HOW TO SCALE RISK AND CONTROL SELF-ASSESSMENT ACROSS INSTITUTIONAL SILOS

As regulators continue to focus on non-financial risks in financial services, it is easy to understand why risks, controls and their relationship with operational failures will be heavily scrutinised. For many years, the risk and control self-assessment (RCSA) process has been one of the preferred methods for identifying risks, controls and gaps through self-identification, while monitoring remediation efforts to reduce risk. One of the goals of enterprise risk management (ERM) is to obtain a 360-degree view of the company’s risk footprint in order to better manage risks and provide transparency to board members. However, many ERM professionals are still challenged in achieving this goal because of breakdowns that occur when trying to scale the RCSA process across institutional silos.

Some breakdowns are caused when the process becomes more cumbersome as the scope grows, the number of information sources increases, comprehension of risks and controls varies, or the needs of the reporting process begin to fragment. More severe instances occur when it becomes harder to correctly link control test results back to the identified risk, to determine whether certain areas of the business take longer than others to remediate, and to provide evidence that the controls and key risk indicators (KRIs) used are relevant to the risk.

Apr-Jun 2022 Issue

ISACA