Risk Register


Sector Name:
RCSA Date:
Workshop Participants (Name, Title):
Approval(s) (Name, Title, Date):
Department Head:

Objective

The objective of the RCSA is to identify and assess operational risks and to determine the adequacy and effectiveness of the internal controls designed to manage those risks.

Purpose

The purpose of this document is to ensure complete and accurate identification of operational risks; to quantify the exposure to operational risk and rate it as High, Medium or Low; to assess the strengths and weaknesses in the operational risk control environment exhaustively and accurately; and to prioritize management action for high-risk areas.

RCSA Components

RCSA Results
RCSA - Risk Register
Consolidated RCSA Action Plan Tracker


Risk and Control Self Assessment
Unit -
Date of Assessment

Register columns, by section:

Process Details: #, Function, Process Name, Sub Process, SOP Available (Yes/No)
Risk Identification and Assessment: Risk Event Reference #, Risk Description, Risk Causal Factors, Risk Category, Root Cause, Risk Impact Description, Risk Data Sources Ref., Description, Risk Likelihood, Risk Impact, Combined Risk Assessment, Risk Owner
Control Identification and Assessment: Control Ref. #, Control, Control Description, Control Frequency, Control Type, Control Category, Control Classification, Control Design Effectiveness, Control Operating Effectiveness, Combined Control Effectiveness, Control Owner
Residual Risk: Residual Risk, Remarks, if any
Action Plans: Action Required, Action Plan Reference, Action Plan Item, Target Date

1 Risk_-_1 Action Plan_-_1

2 Risk_-_2 Action Plan_-_2

3 Risk_-_3 Action Plan_-_3

4 Risk_-_4 Action Plan_-_4

5 Risk_-_5 Action Plan_-_5

6 Risk_-_6 Action Plan_-_6

7 Risk_-_7 Action Plan_-_7

8 Risk_-_8 Action Plan_-_8

9 Risk_-_9 Action Plan_-_9


Risk Likelihood Rating

Rating: Probability; Frequency (Comments)

Highly Likely: Greater than 75%; the event is pervasive and is expected to occur on a regular basis.
Expected: Greater than 50% and up to 75%; the event will probably occur in most circumstances.
Possible: Greater than 25% and up to 50%; the event should occur in some circumstances and will possibly occur within the next 2 years.
Not Likely: Greater than 10% and up to 25%; the event could occur in some circumstances within a timeframe of more than 2 years but less than 5 years.
Remote: Less than 10%; the event may occur in exceptional circumstances and within a timeframe of more than 5 years and up to 10 years.

Risk Impact Rating (Net Financial Impact and Strategic Growth)

Risk Category: Net Financial Impact; Strategic Growth

Severe: Greater than SAR 1M; no growth or negative growth rate, i.e., reduction in market share compared to previous year(s).
Major: Greater than SAR 500K but less than SAR 1M; significant decline in growth, i.e., growth rate achieved in terms of market share is less than 50% of targets/budgets or prior year(s) growth.
Medium: SAR 50K but less than SAR 500K; major decline in growth, i.e., growth rate achieved in terms of market share is less than 25% of target/budget or prior years' growth.
Minor: Greater than SAR 5K but less than SAR 50K; decline in growth rate, i.e., growth rate achieved in terms of market share is below 15% of targets/budget or prior years' growth.
Insignificant: SAR 0 but less than SAR 5K; minimum impact on growth, i.e., growth achieved in terms of market share is less than 5% of targets/budget or prior years' growth.

Risk Impact Rating (Operational Impact, Reputation Impact, Staff Impact)

Rows correspond to the impact levels Severe, Major, Moderate, Minor and Insignificant, top to bottom.

Severe
Operational Impact: Potential that operational activities are not conducted at all, and there is a certainty that the objectives of the department will not be achieved.
Reputation Impact: Results in significant and sustained adverse international media coverage. Potential to cause erosion of brand value in the medium to long term.
Staff Impact (in terms of staff functioning): > 50% of staff significantly affected.

Major
Operational Impact: High impact on the operational activities, and there is a high potential (50% - 70%) that the objectives of the department may not be achieved.
Reputation Impact: Results in significant adverse national media coverage. Potential to cause erosion of brand value in the short term.
Staff Impact (in terms of staff functioning): 20% to 50% of staff significantly affected.

Moderate
Operational Impact: Moderate impact on the operational activities, and there is a moderate chance (20% - 50%) that the objectives of the department may not be achieved.
Reputation Impact: Adverse media coverage and public opinion at regional/local level or among a group of customers.
Staff Impact (in terms of staff functioning): 10% to 20% of staff significantly affected.

Minor
Operational Impact: Minor impact on the operational activities of the department / process.
Reputation Impact: Impacts a small part of the customer base, channels, region or portfolio.
Staff Impact (in terms of staff functioning): 1% to 10% of staff affected.

Insignificant
Operational Impact: No or immaterial impact on the operations of the activities of the department / process.
Reputation Impact: Minimal impact to part of the customer base, channel, region or portfolio.
Staff Impact (in terms of staff functioning): < 1% of staff affected.


