Optimizing RCSA: An Interview With the Creators of RMA and PwC’s Risk and Control Self-Assessment Survey

For valuable insights into the recent RMA and PwC Risk and Control Self-Assessment Survey, The RMA Journal spoke with the RCSA survey’s architects:  

• PwC Principal Kevin Barry, whose practice includes financial institution risk management, enterprise control practices, and digital and technology capabilities.    
• PwC Partner Alex Pflepsen, who specializes in financial institution risk management and regulatory compliance.  

In the following interview, Barry and Pflepsen discuss the importance of the RCSA process to help financial institutions manage non-financial risk, inform day-to-day decision making, and drive an effective risk culture as well as the role of technology in enabling a consistent approach. You can read an executive summary of the survey here.  

RMA JOURNAL: What are some of the key takeaways from the survey findings? 

BARRY: The survey results reinforce that risk and control self-assessment is a topic of increasing focus in the industry. This is evident from the large number of financial institutions participating in the survey [59], which underscores the evolving nature of many banks’ RCSA initiatives and highlights the challenges they are facing. Banks are also increasingly looking for ways that their RCSA initiatives can drive greater accountability and risk culture within their organizations. 

PFLEPSEN: The survey findings align with what we are seeing firms prioritize in our practice. Financial institutions are actively enhancing their RCSA programs, with a focus on methodology enhancements, execution improvements, and technology adoption. However, the survey also highlights the need for improvement, particularly in areas such as staffing and capability to develop and enhance the skill set of existing personnel in the first line. Financial Institutions also highlighted the need to promote a strong risk culture. 

RMA JOURNAL: In analyzing the survey results, what, if anything, was surprising about the findings? How do these findings align with or challenge existing industry perspectives? 

BARRY: A surprising finding was the disparity within the RCSA programs across similar-sized institutions. For instance, the survey results indicate that there is disparity among similar-sized institutions with regards to the frequency of conducting RCSAs—for example, annually, semi-annually, quarterly, and trigger-based. We saw similar disparities in terms of the number of assessment units—ranging from less than 100 to up to 400—and control inventory counts, which ranged from 1,000 to up to 15,000 among similar asset size financial institutions. 

PFLEPSEN: The variation in approach illustrates how similar-sized institutions have adopted different approaches, and likely have varying levels of maturity in how they execute and ultimately use RCSA to help manage risk. This finding validates anecdotal feedback we have heard in industry roundtables and through regular conversations with our clients. It underscores the fact that each institution's approach to RCSA is influenced by a variety of factors beyond size, including their specific risk profile, regulatory feedback, and internal capabilities. 

RMA JOURNAL: What are proven strategies you have seen to get buy-in from the first line when implementing and evolving RCSA programs? 

PFLEPSEN: First and foremost, leadership engagement is crucial. When senior management and team leaders actively participate and demonstrate their commitment to the RCSA program, it sends a clear message about the program’s importance, and how outputs should be used to help manage risk. 

BARRY: First-line business teams also tend to be more bought-in when they perceive enhanced value as part of the RCSA process. This can come in the form of different views of risk, risk profiles, and other end-to-end or lifecycle views of risk that may resonate more with first-line business teams.   

RMA JOURNAL: What are some common examples of where RCSA processes can break down or fail? 

PFLEPSEN: One common scenario is that if RCSA data is not properly integrated with other risk data, it can lead to a fragmented view of an institution’s risk profile, causing inconsistent and multiple versions of the “truth” and making it difficult to identify and manage risks across different areas of the institution. 

BARRY: Inconsistency in the RCSA process can occur when there is a lack of standardization across the organization. For example, different business units or teams may interpret and apply RCSA guidelines differently, leading to inconsistent risk assessments. This inconsistency can make it difficult to compare risk profiles across the organization and can undermine the effectiveness of the RCSA process. 

RMA JOURNAL: One survey question addresses the use of RCSA in day-to-day decisions. Can you share examples of decisions that are made day to day and how utilizing RCSA to inform those decisions impacts financial institutions? 

PFLEPSEN: Where financial institutions have successfully implemented RCSA, we see RCSA outputs inform and impact day-to-day management decisions. For example, RCSA helps show the positive impact on a firm’s risk profile from investments such as improving the control environment, replacing an antiquated system, or re-engineering a manual process. 

BARRY: Change management is another key example where RCSA plays an important role.  RCSA outputs can help firms better understand the potential impact of changes to their processes, systems, products, and organization before a change is made.  For example, it helps firms understand which risks may be elevated, which controls may need to be strengthened, and mitigating actions management should take to avoid missteps or a breach of risk appetite. 

RMA JOURNAL: The survey’s executive summary touches on how RCSA can help drive integration across non-financial risk programs to promote efficiency and consistency. Can you cite some ideas and examples that illustrate how to successfully integrate RCSA data across other risk programs?   

BARRY: RCSA can be an effective tool to integrate non-financial risk management assessments—especially in the first line of defense. For example, integrating compliance requirements into RCSA provides the first line a comprehensive and consolidated view into its key risks, compliance requirements, and the controls in place to mitigate both.  This can ultimately feed a streamlined risk-based testing and monitoring approach. 

PFLEPSEN: Additionally, integrating RCSA data with business resilience, continuity planning, and disaster recovery programs ensures that operational risks are adequately considered in these critical areas. Firms that align on key design principles can help drive integration including: 

• Common inventories and taxonomies (for example: assessable units, process, risk, controls). 
• Common rating scales and impact categories. 
• A common data model. 
• The ability to adjust the program with sound change management practices. 

RMA JOURNAL: Finally, what role does technology play in enabling greater efficiency of RCSA programs? 

BARRY: Technology can help to streamline the RCSA process, improve the quality of risk assessments, and provide valuable risk insights and analytics. For example, GRC platforms can help to automate and streamline the RCSA process, reducing the time and effort required to conduct risk assessments. They can also help to standardize the RCSA process across the organization, improving consistency and comparability of risk assessments. 

GRC tools can also play a role in enhancing the user experience of RCSA. For example, technological enhancements can improve system connectivity, build workflows, and enable easier reporting. 

PFLEPSEN: Emerging technologies such as machine learning and artificial intelligence are now also being considered to make RCSA programs more efficient. For example, machine learning algorithms can be used to analyze large volumes of RCSA data to identify patterns and trends that may not be apparent through manual analysis. These patterns and trends can help identify correlations between different risk factors, predict potential risk events based on historical data, and prioritize risks based on their potential impact and likelihood. 

In addition, artificial intelligence can automate the collection and analysis of RCSA data, and even generate risk assessment reports. AI can also be used to automate the monitoring of controls, alerting relevant personnel when a control fails or when a risk exposure exceeds a certain threshold. 

Alex Pflepsen is a partner in PwC’s Enterprise and Operational Risk Management practice. He can be reached at Alex.M.Pflepsen@pwc.com

Kevin Barry is a principal in PwC’s Enterprise and Operational Risk Management practice. He can be reached at Kevin.B.Barry@pwc.com.