We are currently reviewing our company's RCA process. The aim is to improve the quality of the Risk and Control Assessments (RCAs); however, without an understanding of what has historically been experienced on the ground, practical approaches to resolving the issues could not be made. As such, a review of the current RCA generation processes was performed throughout the whole of our company. The assessment resulted in a number of issues being identified, which include people, process and technology concerns as summarised in the following themes:
- Lack of formally approved policies, together with supporting procedures and processes;
- Processes as documented are outdated and not representative of actions taken on the ground;
- Lack of integration and standardisation between related processes;
- Process level and/or strategic risks not identified;
- Resource shortages impacting process execution;
- Inaccurate or obsolete supporting toolsets; and
- Inadequately designed or missing controls.
The RCA process has been reassessed with the intention of realising a number of key benefits and improvements. The ultimate aim of which is to assist the company in its objective of becoming the best risk managed environment. The key benefits as envisioned are:
- “Keeping to our commitments” - pro-active “hands-on” risk management;
- “Being in control” - informed risk and control assessments based on continuous monitoring of control execution;
- Standardised control assessments; and
- Improved audit readiness.
The RCA Reassessment led us to find that the RCA quality is a current burning platform; our approach towards RCA creation requires improvement; and our CSA approach has been decided.
Has anyone gone through this process of improving their Risk Control Assessments and could you perhaps give me some guidance? I would appreciate your inputs.
Thank you for your response. I am currently managing a project specifically looking at the RCA process and how we can make it easier for business to comply with the RCA process in our company. Our first step before re-writing the methodology on RCAs was to look at the processes and policies of each BU and whether adherence to these constitutes extra controls being implemented within business. Seems like we have a huge task in hand, I'm afraid.
Mike Haubenstock said:
I agree with you. Top Management need to have buy-in for it to filter down into Business or you fight a losing battle. Thank you for your input.
John Bruner said:
You mention that Process Level or Strategic risks are not identified. In order to achieve your objective of managing business risks we have to start from the Strategic or Entity level. Do remember your business objective/mission will be the driving force or conductor of the orchestra. If you want to discuss further, please write to firstname.lastname@example.org and we can try to understand some of your challenges.