Inherent Risk Scale (Risk Likelihood x Risk Impact)

Risk Impact columns: 1 Insignificant, 2 Minor, 3 Moderate, 4 Major

Risk Likelihood rows:
5 Highly Likely: Medium Low, Medium High, Medium High, High
4 Expected: Medium Low, Medium Low, Medium High, High
3 Possible: Low, Medium Low, Medium High, Medium High
2 Not likely: Low, Medium Low, Medium Low, Medium Low
1 Remote: Low, Low, Low, Medium Low

Control Effectiveness Scale (Design Effectiveness x Operating Effectiveness)

Operating Effectiveness columns: 1 Poor, 2 Unsatisfactory, 3 Satisfactory, 4 Effective

Design Effectiveness rows:
1 Poor: Low, Low, Low, Medium Low
2 Unsatisfactory: Low, Medium Low, Medium High, Medium High
3 Satisfactory: Low, Medium High, Medium High, High
4 Effective: Medium Low, Medium High, High, Very High
5 Highly Effective: Medium Low, High, High, Very High

Action Plan Required

Residual Risk Scale (Inherent Risk Rating x Overall Control Rating)

Overall Control Rating columns: 5 Very High, 4 High, 3 Medium High, 2 Medium Low

Inherent Risk Rating rows:
5 Very High: Medium Low, Medium High, Medium High, High
4 High: Medium Low, Medium Low, Medium High, High
3 Medium High: Low, Medium Low, Medium Low, Medium High
2 Medium Low: Low, Low, Medium Low, Medium Low
1 Low: Low, Low, Low, Low

Action Plan Required


Process RCSA Results

Inherent Risk Assessment Result
Heatmap of Probability (rows: Very High 5 Highly Likely; High 4 Expected; Medium High 3 Possible; Medium High 2 Not likely; Medium Low 1 Remote) against Impact Criteria (columns: 1 Insignificant, 2 Minor, 3 Moderate, 4 Major, 5 Severe), with the number of risk events per inherent rating (Very High, High, Medium High, Medium Low, Low, TOTAL).

Control Assessment Result
Combined heatmap of Control Design (rows: Medium Low 1 Poor; High 2 Unsatisfactory; High 3 Satisfactory; Very High 4 Effective; Very High 5 Highly Effective) against Control Operation (columns: 1 Poor, 2 Unsatisfactory, 3 Satisfactory, 4 Effective, 5 Highly Effective), with the number of controls per control effectiveness rating (Very High, High, Medium High, Medium Low, Low, TOTAL).

Consolidated Residual Risk Assessment Result
Heatmap of Inherent Risk Rating (rows: Very High 5 Very High; High 4 High; Medium High 3 Medium High; Medium Low 2 Medium Low; Low 1 Low) against Overall Control Rating (columns: 5 Very High, 4 High, 3 Medium High, 2 Medium Low, 1 Low), with the number of residual risks per residual risk rating (Very High, High, Medium High, Medium Low, Low, TOTAL).

Action Plan Required

All heatmap cells and counts in this export show Err:504 (a spreadsheet formula error), so no result values are present.

Summary charts: Risk Events (Inherent), Control Assessment and Residual Risks, each broken down as Very High, High, Medium High, Medium Low, Low.



Control Design Effectiveness (Rating: Criteria)

Poor: The control is poorly designed and requires design change.
Unsatisfactory: The control design is limited and ineffective.
Satisfactory: The control is designed properly but opportunities for improvement exist.
Effective: The control is designed fairly to mitigate most aspects of the risk.
Highly Effective: The control is designed adequately to substantially mitigate the risk.

Control Operating Effectiveness (Rating: Criteria)

Poor: Control is not applied or applied incorrectly.
Unsatisfactory: Control is operating with limited effectiveness.
Satisfactory: Control is operating properly and is acceptable.
Effective: Control is operating well in the majority of cases.
Highly Effective: Control always operates effectively in the way intended in its design.

Residual Risk Scale (Inherent Risk x Control Effectiveness)

Control Effectiveness columns: 1 Low, 2 Medium Low, 3 Medium High, 4 High, 5 Very High

Inherent Risk rows:
1 Low: Low, Low, Low, Low, Low
2 Medium Low: Medium Low, Medium Low, Medium Low, Low, Low
3 Medium High: Medium High, Medium High, Medium Low, Medium Low, Low
4 High: High, High, Medium High, Medium Low, Medium Low
5 Very High: Very High, High, Medium High, Medium High, Medium Low

Action Plan Reference and Details

Fields: Risk Mapping, Action Plan Reference Number, Action Plan, Action Plan Owner, Comments

Reference lists

Risk Status: Active, Inactive
Risk Causal Factor: People, Process, System, External Factor
RISK Category: Reporting, Strategic, Compliance, IT, Operational, ALL
Control Classification: Access Control, Reconciliation, Review, Verification and Authorisation, IT / System Control, Process Control, Maker Checker, Physical Control, Other, NA
Control Type: Preventive, Detective, Directive, NA
Control Frequency: On Going, Daily, Weekly, Monthly, Quarterly, Half Yearly, Annually, On Demand, NA
Control Operating: Poor, Unsatisfactory, Satisfactory, Effective, Highly Effective
Control Design: Poor, Unsatisfactory, Satisfactory, Effective, Highly Effective
Risk Impact: Severe, Major, Moderate, Minor, Insignificant

Definition

1: Risk Causal Factor

*People: Risk of negative impact related to inadequacies in human capital and the management of human resources.

