Skip to main content
Image coming soon

The Retail Brokerage Risk Manager RCSA Playbook

$199.00
Adding to cart… The item has been added

A focused course, tailored for you

The Retail Brokerage Risk Manager RCSA Playbook

Turn the quarterly risk-control self-assessment into a defensible artefact your CRO signs without rework.

Three rows in this quarter's RCSA always come back from the CRO with the same question: why does compliance call it green while operational risk calls it amber on the same supervisor, the same product, the same vendor.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

The risk-control self-assessment lands on the Risk Manager's desk as a stitched-together pack written in three voices. The FINRA Rule 3110 supervisor-coverage row is drafted by compliance and reads as a procedural attestation. The Reg BI care-obligation row is drafted by internal audit and reads as a finding with an action plan. The vendor-risk row on a custody-adjacent fintech is drafted by procurement and reads as a contract clause. Each row stands up on its own. None of them reconcile when the CRO reads the pack as a single risk story. The residual-risk ratings do not match across the three voices. The supervisor named in the FINRA row is the same supervisor who signed the Reg BI care-obligation determination, and the pack shows two different ratings for that person's coverage. The vendor named in the procurement row is the custodian for the same advisor whose Reg BI care obligation is being questioned, and the pack shows green-green-amber across rows that should reconcile. The Risk Manager spends the week before sign-off rewriting the pack into one voice, defending the residual ratings to second-line challenge, and re-mapping the controls so that the CRO can sign a single risk story rather than three disconnected attestations. The course is the rewrite of that pack from the risk manager's seat.

What you walk away with

  • Write a single-voice RCSA pack the CRO signs the first time without rework.
  • Defend residual-risk ratings under second-line challenge with a documented logic.
  • Reconcile FINRA Rule 3110 supervisor-coverage rows with Reg BI care-obligation rows on the same supervisor.
  • Run vendor and fintech risk attestations without trusting the SOC report on its face.
  • Ship an exam-ready supervisory file when FINRA or the SEC requests it within the 30-day window.

The 12 modules

Module 1. The single-voice RCSA pack
Why the quarterly RCSA arrives in three voices and how the risk manager rewrites it into one. Walks through the gap between first-line attestation language, compliance procedural language, and audit-finding language, and the residual-rating logic that reconciles them. Ends with the row template the risk manager uses for every entry regardless of which line of defence drafted the source.
Module 2. FINRA Rule 3110 supervisor coverage rows
How to write the supervisor-coverage row when the branch already attested the finding was remediated but the evidence file is thin. Covers the named-principal coverage matrix, the OSJ-to-non-OSJ delegation evidence, the heightened-supervision sub-row, and the residual-rating defence when the supervisor in question is also named elsewhere in the pack. Templates: the coverage row, the heightened-supervision attachment, the audit trail memo.
Module 3. Reg BI care-obligation rows on complex products
The care-obligation rating logic for complex products like structured notes, alternatives, and option strategies. Maps the four Reg BI obligations to RCSA rows, separates the disclosure obligation from the care obligation in rating terms, and gives the residual-risk language that survives a second-line challenge that reads the same row as the customer harm story rather than the procedural story. Includes the care-obligation determination template.
Module 4. Vendor and fintech risk attestation
The vendor-risk row for custody-adjacent fintechs where the SOC 2 report alone is not enough. Covers the attestation-request letter that asks for the controls the SOC report does not test, the residual-rating logic that does not require trusting the report on its face, and the contract-clause cross-reference that procurement needs in the pack. Templates: the attestation request, the residual-rating defence note, the contract-clause cross-reference table.
Module 5. Trade-surveillance break narrative
How to write the surveillance-break row when the alert ratio is the headline finding. Covers the alert-disposition narrative, the false-positive rate defence, the parameter-tuning audit trail, and the residual-rating logic that does not collapse under a FINRA exam team's follow-up. Templates: the break narrative, the disposition log, the tuning audit trail, the exam-ready response file.
Module 6. AI-tool risk inside the advisor stack
The new RCSA row category: generative AI tools inside the advisor-tech stack, including meeting-note summarisers, client-comms drafting tools, and portfolio-construction assistants. Covers the model-risk row template, the customer-facing AI disclosure determination, the SEC Marketing Rule overlap when AI drafts client-facing content, and the residual-rating logic for tools the firm did not build itself. Templates: the AI row, the disclosure determination memo, the model-inventory entry.
Module 7. Reconciling residual ratings across rows
The single hardest part of the rewrite: when the same supervisor, product, or vendor appears in three rows with three different ratings, the residual-rating reconciliation logic the risk manager uses to settle on one rating. Covers the cross-row matrix, the inherited-rating rule, the higher-of-two convention, and the documented exceptions the CRO signs off on. Template: the cross-row reconciliation matrix.
Module 8. Second-line challenge prep
How to prepare the pack for the second-line challenger before it goes to the CRO. Covers the pre-read package, the challenge-response file, the residual-rating defence summary, and the seven questions the challenger always asks. Templates: the pre-read cover memo, the residual-rating defence summary, the seven-question response file.
Module 9. Exam-ready supervisory file
The 30-day supervisory file when FINRA or the SEC asks for it. Covers the file index, the principal-coverage attestation, the surveillance-break disposition log, the Reg BI determination set, and the vendor-attestation cross-reference. The file is built from the RCSA pack so the exam team sees one consistent story. Templates: the file index, the cover letter, the attestation set, the cross-reference table.
Module 10. Branch and OSJ risk rollup
How to roll branch-level RCSA rows up into the firm-level pack without losing the named-supervisor accountability. Covers the OSJ-to-firm aggregation logic, the heightened-supervision rollup, the branch-audit cross-reference, and the residual-rating logic at the firm level. Templates: the OSJ rollup matrix, the branch-audit cross-reference table.
Module 11. Custody and bank-affiliate cross-risk
The cross-risk rows when the firm runs broker-dealer, RIA custody, and a bank affiliate under one parent. Covers the cross-affiliate vendor row, the customer-funds segregation row, the Reg SCI overlap on trading systems shared with custody, and the residual-rating logic when the same control sits in two affiliates' RCSA packs. Templates: the cross-affiliate row, the segregation attestation, the Reg SCI overlap memo.
Module 12. The CRO sign-off package
Assembling the final pack the CRO signs. Covers the cover memo, the residual-rating heatmap, the cross-row reconciliation summary, the exception log, and the carryover-from-last-quarter audit trail. The CRO reads one story rather than three. Templates: the cover memo, the heatmap layout, the reconciliation summary, the exception log, the carryover audit trail.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

