A common tendency many of us share, on both a personal and a professional level, is that we as humans look outwardly to see or “assess” what can either help or hinder us from achieving our goals.
When it comes to assessing risks in an organization, most commentary you will encounter will follow this tendency – risks from the outside are the only ones that matter.
But what about looking inside?
Isn’t that just as important?
Because as motivational speaker Wayne Dyer explains:
“You cannot always control what goes on outside. But you can always control what goes on inside.”
And I am in 100% agreement.
Although Wayne is speaking on an individual basis, his words also ring true when it comes to a company’s risks. We can’t control external sources of risk; we can only mitigate or accept their effects on our strategic goals. On the other hand, a company does have the ability to control internal sources of risk, especially as they relate to processes.
That is why, at least in my opinion, those mitigations are commonly referred to as “controls” – which can be defined as something put in place to control a situation.
The limited coverage of controls on our blog (see here and here) is not meant to imply they are not important.
Boards are increasingly expected to take an active risk oversight role, management is expected to be responsible for proactively managing risk, while agencies like S&P, A.M. Best, and others look closely at a company’s risk controls before assigning a credit rating.
By controls, what we’re really looking at is the day-to-day execution of business, or put slightly differently, business objectives. I have previously written about linking risks to strategic objectives, so let me clarify – what we are talking about here stems from the company mission. What are the objectives of the business as it is being run on a day-to-day basis? After all, strategy focuses on change and therefore cannot have any controls around it. But the day-to-day business can (and should) have established processes and controls.
Also, controls can be clearly documented and tested for both design and effectiveness.
A Risk and Control Self-Assessment (RCSA) is meant to help business units and company leaders understand how well any controls around business processes are working.
As Tim Leech explains in this white paper, an RCSA is:
“A process that allows work groups to identify or refine the business and quality objectives that they should be fulfilling, while assessing the adequacy of plans and controls that are in place to meet those objectives.”
Typically, an RCSA is driven by processes that are executed within a particular department or functional area. Some companies will have an actual visual process flow like the sample below.
Within each of these processes are risks to achieving the particular objective the process supports.
Conducting an RCSA on each of these processes means asking and answering three questions:
- What are the risks to this process?
- What are the controls?
- How effective are the controls?
These answers will then enable the business to answer the most important question, which is:
- What is the current state of the risk?
For example, if a process must be executed within a certain time frame, what happens if required approvers are unavailable or data from another department or third party hasn’t arrived yet? What if any systems go down, similar to the hack that shuttered cloud-based software that car dealerships rely on?
This RCSA process is then repeated across different business functions/departments. Information that is aggregated from this effort is meant to escalate the higher risks – hopefully, only those that exceed the stated tolerance levels – and to see trends.
Once the business functions/departments complete their self-assessment, ERM comes in to review the findings and possibly ask clarifying questions. Any changes to the risk assessment will need to be agreed upon and performed by the business.
Then, Internal Audit will be able to go in, ‘challenge’ the business function’s findings, and add their perspective. Depending on the level of coordination between Audit and ERM, Audit’s findings could be integrated into the final assessment methodology.
But as is the case with any recommendations from ERM, any changes to risk scores will need to be initiated by the business.
You may be thinking that an RCSA sounds like something Internal Audit would do. Does this mean the internal audit function is obsolete and unnecessary?
The short answer is no…
While an RCSA has its benefits and has become more common in the last 30+ years, note that ‘self-assessment’ can translate into bias.
As we discuss in the above referenced article on ways ERM and Internal Audit can collaborate, just because a business thinks its controls are effective doesn’t necessarily mean they really are.
Internal Audit can provide an extra level of assurance that both regulators and ratings agencies are looking for.
But as the following graphic illustrates, an RCSA will take a more surface-level or “bird’s-eye” view of the entire area. Audit, on the other hand, will take deep dives in a few spots to obtain a different perspective.
Sometimes, Audit will simply confirm the RCSA findings, but not always. There are times when the business will think a control is highly effective and Internal Audit says, “Not so fast.”
In times past, the assessment of controls was handled by Internal Audit or an external consultant. Why did this responsibility change?
In the late 1980s the Treadway Commission became the COSO standard.
As Tim Leech explains in a widely-circulated paper he authored in 1990, there were several drawbacks to what was called the historical or traditional approach. Some of these drawbacks were around cost, but other drawbacks included that it:
- discouraged disclosure of risks being accepted,
- focused on insignificant issues, and
- created a perception that the responsibility for controls falls on auditors.
Among other benefits, an RCSA:
- Demonstrates that the business functions (including the leader) understand both the risks and controls associated with a process that they own.
- Provides comprehensive coverage of all relevant business objectives and areas of the company.
- Enhances accountability and communication.
- Identifies inter-department dependencies.
- Makes employees more engaged and risk-aware.
In an update to his original paper, which I highly recommend checking out, Tim Leech explains:
“The transfer of primary responsibility for control assessment and reporting from auditors and consultants to management and staff is essential if the escalating expectations of stakeholders are to be met, and, if organizations are to survive and prosper in today’s business environment.”
Increased expectations (and even legislative mandates for some industries) that management be held responsible for proper risk management and that the Board take an active risk oversight role make the RCSA approach all the more necessary.
While Audit can come in for targeted, more in-depth reviews to verify control effectiveness and RCSA results, and ERM can provide guidance on how to conduct an assessment, the main effort to understand control effectiveness needs to come from the business.
One linchpin of the success of an RCSA is documentation. If the business and the organization have poor practices around documenting controls, an RCSA isn’t going to work.
However, if a company can overcome this hurdle, there are a lot of good, beneficial insights and awareness that can come out of an RCSA.
For some, there’s no choice, but considering the importance of controls for the purposes of credit ratings and the litigious nature of today’s society, an RCSA ultimately needs to be a part of every company’s risk management practices.
Does your company conduct an RCSA? What kind of ah-ha moments do you see?
We want to hear your perspective! Please feel free to either leave a comment below or join the conversation on LinkedIn.
If your company is struggling to conduct an RCSA, please reach out to discuss your situation and potential options for improving it.