Security & Risk Management

Risk and Control Self Assessment (RCSA)

The Cognosphere Innovations Data Risk Intelligence scans aid businesses with the identification of third party vendors for regulatory and compliance purposes. As part of third-party risk management in the privacy context, organizations need to know all of their service providers and what personal data is being shared with them. How can a business use this information?

In addition to the standard usage as part of the GDPR Article 28 process, organizations that complete the Data Risk Intelligence scan can use this data as part of their internal audit process and vendor risk management.

If your organization has not yet established a mature internal controls process, this can be accomplished by usage of an established controls framework such as the Risk and Control Self Assessment (RCSA). There are a number of other risk frameworks that your organization could adopt, but this is a popular one.


What is an RCSA and Where is it Used?

An RCSA framework is used by companies to analyze their operational risk.

The RCSA was developed after a four-volume report on internal controls was released by the Committee of Sponsoring Organizations of the Treadway Commission in 1992. This framework would become a standard for evaluating compliance with the Foreign Corrupt Practices Act (FCPA).

The RCSA framework is also often used by financial institutions to meet regulatory requirements for an annual self review of operational risks firm-wide. Notwithstanding its use in the financial industry, it could also be used as a methodology for evaluating third-party vendor risks.

An RCSA has become an accepted means of satisfying corporate governance requirements and acts as a valuable audit tool.

What is the General Approach to an RCSA?

An RCSA typically consists of:

  • Identification of business objectives, targets or process goals.
  • Identification of risks that could threaten those objectives.
  • Identification of the controls in place to prevent or limit those risks.
  • Identification of the roles and processes responsible for performing the controls.
  • Assessment of the effectiveness of the controls and of the mitigated or unmitigated risk remaining after those controls are established.

When an organization conducts an RCSA exercise, it is generally carried out by each business unit. The individual assessments are then collected and compiled to create a comprehensive view of risk across the organization.

What are the Approaches and Techniques to Performing an RCSA?

Organizations can adapt their approach to their individual case, as there is no one-size-fits-all approach to conducting and implementing the RCSA. Instead, the best approach may depend on the organization's internal culture, size, complexity of issues and governance. Nevertheless, a few distinct approaches have been developed:

1. Workshop

Some organizations gather their key stakeholders together to create a dialogue around their objectives, risks and controls. The benefits of this approach are considered to be reduced paperwork requirements, raised overall awareness of risks, and enhanced risk management skills across the staff of an organization. Advance preparation can define the workshop's objectives and provide context to participants on the contributions expected of them.

2. Questionnaires

This approach should be familiar to organizations that have conducted Privacy Impact Assessments (PIAs) or Data Protection Impact Assessments (DPIAs). Standard questionnaires can assist respondents in identifying risks and controls and in evaluating them for the organization. However, this approach requires developing the survey, ensuring completion by the relevant stakeholders, and compiling the results across those stakeholders.

3. Hybrid Combinations

A mix of workshops and questionnaires can be used to avoid burdening participants while maximizing the results of the RCSA exercise.
