What is the role of the Chief Risk Officer in promoting an enhanced risk culture?
Evolving the risk culture and its footprint is one of the things I am most excited about in my role at OCC. Because of my tenure and expertise, I can talk with my industry peers about clearing issues and share a depth of understanding on various issues, whether it is technology, operations, finance or accounting. But what I am really interested in doing is to ingrain the risk culture in OCC. That means, for example, having colleagues look at their processes at a very granular level. This means encouraging people who are engaged in day-to-day activities and who see issues first, when they see something, they should say something. When people in an organization are not conditioned to escalate issues and bring awareness to them, those issues can continue to occur and become the status quo. It is foundational that in our process we identify and escalate issues immediately, and with that level of awareness, determine the best way to mitigate the risk. Our message at OCC is "identify, escalate, and then debate."
Do you draw on any best practice models?
Risk focus, or risk culture, has evolved over the past ten years. Something we are going through now at OCC is a risk culture audit. We bring in a firm specifically to audit the culture, evaluate the tone of our messaging, and how we are communicating those messages. A key component of infusing a risk culture in an organization is through compensation and performance evaluation. You want to incent people to highlight and report issues. We are thinking about things like self-identified findings; in your internal audit review, what percentage of the findings are self-identified? The more of those that you have, the better an organization's risk culture. It shows that people are aware of the risks, they are reporting the risks, and they are creating plans proactively to mitigate those risks.
How big a concern is information security?
Technology and cyber risk is an area that we want to stay ahead of in managing, and it consumes a big part of my day. If anybody wants to breach your walls, with enough resources and commitment, they will do it. A good risk manager has to, as quickly as possible, identify and quarantine the issue and then have continuity plans to mitigate the issue. In our world, we have access to federal-level resources as far as understanding when a potential cyber attack is emerging. While we have built processes and have resources available to us, it is always about improving the infrastructure, identifying the issues as they are emerging, and have robust contingency plans to react to and mitigate the incident. It is always issue number one for a central counterparty like OCC to make sure that market confidence is not eroding, that issues are addressed, and that business continues.
How do you keep an eye on technological innovations?
In our governance structure, new technologies go through a rigorous vetting process before they are adopted. A good example today is the cloud. As we build up our risk analytics, and as we go from an overnight batch process to a real-time process, data storage is going to be key, and it becomes imperative to access and leverage cloud technology. There are obvious risks involved: storing data on someone else's servers, making sure the data is secure. A key component of my role is to empower the firm to evaluate a new technology comprehensively to understand the risks, put mitigating controls in place, and enable the business to take advantage of the technology. It is a different kind of risk if an organization is narrow-minded and takes years in evaluating a technology and never gets to take advantage of it.