Conducting impactful RCSAs to identify material risks

How do you ensure a risk-based approach when identifying material risks?

The key to identifying the material risks within an RCSA is dependent on several key deliverables:

Ensuring risk coverage 

• Identification of the RCSA scope, what areas of risk are in scope
• Comprehensive risk taxonomy with identified ownership and a process that recognizes new or emerging risks
• An informed discussion on the applicable risks involving the correct experts from the 1^st and 2^nd line into the risk assessment.
• Supporting the discussion with available facts that can deepen the discussion

Timeliness of RCSA

• RCSA requires a regular cadence so that all dependencies can have a current view of risks
• A triggered process enables ad-hoc updates when a situation calls for it, such as a potential rise in materiality for emerging or existing risk.

Appropriate governance

• Materiality controlled escalation path and tiered reporting

Holistic Framework

• Identification of risks through other risk processes should connect with relevant RCSA’s

Now when we have these building blocks in place, there comes a time when a new question arises about development or risk that is on the horizon. There is a need to identify its impact and define materiality.

1. Examine what areas have risk-based sensitivity to that new risk/development and gather the latest RCSA’s for those areas.
2. Trigger a discussion for the areas in scope to define what identified risks could materially change within this new risk/development lens. Does it have a causal effect that might call for new controls and mitigation? Does it affect potential risk impacts?
3. Is this risk/development adding any other risk taxonomy items previously not impactful to the list of the areas in scope? Add new risk to the risk taxonomy.
4. Aggregate the changes and complete the analysis of the materiality of the new risk/development required responses that will need to be in place to mitigate it.

In my experience, this methodology creates a focused response by utilizing previously gathered information and challenging it with a new risk/development. This method informs the framework and therefore is sustainable as the new data is now available within the most current assessments.

What critical processes do you prioritize when identifying inherent risk?

The identification occurs in the build-up to an RCSA. During the scoping of new or existing organizational units, identify all critical processes and the experts for them and include them in the RCSA discussions. Critical processes can also be low-frequency if they have high exposure. Preferable is to have a standardized process inventory/taxonomy to ease the activity and create connectivity of risk results and other variables within the organization. Repeat this process before re-assessment.

Critical process identification relies on communication and collaboration between 1^st and 2^nd lines of defence to best inform the assessment.

How do you ensure key controls are effective when mitigating risk?

The effectiveness of controls comes down to testing and documentation. High-frequency controls should, if possible, have identified metrics. All incidents and events of specified criteria can also provide information on the state of the control environment, including near misses, as they are often a control failure caught by another control and can provide valuable lessons. Issue management can be a great tool to tie up loose ends in a risk-prioritized manner.

Why do institutions conduct RCSAs and what are the most common material risks to look out for?

RCSA should have a risk taxonomy and provide coverage and inclusion of all applicable risks. I believe an RCSA program should be a comprehensive tool that cuts across all risk types. If the goal is to identify a specific material risk, then the program will likely miss others. Not because they do not exist, but because they are not in scope. If we are not careful, the most common material risks might be all the risks you document.

That brings us to why I think they should conduct an RCSA.

1. To build a risk profile of an area
2. Prioritize risks
3. Connect risk activity to the profile to mitigate or measure
4. Identify Material risks and control environmental weaknesses is an obvious bonus
5. Allowing experts to opine on the risk in areas they know best and document concerns or identify a weakness through the joint conversation with 2nd line partners should improve the risk culture if done correctly.