May 4, 2026

Using AI to increase the effectiveness and efficiency of the Risks and Controls Self Assessment (RCSA)


Back in November last year I introduced the idea of using Trustero AI GRC to assist in the Risk and Controls Self Assessment (RCSA) process. Six months have passed since then, and we have introduced quite a few new features and capabilities. Continuous Control Monitoring (CCM) is more robust and can tackle much more complex tests and evidence; the multi-agent system has expanded nicely, so we can handle new tasks and be much more analytical; reporting has improved significantly. Therefore, I think it is time to update the approach in light of those improvements and new capabilities.

Automate RCSA with Trustero AI?

While Basel IV does not explicitly define the Risk and Controls Self Assessment (RCSA), it implicitly expects it as a core component of an effective operational risk management framework (ORMF). The desired outcome - strong identification, assessment, monitoring, and control of operational risk - makes the RCSA the industry-standard mechanism banks use to meet those expectations.

The actual RCSA process varies in its details but, in general, it follows a familiar flow - identify, assess, respond, and monitor the risks (if we borrow from the COSO ERM framework). What does not vary is how resource intensive the process is. There are many tools that catalog the library of artifacts and facilitate the workflow, but the common theme is the same - there is a lot of work to be done!

There is a common Pareto paradox in risk management - 80% of the work delivers 20% of the value. Most of the time is spent chasing evidence and testing controls instead of analyzing the risks and designing risk management strategies.

What if you could leverage a multi-agent AI system, contextualized with your data, to boost your RCSA process and, maybe, even make it enjoyable?

Identification

Traditional challenges:
  • Massive effort to re-acquire data that already exists in the environment
  • Catch up on all the changes that happened since the last time we ran the process
  • Heavy involvement of expensive resources
  • Resource constraints force us to limit the scope (key risks/controls, rationalizations, etc.)
  • Organizing the context is a challenge
Leveraging Trustero:
  • Trustero continuously collects and refreshes the artifacts (policies, controls, evidence, processes, etc.). It has all the necessary context, all the time.
  • So long as the sources are available, Trustero internally organizes the data, creating an abstraction layer over the environment complexity

Assessment

Traditional challenges:
  • Heavy, time-consuming involvement of expensive, revenue-generating resources
  • Resource constraints force us to limit the scope (key risks/controls, rationalizations, sampling, etc.)
  • Tribal knowledge and inconsistency
Leveraging Trustero:
  • The AI agents continuously evaluate design and operational effectiveness. The results are contextualized against the risks. Trustero evaluates the entire context, not just samples or a limited scope - real-time, full operational risk awareness.
  • The methodology is codified in the system, so the approach is consistent, accurate, defensible, and preserved

Response

Traditional challenges:
  • Designing a proper response can be a long and very involved process
  • It often focuses on what to do rather than on the expected outcome
Leveraging Trustero:
  • Since the AI agents are contextualized with the company information, they can assist in analyzing the issue and designing a proper response - finding information, performing “What If” analysis, etc.
  • The system can also assist with verifying the resolution by continuously testing the controls (focus on outcome, not process)

Monitoring

Traditional challenges:
  • A highly complex and dynamic environment may significantly narrow the scope (failure to spot growing hidden risk)
  • Balancing scope against resource availability
Leveraging Trustero:
  • The system continuously collects relevant data from the environment and evaluates it. In addition to pure Continuous Control Monitoring (CCM), custom-built playbooks can analyze data and perform actions. Resource constraints are effectively removed; therefore, the scope can be expanded.

How does Trustero AI assist the RCSA process?

Identification

Since the system is contextualized with data about the current state, we can use “gap assessment” and “threat analysis” types of playbooks to analyze the risk horizon. For example, if the business is entering a new market, we can ask the agents to review the market-specific regulations against our current state. Once identified, the gaps can be further analyzed in the next step.

Analysis

Because of the CCM and links between controls and risks, we have an up-to-date, full picture of the current operational risk register - we know which risks are above the target residual level and why. Additionally, we have a history of control and risk performance.

For the current risks we can also use the chat interface to analyze performance since the last RCSA - look for patterns, key weaknesses, correlations, etc. Once this part of the research is formalized, it can be codified in playbook(s), which speeds up the analysis even further.

Additionally, we can interact with the agents to look for issues or optimization opportunities - for example, to identify conflicting policies or overlapping controls. We can also upload process narratives and analyze them against the control library.

For the newly identified risks we can go deeper. In the previous example - entering a new market - we can further analyze the details around the gaps: do we have that capability, what are the necessary resources, timelines, etc. Aligning with our risk scoring mechanism will yield the inherent score for our new risks. Additionally, we can leverage the agents to analyze those new risks against our appetite, tolerance, etc.

Response

In this step the system's ability to perform “What If?” analysis comes into play. Initially, the agents provide recommendations on how to close gaps. Since the experts will likely have more extensive context, they can review those recommendations and discuss refinements with the system. For example, the system may recommend a certain policy change that, although driven by a common industry approach, may not be in alignment with the company culture. The expert provides further context and works with the agents to come up with sensible policy language. After that, an agent performs an analysis to identify which controls must be added or modified and suggests the correct language, evidence (it may already exist in the evidence library), and test procedure.

Conversely, an expert can interact with the system to analyze proposed changes and evaluate their downstream effect. For example, they can upload a policy draft and work with the agents to see how that would align with other policies or existing controls.

The CCM capability of Trustero can be used to verify remediation activities. Management focuses on the MAP, while the system confirms resolution. That also allows for some flexibility in the approach (with approval from the stakeholders), because the system focuses on the outcome (risk is reduced, gap is closed) rather than on the way the outcome is achieved.

Monitoring

Current resource constraints inevitably lead to a reduced monitoring scope or to time delays. For example, we monitor only our key controls, and even then we only see how they performed last quarter.

CCM allows us to monitor all controls, all the time, and even move away from sampling - we can always test the entire population. That way we have a real-time picture of all controls' performance and, consequently, of whether our residual risk is at the target level. In fact, Trustero has a report that shows exactly that on the risk heat map.
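The link between full-population control testing and the residual-risk view described above (and the "which risks are above target and why" question from the Analysis step) can be made concrete with a small register model. This is an added illustration, not Trustero's code or data model: the 1-5 likelihood/impact scale, the residual formula (inherent score discounted by the mean pass rate of the linked controls), the heat-map thresholds and the sample register are all assumptions chosen for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    control_id: str
    population: int  # every item in scope is tested, not a sample
    failures: int    # items that failed the latest CCM test

    def effectiveness(self) -> float:
        # Operational effectiveness = pass rate over the full population.
        return 1.0 - self.failures / self.population if self.population else 0.0

@dataclass
class Risk:
    risk_id: str
    likelihood: int         # 1..5 (assumed scoring scale)
    impact: int             # 1..5 (assumed scoring scale)
    target_residual: float  # residual score the risk owner accepts
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> float:
        # Assumed formula: inherent score discounted by mean control effectiveness;
        # a risk with no linked control keeps its inherent score.
        if not self.controls:
            return float(self.inherent())
        mean_eff = sum(c.effectiveness() for c in self.controls) / len(self.controls)
        return self.inherent() * (1.0 - mean_eff)

def heat_bucket(score: float) -> str:
    # Heat-map bands; thresholds are assumed for a 1..25 scale.
    return "low" if score <= 5 else "medium" if score <= 12 else "high" if score <= 19 else "critical"

def above_target(register: list) -> dict:
    # Each risk above its target residual, with the "why": linked controls whose
    # latest test was not fully effective (empty list = nothing linked yet).
    return {
        r.risk_id: {
            "residual": round(r.residual(), 2),
            "bucket": heat_bucket(r.residual()),
            "failing_controls": [c.control_id for c in r.controls if c.effectiveness() < 1.0],
        }
        for r in register if r.residual() > r.target_residual
    }

# Constructed sample register (illustrative data, not from any real environment).
REGISTER = [
    Risk("R-01", 4, 5, 6.0, [Control("CTL-CHG-01", 120, 0), Control("CTL-CHG-02", 120, 30)]),
    Risk("R-02", 3, 5, 4.0, [Control("CTL-IAM-01", 40, 10), Control("CTL-IAM-02", 40, 18)]),
    Risk("R-03", 2, 4, 6.0),  # newly identified gap (e.g. new market), no control linked yet
]
```

Running `above_target(REGISTER)` flags R-02 (both access controls had failures) and R-03 (nothing mitigates it yet), while R-01 stays below target despite one control with failures.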

Benefits Trustero AI Brings to the RCSA process

Quantitative
  • We can shorten the RCSA process and reduce the resources involved
  • We have a more “complete” and up-to-date picture of the risks and controls
  • We reduce the cost of the risk management activities while increasing their efficiency and effectiveness
Qualitative
  • We improve our ability to react to environmental (internal or external) changes
  • We can turn an annual or quarterly process into a continuous, agile RCSA
  • We can improve employee satisfaction/retention. Our experts will be deployed to high value-add activities rather than repetitive, monotonous tasks

Essentially, by using a multi-agent AI system like Trustero we can fundamentally transform the RCSA process to meet the demands of a modern business.
