Explore
Close
Your acceptance of all cookies will permit robust site functionality. If you don't allow cookies, some features and functionality of OCC's site may not operate as expected. If you do not choose either cookie setting for our site, or if you close this window, this message will continue to display on each page you visit. Cookie settings can be controlled in your Internet browser to automatically reject some forms of cookies. For more details on cookies this site uses, see our OCC Site Cookies page. In addition to using cookies, we retain other information, including your Internet Protocol (IP) address, for the purposes listed in the Privacy Policy.

Some Thoughts by OCC on Risk Management

John J. Fennell
December 06, 2016
By John J. Fennell, Chief Risk Officer

What is the role of the Chief Risk Officer in promoting an enhanced risk culture?
Evolving the risk culture and its footprint is one of the things I am most excited about in my role at OCC. Because of my tenure and expertise, I can talk with my industry peers about clearing issues and share a depth of understanding on various issues, whether it is technology, operations, finance or accounting. But what I am really interested in doing is to ingrain the risk culture in OCC. That means, for example, having colleagues look at their processes at a very granular level. This means encouraging people who are engaged in day-to-day activities and who see issues first, when they see something, they should say something. When people in an organization are not conditioned to escalate issues and bring awareness to them, those issues can continue to occur and become the status quo. It is foundational that in our process we identify and escalate issues immediately, and with that level of awareness, determine the best way to mitigate the risk. Our message at OCC is "identify, escalate, and then debate."

Do you draw on any best practice models?
Risk focus, or risk culture, has evolved over the past ten years. Something we are going through now at OCC is a risk culture audit. We bring in a firm specifically to audit the culture, evaluate the tone of our messaging, and how we are communicating those messages. A key component of infusing a risk culture in an organization is through compensation and performance evaluation. You want to incent people to highlight and report issues. We are thinking about things like self-identified findings; in your internal audit review, what percentage of the findings are self-identified? The more of those that you have, the better an organization's risk culture. It shows that people are aware of the risks, they are reporting the risks, and they are creating plans proactively to mitigate those risks.

How big a concern is information security?
Technology and cyber risk is an area that we want to stay ahead of in managing, and it consumes a big part of my day. If anybody wants to breach your walls, with enough resources and commitment, they will do it. A good risk manager has to, as quickly as possible, identify and quarantine the issue and then have continuity plans to mitigate the issue. In our world, we have access to federal-level resources as far as understanding when a potential cyber attack is emerging. While we have built processes and have resources available to us, it is always about improving the infrastructure, identifying the issues as they are emerging, and have robust contingency plans to react to and mitigate the incident. It is always issue number one for a central counterparty like OCC to make sure that market confidence is not eroding, that issues are addressed, and that business continues.

How do you keep an eye on technological innovations?
In our governance structure, new technologies go through a rigorous vetting process before they are adopted. A good example today is the cloud. As we build up our risk analytics, and as we go from an overnight batch process to a real-time process, data storage is going to be key, and it becomes imperative to access and leverage cloud technology. There are obvious risks involved: storing data on someone else's servers, making sure the data is secure. A key component of my role is to empower the firm to evaluate a new technology comprehensively to understand the risks, put mitigating controls in place, and enable the business to take advantage of the technology. It is a different kind of risk if an organization is narrow-minded and takes years in evaluating a technology and never gets to take advantage of it.

This web site discusses exchange-traded options issued by The Options Clearing Corporation. No statement in this web site is to be construed as an endorsement, recommendation or solicitation to purchase or sell a security, or to provide investment advice. Options involve risk and are not suitable for all investors. Prior to buying or selling an option, a person must receive a copy of the disclosure document, Characteristics and Risks of Standardized Options. Individuals should not enter into option transactions until they have read and understood this document. To obtain copies, contact your broker, any exchange on which options are traded, or The Options Clearing Corporation, 125 S. Franklin Street, Suite 1200, Chicago, IL 60606 ([email protected]).