A risk and control self-assessment (RCSA) is a business practice that helps a corporation's top management identify and appraise significant risks inherent in the company's activities. An RCSA program also instructs departmental managers and segment-level employees on how to ensure that internal controls, policies and procedures are functional and adequate.
An RCSA program covers two business functions—risk self-assessment and control self-assessment. Risk self-assessment is a practice that enables departmental heads to analyze various business risks and rank them as "high," "medium" or "low" based on potential losses. A control self-assessment program helps senior managers ensure that internal controls, procedures and mechanisms are adequate, functional and conform to top leadership's recommendations, industry practices, professional standards and regulatory guidelines. (A control is an instruction that management puts into place to avoid losses.)
An RCSA initiative focuses on four types of risk: operational, technology, financial and compliance. Operational risk originates from human error or fraud (for example, an employee stealing cash). Technology risk is a consequence of communication systems breakdowns, such as hardware malfunction. Financial risk may be credit risk (when a business partner is unable to repay a loan) or market risk (when security prices change unfavorably). Compliance risk relates to adverse regulatory actions taken when a corporation does not abide by laws.
An RCSA schedule may cover some or all four types of business risk, depending on operating needs, company size, staff skills and regulatory requirements. Assume a South Dakota-based global bank wants to identify, value and manage the financial risks inherent in its securities exchange activities. The bank may prepare an RCSA covering its financial risk processes and rate its market risk controls as "medium." A New York-based sports apparel retailer may review the risks inherent in its operations and rank operational risk in some areas as "low."
A risk and control self-assessment framework is critical in a corporation's internal mechanisms because it prevents or reduces potential losses that may arise in business activities. Occasionally, these losses may be substantial, such as an employee stealing millions of dollars or a bank receiving large regulatory fines for noncompliance. For example, if a New York-based bank does not perform an RCSA in its trading desks' activities and a regulator, such as the Financial Industry Regulatory Authority (FINRA), discovers irregularities, FINRA may fine the bank and its traders.
An RCSA initiative may often cover difficult topics or areas in which a corporation's staff lacks expertise. In these cases, a corporation's top leadership may hire a consultant to help the firm evaluate risks appropriately. For instance, an oil and gas company may hire a certified public accountant (CPA) to review its market risk policies and provide recommendations.