CHAPTER 13

Risk and Control Self-Assessment

The objectives of risk and control self-assessment are clear. It is management that best understands the nature of their control environment, so it should be management that regularly assesses this as part of their normal controls.

All that risk and control self-assessment (RCSA) does is codify this into a consistent format that enables regular, comparable reporting to management.

Of course, this does change the role of internal audit and internal control and we shall consider that later.

RCSA starts with the risk register which, as previously discussed, is the articulation of the complete control environment for the firm. Each risk has a clear and concise definition that is understandable by the people who are required to monitor and comply with it. The next challenge is to assess the level of risk that exists within the business.

This is achieved through asking each of the business units for their inherent risk, which is the level of risk that exists within the business unit in the absence of controls. It should be an assessment of the losses that are likely to occur if the controls were removed, not a figure suggesting that everything will go wrong. In the absence of any controls, not all transactions will be incorrect, it is just that errors that are normally made will neither be identified nor corrected.

There is a problem here. Inherent risk is an estimate and, as such, may well be incorrect. Indeed, the absence of real data almost ensures that it will be unreliable. However, the best people to assess the level of risk must be those closest to the control and to the issue, and that is local management.

These risks are then matched to the controls that are currently mitigating them. The effect of the controls is to reduce the likelihood of losses to an acceptable level, which needs to be below the risk appetite set for the business unit. The difference between the inherent risk and the residual risk (the risk that remains once your control environment is applied) is the value of your control environment, and it should be compared to the cost of that control environment.

The residual risk can be compared to the actual losses that have occurred to check that the estimates are sensible and, of course, inherent risk must always be greater than residual risk.

There are a lot of challenges here. Management do not think in terms of risk and have very little understanding of inherent risk. If I ask you, “What level of internal fraud do you expect within your department in the next year?” how would you answer? You might answer that you do not expect any at all. However, is that realistic? Would there be any chance of a fraud, and how would you know? If you knew, you would have stopped it anyway.

Because of this, the initial RCSA analysis is typically based on a facilitated workshop conducted by the risk department. They attempt to tease from the management information which can be used to populate the analysis. Even when I do manage to get a value from you for potential level of fraud in a year, I then tend to ask you for the likelihood, yet how would you know that and would the probability relate to the risk event, such as internal fraud? This is never easy and rarely accurate. Of course, if the controls do massively reduce inherent risk to residual risk, then the controls had better be effective. That means you do require a control indicator to tell you that the controls are operating.

The point of RCSA is not just what might be perceived as unreliable modelling; rather, it is to get management to actively consider whether the controls that they are operating are effective and efficient. If they can improve the effectiveness of their control environment, then this will directly improve the bottom line. The actions taken to improve systems and controls are generally referred to as treatments, and their impact needs to be tracked.

So far, I have considered what might be termed operational risks; however, all risks should be considered, not just those that arise from the processes you conduct. Consequently, credit risk, market risk, liquidity risk, reputational risk and strategic risk should be included, whether they are created by you or imposed upon you.

If, for example, you are involved with an industry that has encountered a high level of government interest, then they could take actions that seriously curtail your business. One example of this might be fizzy drink manufacturers where there is increasing concern at the level of sugar in the drinks. The risk is that government might undermine your activities through either taxation or regulation. The risk mitigating options would include developing lower sugar drinks and also lobbying government. Of course, nothing is without risk and a level of risk still remains.

In terms of credit risk mitigation, this will include obtaining the financial records and ratings of the firm you are supplying and trying to identify its likelihood of defaulting, that is to say, failing to pay you the sums you are due. To help ensure that you are paid, you should also have clear contractual arrangements with your customers, setting out their responsibilities. All of this needs to be included within the RCSA.

I mentioned that the roles of internal audit and internal control are now changed. Considering internal control first, part of the second line of defense, they have the responsibility of ensuring that the appropriate level of monitoring is conducted over the first line of defense, including management and supervision.

Now we have the management assessing the level of risk, they will also be looking to the role of internal control in mitigating risks within the business. This begins to look like the first line of defense having oversight over the second line of defense, which would clearly not be sensible. Accordingly, we would suggest that the role played by internal control in mitigating risk should be assessed by internal control as part of the workshop.

The workshop and its facilitation are therefore crucial. The risk professional who runs the initial workshop needs to have a detailed and thorough understanding of the nature of the activity that is being reviewed. This all goes wrong if they do not have that knowledge and are therefore unable to extract from management or internal control the information they require.

These workshops need to be structured, organized and fully documented. The workshop facilitator needs to be both a listener and a developer of ideas, but it is not their RCSA; it must be owned by management. In future, it will be management that undertakes this assessment without reference to the facilitator, who will then typically move into a reviewer role.

As mentioned, the role of internal audit also changes. Clearly, internal audit as the third line of defense cannot have responsibility for RCSA any more than they can take responsibility for any other area of activity. Internal audit is allowed to provide their input to a process and the RCSA facilitator will undoubtedly find their internal audit reports of interest in considering and assessing the information provided to them by both management and internal control. Of course, internal audit undertakes a program of work as agreed by the audit committee to which they report as a subcommittee of the Board. Nothing in RCSA makes any change to this as a process. The frequency of the assignment is not changed nor should the frequency of the audit be changed.

As an auditor, internal audit will always seek to audit through the control processes operated by management. That ensures that the audit findings resonate with management and are perceived through the structures that are in place. The consequence of this is that the RCSA will be audited as part of the audit that is undertaken. Indeed, this part of the audit will take place during the planning stage of the audit since it will provide the internal auditors with knowledge that will assist them in their audit planning. It will set out the controls that are of greatest importance and the issues that management are already aware of and where they are taking action.

Internal audit should give management and internal control the credit for identifying issues and addressing them. This should be clearly stated in the internal audit report, since nothing annoys management more than internal audit taking credit for something that they, quite frankly, did not do. Of course, external audit are even worse in this regard when preparing their often poorly thought through and ill-conceived management letters, many of which, by their nature, could be labelled as dangerous. External auditors are rarely trained to fully identify and consider changes to control processes and their impact on profitability, raising only matters that have come to their attention in the course of their work. Without the time or resources to analyze these matters in the manner that internal audit would, it is perhaps unsurprising that so many of these reports fail to achieve their objectives.

So, internal audit should audit the RCSA as part of their routine work on every audit they conduct. They will seek to assess whether the most relevant risks were assessed and whether management have appropriately identified the relevant controls and the monitoring applied to them. They will review the inherent risk and probability to ensure that there is an audit trail supporting the calculation and that the policies and procedures are adequate. However, they are unlikely to report on the judgments of management because of the level of uncertainty involved. Unless the inherent risk or probability is manifestly unreasonable, this is unlikely to turn up in the audit report.

They will also consider the residual risk and the control indicators, ensuring that the residual risk has been appropriately compared to the internal loss database, which must hold fully costed losses. Such losses need to include all of the indirect costs relating to the event, including the management time spent as a consequence of the event occurring.
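The consistency checks the chapter describes, namely that inherent risk exceeds residual risk, that residual risk sits below the unit's risk appetite, that the value of the control environment is compared to its cost, that a large claimed reduction is backed by a control indicator, and that residual risk is reconciled against fully costed losses (direct cost, indirect cost and management time) from the internal loss database, can be run mechanically over a risk register. The example below is added here and is not from the book; the register layout, the field names, the thresholds and the sample figures are all assumptions for illustration, and "expected annual loss" is taken to mean impact multiplied by annual probability.

```python
"""Consistency checks over an RCSA register (added example, not the book's own).

Assumptions: each register entry carries an impact and an annual probability
for both the inherent and the residual position, the cost of its controls,
whether a control indicator exists, and the loss events recorded against it.
Expected annual loss is modelled as impact * probability.
"""
from dataclasses import dataclass, field


@dataclass
class LossEvent:
    """A realised loss from the internal loss database, fully costed."""
    direct_cost: float
    indirect_cost: float
    management_hours: float
    hourly_rate: float  # assumed cost of one hour of management time

    def total(self) -> float:
        # Fully costed: direct, indirect and the management time the event consumed.
        return self.direct_cost + self.indirect_cost + self.management_hours * self.hourly_rate


@dataclass
class RiskEntry:
    name: str
    inherent_impact: float        # estimated loss if controls were removed
    inherent_probability: float   # annual likelihood of that loss, no controls
    residual_impact: float        # estimated loss with controls in place
    residual_probability: float   # annual likelihood with controls in place
    control_cost: float           # annual cost of operating the controls
    has_control_indicator: bool   # is there evidence the controls are operating?
    losses: list = field(default_factory=list)  # LossEvent records for the year

    def inherent_risk(self) -> float:
        return self.inherent_impact * self.inherent_probability

    def residual_risk(self) -> float:
        return self.residual_impact * self.residual_probability

    def control_value(self) -> float:
        # Value of the control environment: risk removed by the controls.
        return self.inherent_risk() - self.residual_risk()

    def actual_losses(self) -> float:
        return sum(event.total() for event in self.losses)


def check_entry(entry: RiskEntry, risk_appetite: float,
                indicator_threshold: float = 0.9,
                loss_tolerance: float = 0.5) -> list:
    """Return the audit-style findings for one register entry (empty list = clean)."""
    findings = []
    inherent, residual = entry.inherent_risk(), entry.residual_risk()

    if residual >= inherent:
        findings.append("inherent risk must exceed residual risk")
    if residual > risk_appetite:
        findings.append("residual risk exceeds the unit's risk appetite")
    if entry.control_value() < entry.control_cost:
        findings.append("controls cost more than the risk they remove")
    # A large claimed reduction needs a control indicator showing the controls operate.
    reduction = 1 - residual / inherent if inherent else 0.0
    if reduction > indicator_threshold and not entry.has_control_indicator:
        findings.append("large reduction claimed without a control indicator")
    # Reconcile the residual estimate against fully costed realised losses.
    actual = entry.actual_losses()
    if entry.losses and residual and actual > residual * (1 + loss_tolerance):
        findings.append("realised losses exceed residual estimate; residual understated")
    return findings


def review_register(register: list, risk_appetite: float) -> dict:
    """Map each entry name to its findings, so a reviewer sees every flagged line."""
    return {entry.name: check_entry(entry, risk_appetite) for entry in register}


# Constructed sample register (figures invented for illustration only).
SAMPLE_REGISTER = [
    RiskEntry("Internal fraud", 500_000, 0.2, 50_000, 0.1, 20_000, True,
              losses=[LossEvent(2_000, 500, 20, 100)]),
    RiskEntry("Payment errors", 80_000, 0.5, 60_000, 0.5, 15_000, False,
              losses=[LossEvent(60_000, 5_000, 50, 100)]),
]
SAMPLE_APPETITE = 10_000

if __name__ == "__main__":
    for name, findings in review_register(SAMPLE_REGISTER, SAMPLE_APPETITE).items():
        print(name, "->", findings or "no findings")
```

Every figure here is an estimate in the sense the chapter warns about, so the checks are deliberately coarse: they catch entries that are internally inconsistent or contradicted by the loss database, which is the level at which internal audit would comment, rather than second-guessing management's judgment on a specific number.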

There is another problem with RCSA, which we do need to reflect on. To be effective, it needs the involvement of the senior management of the business unit, since they possess the level of knowledge that is required. The first time the exercise is conducted, this is normally the case. Since, ideally, RCSA is part of management's approach to controlling a business area, they should remain fully engaged with the process, yet this rarely occurs. This is one of the areas within risk management where familiarity breeds contempt: increasingly junior people become involved as RCSA comes to be seen as a chore rather than something of benefit to management. Senior management must ensure that the business unit remains fully engaged throughout the process, and this may require regularly facilitating appropriate workshops to achieve it.

The Board also need to play their role. They are the sponsors of the entire process, and the reporting from the RCSA will assist them in gaining the level of confidence they require to establish that an adequate control environment is being maintained. Accordingly, they should be tracking the performance of the RCSA and asking such questions as they consider appropriate to ensure that this important process is working effectively.
