Increasing the effectiveness of Risk and Control Self-Assessment (RCSA)
The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.
David Box, Vice President, Single Family Operational Risk, Fannie Mae
How has the RCSA evolved throughout the years?
Since its inception, the Risk and Control Self-Assessment (RCSA) has been an effective tool for process and risk owners to identify their risks and associated controls, and then determine their effectiveness in managing the risk identified through the controls in place. Various levels of oversight, both internal and external to organizations, have found value in this data as part of their assurance and regulatory functions. As time has progressed, Enterprise Governance, Risk, and Compliance(eGRC) technology tools have increased their scope and value related to RCSA, now providing automated heat mapping, smart searchable risk and control inventories, and much more. The rise of predictive analytics opens a new frontier for the RCSA to evolve as a tool to get in front of risk rather than a lagging indicator established through a point in time exercise.
What are the best practices to improve the process, risk, and control data?
Accurate and timely information is key to an effective RCSA and it all starts with the risk and control data aligned to your enterprise process taxonomy. As a best practice, resources and capacity should be spent initially to create an enterprise taxonomy if one does not exist. If there is already a taxonomy in place, focus should be spent on reviewing for relevancy to pockets of risk and revised to ensure completeness. After this body of work is underway and substantially completed, focus moves to creating an initial baseline of your risk and control population, aligned to the process taxonomy – commonly referred to as the process, risk, and control relationship, or PRCR. This establishes the initial baseline that must be reviewed and updated regularly based on process changes and new initiatives. To be effective, this update must be integrated into the organization’s risk assessment policies and standard process, and also incorporated into the second line risk’s effective challenge review.
Why are first and second line partnership important?
In today’s business and regulatory environment, additional responsibility has been granted to and is expected of the first line to manage and own its risk. While this may not be a change at many organizations, additional requirements have led to the establishment and increased importance of first line risk teams who are required to partner with the second line risk oversight organizations to manage risk effectively and meet expectations as set by the Board. This relationship and partnership drive effective risk management. The second line teams must champion this partnership while also maintaining the level of independence required to meet their oversight responsibility and serving as a consulting resource and risk management expert across the company. While the first and second line risk teams ultimately serve and fulfil different mandates, effective partnership and sharing of information must be within the culture and norms of a company to thrive long term.
Where do we go from here? What are the next steps on the transformational journey?
The risk management journey is one with many off-ramps and opportunities to change course. To be effective, flexibility is a must to learn and change course in response to market, regulatory, and other requirements or expectations. As businesses continue digital transformation efforts, forward-looking risk managers must seek ways to better establish and use data to drive risk identification and seek out pockets of new or unidentified risk. eGRC technology tools continue to develop their capabilities to assist in this work, but more is needed to work with different disparate data sources – both structured and unstructured. The risk professional who is accountable to build the relationship is more important than ever, but data routines must be further developed and implemented to assist executives and Board with where to focus their human capital. Risk managers must seek routines to use the resources in place to do more in this ever-changing and transforming marketplace. This can only be done through the utilization of data to drive decisions through better risk identification and control automation.
David will be speaking at our upcoming Operational Risk Management USA Congress, taking place on October 12-13 at Etc Venues Lexington.
You may also be interested in…
Have you made your free account?