What is an RCSA framework?
At the heart of enterprise risk management (ERM) is the risk and control self-assessment (RCSA) framework. The objective of this process is to identify, analyze and understand your key business risks and their related controls, to evaluate those against your risk appetite and the desired risk levels, and to see if you need to make any improvements.
How do I use an RCSA framework?
A risk and control self-assessment process involves identifying the risks and their related controls within a business area and determining the level of each risk. That level is based on an assessment of the risk's likelihood and consequences, together with how effectively the existing controls prevent or mitigate it.
The RCSA process integrates into an enterprise risk management framework. The results of RCSA can be used in scenario analysis, key risk indicators, incident management and compliance.
While the RCSA framework is an essential component of any good ERM or GRC software system, you don’t need to have an ERM software solution in place to begin producing an RCSA. We recommend that all organizations complete an RCSA of their own, independent of digitization plans or the current status of your risk program.
What are the steps to building my RCSA framework?
There are seven steps to a successful risk and controls self-assessment process.
- Business objectives – Identification of the business's objectives.
- Identify critical processes – Identification of the operating model (the key processes that must be working for the business to deliver those objectives).
- Identify risks – Identification of the risks that could cause the operating model to fail or not deliver the expected outcome.
- Identify controls – Identification of the control measures that are currently in place to reduce the likelihood or limit the impact of the identified risk.
- Assess and analyze the risks – Typically using likelihood and impact.
- Evaluate – Evaluate the risk against your risk appetite. If it is outside appetite, determine whether you need to improve the underlying risk or its controls.
- Issues and actions – Record the issues found and the actions taken to address them, and ensure that the process is repeated, monitored, reviewed, recorded and reported.
Hopefully, you will already have identified your business objectives and critical processes as part of your broader business planning. If not, then this is a useful step that you should take before getting into the specifics of risk management.
Once you have the first two steps in hand, our template will lead you through the rest of the process steps for each risk you identify.
RCSA example: Employee data breach
Let's take a sample risk that is particularly common in today's workplace: unauthorized access to sensitive or employee data.
We can go through the key steps of the risks and controls process to identify the risk, identify the controls, assess and analyze the risk, evaluate against risk appetite and determine issues and actions.
- Risk: The risk of sensitive data and employee data being exposed due to unauthorized access, resulting in a breach of regulation.
- Cause: People – accidental mistake.
- Impact: Financial – regulatory fines.
- Risk owner: Head of IT.
- Key controls: Access to the system requires authentication, and data is encrypted.
- Controls rating: Effective.
- Risk likelihood: Unlikely.
- Risk consequence: Extreme.
- Overall risk rating: Moderate.
- Accept or treat: Accept – controls are in place to mitigate risk to an acceptable level.
- Action plans: Continue monitoring IT data access on a bi-weekly basis.
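The scoring behind "Unlikely" plus "Extreme" giving "Moderate", and the accept-or-treat decision against appetite, depend on the matrix and rules an organization chooses. The following Python is an added example, not code from this page or from Protecht: it assumes five-point likelihood and consequence scales, a 5x5 matrix banded on the product of the two ordinals, a control-effectiveness rule that steps likelihood down from an assumed inherent level, and an appetite expressed as the highest acceptable rating. The entry names, the inherent likelihood of "Likely" for the breach example, and the second, weaker-controls entry are constructed for illustration.

```python
"""Minimal RCSA scoring: residual risk from inherent risk and control
effectiveness, rated on a likelihood x consequence matrix and compared
with a stated risk appetite. Scales, matrix bands and the control
step-down rule are assumptions for this example, not Protecht's method."""
from dataclasses import dataclass
from enum import IntEnum


class Likelihood(IntEnum):
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    ALMOST_CERTAIN = 5


class Consequence(IntEnum):
    INSIGNIFICANT = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    EXTREME = 5


# Assumed rule: how many likelihood steps a control set removes. Controls
# here reduce likelihood only; a control that limits impact (for example
# backups) would step down Consequence instead, which the page also allows.
CONTROL_STEP_DOWN = {"Effective": 2, "Partially effective": 1, "Ineffective": 0}

# Ordered from lowest to highest so ratings can be compared with appetite.
RATINGS = ["Low", "Moderate", "High", "Extreme"]


def rate(likelihood: Likelihood, consequence: Consequence) -> str:
    """Assumed 5x5 matrix: band the product of the two ordinals (1..25)."""
    score = int(likelihood) * int(consequence)
    if score >= 20:
        return "Extreme"
    if score >= 12:
        return "High"
    if score >= 5:
        return "Moderate"
    return "Low"


@dataclass
class RcsaEntry:
    risk: str
    owner: str
    key_controls: str
    control_rating: str          # key of CONTROL_STEP_DOWN
    inherent_likelihood: Likelihood
    consequence: Consequence

    def residual_likelihood(self) -> Likelihood:
        """Likelihood after controls, never below RARE."""
        steps = CONTROL_STEP_DOWN[self.control_rating]
        return Likelihood(max(Likelihood.RARE, self.inherent_likelihood - steps))

    def residual_rating(self) -> str:
        return rate(self.residual_likelihood(), self.consequence)

    def decision(self, appetite: str) -> str:
        """'Accept' when the residual rating is within appetite, else 'Treat'."""
        within = RATINGS.index(self.residual_rating()) <= RATINGS.index(appetite)
        return "Accept" if within else "Treat"


# The page's worked example, with an assumed inherent likelihood of LIKELY.
EMPLOYEE_DATA_BREACH = RcsaEntry(
    risk="Sensitive and employee data exposed through unauthorized access",
    owner="Head of IT",
    key_controls="Authentication required for system access; data encrypted",
    control_rating="Effective",
    inherent_likelihood=Likelihood.LIKELY,
    consequence=Consequence.EXTREME,
)

# Constructed second entry: same risk, but controls rated only partially
# effective, which leaves the residual rating outside a "Moderate" appetite.
WEAK_CONTROLS = RcsaEntry(
    risk="Sensitive and employee data exposed through unauthorized access",
    owner="Head of IT",
    key_controls="Shared admin account; encryption not yet rolled out",
    control_rating="Partially effective",
    inherent_likelihood=Likelihood.LIKELY,
    consequence=Consequence.EXTREME,
)


def assess(entries, appetite: str):
    """Return one summary row per entry, as the template would record it."""
    return [
        {
            "risk": e.risk,
            "residual_likelihood": e.residual_likelihood().name.title(),
            "consequence": e.consequence.name.title(),
            "rating": e.residual_rating(),
            "decision": e.decision(appetite),
        }
        for e in entries
    ]


if __name__ == "__main__":
    for row in assess([EMPLOYEE_DATA_BREACH, WEAK_CONTROLS], appetite="Moderate"):
        print(row)
```

Under these assumptions the page's entry comes out as Unlikely, Extreme, Moderate, Accept, and the weaker-controls entry as Possible, Extreme, High, Treat. The point to take from the code is that the matrix bands and the control step-down are policy choices that need to be written down and applied consistently across the register, otherwise two assessors will rate the same risk differently.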
One check worth making on an entry like this is that each key control actually addresses the cause you recorded. Authentication and encryption reduce the likelihood of access by someone who should not have it; the cause recorded here is an accidental mistake by a person who already has access, which is more directly reduced by least-privilege access, periodic access reviews and data-handling training. If the controls and the cause do not line up, either the cause or the control list needs revisiting before the "Effective" rating can be relied on.
As you'll see when you download our RCSA framework template, the structure of the template prompts you to fill out each entry in the way that brings out risks and controls most effectively.
One more important note: when you capture risks in your RCSA, make sure you are recording risk events (what could happen), rather than their underlying causes, secondary causes or outcomes. In the example above, the event is the exposure of data through unauthorized access; the accidental mistake is a cause and the regulatory fine is an impact.
For more information on how to correctly identify and categorize risks, please see our Enterprise Risk Management eBook.
How can I take my RCSA framework to the next level?
Creating an RCSA framework is a great start for understanding your business’s risk profile and identifying the status of your enterprise risks. But it’s very much a starting point rather than an end goal. Once you’ve got the basics of the risk and control self-assessment in place, you can move on to perfecting and enhancing the process to ensure that you’re truly capturing an accurate picture of your business.
Additional resources from Protecht:
- Protecht’s on-demand webinar, "Risk & Control Self-Assessments: How to unlock enterprise value," will help you understand the details of how to ensure your RCSA methodology engages front-line staff and delivers high-quality relevant data. Watch the RCSA webinar now.
- Watch how we facilitate your RCSA process in our 20-minute product demonstration video, "Risk and control self-assessment in Protecht ERM."
- To really build your knowledge of the RCSA framework process, you can take our on-demand Protecht Academy Risk and Control Self-Assessment course. You can buy this course online and take it immediately – it will take about 5-6 hours and will help you build a detailed assessment at the end of the course. Buy the course online and take it now.
- Although the RCSA process is useful as a standalone addition to your business, it becomes especially powerful when used as the basis for a digitized ERM software system. To find out more about why and how you can build an ERM system for your business, check out our Digitization of Risk Management eBook and our Enterprise Risk Management buyer’s guide.