RCA Remediation

We are currently reviewing our company's RCA process. The aim is to improve the quality of the Risk and Control Assessments (RCAs); however, without an understanding of what has historically been experienced on the ground, practical approaches to resolving the issues could not be made. As such, a review of the current RCA generation processes was performed throughout the whole of our company.  The assessment resulted in a number of issues being identified, which include people, process and technology concerns as summarised in the following themes:

  • Lack of formally approved policies, together with supporting procedures and processes;
  • Processes as documented are outdated and not representative of actions taken on the ground;
  • Lack of integration and standardisation between related processes;
  • Process level and/or strategic risks not identified;
  • Resource shortages impacting process execution;
  • Inaccurate or obsolete supporting toolsets; and
  • Inadequately designed or missing controls.

The RCA process has been reassessed with the intention of realising a number of key benefits and improvements. The ultimate aim of which is to assist the company in its objective of becoming the best risk managed environment. The key benefits as envisioned are : “Keeping to our commitments” - pro-active “hands-on” risk management;“Being in control” - informed risk and control assessments based on continuous monitoring of control execution; Standardised control assessments; and Improved audit readiness

The RCA Reassessment led us to find that the RCA quality is a current burning platform; our approach towards RCA creation requires improvement; and our CSA approach has been decided.

 

Has anyone gone through this process of improving their Risk Control Assessments and could you perhaps give me some guidance?  I would appreciate your inputs.

 

You need to be a member of Global Risk Community to add comments!

Join Global Risk Community

Votes: 0
Email me when people reply –

Replies

  • Dear Mike,

    Thank you for your response.  I am managing a project a currently specifically looking at the RCA process and how we can make it easier for business to comply to the RCA process in our company.  Our first step before re-writing the methodology on RCAs was to look at the processes and policies of each BU and if adherence to these, constitutes in extra controls being implemented within business.  Seems like we have a huge task in hand, I'm afraid.

    Mike Haubenstock said:

    We are also considering how to strengthen our RCSA process. We are planning more detailed walkthroughs, independent testing of controls by risk managment to feed control effectiveness ratings as part of the process, assuring that procedures are up to date and being followed, examining more thoroughly the internal history of events to assure that root causes are mitigated, demanding a mitigation plan and issuing a report with overall findings and ratings
  • Dear John,

    I agree with you.  Top Management need to have buy-in for it to filter down into Business or you fight a loosing battle.  Thank you for your input.

    John Bruner said:

    I have spent much of my life attempting to make management understand that "control" is all about "Corporate Attitude." If senior management conveys the importance with authority, it will happen. To often, it is a nice to have but not a must have for top management. The two attitudes convey very different strategic and operational approaches for line management. Without an approach to change of this magnitude, organizational potential the effort, support, and conviction expressed at the top.
  • Thanks for the feedback Nagesh, I will respond as requested.
  • Elmari, you are hitting lot of right notes. Now we need to make your risk assessment perform like an orchestra. I want to highlight some of key starting points.
    You mention, Process Level or Strategic risks are not identified. In order to achieve your objective of managing business risks we have to start from the Strategic or Entity level. Do remember your business objective/mission will be the driving force or conductor of the orchestra. If you want to discuss further please write to nagesh@indigostripes.com we can try to understand some of your challenges.
    Best Regards
    Nagesh
  • All good replies.  In addition I believe one of the keys is matching employees to your risk appetite.  Sometimes we need aggressive risk takers and sometimes we need a much more cautious approach depending on what is at stake and where we are in a product/services life cycle.  This will vary across the business and hence we need to vary our teams to suit.  There is no doubt that risk takers are not keen on detailed controls and detailed controls are not good for business units that you want to move swiftly and take significant but well thought out risk.  If you get the mix wrong you have much more chance of underperformance in all the areas you identified in your review.  Get it right and your staff find the way and the time to make it happen.
  • I am working with a financial services client to build out their RCSA program. We are considering including training and employee development as a risk area that will be evaluated as this can be a contributing factor to many other risks (e.g. process execution). Another option that is under consideration is the creation of a "guideline" that would drive some level of standardization around mitigation plans. This would help improve the communication between the risk owners and the other stakeholders of the RCSA process.
  • We are also considering how to strengthen our RCSA process. We are planning more detailed walkthroughs, independent testing of controls by risk managment to feed control effectiveness ratings as part of the process, assuring that procedures are up to date and being followed, examining more thoroughly the internal history of events to assure that root causes are mitigated, demanding a mitigation plan and issuing a report with overall findings and ratings
  • I have spent much of my life attempting to make management understand that "control" is all about "Corporate Attitude." If senior management conveys the importance with authority, it will happen. To often, it is a nice to have but not a must have for top management. The two attitudes convey very different strategic and operational approaches for line management. Without an approach to change of this magnitude, organizational potential the effort, support, and conviction expressed at the top.
This reply was deleted.

