RCSA: Simplifying the process to maximize benefits and business uses


By Gus Ortega, Head of Technology, Innovation and Operations Risk Management, Voya Financial

Can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?

I started my career in 1999 working for an online trading firm, which led to a 20-year journey as an operational risk management specialist in the financial services industry focused on investment banking and, most recently, the insurance sector. I am currently the head of Technology, Innovation and Operations Risk Management at Voya Financial, with primary focus on technology, operational and third-party risk governance and oversight activities. Prior to Voya Financial, I served as the head of operational risk at AIG. I’ve also held various other senior risk management positions at banking institutions, including UBS Investment Bank, Morgan Stanley and Dresdner Kleinwort. I am an active advocate for operational risk management and co-authored the 2018 Risk.net book of the year: The Fundamentals of Operational Risk Management for Insurers.

Why is Operational Risk Important for Financial Institutions?

Looking back 20 years at the financial services industry, there were no dedicated IT-risk, model-risk, third-party-risk or fraud-risk functions. It was assumed that all fell under a general operational risk umbrella. Over the years, the operational risk management discipline has branched into specialized functions that are focused on specific, vertical, yet material risks that can be assessed, measured and monitored in isolation. While the sub-risk categories of the broader operational risk continue to grow, there needs to be consideration and increased attention to the integration of risk and control management and, through data aggregation and management capabilities, to provide for an effective risk-based management decision framework. Siloed risk management can very easily become the norm at organizations, potentially causing them to ignore smaller risk exposures that, when combined, present significant and unwanted risks for the organization. The value of operational risk management teams is their ability to deploy systems, processes and frameworks at an enterprise level that bring together practical risk management methods and help business management proactively identify, assess and remediate aggregate risks to tolerable levels. It should not be forgotten that when looking at key business processes, it is operational risk that is probably the most pervasive type of risk that organizations face, as evidenced by the recent number and size of operational risk losses.

For assessing Operational Risk, how would you describe a Risk and Control Self-Assessment (RCSA)?

RCSAs have been the cornerstone of operational risk management: the RCSA is the mechanism to identify risks and provide for a continuous assessment of the business risk and control environment. In a very mature operational risk program, RCSAs are performed by the business or, in other words, by first-line management to proactively self-evaluate their risks against a set of defined expected controls. In less-mature operational risk programs, RCSAs, or Risk and Control Assessments, are typically performed by second-line personnel. In this case, ERM/ORM specialists work closely with business managers to perform an independent assessment of business processes, risks and controls to proactively identify gaps and control weaknesses. Over the years, the effectiveness of RCSAs has been questioned due to demanding resource requirements and very minimal value-add to the business. This can be attributed to the complex methods, such as tools and bureaucratic processes, used to perform assessments. However, if designed and performed effectively, the RCSA process can have instrumental value to business operations in self-identifying and correcting issues before incurring potential operational risk losses. RCSAs continue to be an important tool within the operational risk tool-kit, and it is the one technique that provides for continuous monitoring capabilities as part of a sound risk and control system.

In your opinion, how can RCSAs be maximized to increase benefits and uses across the business?

Stick to the basics: operational risk is neither a science nor an art but should be treated as a combination of both. The real value of RCSAs is maximized when there is an integrated approach to operational risk management. It is important to have a defined risk and controls library that identifies the most common risks and enables risk ranking in light of key business objectives. Success of the RCSA process is achieved by having the ability to aggregate results, such as business process, risk and controls ranking, vertically and horizontally, thus providing timely, complete and comprehensive operational risk information to business leaders and the executive management team.

How do you see Operational Risk evolving over the next 6 to 12 months?

I don’t see Operational Risk evolving much during the next 6 to 12 months; however, what I believe will continue to evolve is further integration among key operational risk disciplines. I can see technology risk, third-party risk, business resiliency, and traditional operational risk teams becoming much more aligned and integrated where increased collaboration is achieved with other assurance, controls and assessment functions like compliance monitoring and testing, special investigations and controls testing units.