Tips for Understanding the Role of RCSA in Risk Management

Mar 26, 2017

Organizations exist to produce a product or deliver a service and generally have a strategy or a set of goals. Risk management is an organizational discipline that, when combined with strategic planning, ensures that the risk with the greatest potential negative impact on the ability to achieve the organization’s stated goals is identified, analyzed and responded to in an appropriate way (given the risk tolerances of that organization).

In September 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released a 4-volume report titled Internal Control—Integrated Framework. This report presented a common definition of internal control, providing a framework against which internal control systems could be assessed and improved. Around the same time, the Turnbull Report was published and set out internal control best practices for UK-listed companies. After a few years of focus on internal control systems and corresponding internal controls, the management of risk was added to both the COSO and Turnbull reports. This was the genesis of risk and control self-assessment (RCSA) as we now know it.

An RCSA is one tool for surveying or interviewing the business and frontline personnel to understand their view of the risk factors that might impede their progress toward objectives. For each area of concern identified as a potential risk, a set of corresponding controls that would help mitigate the risk or reduce its impact is determined. When an RCSA is used as the only source for risk identification, the organization’s capability to perform risk management is not fully developed, and important risks may go unnoticed. Here are some tips for thinking about how your organization identifies risk that may lead you to a more complete picture of the risk that your organization faces:

  • Do I begin with business goals and objectives and then identify IT-related risk to those business objectives? Many RCSAs are focused on known risk rather than new areas of concern or factors that have not materialized as realized risk yet.
  • Is my organization engaged in actively building skills in risk management? Do we have a common language for risk terms? Risk and controls are complementary, but they are not the same.
  • Do senior leaders in my organization seek out risk management insights to improve performance (not just manage the risk of noncompliance)?
  • Is robust and realistic scenario analysis a primary technique in my risk identification approach? If you are not using the COBIT 5 risk scenarios, consider looking at them and trying to incorporate them into your risk identification process.
  • Do business cases for all strategic initiatives (and major projects) include a detailed and specific description of risk in design, implementation and operations, along with steps to proactively manage that risk?
  • When conducting an RCSA, is the interviewee or survey participant asked about their concerns (that might not be part of the RCSA)?
  • Do I align strategic goals and objectives to a set of control objectives rather than prescribe a set of controls to use? Having a set of control objectives provides the ability to actively manage risk by changing the process or procedures, avoiding the activity that contributes to risk, or detecting a risky activity sooner. Controls are not the only way to manage risk.
  • Do I actively refine control objectives and the associated controls to make them simpler to save time and cost in design, implementation, use and monitoring?

Risk management is an ongoing organizational capability that can be improved over time. The goal is to keep the business operating with minimum impact from a realized risk or incident. Risk and control self-assessments are but one tool in the risk management tool kit. Make sure your RCSAs are robust enough to add value to the risk management process.

Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.