Introducing the Global Risk Series - Book 1 Risk Management How Tos

Dear GlobalRisk Community member, Our community’s mission is to foster business, networking and educational explorations among members. Learn from some of the top experts in the industry as they clearly explain how to approach the most important Risk management concepts. Check out their expert tips and use the link at the end of each article to navigate back to the website to leave your comment or ask a question.   Some of the topics include: How do you Explain Risk Appetite?  How to Prepare a…

Read more…
16 Replies · Reply by GlobalRiskCommunity Mar 21
Views: 1132

[Free COVID-19 Framework] What's the path to recovery look like?

We created a free presentation (attached), which discusses both global and organizational impacts of the COVID-19 pandemic, along with critical actions organizations should take immediately. This presentation introduces a framework that helps regions and organizations navigate a path to recovery via 9 potential scenarios. These scenarios capture outcomes related to GDP impact, public health response, and economic policies. The presentation also breaks down 6 immediate and critical actions…

Read more…
4 Replies · Reply by Steve Diaz Jul 8, 2023
Views: 244

If risk management is about decision making, are current risk management solutions irrelevant?

Now that the updated COSO and ISO risk management standards emphasize a connection to enterprise objectives and decision making, does this mean ERM and GRC solutions focused on risk registers and regulatory compliance are missing the true value of risk management?Will current risk management solutions evolve to integrate more decision support functionality or will standalone prescriptive analytics and other technology solutions take a more prominent role in enabling risk-informed…

Read more…
3 Replies
Views: 175

A question related to classification of instruments between trading and banking book.

We have an interesting question from one of our members.       "We usually perform OTC FX transactions with clients backed-to-back on the market (with Banks). Now we are going to perform a FX swap (i.e. Spot + forward) JPY/EUR for the Bank account for 1 week at the longest. The purpose is to get EUR place @ CB for LCR compliance purpose (no trading purposes). Bank's Management think that this should be considered as a trading position and therefore be classified within the Bank's trading book.…

Read more…
5 Replies · Reply by Prisha Singh Dec 26, 2023
Views: 381

Plunging oil prices: curse or blessing in disguise?

The recent sudden crash of oil prices has had a major impact on the world economy, leading to many troubled faces in the international arena. The Russians fear the effects of yet another powerful hit on their economy, Venezuela seems to be considering default and the Americans are weary of the consequences for its young and emerging shale oil industry. And then you have the Middle East, where the smallest match is enough to ignite the largest fire. But are these worries really justified or…

Read more…
1 Reply
Views: 113

    About Us

    The GlobalRisk Community is a thriving community of risk managers and associated service providers. Our purpose is to foster business, networking and educational explorations among members. Our goal is to be the worlds premier Risk forum and contribute to better understanding of the complex world of risk.

    Business Partners

    For companies wanting to create a greater visibility for their products and services among their prospects in the Risk market: Send your business partnership request by filling in the form here!

lead