Friday Jun 12, 2026
Friday, 12 June 2026 00:10


In an environment shaped by rapid digitalisation, heightened fraud risk, and increasingly intrusive regulatory scrutiny, Sri Lankan financial institutions are under growing pressure to demonstrate that risks are not merely documented, but genuinely understood and managed.
Against this backdrop, the Risk and Control Self-Assessment (RCSA), often viewed as a routine compliance exercise, remains one of the most powerful tools available to boards and senior management when designed and applied with discipline. Aligned with Basel principles and global best practice, RCSA can evolve from a regulatory obligation into a strategic pillar of operational resilience.
The transformation of banking through digital channels, outsourcing arrangements and higher transaction volumes has fundamentally altered the operational risk landscape. Risks today are faster-moving, interconnected and more difficult to detect through traditional controls alone. Experience from major global and regional loss events shows a consistent pattern: institutions rarely fail because risks were unknown, but because they were underestimated, poorly challenged, or over-reliant on controls that existed on paper. A robust RCSA provides management with a structured mechanism to surface emerging vulnerabilities early and assess whether controls remain effective in practice.
RCSA: Beyond the checklist
At its core, RCSA is a structured self-assessment through which business units identify key operational risks, evaluate control effectiveness, and determine residual risk exposure. Its credibility depends on clear business ownership. International standards, including Basel guidance adopted by local supervisors, are explicit that risk identification and assessment must sit with the first line of defence.
The role of the risk management function is not to complete RCSAs on behalf of the business, but to facilitate the process, challenge assumptions, and calibrate assessments. Where RCSA becomes a risk-team-driven exercise, its value to senior management diminishes rapidly.
Equally important is clarity between inherent risk and residual risk, and between preventive and detective controls. Many institutions underestimate inherent risk simply because controls exist, creating false comfort. RCSA, when applied honestly, forces management to confront whether controls genuinely operate under stress, and whether the balance between prevention and detection is appropriate for the institution’s risk profile. When done well, RCSA supports better decision-making, informs capital and stress-testing discussions, and enables focused control prioritisation.
Why regulators and boards care
RCSA is firmly embedded in international supervisory frameworks. Under the Basel Committee’s principles for sound operational risk management, RCSA underpins risk identification, risk appetite monitoring and scenario analysis. Its outputs feed directly into capital adequacy assessments, operational risk stress testing and loss data analysis. Weak or overly optimistic RCSA outcomes therefore undermine not only risk management, but the credibility of broader governance processes reviewed by supervisors.
Professional bodies such as GARP and PRMIA reinforce this perspective, positioning RCSA as a forward-looking qualitative tool that complements historical loss data. The COSO Internal Control Framework further links RCSA to control activities and monitoring, reinforcing its role as a bridge between risk identification and effective internal control. For boards, the quality of RCSA has increasingly become a proxy for overall risk management maturity.
Common failures and hard lessons
Despite widespread adoption, recurring weaknesses continue to undermine RCSA effectiveness. These include treating RCSA as an annual compliance exercise, reusing risk registers without reflecting changes in business models, inflating control effectiveness ratings, and failing to link RCSA outcomes to incidents, near misses and corrective actions. Supervisory experience globally shows that weak RCSA frameworks are often a precursor to material operational losses.
Making RCSA a management tool
The true test of RCSA lies in the actions it drives. High-quality RCSAs translate into clear action plans, meaningful Key Risk Indicators, focused scenario analysis and concise board-level reporting. Each material risk must have clear ownership, timelines and follow-up. If RCSA does not influence behaviour or resource allocation, it has failed.
Culture and digital reality
Ultimately, RCSA effectiveness depends on risk culture. Honest self-assessment, openness to challenge and the confidence to escalate control weaknesses are essential. These behaviours, supported by clear accountability across the three lines of defence, determine whether RCSA is merely completed or genuinely useful. As banking becomes increasingly digital, RCSA frameworks must also evolve, moving away from static risk registers towards dynamic, event-driven assessments that reflect real-time changes in risk exposure.
Conclusion
RCSA was never intended to be a scoring exercise. At its best, it is a disciplined management process that helps institutions understand vulnerabilities, prioritise controls and protect customers, shareholders and the financial system. Banks that take RCSA seriously detect issues earlier, reduce losses and build regulatory confidence. For boards and senior management, the challenge is no longer whether RCSA is performed, but whether it is used as a strategic tool for resilience in an increasingly complex operating environment.
(The author is an operational risk professional at Hatton National Bank PLC, with over 20 years of experience in branch banking operations and more than six years of hands-on experience in operational risk management. He is currently attached to the Risk Management Department and specialises in third-party risk management, new product development risk assessment, process risk analysis, and the application of operational risk tools. He holds a Master of Business Studies from the University of Kelaniya, is an Associate of the Institute of Bankers of Sri Lanka (AIB Sri Lanka), holds an Investment Advisor Certificate from CSE, and has completed diplomas in Bank Integrated Risk Management and Portfolio and Investment Management at the IBSL.)