1) What are Risk and Control Self Assessments (RCSAs)? How would you construct an
RCSA program? How would you monitor the progress and success of an RCSA program?
(50 points) (
Tips: Define various terms including risk, inherent and residual risk ratings,
controls, Action plans etc., top down or bottom up and explain why that’s chosen. create
scope and how frequently RCSAs should be performed etc.
Note: Tips are not a comprehensive list of things you need to define. They are just ideas to
2) As you create the program please identify the roles and responsibilities of first and
second line of defense (These would normally be the contents of policy and/or
procedures). (50 Points)
Identification of Risks and Controls (70 points)
1. Chose a public company from any industry. To understand the nature and scale of the business you
could review the company’s description and data on any financial data websites (Yahoo finance,
google finance etc.) and the Annual Report (10-K), which is usually available under the Investor
Relations menu on the company’s website.
for the company. For each of the risks that you identify,
please do the following:
Articulate (describe) the risk in the “cause, potential event and impact” format
Identify controls that would mitigate the risk. If you are not able to identify any controls or
mitigation plans that the organization has implemented, identify (make up) some that you feel
would best mitigate the underlying risk.
Identify the approximate inherent and residual rating for the risk assuming the identified
controls exist. The scale provided in Exhibit B should be used for this step.
Please use the format in exhibit C to submit the assignment with rationales/explanation for
the fields following the table.