
Risk & Control Self-Assessment (RCSA)


    Overview

    RCSA support aligned with COSO and Basel III. Front-line managers document risks and control effectiveness; the skill scores control strength (Automated > Manual, Preventative > Detective) and identifies optimistic bias where residual risk is low despite weak controls or thin descriptions.

    Getting Started

    Add your source materials to the project workspace, then activate the Risk & Control Self-Assessment (RCSA) skill. Create or update an RCSA data file (e.g. rcsa-data.json) following the schema in the skill’s references/rcsa_data_schema.md, then run the tools to score controls and check for optimistic bias. The agent will guide you through the process step by step.

    Example Conversation

    You: We’re preparing our quarterly RCSA for Finance. I have a first cut of risks and controls in a spreadsheet — can you turn it into the right JSON format and run the validation?

    Agent: I’ll structure the RCSA data from your spreadsheet. I need each risk with inherent and residual ratings, and for each control the type (automated or manual) and nature (preventative, detective, corrective, or compensating). I’ll create rcsa-data.json and then run both tools.

    You: Go ahead. Residual is mostly “low” for our process risks.

    Agent: I’ve created the file and run the control strength calculator and optimistic bias check. Findings:

    • R1 (Expense fraud) — Residual is low but average control strength is 0.60: one control is manual/detective. Consider adding a preventative automated check or documenting why residual can stay low.
    • R3 (Reconciliation errors) — Residual is low but two controls have very short descriptions (< 30 chars). Second line will expect clearer evidence; I can suggest wording.

    R2 and R4 pass: control strength supports the low residual rating. Should I propose stronger control descriptions for R1 and R3, or adjust residual ratings?

    What the Tools Validate

    The skill includes two tools that run against the RCSA JSON file:

    control_strength_calculator scores controls and summarizes by risk:

    • Weights: type — automated = 1.0, manual = 0.5; nature — preventative = 1.0, detective = 0.7, compensating = 0.6, corrective = 0.5. Per-control strength = (type_weight + nature_weight) / 2.
    • Reports each control’s type, nature, and strength; per-risk average control strength.
    • Flags optimistic bias when residual is “low” and either: average control strength < 0.5, or no controls documented, or any control has a very short description (< 30 characters).

    rcsa_optimistic_bias_check focuses only on bias:

    • Lists risks where residual risk is “low” but controls are weak (manual/detective-heavy, or average strength below threshold) or descriptions are thin.
    • No change to the data; use it to target which risks need stronger controls or revised residual ratings before second-line or audit review.

    RCSA data must be a JSON file containing a risks array. Each risk carries inherent and residual ratings and a controls array; each control has a type (automated|manual), a nature (preventative|detective|corrective|compensating) and a description. See the skill’s references/rcsa_data_schema.md for the full schema.
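    The scoring and bias rules above, written out as a small Python script. This is an added reference implementation, not the skill’s own control_strength_calculator or rcsa_optimistic_bias_check; the field names risks, controls, type, nature, residual and description follow the page, while the id and title fields, the 0.5 strength threshold and the sample rcsa-data.json content are assumptions constructed for the example.

```python
"""Reference scoring of an RCSA JSON file (added example, not the skill's tool).

Rules as stated on the page:
  strength = (type_weight + nature_weight) / 2
  optimistic bias when residual is "low" and any of:
    average control strength < 0.5, no controls documented,
    any control description shorter than 30 characters.
"""
import json

# Weights as given on the page.
TYPE_WEIGHT = {"automated": 1.0, "manual": 0.5}
NATURE_WEIGHT = {"preventative": 1.0, "detective": 0.7,
                 "compensating": 0.6, "corrective": 0.5}
STRENGTH_THRESHOLD = 0.5     # average below this counts as weak
MIN_DESCRIPTION_CHARS = 30   # shorter descriptions count as thin


def control_strength(control):
    """Per-control strength; unknown type/nature values raise rather than
    being silently scored, so schema mistakes surface early."""
    t = str(control["type"]).lower()
    n = str(control["nature"]).lower()
    if t not in TYPE_WEIGHT or n not in NATURE_WEIGHT:
        raise ValueError(f"control {control.get('id')}: unknown type/nature {t}/{n}")
    return round((TYPE_WEIGHT[t] + NATURE_WEIGHT[n]) / 2, 2)


def assess_risk(risk):
    """Score one risk's controls and apply the optimistic-bias rules."""
    controls = risk.get("controls", [])
    strengths = [control_strength(c) for c in controls]
    avg = round(sum(strengths) / len(strengths), 2) if strengths else 0.0
    thin = [c.get("id", "?") for c in controls
            if len((c.get("description") or "").strip()) < MIN_DESCRIPTION_CHARS]
    reasons = []
    if str(risk.get("residual", "")).lower() == "low":
        if not controls:
            reasons.append("no controls documented")
        elif avg < STRENGTH_THRESHOLD:
            reasons.append(f"average control strength {avg:.2f} below {STRENGTH_THRESHOLD}")
        if thin:
            reasons.append("thin description on " + ", ".join(thin))
    return {"id": risk["id"], "residual": risk.get("residual"),
            "controls": [f"{c['id']} {c['type']}/{c['nature']} strength={s:.2f}"
                         for c, s in zip(controls, strengths)],
            "strengths": strengths, "average": avg, "thin_controls": thin,
            "bias_reasons": reasons, "optimistic_bias": bool(reasons)}


def assess_file(json_text):
    """Parse an rcsa-data.json document and return results keyed by risk id."""
    data = json.loads(json_text)
    return {r["id"]: assess_risk(r) for r in data["risks"]}


# Constructed sample data (assumed layout; not a real assessment).
SAMPLE_RCSA_JSON = json.dumps({
  "organization": "Finance Division", "assessment_date": "2025-02-01",
  "risks": [
    {"id": "R1", "title": "Fraud in expense reporting", "inherent": "high", "residual": "low",
     "controls": [
       {"id": "C1", "type": "automated", "nature": "preventative",
        "description": "Expense system blocks claims above policy limits without approval."},
       {"id": "C2", "type": "manual", "nature": "detective", "description": "Monthly review"}]},
    {"id": "R2", "title": "Reconciliation errors", "inherent": "medium", "residual": "low",
     "controls": [
       {"id": "C1", "type": "automated", "nature": "detective",
        "description": "Daily automated match of ledger to bank statement with exception report."},
       {"id": "C2", "type": "manual", "nature": "preventative",
        "description": "Preparer/reviewer segregation enforced before journals are posted."}]},
    {"id": "R3", "title": "Vendor master data changes", "inherent": "high", "residual": "low",
     "controls": []},
    {"id": "R4", "title": "Late regulatory filing", "inherent": "medium", "residual": "medium",
     "controls": [
       {"id": "C1", "type": "manual", "nature": "corrective", "description": "Fix after the fact"}]}
  ]})


if __name__ == "__main__":
    for r in assess_file(SAMPLE_RCSA_JSON).values():
        flag = (" [OPTIMISTIC BIAS] " + "; ".join(r["bias_reasons"])) if r["optimistic_bias"] else ""
        print(f"{r['id']}: residual={r['residual']} avg={r['average']:.2f}{flag}")
        for line in r["controls"]:
            print("  " + line)
```

    Running it flags R1 (thin description on C2) and R3 (no controls) while R2 passes; R4 has the same weak manual/corrective control and a thin description but is not flagged because its residual rating is medium, which mirrors the page’s rule that the checks only fire when residual is claimed to be low.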

    Output Excerpt

    After running the tools, the control strength report looks like this (excerpt):

    ======================================================================
    RCSA — Control Strength Report (weighted: Automated > Manual, Preventative > Detective)
    Organization: Finance Division
    Assessment date: 2025-02-01
    Risks analysed: 3
    ======================================================================
    
    --- R1: Fraud in expense reporting ---
      Inherent: high  Residual: low  Controls: 2
      C1  automated/preventative  strength=1.00
      C2  manual/detective  strength=0.60  (thin description)
      Average control strength: 0.80
      [OPTIMISTIC BIAS] 1 control(s) have very short or empty descriptions — residual low may be over-optimistic
    
    --- R2: Reconciliation errors ---
      Inherent: medium  Residual: low  Controls: 2
      C1  automated/detective  strength=0.85
      C2  manual/preventative  strength=0.75
      Average control strength: 0.80
    
    ======================================================================
    RESULT: 1 risk(s) show possible optimistic bias — residual low vs weak controls or thin descriptions
    ======================================================================
    

    Use the report to strengthen control design or descriptions, or to revise residual ratings so they align with COSO and Basel III expectations.
