CHAPTER 8 Risk and Control Self-Assessment

8.1 INTRODUCTION

The Risk and Control Self-Assessment (RCSA) is the process of identifying risks and their associated controls. The result of the RCSA is sometimes called the risk register, the heat map, or simply the RCSA. In the remainder of this section, we will use the acronym RCSA interchangeably for the process and for its result.

In the first version of the document “Sound Practices for the Management and Supervision of Operational Risk”[1], the Basel Committee stated that “Risk identification is paramount for the subsequent development of a viable operational risk monitoring and control system.”

The risks facing an organization are not known a priori; they cannot be obtained from the outside. They depend on the objectives of the organization and on its environment, and therefore evolve over time. Finally, and most importantly, risks are only perceptions, and so they depend on the people who have identified them.

Risk identification is always a trade-off between creativity and systematic process. Creative thinking is a good way to identify new vulnerabilities, but it is subject to various biases that can result in major risks being missed. On the other hand, systematic approaches can rapidly become extremely administrative and boring, and they are not immune to missing new risks either.

In the 2011 version of the document[2], under Principle 6, “Identification and Assessment”, the Basel Committee provides examples of tools that can be used to identify ...
