Risk & Control Self-Assessments (RCSAs) are critical for monitoring and assessing the risks and associated controls pertaining to various business lines. In our engagements, we have facilitated a multitude of workshop-based RCSAs, bringing together domain experts to assess risks and controls through mathematical tools and improving the processes inherent in various businesses. We have facilitated both top-down and bottom-up approaches for RCSAs, assessing risks based on information collated through process walkthroughs, historical loss data and the external environment. Our RCSA approach involves assessing the inherent risk within any process and gauging the efficacy of controls in terms of operational effectiveness, design and degree of automation to arrive at the residual risk levels.
As a starting point for the RCSA exercise, we develop a Risk and Control Library to define the various processes, sub-processes, operational risk events and control types across all business lines.
- Places risk in the context of business strategy and risk appetite
- Establishes processes of risk assessment and measurement
- Establishes processes and sub-processes within the Basel II defined business lines
- Defines the various risk events across all Basel II defined risk types
- Links the results to performance measures and shareholder value
The key elements in self-assessment include:
- Finalising rating methodology and scales: Impact and Likelihood
- Defining and identifying the types of risks and the various risk events therein
- Defining and identifying specific controls
- Assessing and rating the controls
- Assessing residual risk
- Monitoring of risk events within each business line
- Operational risk reporting and documentation