There is a lot of variability between financial services institutions in how they approach, design, distribute, disseminate, and roll up Risk Control Self Assessment (RCSA). Some design RCSA by process; others by risk; still others by risk event or risk driver. RCSA might be accomplished by interview, by workshop, or by questionnaire. Some Lines of Business choose to focus on the controls in place for each RCSA; others on risks, or on both. Some categorize RCSA by Basel Levels I and II Categories, while some have their own custom classification system. This variability has meant that to date there is no tool that adequately supports RCSA, because of the level of configuration required. Today's tools pigeonhole users into a solution that forces them to change their business approach, do not provide enough resolution to support features such as forms distribution and collection, or are expensively built internal custom solutions that only work within a specific business. People resort to Excel, which has flexibility but is deficient in terms of historical tracking, data management, archiving, and dissemination to a large audience.

Enter BPS and its building-block approach to software. BPS allows users to create blueprints, or plans, for each RCSA, and these blueprints are created from component pieces placed according to users' needs. A blueprint is classified according to taxonomies set up and customized by the user. It could be classified, for example, by business process, by region, and/or by line of business. A blueprint is assigned one or many risks and related controls. This can be done in both a control-centric and a risk-centric way. A blueprint is also assigned questions, chosen individually or in sets from a library set up and maintained by the user, and these questions combine to form a questionnaire that can be emailed or distributed to as many users as required.
Users can track issues related to RCSA through the Issue Tracking component of the Platform. Finally, an RCSA can be made actionable by cross-referencing it to a BPS action plan, one of the core objects in the system. RCSA results can be collected and aggregated across the organization. Using two other platform components, the rules and reporting engines, users can create a custom rollup of RCSA results and calculations. From these they can derive scores that will be helpful towards, among other things, a firm's AMA calculation.

RCSA can be a very effective tool for integrating various regulatory requirements into one process. Examples include SOX, CSOX, AML and Know Your Client, Canadian Deposit Insurance Corp, and more. Many organizations also believe that conducting RCSAs should enable a reduction in internal audit effort and resources. As part of their work, the audit team reviews RCSA results to test for control effectiveness. RCSA is another valuable data point informing their efforts. Internal Audit may also assess the quality of the RCSA effort.

RCSA is gaining traction as a key tool not only for AMA measurement, but also for SOX compliance, Internal Audit, compliance with other regulation, and general best practices. RCSA is a unifying element of an integrated risk strategy, and will help firms align their compliance, operational risk, and internal audit strategies.