A risk and control self-assessment, or RCSA, is a structured process in which the people who run a business process identify the operational risks they face, rate each risk before and after controls, and agree action plans. It converts scattered, informal risk knowledge into a defensible, repeatable assessment that feeds the risk register.
What an RCSA is and why operational risk teams use it
Operational risk teams use the RCSA because operational risk is hard to measure from loss data alone. Many of the most damaging events, such as a failed payment run or a control gap in onboarding, are rare, so waiting for losses to accumulate is not an option. Unlike credit or market risk, operational risk has no single exposure figure to model, which makes the structured judgement of an RCSA one of the few practical ways to size it. The RCSA captures forward looking judgement from the front line about what could go wrong and how well current controls hold. Banks adopted it widely under the Basel operational risk framework, and the practice has spread into insurance, healthcare, and technology firms that want a consistent view of process level exposure.
The RCSA process step by step
Most programmes follow the same sequence, whether they call it five steps or seven. The aim is to move cleanly from scope to action, leaving a documented trail at each stage.
- Define scope and objectives: agree which business units, processes, or products the cycle covers and confirm the risk taxonomy
- Identify risks: list the operational risks that could stop each process from meeting its objective
- Assess inherent risk: rate likelihood and impact assuming no controls are working
- Evaluate controls: document the controls in place and judge how well they are designed and operating
- Determine residual risk: re-score likelihood and impact with controls credited, then compare the result to risk appetite
- Agree action plans: assign owners and dates wherever residual risk sits above tolerance
- Monitor and review: track actions, refresh scores on a set cycle, and feed results into reporting
Each step should leave a documented artifact (the risk register entry, the control description, the scoring rationale, the action plan) so that the assessment survives audit scrutiny. The split between inherent and residual scoring is the analytical heart of the exercise, and it works only when both numbers are defined clearly; our guide on inherent versus residual risk explains that distinction in depth.
Workshops versus questionnaires
There are two main ways to gather RCSA input. A facilitated workshop brings process owners, control operators, and a risk coordinator into one room to debate risks and scores in real time, which surfaces disagreement and builds shared ownership. A structured questionnaire sends the same questions to many respondents and scales well across a large estate, but it can become a tick box exercise if the questions are long and the purpose is unclear. Most mature programmes combine the two: questionnaires for broad coverage, workshops for complex or cross functional processes, and one on one interviews for sensitive areas.
Scoring scales and how RCSA feeds the register and KRIs
RCSA scoring usually relies on ordinal scales, for example a five point likelihood scale from rare to almost certain and a five point impact scale from insignificant to severe, multiplied or mapped to a heat map. Control effectiveness is rated on its own scale, often from ineffective to fully effective. Residual scores then flow into the risk register as the single source of truth, while breaches of tolerance and the trend in residual risk feed key risk indicators, or KRIs, that management watches between assessment cycles. Many firms also aggregate residual scores upward, rolling process level results into a divisional and then enterprise heat map, so the board sees concentration of risk rather than a flat list of individual entries.
According to the ORX 2024 banking loss report, 82 global bank members reported gross operational risk losses of EUR 13.8 billion, well below the five year average of EUR 23.8 billion, a reminder that the operational exposures an RCSA tracks remain material even in a good year.
How often to run an RCSA and how it connects to other tools
Most firms run a full RCSA annually, with lighter quarterly refreshes for high risk processes or whenever a material change occurs, such as a new product, a system migration, or a reorganisation. The cadence matters: too frequent and the first line treats it as a chore, too rare and the scores go stale between cycles. The assessment also does not stand alone. It works best inside a wider operational risk framework, where it is triangulated against internal loss data that records events already suffered, external loss data from bodies such as ORX that shows what has gone wrong at peer firms, and scenario analysis that stress tests rare but severe tail events.
When the RCSA says a control is effective but loss data keeps showing the same incident, that contradiction is a signal worth investigating, and regulators increasingly expect that linkage to be evidenced rather than merely asserted. Connecting these views stops the RCSA from drifting into wishful thinking and keeps residual scores honest. Technology now shapes how the work is done: many teams have moved off spreadsheets onto GRC platforms that pre populate the taxonomy, route questionnaires automatically, and flag where residual scores breach appetite. The gain is consistency and a clean audit trail; the risk is that automation can entrench a tired template, so the underlying scales still need periodic challenge from the second line.
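The scoring mechanics described under "Scoring scales" and the loss data cross check described above, as one added worked example that is not part of the original article and not the code of any GRC product. It assumes a five point likelihood scale, a five point impact scale, a four step control effectiveness scale, a tolerance of 8 on the multiplied residual score, and a handful of constructed register entries and internal loss events; the plausibility rules in `challenge` are one set of second line checks rather than a standard.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Ordinal scales, as assumed for this example: both likelihood and impact run 1..5.
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT = {1: "insignificant", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
# Control effectiveness on its own scale. The integer is an ordering used for
# plausibility checks only; residual is re-scored by judgement, not derived from it.
CONTROL = {"ineffective": 0, "partially effective": 1, "largely effective": 2, "fully effective": 3}


@dataclass
class RiskEntry:
    """One line of the risk register: inherent and residual scored separately."""
    risk_id: str
    division: str
    process: str
    inherent_l: int
    inherent_i: int
    control: str                  # a key of CONTROL
    residual_l: int               # re-scored with controls credited
    residual_i: int
    prior_residual: Optional[int] = None   # last cycle's residual score, for the trend KRI

    def inherent(self) -> int:
        return self.inherent_l * self.inherent_i

    def residual(self) -> int:
        return self.residual_l * self.residual_i


def challenge(e: RiskEntry) -> list:
    """Second line checks that flag an entry as implausible or optimistic."""
    issues = []
    for name, v in (("inherent_l", e.inherent_l), ("inherent_i", e.inherent_i),
                    ("residual_l", e.residual_l), ("residual_i", e.residual_i)):
        if v not in LIKELIHOOD:            # both scales share the 1..5 range
            issues.append(f"{name}={v} is off the five point scale")
    if e.control not in CONTROL:
        issues.append(f"unknown control rating {e.control!r}")
        return issues
    # Crediting a control can lower a score, never raise it.
    if e.residual_l > e.inherent_l or e.residual_i > e.inherent_i:
        issues.append("residual exceeds inherent")
    # A control rated ineffective cannot justify any reduction at all.
    if CONTROL[e.control] == 0 and e.residual() < e.inherent():
        issues.append("reduction credited to an ineffective control")
    return issues


def breaches(register, tolerance):
    """Entries sitting above risk appetite, i.e. the ones that need an action plan."""
    return [e.risk_id for e in register if e.residual() > tolerance]


def heat_map(register, division=None):
    """Count of entries per residual (likelihood, impact) cell, per division or firm wide."""
    cells = Counter()
    for e in register:
        if division is None or e.division == division:
            cells[(e.residual_l, e.residual_i)] += 1
    return cells


def kris(register, tolerance):
    """Indicators management watches between assessment cycles."""
    scored = [e for e in register if e.prior_residual is not None]
    return {
        "entries": len(register),
        "above_tolerance": len(breaches(register, tolerance)),
        "deteriorating": sum(1 for e in scored if e.residual() > e.prior_residual),
        "max_residual": max((e.residual() for e in register), default=0),
    }


def loss_contradictions(register, loss_events, min_events=2):
    """Risks whose control is rated effective while loss data keeps recording the same event."""
    counts = Counter(ev["risk_id"] for ev in loss_events)
    return [e.risk_id for e in register
            if CONTROL.get(e.control, 0) >= CONTROL["largely effective"]
            and counts[e.risk_id] >= min_events]


# Constructed register and loss events for illustration; identifiers are invented.
REGISTER = [
    RiskEntry("OR-001", "Payments", "Batch payment run", 4, 5, "largely effective", 2, 5, prior_residual=10),
    RiskEntry("OR-002", "Payments", "Client onboarding", 3, 4, "partially effective", 3, 3, prior_residual=6),
    RiskEntry("OR-003", "Lending", "Collateral valuation", 2, 4, "fully effective", 1, 4, prior_residual=4),
    RiskEntry("OR-004", "Lending", "Manual journal entry", 4, 3, "ineffective", 2, 3, prior_residual=12),
]
LOSS_EVENTS = [
    {"event_id": "LE-17", "risk_id": "OR-001", "gross_loss": 120_000},
    {"event_id": "LE-21", "risk_id": "OR-001", "gross_loss": 45_000},
    {"event_id": "LE-23", "risk_id": "OR-002", "gross_loss": 8_000},
]
TOLERANCE = 8   # assumed appetite: residual score above 8 requires an action plan

if __name__ == "__main__":
    for e in REGISTER:
        for issue in challenge(e):
            print(f"{e.risk_id}: {issue}")
    print("above tolerance:", breaches(REGISTER, TOLERANCE))
    print("KRIs:", kris(REGISTER, TOLERANCE))
    print("Payments heat map:", dict(heat_map(REGISTER, "Payments")))
    print("effective on paper, losses say otherwise:", loss_contradictions(REGISTER, LOSS_EVENTS))
```

On the constructed data, OR-004 is challenged because a reduction has been credited to a control rated ineffective, OR-001 and OR-002 breach tolerance and need action plans, OR-002 is deteriorating against last cycle, and OR-001 is the contradiction the text describes: a control rated largely effective against two loss events in the same cycle. The roll-up in `heat_map` is what lets a divisional or enterprise view show concentration rather than a flat list.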
Who owns the RCSA: first line versus second line
Ownership follows the three lines of defence model. The first line, meaning business and function heads, owns the risks and performs the assessment for their own processes. The second line, operational risk management, sets the RCSA methodology, defines the scales, and challenges results that look optimistic. The third line, internal audit, independently validates that both the RCSA process and the controls it assesses are designed and operating effectively. Confusing these roles, for example letting the second line quietly complete the assessment for a disengaged first line, is one of the fastest ways to undermine credibility.
Common RCSA failures and how to avoid them
- Inconsistent definitions: one team scores a control effective while another would call it weak, because likelihood, impact, and control terms are not defined consistently
- Box ticking culture: participants score risks low to avoid follow up work and claim controls operate well without evidence
- First line disengagement: long questionnaires, unclear ownership, and duplicate data entry make the RCSA feel like compliance theatre
- Weak follow through: action plans go nowhere and the same risks reappear at the next cycle with no progress
- No continuous monitoring: the assessment is completed once and never refreshed, so controls drift without anyone noticing
A strong RCSA is not a spreadsheet exercise; it is an honest conversation about what could go wrong, anchored by clear scales and followed by real action. Teams that get it right treat inherent and residual scoring with discipline, hold the first line accountable, and connect every output to the register and to KRIs. For the scoring mechanics that sit underneath, read our companion guide on inherent versus residual risk, and to put the wider programme together, our walkthrough of operational risk management is a practical next step.