Exchange Ideas

New Frontiers in Risk Management & Compliance

This blog will discuss the latest developments & spot futuristic trends that would impact the Risk Mgmt practices and skills.

 

May 19, 2009

Should IT be the second line of defense for Operational Risk function?

As companies gear up to handle the ever-increasing risk management and regulatory environment, a key aspect in recent times has been the emergence of Operational Risk and the role of IT in the implementation of op risk initiatives.

With Operational Risk broadly defined as the risk of losses arising from failure of systems, processes and people, I often wonder if this is an area where the CIO office has a much bigger and more strategic role to play, especially in organisations whose business model derives its competitive advantage from IT.

Although I guess the CIO office hardly has any bandwidth to pick up this key area, I see this as a natural convergence in the future, given the role of IT in risk and compliance execution and effective implementation.

In various discussions I have had with leading companies, many proactive CIOs and their directs seem to have a much better handle on the operational risk aspects, actually even better than the business lines themselves. This could be because the CIO really has to step back and take a big-picture view of the business and its priorities. As the focus in the Operational Risk discipline is really on making the front-line operational staff in the business the first line of defense, IT processes start to become key.

I always made the distinction between IT compliance and business compliance, but I am beginning to come around to the concept that perhaps the second or third line of defense should be the IT department as well, which means that IT starts to become a strategic partner in managing operational risk along with the traditional technology risk they have always managed. I will share more on this going forward but welcome any thoughts around this.

Posted by spachava at 04:53 PM | Comments (2)