Conducting impactful RCSAs to identify material risks

This content has been archived. It may no longer be relevant

The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.

James Serinese, Head of Front Office Risk and Control and Operational Risk, Scotiabank

What is the importance of ensuring a risk-based approach when identifying material risks, and how can this be done?

It is critical to utilize a risk-based approach when intensifying the inherent risk inventory for an RCSA to eliminate inefficiencies within the RCSA process, and ensure controls are identified and assessed for the key risks.

The 1st line should spend appropriate time and effort on the initial scope of the RCSA early in assessment cycle.  A well-defined scope enables the assessors to execute and prioritize the key areas of material risks.  Once a strong scope has been created, the Bank can utilize internal and external risk data aligned to unit to assist with identifying the key inherent risks.  Some of the data points which can be used to risk prioritize material risks are incidents, testing issues, audits, regulatory exam points, KRIs, self-id issues, scenario analysis outcomes, external data, etc.

To ensure that review is constantly evolving and streamlined, the team should create a risk and control library with strong taxonomy to categorize and name both risks and controls.  This allows one to standardize RCSAs across functional units and easily identify gaps in controls.  Consistency is key.  Manual processes come with operational risk and performing the RCSA is no exception.

Following the completion of the RCSA, it is important to discern tangible action items identifying potential gaps in the risk and control framework.  Once the analysis is complete, one should ascertain the key take-aways and determine timelines for remediation with stakeholders.

What critical processes do you prioritize when identifying inherent risk?

The critical processes should be scoped prior to the start of assessment. Working with RCSA unit owners and utilizing a robust process map will enable prioritization of the key inherent risks.  Assessor’s should review within the scope all activities conducted by the unit and define the key processes with the inherent risks reside.  Working with the process map facilitates a comprehensive analysis of the critical processes.

Handoff from one unit to another, ie business to CSF, control support functions, is critical in identifying the processes containing inherent risk.  Both the business and CSFs will have overlapping risk but likely approach it from different angles.  Their controls will overlap as well, as the business predominantly owning the risk, while CSFs own a portion of the control infrastructure.


Having the previously mentioned taxonomy allows one to identify gaps, allowing for consistency among business lines.  A good example to review is something like incorrect transaction booking.  This risk applies to almost every single business line, but presents itself in different forms.  Subsequently, related controls should also be similar.  Creating that taxonomy and doing the comparison easily identifies strengths and weaknesses among the various businesses.

How do you ensure key controls are effective when mitigating risk?

A two-tiered approach can be used to ensure key controls are assessed accurately and ensuring key controls are effective.

  1. A review and walkthrough with the owner of the identified controls to ensure controls effectively mitigate the aligned inherent risks and it is designed / operating effectively. A well written accurate control description is the key step to start on a successful path of ensuring residual risk is within appetite.  Once description is written, the control owner working with assessor should write a solid rationale on how and why the control is designed and operating effectively.
  2. 1st line testing of controls after the self-assessment is critical to ensure the control mitigates the risk and residual risk is within appetite. An independent tester not associated with the control owner conducts tests with samples to ensure controls are designed and operating effectively.
  3. One must gather relevant data points, ie KRIs, audit findings, testing results, operational risk events, new business initiatives, etc, prior to the assessment to get statistical evidencing on control effectiveness. Controls should be evaluated on both performance and design.  The control may be well designed, but a junior staff may not be able to execute properly, and vice versa.  All controls should be easily replicable by following procedures in place.  Without updated procedures, the control design is flawed.
What are the regulatory expectations when conducting RCSAs to identify material risks?

The regulators have very high expectations that the RCSA program is robust and meets their standards.  The FRB constantly reviews firms to ensure that the components of their RCSA program meets all aspects of their target state.  They have stated that the RCSA is the central pillar of non-financial risk management, monitoring and mitigation. Each few years the FRB pushes the standards higher to increase the quality of assessments and in theory lower residual risk across financial institutions. This usually requires more resources and tools for a firm to meet their expectations.

It is important to understand how the different assessments overlap, the relevant inherent risk impacts, and the impact thresholds.  If items are covered in the CRCA, ie compliance assessment, duplicating efforts is unnecessary; however, when business failure (ie operational risk) leads to a regulatory impact, the regulatory risk should be included in RCSA.  This distinction allows the assessments to compliment one another without unnecessary duplication.


James will be speaking at our upcoming Operational Risk Management USA Congress, taking place on October 12-13 at Etc Venues Lexington.

You may also be interested in…

Have you made your free account?