CHAPTER 6 Risk and Control Self-Assessments

STRUCTURE AND OBJECTIVES OF RCSAS

As the name implies, a risk and control self‐assessment exercise is a process by which a business line, an entity or a division known as the risk assessment unit (RAU) evaluates the likelihood and the impact of each significant operational risk it faces.

RCSAs are workshop-style discussions in which a unit assesses its main inherent risks, identifies the key controls that mitigate them and judges how effective those controls are. What remains, given the current control environment, is the unit's residual risk. Inherent risk is usually understood as the size of the risk exposure before any controls are applied. However, this theoretical definition can seem quite unrealistic to line managers, especially those in highly controlled environments such as IT or finance departments. An alternative, and possibly more workable, definition is the risk that could materialize in the event of multiple control failures.

In RCSAs, risks are most often assessed in their two best‐known dimensions: probability of occurrence and impact if occurring. Some organizations add the notion of “velocity,” which is commonly understood as the speed at which the impacts of a risk materialize in an organization. Velocity may also mean the pace at which a risk evolves in the environment and relates to the concept of risk horizon, i.e. the timeframe in which the risk will become significant for the firm. This is particularly relevant for ...
