CHAPTER 13 Risk Control Self-Assessments

INTRODUCTION

An initial step in ERM is to identify, assess, and prioritize an organization's key risks. The risk control self-assessment (RCSA) is a common tool that is well established in regulatory guidance and industry frameworks. Companies across all industry sectors use RCSAs for identifying, mapping, and controlling risks that threaten strategic and other objectives.1 Companies that integrate RCSA into the daily activities of their business units will also find it easier to adhere to the growing body of stakeholder expectations and regulatory requirements.

By its very nature, RCSA implementation will vary depending upon a company's specific needs. There is, however, a common process and methodology that all RCSAs follow. We'll begin this chapter with a short overview of risk assessment and the benefits it offers. Next, we'll examine how companies can implement the RCSA process and methodology, including identifying risks, evaluating existing controls, and developing risk mitigation strategies. We'll then look at the short- and long-term post-RCSA processes that help get the most out of the results and increase future efficiency, with an emphasis on common pitfalls and practical solutions. We'll conclude the chapter by examining how to incorporate risk assessment into the business process through strategic planning and review.

RISK ASSESSMENT: AN OVERVIEW

The objective of risk assessment (or RCSA) is to identify, evaluate, and prioritize an organization's ...
