Chpt 5 Flashcards
What is RCSA?
Risk and Control Self-Assessment - a process for identifying, assessing and managing risks and controls.
What are the benefits of RCSA?
Cultural change, strategy alignment, consensus, accountability, anticipating threats, efficiency.
What is the role of RCSA?
Proactively identify and manage operational risks before they impact objectives.
Name 3 RCSA approaches.
Workshops, Questionnaires, Hybrid.
What are 2 advantages of RCSA workshops?
Interaction, guidance, buy-in.
What are 2 disadvantages of questionnaires?
Misinterpretation, bias.
Define likelihood.
Possibility of a risk event occurring.
Define impact.
Consequences if an operational risk occurs.
What is assessed for likelihood and impact?
Inherent risk and residual risk.
Name 4 types of controls.
Preventative, detective, corrective, directive.
What determines if a control is effective?
Design and operation.
Who is the risk owner?
Accountable for managing risk identification, assessments, etc.
Who is the control owner?
Designs, operates and monitors controls.
Name 4 risk response actions.
Accept, reduce, transfer, avoid.
What are 2 uses of risk reporting?
Guide decisions, raise awareness.
What does a heat map show?
Visual summary of risk exposures.
Name 3 triggers for ad hoc RCSA.
Change in appetite, restructure, new regulation.
What validates likelihood and impact assessments?
Risk indicators and loss events.
What are 3 reporting contents?
Assessments, actions, changes.
What maintains RCSA as BAU activity?
Governance committee oversight.
What skills make an effective RCSA facilitator?
Risk knowledge, challenge consensus, unbiased.
What evidences control effectiveness?
Testing and attestation.
What causes re-assessment of risks?
Changes in likelihood, impacts or controls.
What improves reporting?
Interpretation not just data.
What is a risk register?
Database recording RCSA outputs.
What confirms RCSA adds value?
Implemented efficiency improvements.