The Corporate Risk Manager's RCSA-to-Board Operating Manual

$199.00
A focused course, tailored for you

Run a defensible RCSA cycle at a US retail brokerage and turn the workbook output into a board-ready operational risk profile the second line will sign.

The RCSA workbook comes back from the line-of-business owner with inflated inherent ratings, copy-pasted control descriptions, and residual ratings that don't reconcile to the operational risk events database. Translating that into a board-ready operational risk profile that the Chief Risk Officer's office, internal audit, and the OCC examiner team will all accept is the week that defines whether the corporate risk manager seat is doing its job.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

A corporate risk manager inside a US retail brokerage with a national bank subsidiary sits at the joint of four reporting cadences. The branch-network and advisor-services LOBs run the RCSA workshops on a rolling annual scope. The second line owns the challenge function and the heat map calibration. Internal audit runs an annual review of the RCSA process itself, looking for evidence that ratings were challenged, not just collected. The OCC examiner team supervises the bank subsidiary under heightened standards and asks how the RCSA output feeds the bank-level operational risk profile and the ICAAP. The Federal Reserve, SEC, and FINRA each consume a different slice of the same underlying data. The job is to run one workbook cycle that survives all four reviews, and to do it without the LOB owners going quiet on the next cycle because the challenge process felt punitive. The artefact that decides whether the cycle worked is the audit committee one-pager. It reconciles the workshop output, the second-line challenge, the loss-event data, the KRI movement, and the issues backlog into one heat map that the board can read in three minutes. Most cycles never produce that artefact cleanly, so the corporate risk manager spends the two weeks before the audit committee meeting rebuilding it from the workbook tabs.

What you walk away with

  • Run a full RCSA cycle that produces a board-ready operational risk profile without the two-week rebuild before the audit committee meeting.
  • Write a workshop facilitation pack that LOB owners walk into prepared, with the inherent risk question pre-framed against actual loss events.
  • Run a second-line challenge process that the LOB owners come back to next cycle, not one that makes them go quiet.
  • Reconcile the workbook output against the operational risk events database, the KRI library, and the issues backlog into one heat map that survives the audit committee question.
  • Produce a one-page operational risk profile the audit committee can read in three minutes and the OCC examiner team can read for evidence of effective challenge.

