In our first blog in this series, Getting Started With Client Remediation (Part 1 of 3), we discussed how to get a client remediation program started, what levels of an organization should be involved in the client remediation program, and how ultimately positive outcomes, such as lower risks, improved technology, and risk monitoring, may result from a successful client remediation program. In the second blog, Client Remediation – Running the Program (Part 2 of 3), we looked at ways of shortening the length of client remediation programs. In this blog, we’ll review how financial institutions can avoid having to create and run a client remediation program in the first place by implementing Risk Control Self-Assessment (“RCSA”) techniques.

Steps of an RCSA Program

Risk professionals generally acknowledge that there are six steps to the RCSA process. These steps are:

Document the Control Environment
Identify the risks
Evaluate the risks
Identify and evaluate the control(s) for each risk identified
Take corrective actions
Monitor RCSA going forward

Many clients begin their RCSA journey with either an internal survey — often of software or other IT-related processes and controls — including exposure to ransom, the usefulness of the existing software, the ability to access data securely while remote, proper access to sensitive data, etc.

Perficient has helped launch, review, and maintain RCSA programs at some of the largest banks in the United States.  In our experience, the control environment and the identification and evaluation of risks are often non-IT risks and are usually documented best via a series of facilitated workshops run by risk management professionals and involving professionals from the front, back, and middle offices.

The result of the workshops can be summarized per process/business line:

What risks are present?
What control(s) do we have to mitigate these risks?
Have the controls been implemented?
If implemented, have the controls been effective?
If not effective or not implemented, decide the response action.

Inherent risks, which are the risks that exist in the process, as well as residual risks, which are the risks that remain after business controls are in place that cannot be avoided, will be assessed and usually rated as “High,” “Medium,” or “Low.” For instance, people are going to die (residual risk), despite health plans (the control) to keep them healthy.

SharePoint, Excel sheets kept on a desktop, and hand-written scrawls on napkins are not the way to maintain a robust control environment. A centralized Risk Management Tool is mandatory in modern banking, and the front/middle/back offices must be able to provide a constant input of new information into the system. All data from the Workshops should be stored in the Risk Management Tool. Usually a rating scale of “Satisfactory,” “Needs Improvement,” or “Unsatisfactory” is used for the overall area or process under consideration.

Once risks have been identified and assessed (steps 2 and 3 above), techniques to manage the risk fall into one or more of these four major categories:

Avoidance (eliminate)
Reduction (mitigate)
Transfer (outsource or insure)
Retention (accept and budget)

Using RCSA On A Go-Forward Basis

RCSA does not end with a series of workshops or even a round of corrective actions done after the workshop(s). Properly done, RCSA is a normal business function with multiple inputs into the Risk Management Tool and periodic tests in the live environment. Heat Maps will be generated and distributed, test designs scripted, and tests will be executed to ensure the controls worked as intended. You don’t just go to the doctor, get weighed, and have your EKG done, and that’s it.  Running quarterly, semi-annual, or annual tests of controls, and reconsidering risks in a constantly changing environment, are the firm’s equivalent to eating better, exercising, and losing weight to ensure you’ll be better at the next doctor’s appointment.

Conclusion

In this series of three blogs, we have spelled out how to initiate a successful client remediation program, how to run a client remediation program efficiently and effectively, and discussed how to implement a successful ongoing RCSA program to avoid the need for a client remediation program in the first place.

Perficient, with more than 7,000 professionals worldwide, has successfully helped clients through all three of these customer remediation stages.  If you would like to more information, please contact us.