Getting Beyond RCSA: Why Operational Risk Needs a New, Improved Process
Risk Control Self-Assessments are, by definition, limited. Dynamic data-driven assessments are a better way.
Friday, April 14, 2023
By Paul Ford
Risk Control Self-Assessments (RCSAs) have long been used by banks to oversee their operational and non-financial risks.
However, the clue is in the name – it’s a self-assessment. It looks at the controls that a firm uses to manage or mitigate risks and the efficacy of the controls. Most are marked effective or ineffective based on the judgment of the people inside a firm.
This leads to several shortcomings. Where is the mark-to-market for risks, for controls? How do you know that you have the risks identified and the right controls in place?
Today, this industry read-across only happens when people move firms or when external consultants give an equally human (and expensive) judgment and opinion.
Regulators are rightly skeptical of the completeness and efficacy of the RCSA process given these limitations. Essentially, firms mark their own homework.
RCDA: A Better Way
What if you could mark both risks and controls to the market and to your peer group, covering both the identification of the risks and controls and the quality of their designs and associated metadata (e.g., prevent/detect, manual/automated, frequency)?
And what if you could mark the efficacy of the controls based on quantitative measurement instead of human judgment?
That’s where the Risk Control Dynamic Assessment (RCDA) comes in – a model that better leverages your data to provide a more holistic view of the risk landscape.
Here’s what needs to be in place to make it work:
Data standards. You need to define how you describe a risk and a control. The “bow tie” risk visualization method can help manage the relationship between risk threats, risk event and risk consequences.
Metadata. There are many ancillary components: Is the control preventative or detective, manual or automated? What is its loss history? Who operates it, and who owns it? How long does it take to operate and test?
Mapping. Risks must have at least one control but may have many. Each control may mitigate one risk or many. One business or function may have the same risks and controls as another business, or different ones.
Measurement. What’s the key performance indicator (KPI) for the control – where is the standard list to draw from? Is there one KPI or more for each control?
Once this model is in place, technology and AI can produce insights like never before.
Data-Driven Assessment and Peer Comparison
With clean data, and access to a tool like Acin, you can track the risk associated with your controls with detailed analytics. This makes it easy to manage your risk dynamically and compare trends in your data over time.
As Acin is an AI-led network of peers, you can also compare your data to the market and your peer group and, thanks to the increased visibility, remediate risk to previously unforeseen data points. This shared knowledge also helps protect the industry at large.
Seeing how other banks manage their controls also allows firms to review and, potentially, upgrade their control designs.
Are you missing controls? Are your controls overly complex? Do you have controls to deal with emerging risk? Through this unique peer network view, firms can see how they match up to other financial institutions and optimize their processes, minimizing the risk of being an “odd one out” with regulators.
Acin’s data updates in real time, so firms always have the information they need when they need it.
Ongoing Horizon Scanning
Risk leaders can keep tabs on the latest industry developments with horizon scanning. This feature gives firms sight of industry developments through alerts and scenarios.
Regulatory alerts include regulation changes and enforcement actions (including fines), while news alerts show market news and top risks from notable sources. Risk scenarios summarize the threat to the risk event and the consequences of the event, and highlight the controls that firms may need and how they compare to peers. These are then linked to your risks and controls in order to assess readiness for a particular scenario or regulation.
With their finger on the pulse, risk practitioners can stay one step ahead and be proactive in protecting their firm.
Operational Risk’s Future
Risk leaders are painfully aware of the problems with the RCSA process. In Risk.net’s Risk Control 2022 report, operational risk control professionals said that resource, cost and subjectivity were the main drawbacks of the RCSA model. Over 40% of respondents said an RCSA took place once a year or every two years – far from ideal in an ever-changing risk world.
RCDA is the self-assessment model that can tackle modern challenges. It rethinks how to combine process, policy, people and data to better manage op risk. Instead of a human assessment and judgment, it relies on a data-driven approach, with humans analyzing that data to help them make better decisions. Financial institutions can then manage their op risk on a dynamic, timely basis and take advantage of peer insights.
By having the clarity of a quantitative approach, regular alerts to threats and visibility of what the industry is doing, firms can rejuvenate their self-assessment process, be confident in their data and be able to report more effectively – all common issues with the current RCSA process.
RCDA brings improved risk mitigation, reduced costs, and better credibility with regulators. Is your firm ready for the future?
Paul Ford is CEO of Acin, which works with banks and asset managers to address operational risk issues through the use of data and technology. The organization helps some of the largest investment banks convert reams of control documentation into quantitative, calibrated, actionable data, enabling confidential peer comparisons of operational risk controls across both front and back office.