A Guide to Risk Control Self Assessment

What is operational risk?

Operational risk is the risk that a business is negatively affected due to insufficient policies, systems or practices, or as a result of external events. As such, operational risk events may include events such as system failures, human error or fraud, as well as pandemics, natural disasters and terrorist attacks.

The impact of an operational risk event can be significant, ranging from financial loss and business disruption to reputational damage. Businesses will have a range of controls in place to protect the organization from different types of operational risk. However, it is important to ensure that any controls are working effectively – otherwise they may fail to protect the organization, and could even lead to a false sense of security.

What is Risk Control Self Assessment? And what are the benefits?

The RCSA operational risk assessment process is used to identify and evaluate operational risks, and gauge the effectiveness of the organization’s controls in managing those risks. As such, it provides multiple benefits for organizations, from improving the effectiveness of controls to increasing business efficiency. That said, an RCSA is not a standalone activity, but should be integrated into the company’s operational risk management framework.

As well as helping to assess operational risks and identify weaknesses in controls, RCSA can play an important function by raising awareness of operational risk within the organization and improving the company’s risk culture. It can also support governance and compliance, as well as reinforcing the efforts of internal and external auditors.

There are different ways of carrying out RCSAs. One is to conduct RCSAs for specific events, such as a cyberattack or power outage. Another approach is to focus on specific organizational processes and identify potential risks within those processes. Once an RCSA has been carried out, it should then be reviewed on a regular basis, such as annual. RCSAs may also be updated in response to changes in the risk environment in between reviews.

An RCSA can be used by senior management for the purpose of top-down risk assessment. It can also be carried out on a bottom-up basis. Organizations may carry out both top-down and bottom-up RCSAs in order to identify strategic-level risks as well as local operational risks.

Special Report: Treasurer’s Blueprint for Transformation

Understanding the RCSA process

Broadly speaking, risk and control self assessments involve the following actions:

1. Identify risks. Determining which risks should be covered by an RCSA.
2. Assess risks. Assessing the likelihood that an adverse event could take place, and the possible impact of that event.
3. Assess speed of risk. How quickly could a situation escalate from bad to critical?
4. Identify and assess controls. For all of the risks identified, the company should identify the controls that are in place to manage those risks, and assess the effectiveness of those controls to identify any improvements that may be needed.
5. Develop an action plan. When control weaknesses or deficiencies are identified, companies need to create a suitable action plan to resolve the issues.
6. Monitor progress. The actions taken as a result of the plan should be monitored to ensure any weaknesses that have identified are being addressed.

These steps are explored in more detail below.

1. Identify risks

At the beginning of the RCSA, operational risk assessments should include identifying risks and grouping them into manageable categories. This is sometimes achieved by holding a workshop with key stakeholders, which may be facilitated by a relevant expert. In other cases, firms may use a survey or questionnaire to gather the necessary information – either instead of a workshop, or alongside it. External auditors may also be involved in the process.

2. Assess risks

The RCSA should assess both the probability of a particular risk event, and the likely impact of that event – such as the maximum expected financial loss. In the context of treasury, assessing risks could mean looking at the possible impact of scenarios such as:

• Changes in accounts receivable – could the scenario result in longer Days Payable Outstanding (DPO)?
• Impact for suppliers – how might the company’s suppliers be affected? Is there a risk that the company could struggle to obtain important goods or raw materials as a result of product shortages or the failure of key suppliers?
• FX volatility – could global market changes result in higher than usual FX volatility? If so, what would this mean for the company’s cash inflows, cash outflows and financial statements?
• Cyber risk – how might the company be affected in the event of a cyberattack?

Key to the RCSA operational risk process is the need to assess the likelihood that specific risk events might occur. This will vary from company to company, and some industries can be affected more severely than others by the same adverse events. For example, the impact of the COVID-19 pandemic on aviation and hospitality firms was wholly different to the impact felt by retail companies.

3. Assess speed of risk

As part of an RCSA process, companies should understand how quickly a particular situation could unfold. For example, during times of crisis such as a pandemic, what would be the impact of customers taking longer to pay – and how quickly could this become problematic?

To answer these questions, treasurers should consider the different ways that a particular situation might unfold. With a greater understanding of different scenarios, treasurers will be better placed to understand the actions available to them, and assess which might be the least costly.

4. Identify and assess controls

Part of the RCSA process is to carry out a control risk assessment by assessing whether existing controls are sufficient to protect the business from loss.

The next step should therefore be to identify the controls already in place to mitigate the risks that have been identified by the RCSA. As well as identifying any gaps that need to be addressed, control assessments should also involve checking whether the existing controls are working as expected. This may involve carrying out a subjective assessment of controls, and/or testing and monitoring the effectiveness of controls.

Special Report: Treasurer’s Blueprint for Transformation

For corporate treasurers, a few options are available when it comes to managing risks. These can be categorized as follows:

• Avoid the risk
• Transfer the risk, for example by taking out insurance
• Mitigate the risk through proper planning

5. Develop an action plan

As part of the RCSA framework, it’s important to have a corrective action plan in place identifying any weaknesses in the existing controls and setting out how this will be addressed. Actions should be allocated to specific users. Weaknesses could include:

• Absence of control for a particular risk
• Control currently in place is insufficient to mitigate the relevant risk
• Controls are found to be ineffective
• Controls in place are found to be obsolete or excessive

Actions captured in the action plan should be specific, achievable and quantifiable. Expected timelines should also be recorded to ensure that weaknesses are addressed in a timely manner.

6. Monitor progress

Once an RCSA has been conducted, the results of the process should be monitored to ensure that corrective actions have been carried out. The effectiveness of the RCSA should also be reviewed over time.

Avoiding the pitfalls

In practice, RCSAs are not always as effective as they should be. For one thing, RCSAs can be out of date – the control risk assessment process needs to provide an up-to-date view of the risks faced by the organization if it is to be effective. Other challenges can include the time and resources involved in the RCSA process, as well as a lack of clarity over the effectiveness of the controls being assessed.

Another concern is the risk of subjective bias – an issue that can be addressed by including multiple people in the RCSA process. Different RCSAs should also be compared to ensure the approach taken is consistent across the organization.

Being prepared for a crisis

When it comes to planning for a crisis, an important consideration for treasury is understanding of the sources of cash available. For example, would the company have enough cash available across its existing credit lines in the event of a particular crisis? If not, this could prompt treasurers to negotiate additional credit lines with their banks to ensure that sufficient liquidity will be available if the need arises. Other courses of action might include reducing spending or selling investments to free up liquidity.

Equally treasurers should have an understanding of how the company can unwind from a crisis situation. Where RCSAs are concerned, there should be a process in place to ensure that if a crisis does occur, any lessons learned are recorded, with plans updated accordingly for any future crisis.

Harness real-time technology

In a fast-evolving situation, speed of execution is crucial. The company needs to stay on top of any changes and act rapidly to address the risks. As such, real-time technology has an important part to play in strengthening the company’s risk management capabilities.

With the right technology in place, companies can enhance their ability to apply the right measures as quickly as possible. Real-time technology can also give companies the tools they need to spot any instances of fraud at the earliest opportunity.

Visual tools can play an important part in protecting the company from the risk of an adverse event. Dynamic graphs and charts can present an opportunity to spot any changes in the company’s debits and credits, making it easier to carry out trend analysis.