
How to Run Risk and Control Assessment (RCSA): Step-by-Step

Elliot Poublan
Mar 19, 2026
Running risk and control assessment - whether you call it RCSA or fold it into operational risk routines - is less about the template and more about sequence and discipline. When the steps are clear, the first line knows what "done" looks like, and the second line can review quality instead of reconstructing meaning from inconsistent spreadsheets.

Below is a practical flow for risk and control assessment / RCSA that works in mid-market regulated firms. Adapt the granularity to your size - but keep the logic: risks first, controls mapped with intent, assessments backed by evidence, gaps owned, and actions tracked to closure.

Step 1: Define the Risks (Scope and Materiality)

Start with scope: which processes, products, entities, or systems are within the boundary for this cycle? Then identify inherent risks - what could go wrong before considering controls - using a consistent taxonomy (categories, causes, impacts).

Avoid the trap of listing hundreds of micro-risks. Prefer a smaller set of material risks that leaders recognise, with clear owners. If everything is high priority, nothing is.

  • Align to risk appetite statements where they exist - so scoring maps to how the organisation actually tolerates loss or failure.
  • Record likelihood and impact using agreed scales and worked examples - not gut feel hidden in a single cell.

Step 2: Map Controls to Risks (Deliberately)

For each material risk, map the key controls that meaningfully reduce likelihood or impact. Classify them (preventive, detective, corrective) so everyone understands the role each plays. If a control does not change the risk story, question whether it belongs in the core map.

Good mapping answers one question: if this control failed tomorrow, would the risk materially increase? If the answer is no, it is probably secondary documentation - not a key control.

Step 3: Assess Design and Operating Effectiveness

Design asks whether the control is capable of mitigating the risk on paper: right intent, right owner, right frequency, right system or procedure. Operating effectiveness asks whether it works in practice - supported by evidence such as samples, logs, tickets, attestations, or test results.

Be explicit about what evidence is sufficient for each control type. Without that, "effective" becomes a matter of optimism.

Methodology Note

Separate "policy exists" from "control runs"

Teams often mark controls effective because a policy was approved last year. A stronger test is whether the control operated across the assessment period, covered the right population, and produced retrievable evidence. That distinction is where risk and control assessment quality lives - RCSA or otherwise.

Step 4: Identify Gaps and Residual Risk

Where design or operating effectiveness falls short, record the gap in plain language: what is missing, what could happen, and how severe the exposure is. Then update the residual risk view so leadership sees the consequence of weak controls, not only the list of issues. Teams differ on how they want to land that position: some prefer a straight judgement-based call (for example, placing the risk directly on the matrix after discussion); others want a structured, formulaic suggestion driven by how controls are typed and scored.

Initia Risk supports both approaches. You can set residual risk from the matrix when expert judgement should lead. Alternatively, the platform can suggest residual risk formulaically from the control environment: taking account of each control's type (whether it primarily mitigates likelihood or impact), its importance to the risk, and its assessed effectiveness - so the suggested position reflects the control logic, not only a manual override.

This step should feed prioritisation: not every gap needs the same response. Concentrate remediation on combinations of high materiality and weak assurance.
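The paragraphs above describe a formulaic residual-risk suggestion (control type, importance to the risk, assessed effectiveness) and a prioritisation rule (high materiality plus weak assurance) without publishing the formula. The following is an added worked example, not Initia Risk's code: the 1-5 scales, the effectiveness and importance weights, the 80% cap on reduction and the combination rule are all assumptions chosen for illustration, and the risk register is constructed sample data.

```python
from dataclasses import dataclass, field

# Assumed rating scales (the page only says "agreed scales").
EFFECTIVENESS = {"ineffective": 0.0, "partially_effective": 0.5, "effective": 1.0}
IMPORTANCE = {"key": 1.0, "supporting": 0.5}
# Assumption: even a fully effective control set never removes more than 80%
# of the distance between the inherent score and the scale floor of 1.
MAX_REDUCTION = 0.8


@dataclass
class Control:
    name: str
    mitigates: str       # "likelihood" or "impact" (the control's type)
    importance: str      # "key" or "supporting" (importance to this risk)
    effectiveness: str   # assessed operating effectiveness


@dataclass
class Risk:
    name: str
    inherent_likelihood: int   # 1..5
    inherent_impact: int       # 1..5
    controls: list = field(default_factory=list)


def mitigation(controls, dimension):
    """Combined reduction share for one dimension ("likelihood" or "impact").

    Each control removes a share of the exposure that is still *remaining*,
    so stacking several controls never double-counts: 1 - prod(1 - w_i * e_i).
    """
    remaining = 1.0
    for c in controls:
        if c.mitigates == dimension:
            remaining *= 1.0 - IMPORTANCE[c.importance] * EFFECTIVENESS[c.effectiveness]
    return min(1.0 - remaining, MAX_REDUCTION)


def residual_score(inherent, reduction):
    """Move a 1-5 score from its inherent value toward the floor (1) by `reduction`."""
    return max(1, round(inherent - (inherent - 1) * reduction))


def suggest_residual(risk):
    """Return (residual_likelihood, residual_impact) suggested from the control logic."""
    rl = residual_score(risk.inherent_likelihood, mitigation(risk.controls, "likelihood"))
    ri = residual_score(risk.inherent_impact, mitigation(risk.controls, "impact"))
    return rl, ri


def weak_assurance(risk):
    """True when any key control for the risk is rated below 'effective'."""
    return any(c.importance == "key" and c.effectiveness != "effective" for c in risk.controls)


def prioritise(risks):
    """Order risks: high materiality (inherent >= 4) with weak key controls first,
    then by suggested residual exposure (likelihood x impact)."""
    def sort_key(r):
        rl, ri = suggest_residual(r)
        remediate_first = weak_assurance(r) and max(r.inherent_likelihood, r.inherent_impact) >= 4
        return (remediate_first, rl * ri)
    return sorted(risks, key=sort_key, reverse=True)


# Constructed sample register (hypothetical risks and controls).
SAMPLE_REGISTER = [
    Risk("Unauthorised payment release", 4, 5, [
        Control("Dual authorisation", "likelihood", "key", "effective"),
        Control("Payment limits", "impact", "key", "partially_effective"),
        Control("Daily reconciliation", "likelihood", "supporting", "effective"),
    ]),
    Risk("Stale vendor master data", 3, 2, [
        Control("Annual vendor review", "likelihood", "key", "ineffective"),
    ]),
    Risk("Regulatory reporting error", 2, 4, [
        Control("Four-eyes review", "likelihood", "key", "effective"),
        Control("Pre-submission validation", "likelihood", "supporting", "effective"),
    ]),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(r.name, suggest_residual(r), "weak assurance" if weak_assurance(r) else "")
```

The suggested position is a starting point for discussion, not a replacement for it: a team that prefers a judgement-based call can still place the risk directly on the matrix and record why it differs from the formulaic suggestion.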

Step 5: Track Actions, Retest, and Close the Loop

A risk and control assessment cycle without closure is an expensive interview. Every gap needs an owner, a target date, and a verification plan (retest or evidence of remediation). Second line should monitor ageing, repeats, and themes - the same control failing two cycles in a row is a process problem, not a one-off.

Where possible, align triggers to business change: new products, outsourcing, system migrations, and reorganisations should prompt a targeted refresh rather than waiting for the annual calendar.
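The monitoring described in Step 5 (ageing, repeats, and closure only with verification) is straightforward to run over an action log once the records carry an owner, a due date and a verification field. The example below is added here and is not Initia Risk's code; the record layout, the cycle names and the action log are constructed sample data, and the rule that an action counts as closed only when verification is recorded is an assumption taken from the paragraph above.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Action:
    action_id: str
    control_id: str
    owner: str
    due: date
    closed_on: Optional[date] = None
    verification: Optional[str] = None   # e.g. "retest passed", "evidence reviewed"


def is_closed(action):
    """An action is closed only when it has a closure date AND recorded verification."""
    return action.closed_on is not None and action.verification is not None


def unverified_closures(actions):
    """Actions marked closed without a retest or evidence of remediation."""
    return [a.action_id for a in actions if a.closed_on is not None and a.verification is None]


def overdue(actions, today):
    """(action_id, days_overdue) for every action not properly closed and past its due date."""
    return [(a.action_id, (today - a.due).days)
            for a in actions if not is_closed(a) and a.due < today]


def repeat_failures(results, cycles):
    """Controls rated below 'effective' in two consecutive assessment cycles.

    `results` is an iterable of (cycle, control_id, rating); `cycles` lists
    cycle names in chronological order. A control with no result in a cycle
    is treated as effective for that cycle (assumption for the example).
    """
    by_control = defaultdict(dict)
    for cycle, control_id, rating in results:
        by_control[control_id][cycle] = rating
    repeats = []
    for control_id, ratings in by_control.items():
        for prev, cur in zip(cycles, cycles[1:]):
            if (ratings.get(prev, "effective") != "effective"
                    and ratings.get(cur, "effective") != "effective"):
                repeats.append((control_id, prev, cur))
    return repeats


# Constructed sample data (hypothetical control ids, cycles and actions).
CYCLES = ["2025-H1", "2025-H2", "2026-H1"]
ASSESSMENT_RESULTS = [
    ("2025-H1", "C-ACC-01", "effective"),
    ("2025-H1", "C-PAY-02", "ineffective"),
    ("2025-H2", "C-ACC-01", "ineffective"),
    ("2025-H2", "C-PAY-02", "ineffective"),
    ("2026-H1", "C-ACC-01", "effective"),
    ("2026-H1", "C-PAY-02", "partially_effective"),
]
ACTION_LOG = [
    Action("A-1", "C-PAY-02", "Payments Ops", date(2025, 9, 30)),
    Action("A-2", "C-ACC-01", "Finance", date(2025, 12, 31), date(2026, 1, 15), "retest passed"),
    Action("A-3", "C-PAY-02", "Payments Ops", date(2026, 1, 31), date(2026, 2, 10), None),
    Action("A-4", "C-ACC-01", "Finance", date(2026, 4, 30)),
]

if __name__ == "__main__":
    as_of = date(2026, 3, 19)
    print("overdue:", overdue(ACTION_LOG, as_of))
    print("closed without verification:", unverified_closures(ACTION_LOG))
    print("repeat failures:", repeat_failures(ASSESSMENT_RESULTS, CYCLES))
```

Two points worth noting from the sample run: A-3 was "closed" without a retest, so it still ages as open, and C-PAY-02 has failed in every consecutive pair of cycles, which is the process problem the paragraph above warns about rather than a one-off.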

Bringing It Together

Effective risk and control assessment (including formal RCSA) is a loop: define risks, map real controls, assess with evidence, quantify residual exposure where helpful, and drive actions to closure. When that loop lives in a single, usable system - rather than scattered workbooks - the programme scales without collapsing into admin.

The assessment loop

  1. Define risks - scope, materiality, inherent risk
  2. Map real controls - key controls linked to each risk
  3. Assess with evidence - design and operating effectiveness
  4. Quantify residual exposure - gaps, residual risk, prioritisation
  5. Drive actions to closure - owners, dates, retest and verification

Loop, not a line. Incidents, business change, and retesting feed back into earlier steps - the cycle continues.

That is the problem Initia Risk focuses on: making risk and control assessment operational for first-line owners while giving risk teams structured reporting and audit trails by default.

If you are still deciding whether to run your RCSA in spreadsheets or a platform, read Excel vs GRC tools for RCSA: when to make the switch. For the underlying methodology, see what an RCSA is and why most programmes fail.

When you are ready to evaluate a tool to support the cycle, our buyer guides on how to choose a GRC tool in 2026 and the best GRC software for mid-market companies walk through what to look for without enterprise bloat.
