RCSA Application
Risk Control Self-Assessment (RCSA) is a major, and often mandatory, exercise that businesses conduct to test the design and effectiveness of internal controls, and to ensure that controls are reducing the inherent risk to the extent they were designed to.
RiskCounts provides a comprehensive RCSA Application that allows organizations to conduct their quarterly risk-control reviews, with simplicity and workflow execution on a single platform. The RCSA provides an inbuilt issue-tracking and remediation module but can also easily be integrated with other issue and incident management systems that an organization may already be using.
RCSA Dashboard
- The dashboard views can be customized to client need. A full range of Analytics is available. These include:
  1. RCSA process
  2. Bottlenecks
  3. Key Risk issues
- Control and Residual Risk Ratings, changes, distribution, dispersion
- New Remediation with timeline, status, aging
- Open remediation items from the past with aging, slippages, re-prioritization, rescheduling
- Trend over the last four Quarters in RCSAs conducted
- Provides overall ratings, average outstanding issues for the past RCSAs and issues closed
RCSA Set-Up
- A full list of Assessors is set up in the system – default is that All Employees are assessors
- List of Business Units and designated Unit Heads is set up
- Risk Management is set up as the third key “role”
- Controls categories are defined; Policies & Risks are tagged to Controls categories
- Key elements in each Control Category are identified as distinct Control Procedures
Role of an Assessor
- Assessors assess each control category by answering a set of key questions for each Control Section
- Questions focus on Control failures, Test documentation, and Control effectiveness
- Assessors rate Control Effectiveness on a scale. They also draft any Remediation required and submit rating and remediation to Business Unit Head/RCSA coordinator
Ratings Aggregation by RCSA Coordinator
- Business Unit Head/RCSA Coordinator finalizes the control ratings for each key risk and/or risk policy
- Coordinators also finalize draft remediation details and submit to Risk Management
Finalization by Risk Management
- At inception, Risk Management identifies and assesses the Inherent Risks jointly with the First Line of Defense
- The RCSA follows a questionnaire for the assessors, and based on their responses, the business unit coordinators summarize the risk
- The Risk Manager finally aggregates the ratings of the various business unit coordinators to come up with a final rating or ratings on the effectiveness of controls
- The Risk Manager determines the Residual Risk based on the effectiveness of the controls as rated by the assessors (an optional algorithm is provided in the system), consolidates ratings and remediation details, and derives Residual Risk ratings
- Obtains all required Analytics on the RCSA process, Ratings, and Remediation
- Finalizes any report or presentation, and escalation and training based on RCSA results
Issue Management & Remediation
- All Control items rated as “Needs Improvement” automatically ask for Remediation plans: Assessor provides Draft Remediation
- Business Head approves, consolidates, and submits Final proposed remediation
- Risk Management finalizes all Remediation, and completes details
- Remediation is managed as a full project-plan with identified ownership, dates, priority
- Remediation can be actively tracked at all levels
- Enables central recording, prioritization, resource-allocation, tracking, and project-management of issues, and reviews by Risk Management
- Business and Risk Management/Legal/Compliance can be on top of all issues at any given time