The 12 modules

Module 1. Scoping the cycle: taxonomy alignment to Basel categories and the bank subsidiary inventory
Open the cycle by reconciling the firm's internal operational risk taxonomy against the seven Basel event-type categories that the bank subsidiary reports under and against the FINRA and SEC inventory the broker-dealer side reports under. Resolve the categories where the firm's taxonomy is finer than Basel (process execution split into trade settlement and account opening) and where it is coarser (vendor risk rolled into external fraud). Output is the scoping memo that the LOB risk officers sign before workshops open.
Module 2. Workshop facilitation pack: pre-reading the LOB owner walks in already prepared for
Build the facilitation pack the advisor-services or branch-network LOB owner reads before the workshop. Loss-event extracts for their LOB over the last cycle. KRI movement charts that map to their processes. The issues backlog filtered to their LOB. The inherent risk question framed against actual events, not against an abstract scale. Output is a fifteen-page pack that turns the workshop from a calibration argument into a working session.
Module 3. Running the workshop: inherent risk rating without inflation
Facilitate the inherent rating conversation so the LOB owner does not default to high on every risk to look thorough or to low to avoid attention. Anchor each rating against a named historical loss event or a named near-miss. Document the rating rationale alongside the number so the second-line challenge has something to engage with. Output is a rated risk register with rationale that the second line can challenge meaningfully.
Module 4. Control description discipline: writing controls the operational risk events database can be tested against
Rewrite the control descriptions the LOB owner copy-pasted from last cycle into testable statements. Each control names the owner role, the frequency, the system of record, and the artefact a tester would pull. Reconcile against the SOX control catalogue where there is overlap and against the FINRA supervisory procedures inventory. Output is a control library that internal audit can test without a translation step.
Module 5. Residual risk rating: tying the workbook to actual loss-event data
Calibrate the residual rating against the loss-event database extract for the same LOB, the same Basel category, and the same control set. Where the LOB owner rated low residual but the loss-event data shows three repeat events in the cycle, mark the gap for second-line challenge. Output is a residual rating worksheet with loss-event tie-backs that the audit committee paper can cite.
Module 6. The second-line challenge: a process the LOB risk officer comes back to next cycle
Run the challenge meeting so the LOB risk officer reads it as a collaborative reconciliation, not a punitive markdown. Pre-share the gaps the challenge will surface so there are no ambushes. Frame each challenge as a question, not a downgrade. Document the challenge outcome in a memo the LOB owner co-signs. Output is a challenge memo that becomes evidence for the internal audit process review.
Module 7. KRI tie-back: reconciling the workbook ratings against actual KRI movement
Pull the KRI library for the LOB and tie each material risk in the workbook to one or more leading indicators. Where the workbook rated residual moderate but the KRI is trending into the red zone, mark for board attention. Where the workbook rated high but the KRI is stable in the green, document the conservatism rationale. Output is a KRI reconciliation worksheet attached to the workbook.
Module 8. Issues backlog integration: closing the loop between RCSA gaps and remediation tracking
Reconcile every workbook control marked partially effective or ineffective against the issues backlog in the GRC tool. Open new issues for gaps that surfaced this cycle, close issues that the cycle confirms remediated, escalate issues that the cycle confirms have grown. Output is an issues reconciliation that the audit committee paper cites and that the operational risk committee minutes reference.
Module 9. Heat map calibration: a board-readable view that survives the audit committee question
Build the firm-level heat map from the LOB workbooks, the second-line challenge memos, the KRI reconciliation, the loss-event data, and the issues backlog. Calibrate so the heat map is not just an arithmetic average of LOB ratings, because the audit committee will ask why a bank-subsidiary high-residual cyber risk is shown next to a custody process risk at the same intensity. Output is a heat map with calibration notes.
Module 10. The board paper: one-page operational risk profile the audit committee reads in three minutes
Write the audit committee one-pager. The heat map, the top five risks with rationale, the material movement since last cycle, the issues backlog count by severity, the next-cycle scope. Each claim cites a workbook tab, a challenge memo, a KRI movement, or a loss-event reference. Output is a one-pager the CRO can take to the audit committee and the OCC examiner team can read as evidence of effective challenge.
Module 11. OCC examiner readiness: the supervisory question set the cycle has to answer
Walk through the operational risk supervisory question set the OCC examiner team brings to the bank subsidiary. Evidence of effective challenge. Reconciliation of RCSA output to ICAAP inputs. Treatment of cross-LOB and shared-service risks. Coverage of vendor and third-party risk. Each question is mapped to a workbook tab, a memo, or a worksheet the course has already built. Output is an examiner binder.
Module 12. The cycle close memo and the calendar reset
Write the cycle close memo to the CRO and the audit committee chair, naming what the cycle confirmed, what changed since last cycle, what the next cycle will scope differently, and what the methodology refresh looks like. Reset the calendar for the next annual cycle so workshops, challenge meetings, KRI refreshes, and board papers are on the LOB owners' calendars. Output is a close memo and a twelve-month cycle calendar.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

The Monday workshop with the branch-network LOB owner is on the calendar. Module 2 builds the facilitation pack. Module 3 runs the inherent rating conversation. Module 4 rewrites the control descriptions.
The second-line challenge meeting with advisor-services is two weeks out. Module 5 calibrates the residual ratings against loss-event data. Module 6 runs the challenge as a reconciliation.
The KRI library refresh is overdue. Module 7 reconciles the workbook against KRI movement. Module 8 closes the loop with the issues backlog.
The audit committee meeting is four weeks out and the OCC examiner team is in next quarter. Module 9 calibrates the heat map. Module 10 writes the one-pager. Module 11 builds the examiner binder. Module 12 closes the cycle.

What you get with this course

  • 12 written modules anchored on a US retail brokerage and national bank subsidiary RCSA cycle.
  • Downloadable templates for the scoping memo, the workshop facilitation pack, the rated risk register, the control library, the residual rating worksheet, the challenge memo, the KRI reconciliation worksheet, the issues reconciliation, the heat map with calibration notes, the audit committee one-pager, the examiner binder, and the cycle close memo.
  • Worked examples from a representative LOB mix covering advisor services, branch network, custody and clearing, asset management, and a bank subsidiary.
  • A hand-built implementation playbook fitted to the buyer's LOB mix, regulator profile, GRC tool, and audit committee cadence.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Week one: scoping memo and facilitation pack templates fitted to your LOB mix.

