@ISACA Volume 1  11 January 2017

Tips for Understanding the Role of RCSA in Risk Management

Lisa Young, CISA, CISM

Organizations exist to produce a product or deliver a service and generally have a strategy or a set of goals. Risk management is an organizational discipline that, when combined with strategic planning, ensures that the risk with the greatest potential negative impact on the ability to achieve the organization’s stated goals is identified, analyzed and responded to in an appropriate way (given the risk tolerances of that organization).

In September 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released a 4-volume report titled Internal Control—Integrated Framework. This report presented a common definition of internal control, providing a framework against which internal control systems could be assessed and improved. Around the same time, the Turnbull Report was published and set out internal control best practices for UK-listed companies. After a few years of focus on internal control systems and corresponding internal controls, the management of risk was added to both the COSO and Turnbull reports. This was the genesis of risk and control self-assessment (RCSA) as we now know it.

An RCSA is one tool for surveying or interviewing the business and frontline personnel to understand their view of the risk factors that might impede their progress toward objectives. For the areas of concern identified as a potential risk, a set of corresponding controls that would assist in mitigating the risk or reducing its impact is determined. When an RCSA is used as the only source for risk identification, the organization’s capability to perform risk management is not fully developed, and important risk may go unnoticed. Here are some tips for thinking about how your organization identifies risk that may lead you to a more complete picture of the risk that your organization faces:

  • Do I begin with business goals and objectives and then identify IT-related risk to those business objectives? Many RCSAs are focused on known risk rather than new areas of concern or factors that have not materialized as realized risk yet.
  • Is my organization engaged in actively building skills in risk management? Do we have a common language for risk terms? Risk and controls are complementary, but they are not the same.
  • Do senior leaders in my organization seek out risk management insights to improve performance (not just manage the risk of noncompliance)?
  • Is robust and realistic scenario analysis a primary technique in my risk identification approach? If you are not using the COBIT 5 risk scenarios, consider looking at them and trying to incorporate them into your risk identification process.
  • Do business cases for all strategic initiatives (and major projects) include a detailed and specific description of risk in design, implementation and operations, along with steps to proactively manage them?
  • When conducting an RCSA, is the interviewee or survey participant asked about their concerns (that might not be part of the RCSA)?
  • Do I align strategic goals and objectives to a set of control objectives rather than prescribe a set of controls to use? Having a set of control objectives provides the ability to actively manage risk by changing the process or procedures, avoiding the activity that contributes to risk, or detecting a risky activity sooner. Controls are not the only way to manage risk.
  • Do I actively refine control objectives and the associated controls to make them simpler to save time and cost in design, implementation, use and monitoring?

Risk management is an ongoing organizational capability that can be improved over time. The goal is to keep the business operating with minimum impact from a realized risk or incident. Risk and control self-assessments are but one tool in the risk management tool kit. Make sure your RCSAs are robust enough to add value to the risk management process.

Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.


Register for the May/June Certification Exam Testing


ISACA’s certifications combine the achievement of passing an exam with proven work experience, giving you the credibility you need to move ahead in your career. Certification proves to employers that you have what it takes to add value to their enterprise. In fact, many organizations and governmental agencies around the world recognize or require ISACA’s certifications.

Starting in 2017, the Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), Certified Information Security Manager (CISM) and Certified in the Governance of Enterprise IT (CGEIT) certification exams will be administered via computer-based testing (CBT) during 3 testing windows that will each be 8 weeks in length. CBT will provide new benefits to candidates taking the exams, including greater flexibility in taking the exam and faster exam results.

Registration is now open for the May/June 2017 exam. You can save US $50 by registering by the early registration deadline of 28 February.

The 2017 exams will be available during the following windows:

  • 1 May–30 June
  • 1 August–30 September
  • 1 November–31 December

Learn more about the 2017 exams including registration dates and deadlines, available language offerings, and important exam day information on the Exam Candidate Information Guide page of the ISACA website.