Navigating the complexity: Unveiling the evolution, principles and methods of RCSA optimization
December 11, 2023
The cost of managing compliance has grown exponentially for organizations. Recent research indicates that in 2020, global compliance costs increased by $33 billion from the previous year, for a total of $213.9 billion. Of this total, 89% was attributed to U.S. and European companies. Compliance costs have been on the rise since the inception of risk management as a practice. To remain competitive in a tumultuous economic, geopolitical and regulatory environment, companies need to find ways to drive costs down. A good place to start is by optimizing your Risk Control Self-Assessment (RCSA) program. This post discusses the evolution of risk disciplines, the three principles of risk mitigation and three methods that can help you improve your risk mitigation processes.
The evolution of risk and compliance
Regulations and the increased cost of compliance have led to the development of different risk disciplines over the past 40+ years, each requiring unique attention and investment. Formalized regulatory environments in the corporate world started taking shape around the 1970s, as companies were exposed to price fluctuations in the market from interest rates, market changes and prices of materials. Heading into the 80s, firms started to consider risk portfolios, leading to the creation of market and credit risk management. As that unfolded within the U.S., regulation of risk was later introduced internationally in the 1990s. Corporations began recognizing more risk disciplines — liquidity risk and later operational risk were introduced.
The 2001 Enron scandal and the resulting Sarbanes-Oxley Act brought a major shakeup to risk management in the financial services industry. Regulation of the industry increased dramatically as regulators focused on the three major processes in financial reporting requirements, which they considered essential to providing a strengthened system and preventing similar events in the future. Strengthening financial reporting risk management and internal audit emerged as critical elements of this strengthened system.
Following the development of Basel I (1988), increasingly complex and regulated environments led to the development of Basel II (2004), which established a more comprehensive risk management framework that included operational risk as a standalone risk category. While operational risk had been recognized since the late 1990s, Basel II brought it into the spotlight. Basel II required firms to develop standardized measures for evaluating operational risk and to establish risk profiles. Quantifying these measures required scenario analysis, key risk indicators and historical loss data. Risk Control Self-Assessment (RCSA) was developed as a tool to identify inherent risk, develop controls to remediate or mitigate those risks and quantify necessary measures. RCSA has become increasingly important as a tool for developing risk measures and profiles. Regulators and organizations recognized the value RCSA could provide in identifying and mitigating process risks.
As banking regulations continued to come into focus, especially in light of the 2008 financial crisis and the release of Basel III in 2010, an enterprise-wide and formalized approach to compliance risk was introduced to manage regulatory risks. Compliance risk requires a significant amount of effort to identify the extensive regulations within financial services and the controls in place to ensure compliance.
Following the issuance of the last Basel guidelines, technological advancements, globalization and geopolitical changes have given rise to additional risk disciplines, such as cyber-risk, AI, financial crime and reputational risk. These various types of risk have started to cause audit fatigue, as different risk functions have documented processes, identified their own risks and developed their own controls over the same business processes as other functions. This has not only duplicated work, but also led to redundant controls and inconsistent risk assessments. It's essential that firms take heed of these lessons learned by other organizations, review the same underlying processes for all risks and develop unified controls.
The three principles of risk mitigation
As organizations look to get ahead of increasing costs and heightened regulation coming in 2023 and beyond, they need to unify their underlying processes and approach them through the lens of the three legs of risk mitigation: risk identification, control identification, and controls transformation and remediation. Firms that develop both an RCSA COE and a Controls Transformation COE can find continued success in the three legs of risk mitigation. The inputs from the RCSA COE can be applied in creating an optimal control environment. Continued investment and focus on these centers of excellence are vital, and we see them as a building block that allows the implementation of our three-pronged approach, which we'll introduce shortly.
The three methods for RCSA optimization
When building effective RCSA ecosystems that integrate risk identification, control identification, and control transformation and remediation, we use a three-pronged approach that encompasses the Organizations and Operating Model, Process and Frameworks, and Data and Technology. Trust is central to our approach — a great RCSA program with no belief in its outputs is as useful as a poor program.
A path forward for your RCSA program
RCSA will continue to grow and become increasingly crucial within organizations. How far along are you on the maturity curve? Does your firm want to implement marginal improvements over time or to leapfrog to full control assurance and keep your firm compliant and out of the headlines?
To strengthen your risk organization, you must start at the top. At NTT DATA, we approach this challenge with the Principles and Three Methods, which enable processes that increase the strength of your risk organization. While the upfront costs may not be minimal, the long-term benefits of increased control assurance and cost reduction through technology and automation will lead to a competitive advantage. Stay tuned for part two of our series to learn how we use these principles to optimize your risk organization.
We have vast experience building out RCSA programs at top U.S. banks and making sure that our clients have confidence in their controls and an accurate risk profile to leverage towards competitive advantage in the market.