Weeks two to four: workshop facilitation, inherent and residual rating, control description discipline.

Weeks five to seven: second-line challenge, KRI tie-back, issues reconciliation.

Weeks eight to ten: heat map calibration, audit committee one-pager, OCC examiner binder.

Weeks eleven to twelve: cycle close memo, twelve-month calendar reset, methodology refresh notes.

Before and after

Before

The RCSA workbook comes back inflated, the second-line challenge feels punitive to the LOB owner, the heat map is an arithmetic average that the audit committee questions, the OCC examiner team asks where the evidence of effective challenge lives, and the corporate risk manager spends the two weeks before audit committee rebuilding the one-pager from workbook tabs.

After

The workshop pack is read in advance, the inherent ratings are anchored on named events, the control descriptions are testable, the residual ratings reconcile to loss-event data, the challenge memo is co-signed, the heat map is calibrated, the audit committee one-pager is read in three minutes, the examiner binder shows the challenge evidence on the first page, and the cycle close memo sets the next twelve months on the LOB owners' calendars.

What happens if you do not address this

The audit committee questions the heat map, internal audit's process review flags the lack of documented challenge, the OCC examiner team writes a matter requiring attention against the bank subsidiary's operational risk governance, the LOB risk officers lose faith in the cycle because the second-line challenge felt like a markdown rather than a reconciliation, and the corporate risk manager seat loses credibility as the translator between the workshop room and the board room.

Who it is for

Built for the corporate risk manager seat inside a US retail brokerage or broker-dealer with a national bank subsidiary. The seat owns the operational risk taxonomy, the RCSA cycle calendar, the workshop facilitation pack, the second-line challenge process, the heat map reconciliation, the KRI library, and the board paper. Reports into the Chief Operational Risk Officer or directly into the CRO depending on the org chart. Works daily with the LOB risk officers in advisor services, branch network, custody and clearing, asset management, and the bank subsidiary. Coordinates with internal audit on the RCSA process review, with compliance on the regulatory inventory, with the model risk team on the loss distribution approach inputs, and with finance on the ICAAP submission. Knows the FINRA rulebook, SEC Reg BI, OCC Heightened Standards, the Federal Reserve SR letters on operational risk, and the Basel operational risk taxonomy.

Who this is NOT for. Not for the credit risk seat (different framework, different regulator focus). Not for the market risk seat (VaR and counterparty exposure are different problems). Not for the enterprise risk officer at a non-financial-services firm. Not for a third-line internal auditor running the RCSA process review, though the course explains what that review will look for. Not for the LOB risk officer running a single workshop, though the course is useful as a reference for that role. Not for someone outside a US-regulated entity, since the course is anchored on US brokerage and bank supervisory expectations.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. About two to three hours per module. Most corporate risk managers run one module per week alongside their live cycle so the templates land at the calendar moment they are needed.

Why $199 is the right number

Most operational risk certifications teach the Basel taxonomy and the loss distribution approach without ever showing you how to write the audit committee one-pager. Consultancy advisory engagements rebuild the framework from scratch every two years at six-figure cost and leave when the engagement closes. This course teaches the cycle that runs in production, anchors it on the artefacts the audit committee and the OCC examiner team actually read, and leaves the templates with the buyer.

FAQ

Is this anchored on a specific GRC tool?
The templates are tool-agnostic and the implementation playbook is fitted to the buyer's GRC tool, whether that is Archer, ServiceNow IRM, Workiva, OneTrust, or a workbook-and-SharePoint baseline.
Does the course cover the bank subsidiary supervisory expectations as well as the broker-dealer?
Yes. The course is anchored on a firm with both a US broker-dealer and a national bank subsidiary, so the OCC Heightened Standards, the Federal Reserve SR letters, the FINRA supervisory framework, and the SEC Reg BI inventory are all in scope.
Will this work for a firm that runs RCSA in workbooks rather than a GRC tool?
Yes. The workshop facilitation pack, the rated register, the control library, the challenge memo, and the heat map are all designed to work in spreadsheets first and to port to a GRC tool when the buyer is ready.
How tailored is the hand-built implementation playbook?
It is fitted to the buyer's LOB mix, regulator profile, GRC tool, audit committee cadence, and the names of the risk taxonomy categories the buyer uses internally.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.
