This blog focuses on the Risk and Control Self Assessment (RCSA) process. The experiences we have in our personal lives can provide excellent guidance as to how a good RCSA should be carried out in our professional lives as risk and compliance managers — and the value-add of the RCSA process when done well.
In our personal lives, risk assessments are sometimes performed formally, such as for your motor vehicle’s annual service. Other times, however, they are performed informally, from checking the risks and controls relating to your swimming pool to assessing the risks of your home when your first child is born.
The example I will use here is your annual medical check-up. As in the business world, not all of us subscribe to the annual check-up. Maybe we do not see the value. Hopefully after this blog, you will! Let’s take a closer look.
An RCSA example: The annual medical check-up
I went for my first annual medical check-up some 10 years ago, and annually since then. First I organized the appointment, and when I arrived, the doctor had read up on my history, so he had full knowledge of all visits, issues, medications, etc. The first step to a risk assessment is therefore for the risk assessors to prepare, gaining full knowledge of the area (body) being assessed. The doctor then carried out a series of tests and analyses looking for risks. Some time later I received my report: a spreadsheet analyzed in Red, Amber and Green for all results (he knows I am a risk manager!).
For the first report 10 years ago, it was mostly green with one very bright red – cholesterol, at a level of 8.7. This was my high risk and related medical issue, one I was not aware of at the time. I therefore booked a further appointment to discuss the issue and potential treatment methods.
Changing diet was the first suggestion but after six months of eating salad sandwiches on brown bread and no butter, the cholesterol reading was still red at 8.4 – the treatment method was not working.
Next, the suggested action was to implement a medical control, being 20 mg of Lipitor per day. After an additional six months, a retest showed a level of 5.4, still in amber but better than bright red! After further consideration, the conclusion was that there was nothing further I could do to lower the level, and I have chosen to accept the risk at this point.
Subsequent check-ups confirmed that my residual risk remains around 5.4 and showed that my treatment method is still working. A couple of times, I have been asked to cease taking the medication before the check-up to measure the level without Lipitor – my inherent risk. This confirmed it is still in the high 8s and that the control is still important and valid.
In addition to highlighting higher-risk areas, the green results give me ongoing assurance that all is well, as a basis for heading into the next year of meeting my objective of a healthy and active life!
Let’s now consider this assessment in terms of how we should carry out an RCSA in the business world.
Step 1: Objectives
Risk is the effect of uncertainty on our objectives. We start the RCSA process, therefore, with the objective of the thing we are risk assessing – our body.
Objective: To live a long, active and healthy life.
Step 2: Critical processes
The second step is to identify the critical things we need to ensure operate well for us to achieve our objectives.
Critical processes: There will be many, which will most likely include such things as:
- Breathing
- Blood flow
- Blood composition
- Brain function
Step 3: Risks
Risks are things that could stop the critical processes from operating as they should, which in turn leads to the objective(s) not being achieved.
Risks will include:
- High cholesterol, leading (apparently!) to narrowing arteries
- Heart defects
- Lung disease
Step 4: Controls
Existing controls can cover many of these health risks. They may include:
- Medications
- Diet
- Exercise
Step 5: Risk analysis
Once the key risks and related controls have been identified, we need to determine the level of risk both before considering controls (inherent risk) and after considering controls (residual risk). Residual risk highlights where current issues exist that need to be addressed, and inherent risk highlights the importance of current controls, such as current medication.
Step 6: Risk evaluation
Once analyzed, the risks need to be assessed against pre-determined levels (risk appetite). The doctor uses guidance scales for risk levels to assess this.
Step 7: Issues and actions
Risk evaluation then highlights which risks are outside of the acceptable range and as a result, where an issue may exist. Each issue then needs to be addressed by considering possible remedies, from changed diet to medication.
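To make Steps 4 to 7 concrete, here is a small risk-register model that walks the cholesterol example through analysis (inherent vs. residual), evaluation against an appetite scale, and issue raising. This is an added illustration, not code from the blog or from Protecht's product; the Red/Amber/Green cut-offs are constructed assumptions chosen only so that they agree with the readings quoted above (8.7 and 8.4 red, 5.4 amber).

```python
from dataclasses import dataclass, field

# Step 6 scale: lowest reading at which each band starts. The blog never
# states the doctor's actual cut-offs; these are constructed to fit its readings.
RAG_BANDS = [(7.0, "RED"), (5.0, "AMBER"), (0.0, "GREEN")]
RAG_ORDER = ["GREEN", "AMBER", "RED"]   # left = better


def rate(reading: float) -> str:
    """Step 6: evaluate a measured level against the appetite scale."""
    for floor, colour in RAG_BANDS:
        if reading >= floor:
            return colour
    return "GREEN"


@dataclass
class Control:                 # Step 4
    name: str
    reading_with_control: float   # level measured while this control is in place


@dataclass
class Risk:                    # Step 3
    name: str
    process: str                  # Step 2: the critical process it threatens
    inherent_reading: float       # Step 5: level measured with no controls applied
    controls: list = field(default_factory=list)
    accepted: bool = False        # risk owner has formally accepted the residual level

    def residual_reading(self) -> float:
        """Step 5: residual = best level achieved by the controls in place."""
        if not self.controls:
            return self.inherent_reading
        return min(c.reading_with_control for c in self.controls)


def assess(risk: Risk, appetite: str = "GREEN") -> dict:
    """Steps 5-7 for one risk: analyse, evaluate, then raise an issue if needed."""
    inherent, residual = rate(risk.inherent_reading), rate(risk.residual_reading())
    worse_than_appetite = RAG_ORDER.index(residual) > RAG_ORDER.index(appetite)
    result = {
        "risk": risk.name, "process": risk.process,
        "inherent": inherent, "residual": residual,
        # a control is "important and valid" when it moves the rating down a band
        "control_valid": RAG_ORDER.index(residual) < RAG_ORDER.index(inherent),
        "issue": None,
    }
    if worse_than_appetite and not risk.accepted:   # Step 7
        result["issue"] = (f"{risk.name}: residual {residual} is outside appetite "
                           f"{appetite}; consider further treatment options")
    return result
```

Running `assess` on the diet-only register reproduces the "treatment not working" finding, while the register with the medication control and the accepted residual level raises no issue.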
Conclusions and next steps for your organization
The same seven steps apply to the risk and control self-assessment process in your organization, as part of your overall enterprise risk management framework. In a follow-up blog, we apply these seven steps to a business scenario to illustrate how the approach carries across into any business situation.
The RCSA framework is an essential component of any good ERM or GRC software system. But you don’t need to have an ERM solution in place to start producing an RCSA. We recommend that all organizations complete an RCSA of their own, irrespective of their digitization plans or current status.
We have created a downloadable RCSA template in Excel format that you can use to identify, evaluate and manage the risks within your business, based on the best practices of our Protecht ERM SaaS solution. Following the steps to complete the form will give you new insights into your business’s risk profile and risk maturity.
This blog was originally published in February 2016 and updated in May 2024.