The quarterly RCSA pack lands on your desk in three voices and needs to be rewritten into one before the CRO signs.
A FINRA 3110 supervisor-coverage row and a Reg BI care-obligation row on the same supervisor show different residual ratings and need reconciling.
A custody-adjacent fintech vendor row needs a residual rating that does not require trusting the SOC report on its face.
FINRA or the SEC asks for the supervisory file in 30 days and the file has to be assembled from the RCSA pack without rework.

What you get with this course

  • Twelve written modules covering the RCSA pack rewrite from the risk manager's seat.
  • Downloadable RCSA row templates for FINRA 3110, Reg BI, vendor-risk, surveillance-break, and AI-tool rows.
  • The cross-row residual-rating reconciliation matrix.
  • The second-line challenge pre-read and response file.
  • The 30-day exam-ready supervisory file index and cover-letter template.
  • The hand-built implementation playbook tailored to your firm's RCSA cadence and pack structure.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours: course access provisioned in the Art of Service learning environment and the hand-built implementation playbook delivered alongside it.

Week one: rewrite this quarter's RCSA pack into a single voice using the row templates.

Week two: reconcile residual ratings across cross-referenced rows and prepare the second-line challenge pre-read.

Week three: deliver the CRO sign-off package and assemble the exam-ready supervisory file shell.

Before and after

Before

You spend the week before sign-off rewriting a pack that arrived in three voices, defending residual ratings the CRO has already questioned in prior quarters, and stitching the FINRA, Reg BI, and vendor rows into something that reads as one risk story.

After

The pack arrives in one voice the first time. Residual ratings reconcile across rows. The CRO signs without sending it back. The supervisory file is already assembled when the exam request lands.

What happens if you do not address this

The next quarter's pack repeats the same problem. The CRO sends it back. The supervisory file gets assembled in the 30 days after the exam request rather than already being on the shelf. A FINRA exam team or SEC examiner reads three disconnected ratings on the same supervisor and the firm is defending a residual-rating inconsistency rather than a control failure.

Who it is for

A Risk Manager inside a US retail brokerage or wealth-custody platform who owns the operational-risk RCSA, sits between first-line business heads, compliance, and internal audit, reports into a CRO or Head of Operational Risk, and has to defend residual-risk ratings to a second-line challenger and an exam team. Typical scope: branch supervision under FINRA Rule 3110, Reg BI customer-facing risk on complex products, vendor and fintech risk for custody-adjacent providers, trade-surveillance exception management, and increasingly AI-tool risk inside the advisor-tech stack.

Who this is NOT for. Not for chief risk officers who never write a row of the RCSA themselves. Not for compliance officers whose remit is rule interpretation rather than risk rating. Not for first-line business heads who attest to controls but do not own the residual rating. Not for risk managers at insurers, asset managers, or non-broker fintechs whose regulatory anchor is different. The course assumes the reader is the person physically holding the pen on the RCSA pack and accountable for the residual ratings the CRO signs.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Roughly six to nine hours of reading across the twelve modules, plus the time to apply the row templates to your live RCSA pack. Most risk managers complete the first pass inside one working week.

Why $199 is the right number

Free FINRA and SEC guidance documents describe the rules but not the residual-rating logic that reconciles them across rows. Big-four advisory firms run RCSA refresh engagements at six-figure fees and leave the firm with a methodology document rather than the row-level templates the risk manager uses every quarter. This course delivers the row templates, the reconciliation matrix, and the playbook tailored to the risk manager's seat for 199 USD.

FAQ

Does this assume a particular GRC platform?
No. The row templates are platform-neutral and have been used by risk managers on Archer, ServiceNow IRM, MetricStream, and spreadsheet-based RCSAs. The implementation playbook is tailored to your platform on delivery.
Is this only for broker-dealers, or does it work for the RIA custody side?
It works for both, and module eleven specifically covers the cross-affiliate rollup when broker-dealer, RIA custody, and a bank affiliate sit under one parent.
How current is the Reg BI and FINRA 3110 content?
Current to the most recent FINRA exam priority letter and SEC Reg BI staff guidance. The implementation playbook is rebuilt for every buyer so it reflects the current cycle rather than a cached version.
What is the implementation playbook exactly?
A hand-built document tailored to your firm's RCSA cadence, named systems, supervisory structure, and the named regulators in scope. It is not a generic deliverable. It is rewritten for each buyer in the 24 hours after purchase.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.