Risk & Control Self Assessment

by Marquis Codjia - Updated September 26, 2017
A control self-assessment helps a corporation ensure that operating procedures are functional and adequate.

A risk and control self-assessment (RCSA) is a business practice that helps a corporation's top management identify and appraise significant risks inherent in the company's activities. An RCSA program also instructs departmental managers and segment-level employees on how to ensure that internal controls, policies and procedures are functional and adequate.

Purposes

An RCSA program covers two business functions—risk self-assessment and control self-assessment. Risk self-assessment is a practice that enables departmental heads to analyze various business risks and rank them as "high," "medium" or "low" based on potential losses. A control self-assessment program helps senior managers ensure that internal controls, procedures and mechanisms are adequate, functional and conform to top leadership's recommendations, industry practices, professional standards and regulatory guidelines. (A control is an instruction that management puts into place to avoid losses.)

Types

An RCSA initiative focuses on four types of risk: operational, technology, financial and compliance. Operational risk originates from human error or fraud (for example, an employee stealing cash). Technology risk is a consequence of communication systems breakdowns, such as hardware malfunction. Financial risk may be credit-related (when a business partner is unable to reimburse a loan) or market risk (when security prices change unfavorably). Compliance risk relates to adverse regulatory actions when a corporation does not abide by laws.

Video of the Day

Brought to you by Techwalla
Brought to you by Techwalla

Features

An RCSA schedule may cover some or all four types of business risks, depending on operating needs, company size, staff skills and regulatory requirements. Assume a South Dakota-based global bank wants to identify, value and manage financial risks that are implicit in its securities exchanges' activities. The bank may prepare an RCSA regarding financial risk processes and rate its market risk controls as "medium." A New York-based sports apparel retailer may review risks inherent in its operations and rank operational risk in some areas as "low."

Benefits

A risk and control self-assessment framework is critical in a corporation's internal mechanisms because it prevents or reduces potential losses that may arise in business activities. Occasionally, these losses may be substantial, such as an employee stealing millions of dollars or a bank receiving large regulatory fines for noncompliance. For example, if a New York-based bank does not perform an RCSA in its trading desks' activities and a regulator, such as the Financial Industry Regulatory Authority (FINRA), discovers irregularities, FINRA may fine the bank and its traders.

Expert Insight

An RCSA initiative often may cover difficult topics or areas in which a corporation's staff does not have expertise. In these cases, a corporation's top leadership may hire a consultant to help the firm evaluate risks appropriately. For instance, an oil and gas company may hire a certified public accountant (CPA) to review its market risk policies and provide recommendations.

About the Author

Marquis Codjia is a New York-based freelance writer, investor and banker. He has authored articles since 2000, covering topics such as politics, technology and business. A certified public accountant and certified financial manager, Codjia received a Master of Business Administration from Rutgers University, majoring in investment analysis and financial management.

Photo Credits

  • remote control image by Brett Bouwer from Fotolia.com
Cite this Article A tool to create a citation to reference this article Cite this Article