<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Risk and Compliance news and commentary&#124; easy2comply &#187; SOX Software</title>
	<atom:link href="http://www.easy2comply.com/blog/tag/sox-software/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.easy2comply.com/blog</link>
	<description>GRC blog</description>
	<lastBuildDate>Mon, 08 Aug 2011 06:26:46 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1</generator>
		<item>
		<title>Basel II – Operational Risk webinar</title>
		<link>http://www.easy2comply.com/blog/2009/11/22/basel2/</link>
		<comments>http://www.easy2comply.com/blog/2009/11/22/basel2/#comments</comments>
		<pubDate>Sun, 22 Nov 2009 09:49:03 +0000</pubDate>
		<dc:creator>Jeremy  Kaye</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Basel II Software]]></category>
		<category><![CDATA[Operational Risk Software]]></category>
		<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[Sarbanes-Oxley]]></category>
		<category><![CDATA[SOX Software]]></category>
		<category><![CDATA[Web Seminar]]></category>

		<guid isPermaLink="false">http://easy2comply.com/blog/?p=1</guid>
		<description><![CDATA[Easy2comply held its third Basel II – Operational Risk webinar, which focused on building effective Risk Management frameworks that can be implemented with smaller budgets and smaller departments. Many questions were asked and I would like to focus on a few of them as they raise some interesting ideas for all of us. A risk [...]]]></description>
			<content:encoded><![CDATA[<p>Easy2comply held its third Basel II – Operational Risk webinar, which focused on building effective Risk Management frameworks that can be implemented with smaller budgets and smaller departments.</p>
<p>Many questions were asked and I would like to focus on a few of them as they raise some interesting ideas for all of us.</p>
<p>A risk manager from the United States wanted to know about the overlap between Operational Risk and Sarbanes-Oxley. Whilst this blog won’t go into a lot of detail about the similarities and differences, the point that I made was around Controls coverage.</p>
<p>The SOX program covers all of the controls surrounding the Financial Reporting process, as well as the information flows into the end financials. The analysis on these controls is incredibly rich and deep, from identification, assessment, and all the way through to testing.</p>
<p>In contrast, Operational Risk covers a much broader set of controls across the organization; however, the analysis on these controls is generally a lot shallower. Quite often it is sufficient to record that the controls exist and that they work.</p>
<p>These different approaches are both supported by the easy2comply SOX and Operational Risk software.<span id="more-1"></span></p>
<p>Another question was asked about how to deal with HR and IT in an Operational Risk program. This is something that always comes up, and needs a clear policy that makes sense for the organization. I would argue that Risks need to be managed where the exposure is, and that depends on the individual risk.</p>
<p>If we look at a trading desk, the manager as part of his Op Risk assessment may rightly identify an exposure to a specific individual or perhaps to a core IT system that supports his entire business operation. The trading desk’s exposure to these risks is very real, and as such, it should be part of his assessment even though they are HR and IT risks.</p>
<p>On the other side, the IT and HR departments should be performing their own risk assessments for issues that are relevant to them. HR can be managing general exposures, focusing on, for example, standardization of hiring procedures, discrimination policies, and staff training. By contrast, the trading desk manager might not be concerned about the male/female ratio, but the HR manager will be.</p>
<p>IT should manage their own risks, and most likely already do. IT have a certain advantage in the world of Risk Assessment, as the nature of their work is very output oriented and as such can be measured and reported on. There will be risks that the IT department will manage, such as management of Service Level Agreements with third parties, overall system downtime across the organization, or the policies on migrating software from testing into production. These risks will never feature on the trading desk manager’s assessment unless they give him a specific and personal exposure.</p>
<p>The key thing to remember is that Risk Assessment is a partnership, and the Operational Risk Manager needs to coordinate activities across both the business units and the support units to ensure that all material risks are being identified and worked on.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.easy2comply.com/blog/2009/11/22/basel2/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
	</channel>
</rss>

