
Accenture Risk Management

Deriving Value from a Risk and Control Self-Assessment Program

Risk and Control Self-Assessment (RCSA) is a framework that can be used by a firm to analyze its operational risk profile. Since operational risks are inherently embedded into each function or process, an RCSA program can be useful in providing an enterprise view of the firm's operational risk profile when there is comprehensive participation by each business unit throughout the organizational structure.

The RCSA is the vehicle of choice for many financial institutions for meeting operational risk assessments as required by Basel II and many local regulatory bodies¹. In those institutions, the annual RCSA exercise is typically undertaken to comply with regulatory requirements calling for a firm-wide self-analysis of operational risks. In its most general format, an RCSA requires the documentation of risks, identifying the levels of risk (derived from an estimate of frequency and impact), and controls associated with each process conducted by the organization. To simplify the output and better organize the assessment approach, the exercise is generally conducted at the business unit level. For regulatory purposes, each business unit assessment is typically collected and presented as a comprehensive repository of assessed operational risks.

There is a spectrum of how organizations can approach their RCSA program. Some treat it as a "check the box" activity and invest minimally in both time and resources, just enough to satisfy regulatory obligations. On the other hand, some view the RCSA as a value-added risk management tool and invest accordingly. Investments in technology, reporting capabilities and personnel are necessary to meet even basic regulatory requirements; however, unless the RCSA is appropriately structured, minimal investment may beget minimal value.

Basel requirements call for regular, independent evaluations of a bank's policies, processes and systems related to operational risk as part of the assessment of the framework.

Characteristics of Value-Added RCSA Programs

There is no single correct way to complete an RCSA, and the approach will vary depending on the culture, structure and goals of an organization, but there are commonly observed best practices that organizations deriving value from the process are implementing and that are helping shape the profile of the next generation of RCSAs. While these are based on experiences at leading-edge banks, they are applicable to anyone conducting RCSAs.

1. Effective RCSA Programs do not Exist in a Vacuum

The RCSA program should act as the crossroads for all initiatives under the firm's operational risk program. Risk metrics such as key risk indicators (KRIs), internal loss events and external events should contribute to the risk identification process, ensuring the organization has considered all readily available data and keeps assessment owners honest. Many organizations are also adopting standard language or taxonomies to help define the organization's processes, risks and controls, to increase data transparency and allow for aggregation of data across assessments. As an additional benefit, an organization that defines these standard libraries is often able to map RCSA data to other programs such as loss event data and audit items, among others. This allows opportunities for additional analysis on the data and can enable management to take a broader view on risk and issue management across the firm.

2. A Complete View of Risks and Controls

Completeness is important to performing more value-added analysis later in the RCSA program. For example, gap analysis for the control environment is complete only if all key risks and controls have been identified. The RCSA program should account for all information revealed through internal audits, Matters Requiring Attention (MRA), Matters Requiring Immediate Attention (MRIA), Federal Reserve Observations, and other risks that have been highlighted in regulatory and audit findings. The use of internal and external loss data can also help promote completeness in the identification of relevant risks. Ideally, each business unit conducts an assessment that is mutually exclusive, is collectively exhaustive when identifying its processes, risks and controls, and provides an all-encompassing analysis of the functions performed.

Once the universe of controls and mitigation measures has been identified, the business unit can partner with the various control functions to conduct the control testing phase of the RCSA. Control testing is critical to a mutual understanding of expectations and actions across business units and between the front and back office.

With the full suite of controls rated and tested, the organization may start investigating possible synergies between various controls and technology, such as a manual control that is ripe for automation.

A strong RCSA program will provide information to senior management and the heads of business units, so that specific issues within their respective areas can be addressed and corrective measures, based on criticality, can be implemented to achieve improvements in the control environment in the most efficient and cost-effective manner. Given the complexity of financial organizations, a complete RCSA program can be an optimal tool for encouraging such a dialogue.

3. Clear Methodology for Trend Analysis

A properly implemented RCSA program should recognize patterns indicating undue concentration of risk or potential control failures. Time series analysis can establish risk impact trends and highlight whether controls in place actually reduce residual risk impact. Trending analysis can also be conducted around control environments and/or suites of controls. By aggregating the suite of controls related to a particular risk, the effectiveness of the controls can be assessed as a group and improvements can be made to the overall suite rather than to individual controls.

4. Method of Identifying Non-Financial Risks

Generally, losses that relate to dollars and cents are forefront in the minds of business unit managers; however, the impact to reputation or of regulatory violations may, at times, far exceed the true dollar loss. A strong RCSA program will have a methodology for identifying and quantifying the risk impact of these non-financial events, and will guide assessors to consider the current political and regulatory environment as well as other topical considerations in the marketplace.

5. Think Outside the Box

Risk and Control Self-Assessment can provide organizations with a new opportunity to identify and plan for unexpected or emerging risks. These may include new operational risks resulting from shifts in the regulatory or operational environment that have been outside the scope of previous RCSAs or audits.

