
RCSA: Why Self-Assessment Shouldn’t Lead Your Risk Program

RCSA scales and feels participative, but self-assessment alone produces optimistic risk registers, not insight. Here’s why expert-led risk identification must lead.

AUTHOR

Atiq Bajwa

Founder & CEO


Risk and Control Self-Assessment (RCSA) is a useful input, but it should never be the foundation of a risk program. When business owners assess their own risks and controls without independent, expert-led challenge, the result is an optimistic register that documents comfort rather than reality. Strong risk identification is a discipline that must be built in-house and led by trained professionals, with RCSA as one input, never the whole method.

Over more than three decades in enterprise risk management (including 26 years leading the function inside a global industrial group, and today as Chief Risk Officer of a diversified holding company), I have facilitated more risk workshops than I can count. Across industrial ventures, real estate, agriculture, and financial investments, one pattern has held without exception.

The quality of a risk assessment is determined far less by the template and far more by who is in the room asking the difficult questions. Which brings me to Risk and Control Self-Assessment.

What Is Risk and Control Self-Assessment (RCSA)?

Risk and Control Self-Assessment (RCSA) is a process in which business and process owners identify their own risks, rate the effectiveness of their own controls, and propose their own mitigations. They then pass the results to the risk function for monitoring and reporting.

RCSA is popular for understandable reasons. It scales across a large organization, it is inexpensive to run, and it feels participative. Used well, and kept in its place, it has real value.

The problem begins when organizations make RCSA the foundation of their risk program. That is precisely where it fails them.

The Problem: When RCSA Becomes the Foundation

A risk register that everyone agreed with is not the same as a risk register that is true. Yet many organizations build their entire risk program on self-assessment, then treat the resulting register as an accurate picture of their exposure.

It rarely is. The method has four structural weaknesses that no template, software platform, or facilitator's enthusiasm can overcome.

Why RCSA Falls Short as the Lead Method

Here is where self-assessment quietly breaks down.

1. Risk Identification Is a Discipline, Not a Side Task

RCSA assumes business owners can assess risk accurately because they understand their operations. They do understand their operations, but operating expertise and risk expertise are not the same thing.

Probing assumptions, surfacing interdependencies, separating a symptom from a root cause, and judging whether a control actually works are skills built over years. Without an experienced facilitator in the room, risks are routinely missed, understated, or misclassified. The cause is rarely negligence; it is the simple absence of the specialist lens.

2. Self-Assessment Carries a Built-In Bias

When people rate their own risks and their own controls, the rating is rarely neutral. As Kaplan and Mikes argued in Managing Risks: A New Framework (Harvard Business Review, 2012), people consistently overestimate their ability to influence outcomes, are overconfident about their forecasts, and define the range of possible outcomes too narrowly.

These are not character flaws; they are universal cognitive biases. RCSA, by design, asks the people most subject to those biases to be the sole assessors of their own exposure. The predictable result is an optimistic register that documents comfort rather than reality.

3. Without Independent Challenge, the Obvious Gets Ignored

Michele Wucker, who coined the term, describes a "gray rhino" as a high-impact, highly probable threat that is visible and yet neglected, not because no one could see it, but because no one was willing to confront it.

Self-assessment is structurally poor at catching gray rhinos. The risks that are politically inconvenient, embarrassing, or simply uncomfortable to write down are the ones most likely to be diluted or quietly left off the page when no independent voice is present to insist they stay on it. Constructive challenge is the single most valuable thing a mature risk function brings, and it is the one thing a self-assessment form cannot supply.

4. Strategic and Emerging Risks Fall Outside Its Line of Sight

RCSA looks downward and inward, at known operational risks within a single function. It is not built to see across the enterprise, to connect a supply concentration in one business to a geopolitical shift, a regulatory change, or a technological disruption affecting another.

The risks most capable of threatening an organization's strategy are exactly the ones a function-level self-assessment is structurally unable to surface.

What the Risk Management Standards Actually Say About RCSA

A fair objection, and one I have been challenged on directly, is that RCSA aligns with the COSO ERM framework and the IIA's standards, which call for risk to be identified and assessed at all levels of the organization. That is true, and I do not contest it.

But none of those frameworks says self-assessment should replace expert-led identification and independent challenge. COSO, ISO 31000:2018, and the Three Lines Model all point the other way: risk management should be integrated, structured, and comprehensive, and the second line of defense exists precisely to provide the independent challenge that the first line, assessing itself, cannot.

RCSA is fully consistent with the standards as an input within an independently facilitated process. It is not consistent with them as a substitute for one.

RCSA Alone vs. Expert-Led Risk Identification

| Dimension | RCSA Alone | Expert-Led (RCSA as one input) |
|---|---|---|
| Who leads | Business / process owners | Trained risk professionals, with owners contributing |
| Primary output | A risk register | Validated insight, then a register |
| View of risk | Inward, function-level, known risks | Cross-enterprise, including strategic and emerging risk |
| Handling of bias | Unchecked self-rating | Independent challenge and second-line review |
| Gray rhinos | Easily left off the page | Surfaced and kept on the page |
| Standards fit | Partial (an input only) | Full (integrated and independently challenged) |

The Solution: Build Risk Capability, Don't Delegate It

The choice organizations face is not "RCSA or no RCSA." It is whether risk identification is a capability the organization builds and owns, or a task it delegates and hopes is done well.

RCSA alone is delegation. It produces a register; it does not produce insight. The organizations with genuinely resilient risk cultures are the ones that invested in deep in-house expertise and put trained professionals in the room to guide, validate, and challenge.

Here is how to keep RCSA in its rightful place:

  • Treat RCSA as one input into an expert-facilitated process, never as the process itself.

  • Put a trained risk professional in every assessment to probe assumptions, validate ratings, and challenge comfortable conclusions.

  • Subject self-assessment ratings to independent second-line review before they enter the risk register.

  • Use RCSA to scale coverage and engage process owners, then test the output against root-cause analysis and cross-enterprise context.

  • Reserve strategic and emerging risk identification for enterprise-level, expert-led analysis that self-assessment cannot reach.

The Real Question for Risk Leaders

Risk is too consequential to be reduced to a form. The organizations that treat risk identification as a capability to be built, rather than a task to be delegated, are the ones that see clearly enough to act in time.

It is time we stopped mistaking participation for precision.

Key Takeaways

  • RCSA (Risk and Control Self-Assessment) is valuable as an input, but should never lead a risk program.

  • Operating expertise is not risk expertise; risk identification is a specialist discipline.

  • Self-assessment carries built-in cognitive bias and tends to produce optimistic registers.

  • Without independent challenge, high-impact "gray rhino" risks get left off the page.

  • COSO, ISO 31000, and the Three Lines Model treat self-assessment as an input, not a substitute for expert-led, independently challenged identification.

  • Build in-house risk capability and use RCSA as one input within an expert-facilitated process.

Frequently Asked Questions

What is RCSA in risk management?

What are the main limitations of RCSA?

Is RCSA still aligned with COSO and the IIA standards?

Should RCSA be the foundation of a risk program?

Atiq Bajwa

Chief Risk Officer at Sulaiman AlRajhi Holding & Founder of DERISKED

A risk, resilience, and governance expert with over 37 years of experience in enterprise risk management, business continuity, and operational resilience, recognized as the GCC’s Top BCM Professional of the Year by DRI International.
