Introduction
Risk and Control Self-Assessment (RCSA) originated around 40 years ago at Gulf Canada, a division of the Gulf Corporation, which was under a consent decree and had to accurately report its oil and gas reserves. The head of internal audit was not satisfied with the existing methods for evaluating internal controls and developed a framework for the operational staff to evaluate the performance of the controls themselves. Over the years adoption grew, and most of the standards bodies and frameworks (COBIT, COSO, NIST, etc.) recognized the value of the approach and developed methodologies to support it. Even the Basel Committee on Banking Supervision mentions RCSA among its core risk management principles.
What is RCSA?
Risk and Control Self-Assessment is a process for identifying and assessing the risks facing an organization and the effectiveness of the controls that manage those risks. It is a key element of the overall risk management program, and the one that focuses on risk mitigation. Traditionally, the process includes:
- Risk Identification. Discovery of new risks and confirmation of existing ones. For operational risk we can start from the critical process catalog, together with the business objectives. This first requires making sure that the critical process catalog is up to date and mapped to risks and business objectives.
- Risk Assessment and Analysis. This can be qualitative or quantitative, with the goal of establishing an optimal risk/reward balance within the risk appetite of the organization. It is important to capture both inherent risk and residual risk (the risk remaining after controls are implemented). This step may also result in policy updates when the risk appetite, the environment, etc. have changed.
- Control Updates. Once the risk register is updated, the controls have to be matched to it to make sure they can keep the residual risk at the desired level. This is also a good opportunity to review the Common Control Framework (CCF) for optimization potential.
- Control Assessment. For any change in the risk register or the controls, the test procedures and the evidence collection process must be updated accordingly. Both the design effectiveness and the operating effectiveness of the updated CCF then need to be examined. Note that this is not a full-blown audit: the goal is a reasonably high level of confidence that the risk policies and the control system operate as designed. Nevertheless, it can be a very resource-intensive exercise, and many organizations use questionnaires and surveys in lieu of testing the evidence, at the cost of weaker assurance.
- Issues Identification/Correction. This is the standard cataloging, assessment, and disposition of any deviations discovered. It is important to treat this phase with respect: auditors and examiners commonly request the status of the corrective actions.
Benefits of the RCSA
In terms of effective risk management, RCSA has proven itself over the years. While it originated in the natural resources industry, it spread to other risk-aware industries; it is a core process in the financial services industry and has an equivalent in the FedRAMP/DoD space. Many organizations have informally organized bits and pieces of it, with varying scopes, driven by necessity. RCSA, however, is a very formal and structured process, and that is where its effectiveness comes from. Many organizations attempt to run it more often (sometimes with rotating scopes), or even continuously.
Therein lies the major challenge with RCSA: while the risk reduction is very effective, the process itself is very inefficient. Granted, there are tools that simplify the workflows and tasks, but it still involves a lot of people and takes a considerable amount of time.
Additionally, since it is performed by management (mostly the first line, with support from the second line), it consumes highly valuable resources. Imagine pulling your top developers or operations people away several times per year, for multiple days, to perform risk and control assessments. You will not be a popular person!
Lastly, because it is resource- and time-intensive, the freshness of the assessment may be questionable, especially in a fast-paced environment. Imagine how many things can change during the quarter in which you perform the RCSA.
Using AI for RCSA
If something is tedious and resource- and time-consuming, we usually look for automation. There are many tools that assist with the RCSA process, but the vast majority of them focus on making the workflow and tasks easier for humans to perform. With agentic AI we can actually outsource some of the tasks to the AI while supervising it and verifying its output. Depending on the implementation, this can drastically reduce the time and resources needed to perform the task.
Below I will provide a few examples where the technology already exists. In all cases, the prerequisites are:
- Contextualization. The AI must be contextualized with your environment, not with generic content. Risk drivers, risks, policies, standards, SOPs, controls, evidence, etc. must be specific to the organization and properly indexed so the AI can retrieve them. Note that this is contextualization, not training: the documents are supplied to the model at query time rather than baked into its weights, so your sensitive data need not leave your environment and is not used to train the LLM. Verify that this actually holds for your deployment, i.e. that the model runs inside your boundary, or that the provider contractually excludes your data from training and retention.
- Subject Matter Expertise (SME). The AI system must be "tuned" for the subject at hand. It should internally "understand" what a policy is, what a control is, and how they are related. You need a GRC analyst, not a generalist.
Here are a few examples of how one could use AI assistance in performing RCSA:
- Control Assessment. This is probably the most involved and, at the same time, the most developed capability of an AI assistant.
- The updated CCF is used to contextualize the AI assistant
- The evidence (collected manually or automatically) is mapped to the controls by the AI assistant, which is multi-modal (it understands various formats) and can quickly perform semantic matching against the controls
- The control test procedure can be obtained from Internal Audit (they already use it anyway). Importantly, given the AI automation, the test can be expanded to the entire population rather than limited to a statistical sample
AI agents read the test procedure and semantically map the evidence to the control. It is important that the system provides its reasoning for each pass/fail, along with references to the evidence and documentation it used to reach that conclusion. This is what allows the human to exercise their supervisory role and to challenge a conclusion without redoing the work.
- Policy Design Assessment. We must make sure that the current policy set aligns with the updated risk register.
- The AI assistant is already contextualized with your policy set
- The updated risk register, along with the risk decisions, is used as the “target state”
The AI assistant will distill the requirements from the "target state" (NB: this can also be used for gap assessments outside of RCSA; it is the same concept), create questions, and spin up another AI agent to answer those questions using the context of the policy set. Reasoning for pass/fail, along with references and, potentially, recommendations, is provided in the form of a report for human verification and action planning.
- Tracking Corrective Actions. This is another resource-intensive and mundane process: chasing resolutions. Thankfully, this is also an area where we can employ AI.
- Since the AI agent already performed the control assessment, it can, after human review, generate the necessary tickets for remediation
- The control assessment agent selectively re-runs on tickets that claim resolution, to verify the outcome before closing the ticket
An enhancement is instructing the AI agent to escalate the ticket based on certain criteria (for example, when it is overdue). Since the agent is already contextualized with the org chart, this is a relatively trivial task for the AI (and one hated by many humans).
These are just a few examples of using the capabilities of a multi-agent AI to help with the RCSA process. Given the contextualization and SME features of such a system, I am sure you can come up with many others.
Summary
Utilizing AI brings benefits in three dimensions:
- Effectiveness. Psychologically, humans tire of monotonous tasks and start making mistakes. Traditionally we address that by adding resources, i.e. another human to check on the first one. An AI agent does not tire, and with its reasoning and evidence references recorded, its consistency can be verified rather than assumed
- Efficiency. In some cases this can be dramatic. Anecdotally, a full-blown policy design assessment, which usually takes hundreds if not thousands of hours, can be performed in a couple of hours.
- Freshness. Since we can be much more efficient, we can shorten the time between the start and the finish of the RCSA, which means a much more current risk picture. In a more advanced setup we could implement continuous control monitoring and agile risk management, but that is a topic for another blog post.
The bottom line is that we can use AI not only to streamline our tasks and perform them more easily, but also to do the work for us. That is the real game-changer.

