Skip to Main Content

The Potential of RCSAs: Key Findings From RMA’s Industry Survey

12/18/2024

In strengthening the ability of organizations to identify process gaps and weaknesses, risk and control self-assessments (RCSAs) have become critical to managing operational risk across an enterprise. Since coming into wide use, the effectiveness of RCSAs has been improved thanks to advances in technology, methodology, and organizational buy-in. Still, opportunities for improvement are evident. In particular, financial institutions are reassessing aspects of their RCSA programs to add greater business value, improve RCSA methodology, and choose an execution approach that works most effectively. A survey conducted in August and September 2024 by RMA, in collaboration with PwC, details the current state of RCSA in the financial services industry, from how they are typically developed, to how they are used, to how they can be improved. Some highlights of the survey follow.   

How RCSAs Are Developed 

RMA’s benchmarking survey of 61 financial institutions ranging in size from under $10 billion to over $250 billion details how time spent developing an RCSA, what prompts a new RCSA, and how information is gathered in an RCSA’s creation can differ by bank. For example, a typical timeframe to execute an RCSA is two to three months, the survey found, with 40% of respondents specifying that time range. On the margins, 10% of respondents complete their RCSAs in less than a month, while 5% update RCSAs continuously on a dynamic basis.  

Once an RCSA is in place, three-quarters of respondents will deploy it for a set period of time, usually every six months to every two years, before developing a new one. Some respondents said they begin updating RCSAs when triggered by a rising risk level, not based on the age of their current RCSA. Events that are most likely to trigger a new RCSA are changes to a product or service, changes to regulatory requirements, control rating downgrades, and internal loss/near-miss events, the survey found.  

To craft an updated RCSA, most respondents (61%) gather information from their teams through a mix of facilitated workshops and individual offline work, while 21% rely exclusively on offline work and the remainder only use facilitated workshops. A report prepared by PwC for survey respondents, who received the full survey results, said the popularity of a workshop setting “highlights the importance of in-person discussions to enforce more high-quality RCSA outputs and accurate results.”  

How RCSAs Are Used  

The survey showed that financial institutions commonly use RCSA outputs to inform day-to-day business decisions as well as strategy. Nearly half of respondents (48%) said they use RCSAs to link control gaps to issues and action plans, while a third said they use the outputs to prioritize control testing based on level of risk and to guide annual risk profile decisions.  

Other uses include: 

  • Informing top and emerging risk materiality.  
  • Linking regulations to relevant processes, risks, and controls. 
  • Providing compliance controls to regulators.  
  • Planning future audits. 
  • Informing strategic plans and investments. 

The survey found that institutions under $100 billion in assets tend to focus on leveraging RCSAs to improve risk management capabilities, including the effectiveness of their control environment. Institutions at $100 billion and above in assets focus on strengthening RCSA programs to meet heightened regulatory expectations. The overwhelming majority of respondents (83%) said they use an organizational or business hierarchy to divide RCSA work into assessment units, while other financial institutions assess based on product line.  

How RCSAs Can Be Improved  

Among opportunities for improvement, the survey found that small- to mid-sized financial institutions only use RCSA outputs minimally to inform strategic plans and investments. And industry-wide, there could be better use of RCSA outputs to inform future audit areas or provide assurance to regulators regarding compliance-related controls. Survey respondents also identified resource constraints, immature skillsets, lack of buy-in from leadership and the first line, and regulatory pressures as among the obstacles to optimizing RCSA’s full value. 

To help members address these challenges, RMA offers opportunities to meet in person twice a year—once in the fall and once in the spring—to share insights and discuss RCSA practices in detail. For more information about these events, visit the RMA calendar of events or the forums and roundtables page. 

Survey takers noted several actions they are taking to strengthen their RCSA efforts. The majority said that, over the previous 12 months, they had improved their methodologies in several areas, including taxonomy and library enhancements (75%), enhancement in risk and control identification guidance (72%), and engaging review and challenge specialists (56%). 

Institutions are also boosting RCSA capabilities with technology and the hiring and training of staff. However, uptake of modern technology including AI has been gradual: It increased over the previous survey, but only from 8% to 20%, and over half (56%) of respondents said technology implementation was a significant challenge. Respondents said technology was helping them perform quality assurance for review and challenge, while others noted its use in reporting and trend analysis. Regarding talent, the survey found that institutions are focusing on training, upskilling, and dedicating additional skilled resources to review and challenge activities. 

Another common goal is integrating RCSA with other risk. Only 21% respondents said they have a “sustainable and integrated” RCSA program in place. Respondents believe further integration with other risk programs can yield expanded insights and more consistent interaction across first and second lines of defense. 

The Path to RCSA Maturity  

While RMA’s latest RCSA survey makes clear that process challenges remain across the industry, it also indicates that institutions of all sizes continue to refine and grow their RCSA processes: As with the year-earlier survey, the vast majority of respondents indicated they had made RCSA program enhancements over the previous 12 months. The argument for continued improvement is especially bolstered by the promise of technology. According to the aforementioned PwC survey report, “the possibilities are endless to reinvent how technology is used to add value to RCSA.”