Adapted from Operational Risk Management: Best Practices in the Financial Services Industry by Ariane Chapelle.
What is RCSA
As the name implies, RCSA (Risk and Control Self-Assessment) is the process in which a business line (called a Risk Assessment Unit in risk lingo) evaluates the risks it is facing. By evaluation we mean estimating the likelihood and the impact of each risk.
Why is RCSA important
RCSA is an essential part of the overall risk management process, which, apart from RCSA, draws on:
- External loss data
- Internal loss data, large past incidents and near misses
- Key risk indicator scores
- Audit issues
- Exposures/vulnerabilities
RCSA assesses not only risks but also the key controls and their effectiveness in mitigating those risks. As a result, the RCSA process leaves the unit with a view of its residual risks, that is, what remains once the controls have been credited.
Risk and control assessments are usually qualitative and judgment-based, although some firms demand evidence of control testing before controls can be rated as effective and inherent risks decreased to acceptable levels. Other firms simply rely on the business’s word. Mature organizations backtest the results of risk assessment against the incident experience at the end of the period – usually a year; incidents and losses are compared to what had been assessed initially.
RCSA Process
Line managers usually perform RCSAs themselves with support from the risk function. The following activities are part of the RCSA process:
- Identify risk scenarios and risk exposures
- Evaluate likelihood and impact
- Identify and assess existing controls
- Evaluate how these controls reduce likelihood and/or impact (to arrive at the residual risk)
- Draft action plans to further treat the risk (usually measured against the organization's risk appetite)
- Check the RCSA result against the loss database (if the organization has one) to cross-reference the impact and likelihood evaluations
The key outcome of RCSA is an answer to the question: should we do more?
The RCSA process does not stop at drafting the action plan, though: monitoring the implementation of the plan is part of the process as well.
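To make the steps above concrete, here is an added worked example in Python; it is not code from the original article or from Chapelle's book. It walks one scenario through the process: inherent likelihood and impact scores, credit for controls (with and without evidence of control testing), the residual rating read off a risk matrix, the "should we do more?" test against a stated risk appetite, and a backtest of the assessed scores against the loss records for the period. The 5-point scales, the matrix bands, the control effectiveness points, the calibration of incident counts and loss amounts to scale levels, and the sample scenario and losses are all assumptions made for illustration.

```python
"""Worked RCSA example (added illustration; all scales and figures are assumed)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

RATINGS = ["low", "medium", "high", "critical"]  # ordered rating bands


def rate(likelihood: int, impact: int) -> str:
    """Assumed 5x5 risk matrix: likelihood x impact mapped to a rating band."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("scores must be on the 1..5 scale")
    score = likelihood * impact
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


@dataclass
class Control:
    name: str
    reduces: str        # "likelihood" or "impact"
    effectiveness: int  # assumed: scale points removed from the score it reduces
    tested: bool        # whether evidence of control testing exists


@dataclass
class Risk:
    scenario: str
    inherent_likelihood: int
    inherent_impact: int
    controls: List[Control] = field(default_factory=list)

    def residual(self, require_evidence: bool = True) -> Tuple[int, int]:
        """Apply controls to the inherent scores; untested controls get no credit
        when evidence is required (the stricter practice described in the text)."""
        lik, imp = self.inherent_likelihood, self.inherent_impact
        for c in self.controls:
            if require_evidence and not c.tested:
                continue
            if c.reduces == "likelihood":
                lik = max(1, lik - c.effectiveness)
            elif c.reduces == "impact":
                imp = max(1, imp - c.effectiveness)
            else:
                raise ValueError(f"unknown control target: {c.reduces}")
        return lik, imp


def needs_action(risk: Risk, appetite: str, require_evidence: bool = True) -> bool:
    """'Should we do more?': True when the residual rating exceeds the appetite."""
    residual_rating = rate(*risk.residual(require_evidence))
    return RATINGS.index(residual_rating) > RATINGS.index(appetite)


# Assumed calibration used to backtest the scales against the loss database.
def likelihood_from_count(incidents_per_year: int) -> int:
    if incidents_per_year == 0:
        return 1
    if incidents_per_year == 1:
        return 2
    if incidents_per_year <= 3:
        return 3
    if incidents_per_year <= 9:
        return 4
    return 5


def impact_from_loss(loss: float) -> int:
    """Largest single loss mapped to an impact level (assumed monetary bands)."""
    for level, ceiling in enumerate((10_000, 100_000, 1_000_000, 10_000_000), start=1):
        if loss < ceiling:
            return level
    return 5


def backtest(risk: Risk, losses: List[float], require_evidence: bool = True) -> Dict[str, object]:
    """Compare the assessed residual scores with what the period's losses imply."""
    assessed_lik, assessed_imp = risk.residual(require_evidence)
    observed_lik = likelihood_from_count(len(losses))
    observed_imp = impact_from_loss(max(losses)) if losses else 1
    return {
        "assessed": (assessed_lik, assessed_imp),
        "observed": (observed_lik, observed_imp),
        "likelihood_understated": observed_lik > assessed_lik,
        "impact_understated": observed_imp > assessed_imp,
    }


# Constructed sample scenario from a cyber RCSA (values assumed, not real data).
ACCOUNT_TAKEOVER = Risk(
    scenario="Customer account takeover via credential stuffing",
    inherent_likelihood=4,
    inherent_impact=4,
    controls=[
        Control("MFA on customer login", "likelihood", 2, tested=True),
        Control("Cyber insurance", "impact", 1, tested=False),
    ],
)
# Constructed loss records for the review period (two incidents, amounts in EUR).
PERIOD_LOSSES = [250_000.0, 40_000.0]

if __name__ == "__main__":
    r = ACCOUNT_TAKEOVER
    print("inherent:", rate(r.inherent_likelihood, r.inherent_impact))
    print("residual (evidence required):", rate(*r.residual()))
    print("residual (business's word):", rate(*r.residual(require_evidence=False)))
    print("action needed vs 'medium' appetite:", needs_action(r, "medium"))
    print("backtest:", backtest(r, PERIOD_LOSSES))
```

Two things worth noticing when running it. First, the same scenario rates "high" when only tested controls are credited but "medium" when the business's word is taken for the untested insurance control, which is exactly the difference between the two practices described above and decides whether an action plan is required against a "medium" appetite. Second, the backtest flags the likelihood as understated: two incidents in the year sit above the residual likelihood of 2 that the assessment claimed, which is the kind of finding that should feed the next assessment cycle.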
What do you need in RCSA process?
Qualified personnel – line managers should know their own job well; they do not need any particular risk training, and the process can be assisted by risk managers. To analyze the combined results coming from different line units, however, you need risk managers with some experience and qualification. You also need to make the results presentable for top management, especially if the action plan requires budget and resources that top management has to approve.
Risk Matrix – the organization should have a risk matrix, which is essentially the rule for classifying a risk once its likelihood and impact have been scored (typically a grid of likelihood bands against impact bands, each cell carrying a rating). From the risk matrix you then build risk heatmaps, pie charts, graphs or whatever visual representation meets your needs.
Risk Taxonomy – a taxonomy is a structured list of potential or usual risks or scenarios (for example, the Basel risk taxonomy of operational risk event types). It can be given by a regulator, an industry standard or an international standard.
List of Controls – organizations usually use control lists taken from an international standard. You need a standardized set to be able to compare results from year to year and across different departments.
Other helping info:
- Risk loss database
- List of Threats – usually used in cyber risk evaluation process
- List of Vulnerabilities – usually used in cyber risk evaluation process
How can we help
Our tool is designed by risk people with involvement of business line representatives, who have hands-on experience in risk management.
While small organizations are advised to master the process in Excel spreadsheets before jumping to a tool, more mature organizations can benefit greatly from automation.
Our solution simplifies collaboration, enhances the process through automation, provides a unified view of all risks and, by visualizing the results, helps both with analysis and with presenting the results. You can build your own matrices, taxonomies, and lists of controls, threats and vulnerabilities to use in the assessment process. You can create action plans with notifications and monitor their implementation.