Risk and Control Self Assessment

An RMIA Virtual Course in partnership with The Protecht Group.


This workshop is aimed at risk practitioners and business managers who have, or are looking to implement, a robust and comprehensive Risk & Control Self Assessment (RCSA) process within their organisation. The workshop covers all aspects of the RCSA process, from design and implementation through to carrying out assessments, reporting results and creating follow-up actions. The RCSA process is considered both as a stand-alone process and as part of an integrated Enterprise Risk Management framework.

The course applies the AS/NZS ISO 31000 and 31010 standards.

Course Overview

1.  An overall Framework for Managing Enterprise Risk

  • Revisiting risks and controls: what are we assessing?
  • The risk Bow Tie: Causes, Events and Impacts
  • A risk framework and where RCSA fits
  • Inherent, Residual, Expected and Targeted Risk
  • Treatment methods and control effectiveness
  • Understanding likelihood and impact drivers

2.  Defining Risk & Control Self Assessment (RCSA)

  • Objectives of RCSA
  • What is RCSA?
  • The importance of linking RCSA to strategy and objectives
  • The various approaches to RCSA

3.  The steps in an RCSA process

  • Identifying business and process objectives
  • Identifying critical processes
  • Identifying risks
  • Identifying controls
  • Assessing risks: Inherent and residual
  • Assessing the effectiveness of controls
  • Creating escalations, follow ups and action plans

4.  RCSA inputs

  • Determining what we will assess
  • Identifying risks
  • Risk descriptions: what are the rules?
  • Identifying treatment methods
  • Types of Control
  • Likelihood and impact scales
  • Setting likelihood scales: What measure?
  • Setting impact scales: How many types of impact?

5.  RCSA processes

  • Linking risks to objectives and critical processes
  • Linking risks to causes and impacts
  • Linking risks to controls
  • Assessing the size of risk
  • Is inherent risk useful and can it be determined?
  • Cumulative and aggregated control effectiveness
  • Determining treatment/control improvements
  • RCSA Case study: Carrying out an RCSA

6.  Setting up an RCSA for completion

  • Deciding on participants
  • Background information
  • Carrying out an initial assessment
  • Carrying out periodic assessment updates
  • Towards continuous assessment

7.  RCSA Reporting

  • Types of report and information
  • Information to report
  • Including RCSA in an aggregated dashboard report
  • Interpreting reports

8.  Using RCSA

  • Escalations and notifications
  • As a risk monitoring and management tool
  • As a benchmarking tool
  • As a driver of behaviour

9.  RCSA as part of a Risk Framework

  • Linking RCSA to KRIs, Compliance, Incident Management, Issues and Action Tracking
  • Obtaining business engagement

10.  The future of RCSA

  • Where to next?
  • Maximising the value from the RCSA process
  • The main pitfalls and how to overcome them

Learning Objectives

  • An in-depth understanding of the objectives and outcomes of a robust RCSA process
  • An understanding of how the RCSA process integrates into an enterprise risk management framework and how the results of RCSA can be used in scenario analysis, key risk indicators, incident management and compliance
  • The ability to design an effective and efficient RCSA process
  • The ability to set relevant risk scoring scales to reflect risk appetite and tolerance
  • The ability to produce meaningful reports as output from the RCSA process
  • How to use the RCSA in risk and general management
  • How to use RCSA results to develop risk treatment improvements
  • An appreciation of the system requirements and system pitfalls for an effective RCSA process
  • The skills to be able to carry out effective and engaging RCSA workshops
  • An understanding of the pitfalls to a successful RCSA process and how to overcome them
  • An understanding of relevant external guidance and requirements including ISO 31000 and ISO 31010

Format of the Course

This course is delivered in an entirely online COVID-Safe format. The course is a total of six (6) hours, delivered in four 90-minute sessions via the GoToTraining platform.

TRAINER: David Tattam from The Protecht Group

Author of 'A Short Guide to Operational Risk', David Tattam is an internationally recognised specialist in all facets of risk management, particularly at the enterprise level. David is the founder and current Director Research and Training for the Protecht Group, an Australian firm specialising in risk management software, consulting, advisory and training to a wide range of clients both locally and overseas. His career includes many years working with PwC, as well as two international banks. His achievements include the creation of the Middle Office (Risk Management Department) for The Industrial Bank of Japan in Australia and the complete implementation of all Australian operations, systems, procedures and controls for Westdeutsche Landesbank (WestLB). David’s passion is risk training, having developed numerous risk courses and trained many thousands over the past 2 decades. Protecht celebrated its 21st year in 2020.

INVESTMENT: $770.00 incl. GST for Members

$924.00 incl. GST for Non-Members

CPD: 12 points

For Group Bookings please email events@rmia.org.au or call 0430 157 508.

To register for this event go to Upcoming Events for current courses available.