kind: "concept"
RCSA (Risk and Control Self-Assessment) is a foundational operational risk tool used to identify, assess, and monitor key risks and the effectiveness of associated controls. At its core, RCSA links business processes, inherent risks, control design, and residual risk outcomes. It is widely used across financial institutions to support risk governance, internal control validation, and regulatory engagement. Key limitations include subjectivity, periodic execution, and weak forward-looking capability when treated as a compliance exercise rather than a risk management process.