Renovating OCC's Risk Culture

March 02, 2017

When I took on the role of chief risk officer at OCC, I realized that as a company we needed to mature from a process-oriented culture to more of a risk-oriented culture. To better serve market participants in our role as the foundation for secure markets, we are working towards this transformation by incorporating a risk lens as we look to improve resiliency, enhance operational effectiveness and prioritize our strategic initiatives. To transform our culture, we have to ingrain that risk-focused mindset into our everyday work. We need to be asking ourselves; where is risk present, how do we measure it, and how do we manage our business with risk as the primary driver?

To our way of thinking, awareness is the key at the board of directors and management level. Everyone must agree that good risk management leads to a more secure and sound business environment. This is important because when you start getting down into the different layers of management and staff, awareness is necessary to really drive the value proposition of taking a risk-based focus throughout the organization.

Another challenge is having the business units own the risks, and empowering them to evaluate risks in a consistent way across the firm. Once business units are capable of identifying and measuring risk in a consistent manner firm-wide, the firm will have a demonstrable way to prioritize initiatives, which will have a snowball effect for process owners to know where and how to make investments. Then they can start to incorporate risk management into the overall strategy, looking at one-year, two-year, and five-year perspectives so the overall strategy becomes risk-based.

It is incumbent on the second line to define the manner in which risks are measured for the firm. You have to start at the top, identify your key risks and risk appetite, and then communicate them across the company. You must create consistency in how you evaluate and measure risk; asking the question, what is the risk taxonomy? Is it a severe, moderate or low risk? Then you create mechanisms to provide transparency and oversight into how the firm is performing from a risk perspective, linking risk measurement to performance and driving that into the business.

The evolution of OCC's risk culture will be driven by these key words; identify, escalate and debate. In the past, our risk culture was very process-oriented. People would be performing a function and when an event would happen causing disruption, the firm would come together quickly to address the issues and get the process operating, but the firm would sometimes neglect to consider and address the root cause. The other piece that was neglected was the escalation of the event. Escalation needs to happen immediately so the firm can have a more comprehensive understanding of what took place and so different areas outside the core process owners can consider additional mitigation, such as business and compliance implications and other reporting obligations. Escalation provides transparency and allows the firm to ensure that the impact of the issue can be assessed more broadly while we debate the root cause and optimal mitigation strategies.

(This blog was taken from an interview Mr. Fennell conducted with the Wall Street Journal Risk & Compliance Journal that appeared on February 15, 2017.)

To learn more about OCC's thought leadership on industry issues, visit OCC's Blog.

Your acceptance of all cookies will permit robust site functionality. If you don't allow cookies, some features and functionality of OCC's site may not operate as expected. If you do not choose either cookie setting for our site, or if you close this window, this message will continue to display on each page you visit. Cookie settings can be controlled in your Internet browser to automatically reject some forms of cookies. For more details on cookies this site uses, see our OCC Site Cookies page. In addition to using cookies, we retain other information, including your Internet Protocol (IP) address, for the purposes listed in the Privacy Policy. Do not accept analytic cookies Accept analytic cookies