RCSAs: Championing “Do It Yourself”
Far from being a tedious or irrelevant process, Risk and Control Self-Assessments…
Far from being a tedious or irrelevant process, Risk and Control Self-Assessments (RCSA) are an excellent way for organisations to identify where their shortfalls may lie, in a controlled, structured manner, without publicly exposing their vulnerabilities. RCSAs are an integral part of the operational risk management framework, and as continued operations are pivotal to maintaining the organisation as a going concern, RCSAs are imperative to the improvement of the understanding, control and oversight of the company in its efforts to identify, assess, control and mitigate the risks which challenge it on a daily basis. Not only are RCSAs capable of pinpointing where risks lie, they also help companies anticipate their needs, thereby allowing them to deploy their resources for maximum effectiveness.
How do they do that? Firstly, implementing RCSA requires a great deal of feedback and consultation, which implies extensive collaboration within the organisation, which in turn means that the days of working in silos are numbered. People are going to have to share information if they want the RCSA to work for them. And they will have to take responsibility for many things which perhaps did not come under their purview before this – which may put them out of their comfort zones, initially. But all this is in furtherance of a common objective: to know how to better manage and utilise resources, and how to align this with overall strategy.
A big advantage of an RCSA is its self-assessment component. Because it is internal, staff are encouraged to assume shared responsibility for the controls that organisations identify as necessary. This leads to a more collaborative management and the development of stronger buy-in by employees who may have hitherto been disengaged from the process because they saw themselves in limited roles. This is one way that RCSAs are pivotal to the development of the organisation’s risk culture, where everyone sees that the challenges which affect the company are challenges which will ultimately affect them, and moves to mitigate these before they get out of hand.
RCSAs are also effective in the way they are structured to make feedback from all levels an imperative. This simultaneously spurs staff to be proactive and vigilant, and may bring to light risks that may not have been apparent. One of the main grouses against RCSAs is that the process is a time- and resource-consuming one but time and resources will be well spent if formerly under-the-radar risks come to light. For instance, medical facilities cannot wait for an emergency to happen, to discover that they do not have enough personal protection equipment. They do not know when such an event will occur, or how severe it will be, but they do know that they have to be prepared for any eventuality.
For RCSAs to be effective, information-gathering should be applied across the organisation, and be an ongoing exercise. This can be in the form of surveys or questionnaires, or a series of workshops where employees can directly give their feedback. When mechanisms for these sessions have been put in place, they need to be supported by comprehensive documentation, so that a big picture or macro view can be constructed of what the organisation’s operational risks really look like, thereby indicating what direction it must take to mitigate them. Companies will find that RCSAs can be quite empowering for both the firm itself and its individual employees as they start feeling invested in the process, and an appropriate risk culture develops.
Again, this prods the firm in the direction of achieving another of the aims of RCSAs: integrating risk management practices into the way work is undertaken by the firm’s employees. As employees start to feel increasingly empowered, they will begin to align the way they work more closely with the company’s strategy and objectives while developing the ability to assess and manage operational risk in their own areas of responsibility as they do so. Organisations which implement RCSAs should note that these workshops and sessions should be structured and conducted according to an organised schedule so that any changes can be identified, and updates can be made to accommodate the dynamic business environment.
The reason for including people from as many relevant departments or business units as possible is that each one of them will have a different idea of what constitutes operational risk according to their own operating realities. As individuals too, they may not be able to avoid bias, so larger numbers of participants may provide more far-reaching and in-depth perspectives. If the culture of the organisation permits, other stakeholder groups can also be included in these sessions so that different perspectives from outside the organisation can be obtained to help in making a more comprehensive assessment. But these inclusions will be at the discretion of the organiser/organisation.
As each department or unit identifies its respective risks, it also begins the thought processes necessary to mitigate those risks. In that sense, RCSAs have the potential of jump-starting the entire risk conversation of an organisation, including laying the foundation of its risk culture, besides identifying the possible source of future risks – in short, pinpointing areas within the firm that are in need of further attention which may have slipped under the radar, and setting timelines for their mitigation. At the end of the session, each department or unit can confidently draw up its Operational Risk Registers and know that when the chips are down, others will realise what is at stake, and provide unstinting support.