles and Guidelines, defines risk in terms of the likelihood of a given consequence. This overcomes the multiple consequence issue but in practical terms still requires us, as part of the RCSA process, to define the consequence of the risk event that we are discussing.