We are currently reviewing our company's RCA process. The aim is to improve the quality of the Risk and Control Assessments (RCAs); however, without an understanding of what has historically been experienced on the ground, practical approaches to resolving the issues could not be made. As such, a review of the current RCA generation processes was performed throughout the whole of our company. The assessment resulted in a number of issues being identified, which include people, process and technology concerns as summarised in the following themes:
- Lack of formally approved policies, together with supporting procedures and processes;
- Processes as documented are outdated and not representative of actions taken on the ground;
- Lack of integration and standardisation between related processes;
- Process level and/or strategic risks not identified;
- Resource shortages impacting process execution;
- Inaccurate or obsolete supporting toolsets; and
- Inadequately designed or missing controls.
The RCA process has been reassessed with the intention of realising a number of key benefits and improvements, the ultimate aim of which is to assist the company in its objective of becoming the best risk managed environment. The key benefits as envisioned are:
- “Keeping to our commitments” - pro-active “hands-on” risk management;
- “Being in control” - informed risk and control assessments based on continuous monitoring of control execution;
- Standardised control assessments; and
- Improved audit readiness.
The RCA Reassessment led us to find that the RCA quality is a current burning platform; our approach towards RCA creation requires improvement; and our CSA approach has been decided.
Has anyone gone through this process of improving their Risk Control Assessments and could you perhaps give me some guidance? I would appreciate your inputs.