Tips for Understanding the Role of RCSA in Risk Management

Published by Lisa Young

Organizations exist to produce a product or deliver a service and generally have a strategy or a set of goals. Risk management is an organizational discipline that, when combined with strategic planning, ensures that the risk with the greatest potential negative impact on the ability to achieve the organization’s stated goals is identified, analyzed and responded to in an appropriate way (given the risk tolerances of that organization).

In September 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released a 4-volume report titled Internal Control—Integrated Framework. This report presented a common definition of internal control, providing a framework against which internal control systems could be assessed and improved. Around the same time, the Turnbull Report was published and set out internal control best practices for UK-listed companies. After a few years of focus on internal control systems and corresponding internal controls, the management of risk was added to both the COSO and Turnbull reports. This was the genesis of risk and control self-assessment (RCSA) as we now know it.

Fundamentals of Risk Control Self Assessment

Risk control self-assessment is a process for identifying, examining, and evaluating operational risks that may hamper fulfillment of business objectives, together with the controls established to mitigate those risks. It is common practice to delegate the responsibility for identifying and assessing risks and their controls to domain-specific stakeholders. For instance, the Head of Finance identifies and studies finance-related activities to determine whether they may lead to operational risks that endanger the organization’s likelihood of meeting its established objectives. Subsequently, they examine the efficacy of the controls in mitigating those risks. If the controls are found to be ineffective or flawed, they will need to design and implement new control processes.

Similarly, various other departments, such as asset management, retail banking, supply chain management, distribution, customer service, and information technology, to name just a few, conduct their own risk control self-assessments. The head of each function or department is responsible for ensuring successful execution of the control procedures.

Understanding the role of RCSA in risk management is the first step to ensuring its efficacy. To that end, it’s important to ensure that employees understand the significance of meeting organizational objectives. In the same vein, it helps to increase the awareness of the risk and control assessment policies and procedures throughout your organization. Furthermore, all business functions must ideally work in collaboration to continually test their process controls and improve upon them to reduce operational risks and ensure long-term sustainability.

The Future of Risk Control Self-Assessment in Question

An RCSA is one tool for surveying or interviewing the business and frontline personnel to understand their view of the risk factors that might impede their progress toward objectives. For each area of concern identified as a potential risk, a set of corresponding controls that would assist in mitigating the risk or reducing its impact is determined. When an RCSA is used as the only source for risk identification, the organization’s capability to perform risk management is not fully developed, and important risks may go unnoticed. Here are some tips for thinking about how your organization identifies risk that may lead you to a more complete picture of the risk your organization faces:

8 Tips to Add Value to Your Risk Management Process

  • Do I begin with business goals and objectives and then identify IT-related risk to those business objectives? Many RCSAs are focused on known risk rather than new areas of concern or factors that have not materialized as realized risk yet.
  • Is my organization engaged in actively building skills in risk management? Do we have a common language for risk terms? Risk and controls are complementary, but they are not the same.
  • Do senior leaders in my organization seek out risk management insights to improve performance (not just manage the risk of noncompliance)?
  • Is robust and realistic scenario analysis a primary technique in my risk identification approach? If you are not using the COBIT 5 risk scenarios, consider looking at them and trying to incorporate them into your risk identification process.
  • Do business cases for all strategic initiatives (and major projects) include a detailed and specific description of risk in design, implementation and operations, along with steps to proactively manage them?
  • When conducting an RCSA, has the interviewee or survey participant been asked about their concerns (that might not be part of the RCSA)?
  • Do I align strategic goals and objectives to a set of control objectives rather than prescribe a set of controls to use? Having a set of control objectives provides the ability to actively manage risk by changing the process or procedures, avoiding the activity that contributes to risk, or detecting a risky activity sooner. Controls are not the only way to manage risk.
  • Do I actively refine control objectives and the associated controls to make them simpler to save time and cost in design, implementation, use and monitoring?

Risk management is an ongoing organizational capability that can be improved over time. The goal is to keep the business operating with minimum impact from a realized risk or incident. Risk and control self-assessments are but one tool in the risk management tool kit. Make sure your RCSAs are robust enough to add value to the risk management process.

Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.

Summary

The RCSA can help mitigate risk, but it is just one tool for identifying and addressing risk. If your organization relies solely on the RCSA, it may overlook or neglect crucial risks that remain undetected. Therefore, work to maximize the efficacy of your organization’s risk control self-assessment measures in order to expand and enhance its risk management capability.

Contact Axio today to learn more about how your organization can better manage cyber risk.