Over the past year, operational risk in the banking sector has become an increasingly visible and urgent concern. In 2024, the US Office of the Comptroller of the Currency (OCC) privately found that over half of large US banks exhibited weaknesses in their operational risk and control frameworks.1 These gaps can lead to material consequences, from Consent Orders that halt bank operations to mounting fraud losses and legal risks.
In this environment, the Risk and Control Self-Assessment (RCSA) is evolving from a compliance activity into a foundational element of operational resilience. Institutions are being challenged not only to document their internal controls but to demonstrate the efficacy, completeness and real-world performance of those controls under regulatory scrutiny.
A mature RCSA program serves multiple purposes. It supports regulatory compliance (e.g. Basel III/IV, SOX), provides transparency into operational risk exposure, and enables early identification of control weaknesses. But achieving this in practice is a complex undertaking.
Effective RCSA programs require more than just policy alignment. They demand cross-functional collaboration, control standardization, continuous performance testing and adaptability to shifting regulatory expectations.
The challenge is especially pronounced at scale, where financial institutions must manage thousands of control procedures across diverse business units, each with its own maturity level and operational complexity.
The RCSA process involves several interrelated components:
- Control design. Controls should be clearly defined, risk-aligned and implementable by front-line personnel. Capco’s use of the DRACO framework (Data source, Response taken, Action, Cadence and Ownership) illustrates a structured approach to ensure completeness in control design.
- Control documentation. Standardized and well-documented procedures support consistency and audit readiness. This includes defining key versus non-key controls, identifying control gaps and maintaining centralized inventories of procedure artifacts including control templates, revision history and approval documentation.
- Control testing and validation. Performance testing confirms whether controls are executed as designed and effectively mitigate risk. This includes scenario testing, user acceptance testing (UAT) and evidence capture that meets regulatory standards.
- Control automation. Optimizing the execution of manual, semi-automated and automated controls will reduce the burden on risk and operational team members. The best candidates for automation can be evaluated using the following criteria:
- Is there a defined process?
- Is the process repeatable?
- What is the complexity of the decision rules?
- How are exceptions managed?
- Does the data come from an approved/validated source?
These components of the RCSA process operate within a broader governance framework, supported by executive sponsorship, policy alignment and risk-adjusted testing frequency.
Capco’s recent RCSA delivery programs across Tier 1 banks highlight four trends shaping the evolution of internal control environments:
1. The importance of cross-functional coordination
In one program supporting a top tier consumer lending bank, over 900 control procedures were created to achieve a tight regulatory deadline. Weekly status meetings, walkthrough sessions with risk teams and regular coordination with business SMEs proved essential in meeting Consent Order requirements and raising test/audit pass rates from 35% to 95%.
2. The role of standardized templates and accelerators
Documentation accelerators, such as control templates and quality control checklists, can significantly reduce procedural inconsistencies. In several engagements, standardized formats helped teams scale up quickly, ensuring that controls met both internal testing requirements and regulator expectations.
3. The benefit of iterative feedback and refinement
Feedback loops across procedure walkthroughs, control testing results and regulatory observations informed continuous improvement. In a credit bureau control program, performance testing identified data validation gaps that led to updates in business requirements documents and the creation of new quality assurance controls.
4. The challenge of balancing scale and specificity
Large-scale programs may involve hundreds or thousands of controls, but effectiveness often hinges on local knowledge. Successful programs established dedicated workstreams by line of business, combining centralized oversight with business-aligned procedure consultants to maintain both scale and relevance.
Behind every successful RCSA program is a well-structured governance model. Executive committees provide strategic direction, prioritize control delivery and allocate resources. Risk and compliance teams align on testing cadence and methodology. And front-line business units are engaged in documenting and validating controls, ensuring ownership and sustainability.
Control policy consistency is also critical. Institutions that maintain centralized control taxonomies and repositories benefit from clearer accountability and more efficient refresh cycles. Internal audit teams, in turn, can focus on validation rather than discovery, to accelerate both testing and remediation processes.
A well-executed RCSA program does more than meet regulatory expectations. It strengthens the institution’s operational foundation and offers a framework for:
- Making risk visible and actionable across business lines
- Aligning control efforts with business objectives and compliance mandates
- Establishing a culture of proactive risk management, rather than reactive remediation.
However, the path toward maturity is neither linear nor one-size-fits-all. As control requirements evolve in response to emerging risks (e.g. cyber, AI-driven operations, third-party dependencies), institutions must continue investing in tools, methodologies and internal capabilities that support sustainable RCSA execution.
Operational resilience has become a strategic imperative for banks as they navigate increasingly complex risk environments. A robust RCSA program anchored in strong governance, consistent documentation and rigorous control validation can serve as both a regulatory shield and an operational advantage.
Institutions that embed these practices into their control culture will not only be better prepared for audits and potentially avoid Consent Orders, but also better equipped to anticipate and mitigate risk in a rapidly changing financial landscape.