*Process: Risk of negative impact related to weak internal business processes within every aspect of the business.

*Systems: Risk of negative impact related to poor internal systems.

2: RISK Category: Group of potential causes of risk, to allow grouping of individual risks for better evaluation of and response to risks.

*Reporting: All risks arising from the reliability of financial reporting to TWQ management.

*Strategic: The risks arising from or resulting in Tanfeeth's inability to formulate or execute a business strategy that successfully meets Tanfeeth's Vision & Mission.

*Compliance: The risks arising from or resulting in a failure to comply with existing local, regional, or international laws or regulatory policies, or from unexpected changes to existing local, regional, or international laws or regulatory policies or the development, administration, and enforcement of regulations.

*IT: The risks arising from or resulting in failure of technology or related systems.

*Operational: The risks arising from inadequate or failed internal processes, procedures, and people, or from failure of asset infrastructure resulting in poor performance, protection, and utilization of existing assets and non-achievement of related Key Performance Indicators.

3: Risk Data Source: Information (data) that is used by an organization for diverse Risk Management and other business processes.

*Audit Points: Through any audit point that resulted from observation and/or reports.

*Customer Complaints: A complaint is an expression of dissatisfaction made to an organization, related to its products or the complaints handling process itself, where a response or resolution is explicitly or implicitly expected.

*External Audit: Through external audit points and reports.

*Incidents: Through any incident or event that impacted the organization earlier.

*Internal Audit: Through the IA function.

*Process Notes: Activity or set of activities that use resources to transform inputs into outputs. Establishing effective and efficient processes that are consistently followed and improved upon is the basis for most management standards.

*Regulatory Inspection: Through regulatory inspection (SAMA, Ministry of Commerce and any other regulatory inspector).

*SOP: Refers to policy, procedures, methodology, and framework.

*Fund Policy: Policies established by a Fund for the purpose of eliminating or reducing any dilution of the value of the outstanding shares issued by the Fund resulting from short-term trading, as described in the applicable Fund's current prospectus.

*Whistle Blowing: Whistleblowing can be internal, i.e., an employee reports wrongdoing using the reporting channels within the organization, or external, i.e., an employee reports wrongdoing to parties outside the organization.

*CSA: Control Self Assessment (CSA) is defined as an effective approach to identifying and managing areas of risk exposure.

*Emerging Risk: A new or unforeseen risk that we haven't yet contemplated. This risk should be on our radar, but it is not, and its potential for harm or loss is not fully known.

4: Control Classification: Classification of information is a process that enables organizations to group information assets into relevant categories depending on the level of protection each category of information should be provided.

*Access Control: Process of granting authorized users the right to use a service while preventing access by non-authorized users.

*Reconciliation: An accounting process in which two sets of records are compared to ensure that the results are accurate and consistent.

*Review: A regular evaluation exercise.

*Verification and Authorisation: Independent procedures are used to check that a product, service, or system meets requirements and specifications and fulfills its intended purpose.

*IT / System Control: Information technology software and/or system.

*Process Control: Criteria and methods are needed to ensure that both the operation and control of these processes are effective.

*Maker Checker: One of the central principles of licensing in the information systems of financial organizations.

*Physical Control: Measure that modifies or maintains risk. Those measures might include policies, processes, practices, devices, or other conditions or actions.

5: Control Type: The control type is a process effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the control.

*Preventive: Decrease the chance of errors and fraud before they occur, and often revolve around separating duties. From a quality standpoint, preventive controls are essential because they are proactive and focused on quality.

*Detective: They are designed to find errors or problems after the transaction has occurred. Detective controls are essential because they provide evidence that preventive controls operate as intended and offer an after-the-fact chance to detect irregularities.

*Directive: A control that guides, and usually impels, toward an action or goal.

Reference lists

Risk Data Source: Audit Points, Customer Complaints, External Audit, Incidents, Internal Audit, Process Notes, Regulatory Inspection, SOP, Fund Policy, Whistle Blowing, CSA, Emerging Risk, Others
SOP: Yes, No
Control Category: Manual, Automated, Both, NA
Function: All, Center of Excellence, HR Operations

Risk Probability to Final Rating

Highly Likely: VERY HIGH (VH)
Expected: HIGH (H)
Possible: MEDIUM HIGH (MH)
Not Likely: MEDIUM LOW (ML)
Remote: LOW (L)
