Ali Abbas
Confessions of a Compliance Executive
The recipe for successful Risk Control Self-Assessment (RCSA): is there a secret sauce?
Compliance expert and former Head of Compliance, Sylvia Yarbough, shares secrets and insights from the heart of the compliance team.
Over the last year, there seems to have been some great deficit in staff that are able to conduct control testing at various organizations. As an independent consultant with my profile on LinkedIn, I have received my fair share of job solicitations from firms looking for individuals with this type of experience. All of the job descriptions pretty much look the same: organizations looking for people with 5+ years of experience in developing risk controls, testing and/or conducting assessment.
These offers got me thinking… was the “Great Resignation” primarily driven by risk professionals? Are there that many organizations needing to develop this portion of their risk program… given that this really is the bread and butter of risk?
Some of these organizations were well established financial institutions. So, what was generating all of these job openings? I started questioning some of the recruiters. I also reached out to some of my peers still well entrenched in their organizations, fighting the good fight – managing risk. It turns out that there are three types of needs at play. There are:
- The financial institutions who have grown to sufficient size, therefore need to beef up their compliance programs;
- The FinTechs that are instituting aspects of a compliance program to be able to pass regulatory scrutiny; and
- The tried-and-true financial institutions who find the need to constantly reinvent, dig deeper, or revamp their risk controls testing and self-assessment programs.
I am going to focus on the third type for this article, because I believe there are lessons that I have learned over the course of my career that can be applied to all three. In my time in the financial services industry, I have found that there are five main ingredients in a Risk Control Self-Assessment (RCSA):
- Understanding the business process
- Identifying the highest risk
- Establishing the controls
- Testing the controls
- Assessing Risk
Yep, for those of you with the experience, the ingredients in the RCSA “Secret Sauce” haven’t changed over the years. So why is there a constant need to hire and train new staff, and worse, to constantly re-look and reinvent?
Understanding the business process
Any risk team worth their salt will take the time to identify the major processes in their organization. In my experience, focusing on the products and processes (e.g., loan origination, loan transaction processing, loan servicing) provides a broader horizontal view. Department verticals, by contrast, offer a limited view that must later be pieced together and can result in redundant controls.
Within each product process, following the activities and getting them documented in a process workflow document (yes, I said it: a process workflow document) is worth all the effort it takes to complete. I have typically done this work as a project with business partners. Sometimes, this means I have been lucky enough to find that the work has already been done as part of a system design or other business initiative. In any case, it’s important that you understand the process flow, whether the risk team initiates the documentation or you leverage an existing process flow document that may need some additional fleshing out for risk use.
This seems pretty straightforward, so what goes wrong? It’s simple: like all ingredients in any recipe, there is a shelf life. This document, once developed, cannot sit on the shelf and get stale. It needs to be a living, breathing document, updated when business processes change and reviewed periodically for validation, to support the next ingredients: identifying key risks and updating your controls.
It can be a daunting effort. Often, I found myself in the same position even with the knowledge of the importance of these process workflows. With the challenge of insufficient resources and competing priorities, they get so stale that you (or your successor) will find yourself starting over again. On occasion, I have had the luck to work with business partners who also saw the value in these documents for other purposes, and by mutually sharing them, Risk was sometimes able to benefit from the versions they maintained.
Identifying the key risks within the process
The next ingredient in this secret sauce is identifying the key risks within a process. What do I mean by key risk? Well, in the case of Compliance Risk, you are looking for the processes that support the high-risk regulatory requirements. By first focusing on the high-risk regulatory requirements, the risk team was able to narrow their focus and get to the next ingredient, establishing controls. This is not to say that we didn’t build this work out further to include the medium and eventually some of the low-risk regulatory requirements. However, by starting with the highest-risk regulatory requirements, we established a good foundation and then expanded on it.
Developing controls
Developing controls for areas in the process that align to the key regulatory requirements has often been difficult. Risk teams should always do this work with their business partners.
