Fixing the Foundations: The Case for Rigorous Data Controls and RCSA Programmes That Actually Deliver
Regulatory patience with poor data governance has been exhausted. For banks and insurers, the priority now is not diagnosing the problem; it is building programmes that fix it and make the fix stick.
A governance failure, not a technology failure
Financial institutions have invested significantly in data infrastructure over the past decade. The persistent problem is not the technology; it’s the governance around it. Ownership of data is frequently unclear, lineage is poorly documented, and the controls designed to catch errors before they reach models or regulatory outputs are either absent or untested. Industry analysis suggests only around 30% of organisational data meets standards that could be considered reliable. In capital-intensive, model-dependent businesses like banking and insurance, that gap between data reality and data aspiration carries material consequences.
It’s a hot topic with the regulators. The FCA's enforcement activity in 2024 reached £176 million in fines, a 230% increase in value on 2023, with governance and controls failings a recurring theme. The Citibank case, which attracted cumulative OCC penalties of over $500 million between 2020 and 2024 for inadequate data governance and insufficient remediation progress, illustrates what institutional under-investment in this area ultimately costs. The PRA's supervisory statement SS1/23 on model risk management and the Basel Committee's long-standing BCBS 239 principles make clear that data governance and risk control frameworks are regulatory requirements, not aspirational standards. For insurers, Solvency UK reform places equivalent demands on data quality underpinning internal models, SCR calculations and the ORSA process.
Where RCSAs break down and what a good one looks like
Risk and Control Self-Assessments sit at the centre of any firm's operational risk framework. In principle, they are one of the most powerful diagnostics available: a structured mechanism for business lines to identify where their risks are, assess the effectiveness of controls, and surface emerging vulnerabilities before they crystallise into losses or regulatory findings. In practice, they are one of the most criticised components of the risk management toolkit.
The core failure is disconnection. RCSAs are typically conducted annually, under time pressure, and disconnected from the operational data that would make their ratings credible. Control effectiveness ratings are self-assessed without independent validation. When regulators or internal audit challenge the outputs, firms struggle to evidence their positions with anything more substantive than narrative.
A well-designed RCSA is fundamentally different. It connects risk ratings to real operational data; it validates control effectiveness through testing rather than assertion; and it produces outputs genuinely used to prioritise remediation activity rather than filed until the next annual cycle. Getting there requires both the regulatory expertise to design the right framework and the programme management discipline to embed it across the organisation, which is rarely a single-team problem.
The firms that recover credibility with their regulators fastest are not those with the most sophisticated frameworks on paper. They are the ones that can demonstrate systematic, evidenced improvement, quarter on quarter, control by control.
From design to delivery: how Delta Capita works
Delta Capita brings together two practices that are too often engaged separately: Risk & Regulation, and Transformation & Change. In our experience, this is precisely where RCSA and control remediation programmes fail; the regulatory design is sound, but the delivery infrastructure is insufficient to drive change at the pace and consistency regulators expect.
In practice, this means we have helped banks and insurers run multi-workstream RCSA remediation programmes from the initial diagnostic through to embedding improved controls in day-to-day operations and preparing the evidence packs that satisfy supervisory review. Our project managers work alongside our risk specialists from day one, ensuring that what gets designed can be delivered, and that delivery is tracked and reported with the rigour that regulators and boards now expect.
The cost of continuing to defer
The firms that treat data quality and control frameworks as problems to be managed at the margin will continue to face the same regulatory findings, the same remediation cycles, and the same reputational exposure. Those that invest in getting the foundations right, with the governance clarity, programme discipline and independent expertise to make change stick, find that the investment pays back in stronger supervisory relationships, more credible risk models, and the ability to make consequential decisions on data they trust.
Delta Capita is ready to help. Whether you are responding to a regulatory finding, preparing for a supervisory review, or seeking to transform your RCSA and data governance framework proactively, our combined Risk & Regulation and Transformation & Change practices offer the full spectrum from design to delivery.