Compliance monitoring cycle

Obligations are risk-rated through the CRA. Residual risk drives where controls, monitoring tests, findings and board reporting focus their effort. The cycle closes when test results feed back into the next reassessment.

  1. Obligations
  2. RCSA5 open
  3. CRA
  4. Controls
  5. Monitoring
  6. Findings8
  7. Governance6

Risk & Control Self-Assessment (RCSA)

AR
First-line view of control effectiveness

Risk & Control Self-Assessment (RCSA)

Business owners (1st line) self-assess the design and operating effectiveness of the controls mapped to their obligations on each cycle. Compliance (2nd line) reviews and accepts or challenges each rating; accepted ratings feed the control-effectiveness input of the Compliance Risk Assessment, so residual risk reflects the firm's own view of how well its controls are working.

Scope of coverage — Residual scores aggregate findings, tests and controls within the firm's in-scope obligation library. See what's in scope.

Cycles open
1
Submitted (latest)
90%
Accepted by 2LoD
40%
Open assessments
5

RCSA cycles · 1

  • 4e6ad0eb-17b5-405d-91d6-320d0c7c41e2
    H1 2026 (Sample)
    Opened 5/8/2026
    Open
    Status
    reviewed
    Assessments
    50
    Submitted
    45/50
    Accepted
    20/50