Furthermore, organizations may be able to use RCSA as a means of executing a firm-wide review of headline risks that plague other firms: e.g., rogue trading, operational issues surrounding a hot IPO, or other major operational failures. The review of new products, processes, activities and systems can be helpful to business unit managers in verifying the risks an organization is taking on and whether they are, or remain, in line with the firm's risk appetite as required by Basel II.

An RCSA program can offer significant value to an organization, but more so to firms willing to take the steps necessary to go beyond basic regulatory requirements and create an effective tool for risk identification and management. Firms willing to devote the required time and resources to create an effective RCSA program may find that the return on their investment in terms of risk identification, avoidance and mitigation is very high indeed.

6. Use RCSA Data to Support Strategic Budgeting

Risk and Control Self-Assessment can also be used to paint a clear picture of why expenditures and resources are being deployed to targeted problem areas within the company. By generating quantifiable data on technology and control budget expenditures, the RCSA program can help in the development of corrective action plans to further substantiate the need for added resources or capital investments and to help rectify areas experiencing control deficiencies. Additionally, a comparison can be made between the critical risks identified through the RCSA against a department's budget to make it more likely that funds are available to address key issues.

Despite many challenges, firms are more able to optimize their RCSA implementation program and add real value to the organization. The partnership between risk management and business units is essential in understanding the value of the time and effort spent on the RCSA program. This value is especially evident as business units and enterprise functions partner to identify and mitigate operational risks throughout the organization.

Common Challenges and Potential Solutions to Effective RCSA Implementation

Challenge: Operational environment does not change dramatically; diminishing marginal utility of assessment after first year
Potential solutions: Encourage fresh perspective by inviting new team members to participate in the assessment. Look for improvement in control environment. Consider emerging risk and current topics.

Challenge: RCSA does not identify tail events
Potential solutions: Conduct workshops to focus on emerging, thematic risks. Leverage scenario analysis to identify unexpected events.

Challenge: The assessment is not taken seriously
Potential solutions: Focus on developing a risk culture that embraces the process. Require business units to assume accountability by formally accepting or presenting detailed plans to mitigate high/critical risk events.

Challenge: Resource constraints in completing the assessment
Potential solutions: Prioritize the RCSA as an important tool in risk identification and regulatory reporting. Risk culture should be supported by the C-suite, and staffing and budgeting plans should reflect the needs of the RCSA program.

Challenge: Issues with quantifying/assessing certain elements of the assessment
Potential solutions: Incorporate non-financial loss impact values in the RCSA.

Challenge: Difficulties in conducting trend analysis
Potential solutions: Standardize the terminology used in the identification and assessment of the risks and controls (i.e., define standard risk and control libraries or taxonomies). Recognize the RCSA as a long-term investment and have a method for normalizing data if business conditions change.

Challenge: Managers review and rate similar risks differently
Potential solutions: Recognize the subjective nature of the RCSA but promote consistency through standardized terminology and the overall assessment process.

Challenge: Business units lack data for RCSA
Potential solutions: Incorporate all available information into the assessment. Leverage internal and external loss data and compare risk and controls to internal metrics (key performance indicators/key risk indicators).

Challenge: Issues with aggregation, especially of non-financial risks
Potential solutions: Utilize standardized taxonomies to identify risks and controls and a standard rating scale to assess impact, likelihood, and effectiveness measures. Map risks and controls to budget items to allow for the aggregation of strategic budgeting.

About the Authors

Chris Thompson
Chris is an executive director, Risk Management, Banking and Capital Markets North America, New York. Specializing in complex, large-scale finance and risk programs, he works with some of the world's leading retail, commercial and investment banks. Chris brings his nearly 20 years of broad-based experience in financial architecture, risk management, performance management and trading to organizations determined to become high-performance businesses.

Meera Kakad Gondha
Meera is a senior manager, Risk Management. Based in Charlotte, N.C., and with 10 years of industry and consulting experience with a focus on operational risk, Meera works with banking and capital markets clients to help them define, implement, and monitor their Operational Risk programs.

About Accenture Management Consulting

Accenture is a leading provider of management consulting services worldwide. Drawing on the extensive experience of its 16,000 management consultants globally, Accenture Management Consulting works with companies and governments to achieve high performance by combining broad and deep industry knowledge with functional capabilities to provide services in Strategy, Analytics, Customer Relationship Management, Finance & Enterprise Performance, Operations, Risk Management, Sustainability, and Talent and Organization.

About Accenture

Accenture is a global management consulting, technology services and outsourcing company, with more than 249,000 people serving clients in more than 120 countries. Combining unparalleled experience, comprehensive capabilities across all industries and business functions, and extensive research on the world's most successful companies, Accenture collaborates with clients to help them become high-performance businesses and governments. The company generated net revenues of US$25.5 billion for the fiscal year ended Aug. 31, 2011. Its home page is www.accenture.com.

About Accenture Risk Management

Accenture Risk Management consulting services works with clients to create and implement integrated risk management capabilities designed to gain higher economic returns, improve shareholder value and increase stakeholder confidence. For more information about Accenture Risk Management please visit www.accenture.com/riskmanagement.

Copyright 2012 Accenture. All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture.

12-2944
