RCSA – Mirror, Mirror, on the Wall

RCSA is a critical risk management tool, but its effectiveness is often hindered by poor execution. Issues such as unclear scope, excessive bureaucracy, and a focus on form over substance can lead to unproductive and misleading results. To improve RCSA, organizations should prioritize clarity, efficiency, and a focus on identifying and addressing real risks.








A key element of any toolkit in Enterprise/Operational Risk is Risk Control Self-Assessment, or RCSA. And it happens to be the highly suboptimal, much misunderstood, most bureaucratic, and least productive one of them all, in its setup, execution and results.

At its core, RCSA is about looking in the mirror at yourself, your organization, its processes and the balance of risks and controls…. to assess the risks that face the enterprise,the design of the control framework installed across it, and the effectiveness of the controls. In other words, RCSA is about assessing and testing to ensure that your inherent risks have in fact moved to a residual level that you can live with, that is inside your risk-appetite. Doing it unto yourself before the accidents and events of all types that can come and get you. And doing the scrutiny and the analysis, finding your issues, as an objective exercise, before an auditor or a regulator comes and tell you about them.

Ergo,the true test and the value of this look in the mirror is whether you can see anything other than the handsomest and the prettiest. Do you see the stubble, the warts, wrinkles, droopy eyelids, blackheads… at least enough to understand where the nicks and chinks might be, and what if anything you can and should do about them. Can you get beyond narcissism, idolatry, self-adulation, and an overriding temptation to shut your eyes to anything other than what you want to see… and get to a rational, reasoned view of the shortcomings and vulnerabilities in your defenses.

At far too many places that I go to (certainly at far too many of the big banks), RCSA has become an exercise in futility… huge spreadsheets with tiny font, checkers checking checkers check checkers, copious reports that contain no information and that nobody wants to read.

One reason why RCSA is unproductive is that the frame of reference is so unclear…should we start with organizational units, businesses, processes, risks, controls? What standards and benchmarks and tolerances should we be evaluating against? And not least, should we allow the literary and grammatical shortcomings of a vast horde of people drive away any rational meaning and information that we an elicit from the process. Drop-down windows, anyone?With simple responses of Yes, No, and N/A across key risks and controls. Attachments of Test methods and results? And a simple elegant way to roll-up the views at each sub-level up to some meaningful whole? The fog in the mirror shall yet clear