# Risk & Control Self-Assessment (RCSA)


Tags: Risk Management, Compliance, COSO, Basel III, RCSA, Operational Risk, Internal Control


## Example Prompts

- Draft an RCSA for our finance process and validate control strength and residual ratings
- Score our RCSA controls and flag any optimistic bias (low residual vs weak controls)
- Check our RCSA data file for risks where residual is low but controls are manual/detective-heavy
- Prepare RCSA documentation for second-line review using COSO/Basel expectations

URL: https://rakenne.app/skills/inherent-residual-audit/index.md


## Overview

RCSA support aligned with COSO and Basel III. Front-line managers document risks and control effectiveness; the skill scores control strength (Automated > Manual, Preventative > Detective) and identifies optimistic bias where residual risk is low despite weak controls or thin descriptions.

## Getting Started

Add your source materials to the project workspace, then activate the *Risk & Control Self-Assessment (RCSA)* skill. Create or update an RCSA data file (e.g. `rcsa-data.json`) following the schema in the skill’s `references/rcsa_data_schema.md`, then run the tools to score controls and check for optimistic bias. The agent will guide you through the process step by step.

## Example Conversation

> **You:** We’re preparing our quarterly RCSA for Finance. I have a first cut of risks and controls in a spreadsheet — can you turn it into the right JSON format and run the validation?

> **Agent:** I’ll structure the RCSA data from your spreadsheet. I need each risk with inherent and residual ratings, and for each control the type (automated or manual) and nature (preventative, detective, corrective, or compensating). I’ll create `rcsa-data.json` and then run both tools.

> **You:** Go ahead. Residual is mostly “low” for our process risks.

> **Agent:** I’ve created the file and run the control strength calculator and optimistic bias check. Findings:
> - **R1 (Expense fraud)** — Residual is low but average control strength is 0.60: one control is manual/detective. Consider adding a preventative automated check or documenting why residual can stay low.
> - **R3 (Reconciliation errors)** — Residual is low but two controls have very short descriptions (< 30 chars). Second line will expect clearer evidence; I can suggest wording.
>
> R2 and R4 pass: control strength supports the low residual rating. Should I propose stronger control descriptions for R1 and R3, or adjust residual ratings?

## What the Tools Validate

The skill includes two tools that run against the RCSA JSON file:

**`control_strength_calculator`** scores controls and summarizes by risk:
- **Weights:** type — automated = 1.0, manual = 0.5; nature — preventative = 1.0, detective = 0.7, compensating = 0.6, corrective = 0.5. Per-control strength = (type_weight + nature_weight) / 2.
- Reports each control’s type, nature, and strength; per-risk average control strength.
- Flags **optimistic bias** when residual is “low” and either: average control strength < 0.5, or no controls documented, or any control has a very short description (< 30 characters).

**`rcsa_optimistic_bias_check`** focuses only on bias:
- Lists risks where residual risk is “low” but controls are weak (manual/detective-heavy, or average strength below threshold) or descriptions are thin.
- No change to the data; use it to target which risks need stronger controls or revised residual ratings before second-line or audit review.

RCSA data must be a JSON file with a `risks` array; each risk has `controls` with `type` (automated|manual) and `nature` (preventative|detective|corrective|compensating). See the skill’s `references/rcsa_data_schema.md` for the full schema.
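
The scoring and flagging rules above, written out as an added Python example (not the skill’s own code). The weights, the formula and the 30-character limit are the ones stated above; the `id`, `residual` and `description` field names and the sample data are assumptions, since the schema file is not reproduced on this page.

```python
import json

# Weights as stated on this page.
TYPE_W = {"automated": 1.0, "manual": 0.5}
NATURE_W = {"preventative": 1.0, "detective": 0.7, "compensating": 0.6, "corrective": 0.5}
MIN_DESC_LEN = 30  # descriptions shorter than this count as thin

def control_strength(control):
    """Per-control strength = (type_weight + nature_weight) / 2."""
    try:
        return (TYPE_W[control["type"]] + NATURE_W[control["nature"]]) / 2
    except KeyError as exc:
        # Reject unknown or missing values instead of scoring them silently.
        raise ValueError(f"unknown or missing type/nature: {exc}") from None

def assess_risk(risk, threshold=0.5):
    """Return (average strength or None, list of optimistic-bias reasons)."""
    controls = risk.get("controls") or []
    strengths = [control_strength(c) for c in controls]
    avg = sum(strengths) / len(strengths) if strengths else None
    reasons = []
    # Bias is only assessed when residual is rated low ("residual" key is assumed).
    if str(risk.get("residual", "")).lower() == "low":
        if not controls:
            reasons.append("no controls documented")
        elif avg < threshold:
            reasons.append(f"average strength {avg:.2f} below {threshold}")
        thin = [c.get("id", "?") for c in controls
                if len((c.get("description") or "").strip()) < MIN_DESC_LEN]
        if thin:
            reasons.append("thin description: " + ", ".join(thin))
    return (None if avg is None else round(avg, 2)), reasons

# Constructed sample data; descriptions and ids are invented for the example.
SAMPLE = json.loads("""
{"risks": [
 {"id": "R1", "residual": "low", "controls": [
   {"id": "C1", "type": "automated", "nature": "preventative",
    "description": "System blocks expense claims above the approval limit"},
   {"id": "C2", "type": "manual", "nature": "detective", "description": "Monthly review"}]},
 {"id": "R2", "residual": "low", "controls": [
   {"id": "C1", "type": "automated", "nature": "detective",
    "description": "Nightly job matches ledger to bank statement lines"},
   {"id": "C2", "type": "manual", "nature": "preventative",
    "description": "Controller signs off each journal before posting"}]},
 {"id": "R3", "residual": "low", "controls": []}]}""")

def run(data=SAMPLE):
    """Map each risk id to its (average strength, bias reasons) result."""
    return {r["id"]: assess_risk(r) for r in data["risks"]}
```

With these weights the weakest pairing, manual/corrective, scores exactly 0.50, so the `< 0.5` average condition cannot fire on its own for a risk with documented controls; `threshold` is a parameter so a stricter cut-off can be tried.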

## Output Excerpt

After running the tools, the control strength report looks like this (excerpt):

```
======================================================================
RCSA — Control Strength Report (weighted: Automated > Manual, Preventative > Detective)
Organization: Finance Division
Assessment date: 2025-02-01
Risks analysed: 3
======================================================================

--- R1: Fraud in expense reporting ---
  Inherent: high  Residual: low  Controls: 2
  C1  automated/preventative  strength=1.00
  C2  manual/detective  strength=0.60  (thin description)
  Average control strength: 0.80
  [OPTIMISTIC BIAS] 1 control(s) have very short or empty descriptions — residual low may be over-optimistic

--- R2: Reconciliation errors ---
  Inherent: medium  Residual: low  Controls: 2
  C1  automated/detective  strength=0.85
  C2  manual/preventative  strength=0.75
  Average control strength: 0.80

======================================================================
RESULT: 1 risk(s) show possible optimistic bias — residual low vs weak controls or thin descriptions
======================================================================
```

Use the report to strengthen control design or descriptions, or to revise residual ratings so they align with COSO and Basel III expectations.