The push that I’ve seen time and time again is the business believing that their written policies and procedures are the controls. That is NOT the case. At best, within the procedures you may find nuggets that indicate a control. A good control should be designed to either detect or prevent an error. As we all have learned, taking the time to clearly document the attributes of the control, its method, and how it will be tested should all be done up front. It is through those discussions that you can come to a better understanding of the control’s effectiveness, even before testing is executed.
One of the things I would push for was the development of a Controls Library… though I can’t say I was always successful. I often entered organizations that had, over time, built up a massive inventory of controls. For some, it seemed easier to keep adding, instead of stepping back and re-evaluating the controls they already had.
Having a complete and consistent library of controls allows you to identify the basic details of each control, and its impact on different products and processes within the organization, based on the process flow work. This reduces duplication and redundancy and allows the testing team to focus their energies in the right place.
This is always the ingredient of the secret sauce where risk professionals find themselves coming unstuck. Unless you’re lucky enough to start from scratch, most of us find ourselves having to navigate the work of our predecessors. This often means wading through volumes of controls that are poorly documented, and finding the same regulatory requirement covered by multiple controls that really aren’t effective. If you’re lucky enough to be able to build from scratch or get a do-over, remember that it’s not necessary to fully document all controls before testing, but an inventory of key controls tied to the high-risk regulatory requirements can make testing easier and more effective.
Like all ingredients in a good recipe, less is more.
Testing the controls
The purpose of internal controls testing is to identify whether the controls are properly detecting or preventing risk. Testing doesn’t always identify all of the issues. However, what I have also learned is that establishing a good process for issue management (a topic for a different day) leads to better long-term outcomes. Over time, even the best intentions can lead most organizations into having hundreds or even thousands of documented controls in place. Testing all of those controls would be out of the question.
In my observation, the best approach was always to prioritize controls testing by the risk rating associated with the regulatory requirements. The higher the rating, the more important the test. Another challenge is to set a cycle of testing based on the products and processes that pose the highest risk to the organization. Understanding the risk in your products and processes, then having the underlying departments carry out the work, helps to set the frequency of testing.
I often found that the secret to successful tests lies in keeping things simple. Testing is not the end goal; risk partners need to focus on identifying and mitigating risk. Testing is a necessary evil, but many organizations get caught up in so much testing, issue finding and remediation: “wash, rinse and repeat”. You do what you must do to get a reasonable sense of a well-managed risk program, but don’t spoil the sauce by making testing the main ingredient. All of the ingredients must exist in reasonable balance.
Assessing risk
On an annual basis, RCSAs will be completed in most organizations. This was often a heavy lift because of, truth be told, poor planning. Many organizations used to try to conduct this process all at once. One of the organizations I worked for figured out that setting a staggered 12-month cycle still allowed for understanding and aggregation of the risk, without the massive lift requiring business partners to stop their day jobs.
RCSAs are often more qualitative and not quantitative enough. Business and Risk partners look at the inherent risk and probability of occurrence, then determine whether the controls are satisfactory, leading to a residual risk. A lot of organizations still conduct this process as a group discussion or survey, slogging through every risk and control to land on an overall rating for the product being assessed.
By now, you probably will have picked up on my underlying theme. By keeping the other ingredients to a minimum (high-risk regulatory requirements, key controls, and testing only where necessary), this part of the process can become less burdensome. Organizations should push to make this portion of the process less qualitative and more quantitative, leading to comparable trends and avoiding the groupthink that doesn’t really lead to an understanding of risk in any organization.
In closing, you might have figured out that, while there are many ingredients, there is no secret sauce.
RCSA ingredients haven’t changed much over the last decade. I do suspect there is pressure on organizations to improve this process, which is why we see constant recruiting for risk professionals with this expertise.
However, an organization really willing to step back and not believe that quantity makes quality might find that a more streamlined, focused approach will achieve the same objective. Again, less is more. In my observation, balancing all of the ingredients would serve many organizations well. I will also state that leveraging automation to achieve the same end should be the focus. Look out for my next article, where I cover my experiences in using continuous monitoring as an alternative.