Risk and Control Assessments

Cathy Hampson, Gus Ortega


Risk-and-control assessments (RCSAs) are an essential component of a robust operational-risk framework. The exercise itself can be a unique opportunity for employees from different areas to get together to discuss risk. Although there are several ways in which to perform an RCSA, the workshop approach remains one of the author’s favourites, the reasoning being that the interplay and cross-fertilisation of the discussion creates a dialogue and debate impossible in a desktop exercise.

In this chapter, we will explore the background to the use of RCAs; explain what they are and how they are conducted; and differentiate inherent and residual risk levels and the beneficial effect of controls. We will also consider how to quantify the risk levels using a consideration of the impact and likelihood that a risk event will occur.

In order to leverage the human interaction in assessing risk, the chapter explains what information the participants should receive ahead of an assessment, and which participants are needed. The cycle of risk assessment, remediation and reassessment concludes the chapter.


RCSAs have been utilised in the operational-risk
