Wednesday, March 9, 2011

Best Practice RCSA Framework

For a long time, Control Self-Assessment has been a recognised, industry-wide approach used by both operational risk and audit departments to assess whether a specific business function is operating its controls effectively. The program is supposed to identify whether any control breaches occurred during a reporting period and how well each control fits within the wider network of controls.

In this post we highlight the key points for making a Risk Control Self-Assessment (RCSA) program a success, and a presentation is included below which outlines a best practice RCSA method.

Most organisations accept that the guard dog standing between a driver or hazard for operational risk and its associated unwanted outcome is the control network. It follows, of course, that most organisations put activities in place for assessing these controls.
Five key factors that should feature in any Risk Control Self-Assessment program are:

[1]  The RCSA process needs to follow formalised, discrete phases that roll the program out across the entire organisation. The first phase involves setting ground rules and building the control questionnaires; these questionnaires are then linked to the enterprise taxonomy of the business. RCSA programs generally fail if this activity is not carried out in a transparent and comprehensive manner.
[2]  The RCSA control capture activity also needs to typecast controls and assign each control to a specific risk category. This allows benchmarking to occur at a later date, once control effectiveness data has been captured. Control typecasting also allows RCSA programs to be integrated with other operational risk framework elements such as loss event data.
[3]  RCSA data points need to be stored in a repository of some kind so that reports can easily be generated over time.
[4]  Self-assessment questions need to be taxonomy compatible, carry accuracy ratings and be workable in a standardised manner across the enterprise.
[5]  The RCSA program itself must be sensitive to human or behavioural biases, including Darley's Law, myopia, herd mentality and subjectivity.
Darley's law concerns the way people respond to rewards and punishments once a measure is tied to them. In one example, in the context of RCSA, I remember clearly when a department marked all of its controls as failing in the first month of assessment, only to claim these controls were corrected in subsequent months. The game played by management here was to use this fictitious control improvement as a reason to justify bonuses for the entire department.
Myopia is about framing. If a control assessment question is phrased negatively, it will draw a different response from highly risk-averse people than from risk takers. Posing the same question in a positive manner may produce a different assessment response for the same condition, even though nothing about the control has changed.
Organisations are full of glass-half-empty people at one end of the scale and optimists at the other. These groups respond to negatively and positively framed questions in opposite ways.

Herd mentality is the most annoying issue with RCSA programs. Staff in departments tend to collude with each other when completing their RCSA questionnaires, and it isn't uncommon to hear team members ask each other "what did you put as an answer for question x". They do this in an effort to fit in with the perceived norm and with the benchmark they believe the organisation expects. This herd mentality of course produces erroneous responses, and counteracting the behaviour is particularly difficult.
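To make factors [2], [3] and [5] concrete, here is an added example (not code from the original post or its presentation) of a minimal RCSA repository: responses are typecast by risk category and weighted, weighted failure ratios are computed per period and category for benchmarking, and two checks flag the gaming patterns described above, a department whose controls all fail in one period and are all cured in the next (the Darley's law anecdote), and a department whose respondents all submitted an identical set of answers (herd mentality). The departments, respondents, control identifiers, weights and thresholds are all constructed for illustration.

```python
"""Added example: a small RCSA response store with control typecasting,
weighted failure ratios and two anti-gaming checks. All data is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    period: str          # reporting period, e.g. "2011-01"
    department: str
    respondent: str
    control_id: str
    risk_category: str   # control typecast, links the control to the risk taxonomy
    weight: float        # relative importance of the control in the weighted ratio
    passed: bool         # self-assessed: the control operated effectively


# Constructed control register: (control id, risk category, weight).
CONTROLS = [("C1", "fraud", 3.0), ("C2", "fraud", 1.0), ("C3", "it", 2.0), ("C4", "it", 1.0)]


def _responses(period, department, per_respondent):
    """Build Response rows from {respondent: {control_id: passed}} using CONTROLS."""
    meta = {cid: (cat, w) for cid, cat, w in CONTROLS}
    return [Response(period, department, resp, cid, meta[cid][0], meta[cid][1], ok)
            for resp, answers in per_respondent.items() for cid, ok in answers.items()]


ALL_FAIL = {"C1": False, "C2": False, "C3": False, "C4": False}
ALL_PASS = {cid: True for cid in ALL_FAIL}

# Constructed repository: "treasury" reproduces the all-fail-then-all-cured pattern with
# identical answers from every respondent; "ops" gives varied, plausible answers.
SAMPLE = (
    _responses("2011-01", "treasury", {"alice": ALL_FAIL, "bob": ALL_FAIL})
    + _responses("2011-02", "treasury", {"alice": ALL_PASS, "bob": ALL_PASS})
    + _responses("2011-01", "ops", {"carol": {"C1": True, "C2": False, "C3": True, "C4": True},
                                    "dan": {"C1": True, "C2": True, "C3": False, "C4": True}})
    + _responses("2011-02", "ops", {"carol": {"C1": True, "C2": True, "C3": True, "C4": False},
                                    "dan": {"C1": True, "C2": False, "C3": True, "C4": True}})
)


def _weighted_ratios(responses, key):
    """Weighted failed / weighted total, grouped by key(response)."""
    failed, total = defaultdict(float), defaultdict(float)
    for r in responses:
        k = key(r)
        total[k] += r.weight
        if not r.passed:
            failed[k] += r.weight
    return {k: failed[k] / total[k] for k in total}


def weighted_failure_ratio(responses):
    """Benchmark view: failure ratio per (period, department, risk_category)."""
    return _weighted_ratios(responses, lambda r: (r.period, r.department, r.risk_category))


def flag_fail_then_cure(responses, high=0.9, low=0.1):
    """Darley pattern: a department near-total failure in one period, near-total cure in the next.
    Returns [(department, earlier_period, later_period), ...]."""
    by_dept = defaultdict(dict)
    for (dept, period), ratio in _weighted_ratios(responses, lambda r: (r.department, r.period)).items():
        by_dept[dept][period] = ratio
    flagged = []
    for dept, series in sorted(by_dept.items()):
        periods = sorted(series)
        for a, b in zip(periods, periods[1:]):
            if series[a] >= high and series[b] <= low:
                flagged.append((dept, a, b))
    return flagged


def flag_identical_answer_sets(responses, min_respondents=2):
    """Herd pattern: every respondent in a department/period submitted the same answer vector.
    Returns sorted [(period, department), ...] worth a follow-up conversation."""
    vectors = defaultdict(dict)  # (period, dept) -> respondent -> {control_id: passed}
    for r in responses:
        vectors[(r.period, r.department)].setdefault(r.respondent, {})[r.control_id] = r.passed
    flagged = []
    for key, per_respondent in vectors.items():
        if len(per_respondent) < min_respondents:
            continue
        distinct = {tuple(sorted(v.items())) for v in per_respondent.values()}
        if len(distinct) == 1:
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    for k, v in sorted(weighted_failure_ratio(SAMPLE).items()):
        print(k, round(v, 3))
    print("fail-then-cure:", flag_fail_then_cure(SAMPLE))
    print("identical answer sets:", flag_identical_answer_sets(SAMPLE))
```

Both flags are prompts for a conversation with the department, not proof of gaming: with a short questionnaire, identical answers can occur honestly, and a genuine remediation programme can cure most controls in one period. The thresholds `high` and `low` are assumptions to tune against the organisation's own history.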

The presentation attached to this posting discusses these unique elements of RCSA and their hurdles. It shows how discriminant analysis can be used to create failure ratios and how weighting controls may improve the accuracy of a control self-assessment program.
The presentation can be viewed here: View Presentation


  1. Valuable information and excellent design you got here!

    Web Design

  2. Can't seem to get the presentation to open up

  3. This has been tested on several browsers and appears to be working.

    If you need to contact us please fill out the form at this location


    And we will address your requirements in due course.

  4. Hi! Can't download the presentation. Kindly send through email. Thank you and more power.

  5. I would be more than happy to provide the presentation however I can't send it through to you because no email address was provided.

  6. Marti, mate. Stumbled across your blog by accident. Good to see you are still very active in the risk community. I've returned to the UK and am currently working on an RCSA program at JPMorgan Chase. All the best, Richard de K