Risk and control self-assessment

Building your organisation's risk radar

Original content provided by 

Every organisation needs a reliable way to identify, evaluate and manage its risks. One of the oldest tools in the Operational Risk Management toolbox for doing so is the Risk and Control Self-Assessment (RCSA). While the concept started as a pure self-assessment exercise, it has matured into a more objective and comprehensive approach that helps you understand and manage your risk landscape effectively. 

In this fourth article of our BDO Risk Blueprint series, we will explore the benefits and practicalities of an RCSA to strengthen your organisation's risk management capabilities. Building on the risk framework we discussed earlier, we will show you practical ways to evaluate risks and controls that align with your risk appetite. 

The three essential elements of risk & control assessment

Think of a Risk and Control Self-Assessment as your organisation's health check-up. Just as a medical examination helps identify potential health issues, an RCSA helps you spot and evaluate risks before they impact your business. The RCSA process can be broken down into three manageable steps: 

  1. Evaluating inherent risk: start by examining your risks in their 'natural state' - before any controls are applied. For most business units, this means looking at raw risks. However, for technically complex departments like IT or Legal, we examine risks under a scenario where multiple key controls might fail simultaneously. This gives us a more realistic picture of potential exposure. 
  2. Assessing control effectiveness: next, evaluate how well your controls are working. This goes beyond simply checking if controls exist - you need to verify their effectiveness through testing and validation. Just like testing the locks on your doors, you don't just want your controls to be there, you want to know they work reliably. 
  3. Determining residual risk: finally, assess your residual risk - what remains after your controls are applied. This helps you understand if your current control environment adequately protects your organisation or if additional measures are needed. 

What to expect from an RCSA

An RCSA is both an assessment and an identification exercise. In short, here is what to expect as the output of this process: 

  1. Your key risks, linked to your organisation's objectives. 
  2. Your residual risks under stressed conditions, how they relate to each other and where they sit in terms of your risk appetite. 
  3. An assessment of your controls and how they are performing in terms of effectiveness. 
  4. The areas where action plans are required, because the assessed residual risk exceeds your risk appetite and tolerance. 

Linking your RCSA to your risk appetite & taxonomy

As discussed in our first Risk Blueprint video, consistency across your risk management framework is crucial. In this regard, your RCSA as well as your Probability & Impact matrix (P/I matrix) can be seamlessly integrated into your full framework. 

In the visual, you can see how all the elements of your risk management framework come together: from the overarching risk appetite statement, translated into risk types aligned with your risk taxonomy, down to the tolerated and calibrated scales matched with your impact taxonomy. 

What this illustration shows is that the use of a heatmap in an RCSA process is driven by the rest of your risk management framework. 

Risk Appetite, Risk Taxonomy & RCSA

Typical risk likelihood and impact scales

When evaluating your organisation's risks, you need clear criteria for both likelihood and impact. 
Here is a practical framework: 

Likelihood Scale – likelihood that the risk occurs within one year 

  • Almost Certain: 50-80% chance 
  • Likely: 30-50% chance 
  • Possible/Medium: 10-30% chance 
  • Unlikely: 5-10% chance 
  • Rare: less than 5% chance

Impact Categories
Ratings: Extreme – Major – Moderate – Low 

  • Financial Impact 
  • Service Delivery and Continuity 
  • Customer Experience and Reputation 
  • Regulatory Compliance 

Pro tip: Ensure your impact scales align across categories. If an “extreme” financial impact represents 25% of annual operating income, other impact categories should reflect comparable severity levels. 

The outline of an RCSA workshop: method & steps

The heart of your RCSA lies in structured workshops that bring together your key stakeholders to identify and evaluate risks. 
Here's what makes these workshops so effective: 

Risk & control assessment: method and steps

Before the Workshop: 
  • Define clear objectives and scope 
  • Identify the right participants 
  • Gather relevant data and documentation 
  • Prepare assessment tools and templates 
During the Workshop: 
  • Focus discussions on risks to business objectives 
  • Document key concerns and control measures 
  • Identify control owners 
  • Reach consensus on risk ratings 
  • Create preliminary heat map positioning 
After the Workshop: 
  • Validate control effectiveness through testing 
  • Review documentation and evidence 
  • Compare findings with incident data 
  • Finalise risk assessments 
  • Develop action plans for high-risk areas

Effective risk assessment is not just about identifying problems – it is about creating a systematic way to understand and manage your organisation's risk profile. An RCSA workshop makes you more aware of your risks and helps you build a more resilient organisation that is better prepared for future challenges.

Risk management: the power of heat maps

Heat maps provide a powerful visual tool for prioritising your risk management efforts. 
They help you: 

  • Identify high-priority risks that need immediate attention 
  • Allocate resources effectively 
  • Track risk positions over time 
  • Communicate risk levels clearly to stakeholders 

RCSA in context

A practical example

In information security, you might see different manifestations of the same risk type: 

  • High-frequency, low-impact events like device loss 
  • Medium-frequency data security incidents 
  • Low-frequency, high-impact cyber attacks
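The three RCSA steps (inherent risk, control effectiveness, residual risk), the likelihood scale above and this information-security example can be tied together in a small scoring model. The block below is an added illustration, not BDO's methodology: the likelihood bands are the article's, while the impact scores, the number of likelihood steps a control rating removes, the appetite threshold and the sample register are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Likelihood scale taken from the article (chance of occurring within one year).
# Lower bound of each band -> (score, label). The article's top band ends at 80%,
# so anything at or above 50% is treated here as Almost Certain.
LIKELIHOOD_BANDS = [(0.50, 5, "Almost Certain"), (0.30, 4, "Likely"),
                    (0.10, 3, "Possible"), (0.05, 2, "Unlikely"), (0.00, 1, "Rare")]
# Article's impact ratings, scored 1..4 (assumed numeric mapping).
IMPACT_SCORES = {"Low": 1, "Moderate": 2, "Major": 3, "Extreme": 4}
# Assumption (not from the article): likelihood steps removed by a tested control rating.
CONTROL_STEPS = {"Effective": 2, "Partially effective": 1, "Ineffective": 0}

@dataclass
class Risk:
    name: str
    inherent_probability: float   # step 1: annual chance with key controls assumed failed
    impact: str                   # worst of the four impact categories, one of IMPACT_SCORES
    control_rating: str           # step 2: outcome of control testing, one of CONTROL_STEPS

def likelihood_rating(annual_probability: float) -> int:
    """Map an annual probability onto the article's 1..5 likelihood scale."""
    for lower, score, _label in LIKELIHOOD_BANDS:
        if annual_probability >= lower:
            return score
    raise ValueError("probability must be >= 0")

def residual_score(risk: Risk) -> int:
    """Step 3: residual risk as a heat-map cell (likelihood x impact) after controls."""
    inherent_likelihood = likelihood_rating(risk.inherent_probability)
    residual_likelihood = max(1, inherent_likelihood - CONTROL_STEPS[risk.control_rating])
    return residual_likelihood * IMPACT_SCORES[risk.impact]

def assess_register(register: list, appetite_max: int) -> list:
    """RCSA output per risk: inherent score, residual score, and whether an action plan is due."""
    results = []
    for r in register:
        inherent = likelihood_rating(r.inherent_probability) * IMPACT_SCORES[r.impact]
        residual = residual_score(r)
        results.append({"risk": r.name, "inherent": inherent, "residual": residual,
                        "action_plan": residual > appetite_max})
    return results

# Constructed sample register mirroring the article's information-security example.
SAMPLE_REGISTER = [
    Risk("Device loss", 0.70, "Low", "Effective"),                       # high frequency, low impact
    Risk("Data security incident", 0.20, "Major", "Partially effective"),  # medium frequency
    Risk("Cyber attack", 0.03, "Extreme", "Partially effective"),          # low frequency, high impact
]
APPETITE_MAX = 4  # assumed tolerance: a residual heat-map score above this needs an action plan

if __name__ == "__main__":
    for row in assess_register(SAMPLE_REGISTER, APPETITE_MAX):
        print(row)
```

With these assumptions only the data security incident (residual 6) breaches the appetite threshold; the device-loss risk drops from 5 to 3 because its controls tested effective, while the cyber-attack likelihood is already at the floor of the scale, so a partially effective control does not lower its score.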

Risk and Control Assessment (RCA) Programme for a large Industrial Group