What's the difference between scenario analysis and RCSA in operational risk management?
I keep confusing scenario analysis with Risk and Control Self-Assessment (RCSA) for FRM I. Both seem to involve identifying operational risks using expert judgment. When do you use each, and how do they feed into the overall operational risk framework?
Scenario analysis and RCSA are both qualitative/expert-judgment tools in the operational risk toolkit, but they serve different purposes, involve different participants, and produce different outputs.
Risk and Control Self-Assessment (RCSA):
RCSA is a structured process where business line managers and staff identify, assess, and document the operational risks inherent in their own processes.
Key Characteristics:
- Who: Business unit managers and their teams (first line of defense)
- Focus: Current risk profile — what risks exist TODAY in our processes?
- Output: Risk register with severity/likelihood ratings, control effectiveness assessments, action plans for gaps
- Frequency: Typically annual with quarterly updates
- Approach: Bottom-up identification — the people closest to the processes identify what can go wrong
RCSA Process:
- Identify key processes and activities in the business unit
- Identify risks associated with each process
- Assess inherent risk (before controls) on a severity/likelihood matrix
- Document existing controls and rate their effectiveness
- Calculate residual risk (after controls)
- Develop action plans for unacceptable residual risks
Scenario Analysis:
Scenario analysis is a structured process for developing estimates of potential low-frequency, high-severity loss events that the firm may not have experienced internally.
Key Characteristics:
- Who: Senior risk managers, subject matter experts, sometimes external advisors
- Focus: Extreme but plausible future events — what COULD happen?
- Output: Estimated loss distributions for tail scenarios (e.g., '1-in-100-year rogue trading event: $500M-$2B loss')
- Frequency: Annual or when significant changes occur
- Approach: Top-down imagination — experts construct hypothetical disaster scenarios
| Feature | RCSA | Scenario Analysis |
|---|---|---|
| Focus | Current risk profile | Extreme future events |
| Participants | Business line staff | Senior risk experts |
| Risk type | All severities | Primarily tail events |
| Output | Risk register + controls | Loss estimates for capital |
| Uses | Risk identification, control improvement | Capital modeling, stress testing |
| Approach | Bottom-up | Top-down |
How They Complement Each Other:
RCSA identifies the day-to-day risks and control weaknesses. Scenario analysis imagines the catastrophic events that haven't happened yet. Together, they provide both the body (RCSA → frequent losses) and the tail (scenarios → rare catastrophes) of the operational risk profile.
Exam Tip: FRM I tests whether you understand that RCSA is about current risks and controls (first line ownership) while scenario analysis is about extreme future events (second line facilitation). Don't confuse the two in exam vignettes.
Study operational risk assessment tools in our FRM question bank.
Master Part I with our FRM Course
64 lessons · 120+ hours· Expert instruction
Related Questions
Why is DV01 so much smaller than dollar duration if both are supposed to measure rate risk?
When should I stop using modified duration and switch to effective duration?
How should I think about the relationship between Macaulay duration and modified duration instead of memorizing two separate definitions?
Why do hedge calculations often use dollar duration or DV01 instead of just modified duration?
When should I prefer historical simulation VaR over delta-normal VaR?
Join the Discussion
Ask questions and get expert answers.