How to Run an Effective RCSA in a Financial Institution

A practical guide to RCSA design, scoring, control mapping and action tracking for financial institutions building a stronger control environment.

A Risk and Control Self-Assessment (RCSA) remains one of the most practical tools in operational risk management because it forces organisations to answer a simple set of questions: what could go wrong, what controls do we have, how effective are they, and what are we going to do next? The value of the exercise, however, depends on whether it drives decisions or simply populates a register. [1]

What RCSA should achieve

A strong RCSA process gives management a structured view of risks across processes, systems, people, third parties and external events. It should surface risk themes, expose weak controls, clarify ownership and create actions that are tracked to completion. If it does not change prioritisation, reporting or investment decisions, it is too shallow.

A practical RCSA workflow

Define scope and objectives

Start with a clear unit of assessment. That might be a business service, process, product line or department. The scope should match the question you need answered, whether that is resilience risk, compliance exposure or end-to-end operational control.

Identify risks and controls

Use workshops, interviews or structured questionnaires to identify risks first, then map the controls that mitigate them. Keep the language plain. A useful test is whether a business owner can understand the statement quickly enough to challenge it.

Assess inherent risk, control effectiveness and residual risk

Separate inherent risk (the exposure before controls) from residual risk (the exposure after controls are applied). That distinction prevents teams from understating exposure by jumping straight to “we have a control for that”. It also makes it easier to see where strong controls are carrying weak processes.

Create action plans with ownership

Where residual risk exceeds appetite, there should be a named action, owner and target date. The best RCSA outputs are not long narrative summaries. They are prioritised decisions with accountability attached. [2]

How to stop RCSA becoming a tick-box exercise

Three habits make the difference. First, challenge scoring consistency across the business. Second, connect RCSA outputs to control testing, incidents and key risk indicators (KRIs). Third, refresh assessments when triggers occur, not just on the annual calendar. New products, control failures, audit findings and regulatory changes should all prompt review. [3]

Conclusion

RCSA is the point where operational risk becomes visible in operational language. When the process is practical, owned by the first line and supported by meaningful second-line challenge, it does far more than satisfy a regulatory expectation. It gives management a better basis for action.
