Why A Resilient Risk Management and Internal Control Infrastructure Matters

October 25, 2016
By Adi Agrawal

Enhanced focus on internal controls by corporate boards and regulators sometimes appears to be a post-financial crisis phenomenon. Those tasked with designing, executing and assuring the resiliency of a corporation's internal control infrastructure sometimes struggle with articulating the business case for it as well as defining the business need for internal controls. It is, hence, important to recognize and understand what "controls" are and their value in achieving desired outcomes.

Controls have been utilized for millennia as a means to assure that objectives are met within a range of tolerable outcomes. They have been developed and deployed to reduce uncertainty (or unwanted deviations) within a process or system to achieve a desired outcome. In the third century B.C., Ktesibios's water clock in Alexandria, Egypt kept time by controlling the water level in a vessel. Today internet protocol thermostats are available to remotely regulate and control temperature in our homes. There are applications of controls all around us that have become a ubiquitous part of our daily lives. Without effective and reliable controls it is difficult to assure outcomes and this is particularly true for complex processes and systems in the exchange-listed options space.

As a Systemically Important Financial Market Utility (SIFMU) and the foundation for secure markets, OCC understands the value and importance of maintaining and operating an effective and reliable internal control infrastructure that assures risk management and processing outcomes expected by our stakeholders. Our responsibility to assure integrity, timeliness and completeness in the services we provide to market participants span beyond the enterprise. That is why we continue to invest in evolving and maturing our internal control infrastructure in response to changing business and regulatory needs.

To maintain a resilient risk management and internal control infrastructure at OCC we employ the "three lines of defense model". This model allows us to manage the corporation's control infrastructure with clarity of ownership and accountability. The first line of defense is the operational business units of the corporation including financial risk management, operations, technology, legal, regulatory affairs and corporate functions like human resources, finance, accounting and program management office. Our first line colleagues are responsible and accountable for designing, operating and maintaining an effective internal control infrastructure comprising of policies, standards, procedures and guidance that allows us to meet our service obligations. They own and are accountable for our internal control infrastructure and service outcomes.

We support and monitor the efforts of our first line colleagues using capabilities within a second line of defense consisting of our corporate risk management and compliance functions. The second line designs, implements and maintains an enterprise-wide risk management framework and tools to assess and manage risk at that level. These colleagues work with the first line to assess risks and establish policies and guidelines. They advise, monitor and report on the first line's effectiveness in managing risk and maintaining and operating a resilient control infrastructure. Our second line of defense is an important portfolio of capabilities that allow our executive management and the OCC Board of Directors to have a comprehensive and objective view regarding the overall health of our risk management and internal control infrastructure and whether our services are being delivered within an agreed upon risk appetite.

The third line of defense is the OCC Internal Audit function. My team and I work for the Audit Committee of our Board of Directors, and we are accountable for designing, implementing and maintaining a comprehensive assurance program that allows our executive management and Board to receive independent and objective assurance that the quality of our risk management and internal control infrastructure meets our risk appetite and business imperatives. We fulfil our obligations to OCC by maintaining a diverse and skilled team of professionals with a variety of business, technology and assurance skills. The OCC Internal Audit team performs all its activities in compliance with the Institute of Internal Auditors' standards enshrined in the International Professional Practices Framework.

All my OCC colleagues across the three lines of defense are dedicated to maintaining a resilient risk management and internal control infrastructure to fulfil OCC's mission; which is to promote stability and market integrity through effective and efficient clearing, settlement and risk management services while providing thought leadership and education to market participants and the public about the prudent use of products we clear.

By enhancing our resiliency through a strong internal control infrastructure, we are not only building a high performance culture, we are promoting increased operational excellence and fostering growth, innovation and thought leadership. This helps OCC in its role as a leader in the exchange-listed options industry and allows us to better serve market participants and the greater public interest.

To learn more about OCC's thought leadership on industry issues, visit OCC's Blog.

Your acceptance of all cookies will permit robust site functionality. If you don't allow cookies, some features and functionality of OCC's site may not operate as expected. If you do not choose either cookie setting for our site, or if you close this window, this message will continue to display on each page you visit. Cookie settings can be controlled in your Internet browser to automatically reject some forms of cookies. For more details on cookies this site uses, see our OCC Site Cookies page. In addition to using cookies, we retain other information, including your Internet Protocol (IP) address, for the purposes listed in the Privacy Policy. Do not accept analytic cookies Accept analytic cookies