SOX risk assessment

Agile Risk Assessment: Reinventing RCSAs

Matthew Perconte, Managing Director Risk and Compliance
Protiviti’s Agile Risk Management Philosophy

Timely and accurate risk identification and assessment are critical to strategic decision-making. A risk and control self-assessment (RCSA) can be a practical tool for providing that information. Many organizations struggle, however, with the level of organizational resources required to complete an RCSA and effectively apply the results in a timely manner.

There are many reasons for this. Leadership often finds it difficult to define roles and carve out the necessary time for this complex and comprehensive process; RCSA workshops are largely unproductive; processes, controls and technology are constantly changing; documentation is often outdated; and after all that, much of the information included in the traditional annual RCSA cycle has gone stale by the time the report is published.

Protiviti has identified several practical changes to this process that can be implemented with minimal cost and disruption over a period of six to 12 months, to make an RCSA program more effective. Those strategies are outlined in a newly published paper on the building blocks of agile risk management. Briefly, they include:

  • Rationalizing and optimizing controls — When there are multiple controls in place to mitigate one risk, determine which control does it best and eliminate the rest, or consider automating the control(s) to eliminate manual labor.
  • Improving coverage and integration of regulatory compliance and technology risk — Risk management and regulatory compliance programs often overlap. Integrating these risks at a meaningful level of detail allows for more effective and efficient management.
  • Simplifying taxonomies — Standardized and consistent identification of processes, risks and controls across lines of defense and stakeholders makes it easier to know what to look for and request information from across the enterprise.
  • Incorporating relevant data points — RCSAs can be enhanced to provide a line of sight into a variety of data useful in determining how business units are performing against their goals and objectives. This data can, in turn, be used in the evaluation of inherent risks.
  • Improving reporting and visualization — RCSA outputs should be designed to help business leaders easily fix problems, reallocate people, identify opportunities and align products for growth.

Beyond these relatively simple changes, organizations should consider embracing new technology — including data analytics tools, predictive capabilities, chatbots, artificial intelligence and automated assistants — to deliver more timely, actionable and forward-looking results. The paper covers these, as well, with specific examples of how to leverage those more advanced, or “next gen” strategies.

RCSAs have been conducted for decades with very little change. Going forward, competitive advantage will be on the side of organizations that are able to use risk and control data, particularly RCSA results, to make risk-informed, faster and smarter decisions. Protiviti’s Agile Risk Management philosophy can help organizations establish and sustain that advantage. Download our white paper here, and let us know your thoughts on it in the comments.

Add comment