May 19, 2009
Should IT be the second line of defense for Operational Risk function?
As companies gear up to handle the ever-increasing risk management and regulatory environment, a key development in recent times has been the emergence of the Operational Risk function and the role of IT in implementing op risk initiatives.
With Operational Risk broadly defined as the risk of losses arising from failure of systems, processes and people, I often wonder if this is an area in which the CIO office has a much bigger and more strategic role to play, especially in organisations whose business model derives its competitive advantage from IT.
Although I guess the CIO office hardly has any bandwidth to pick up this key area, I see this as a natural convergence in future, given the role of IT in executing and effectively implementing risk and compliance.
In various discussions I have had with leading companies, many proactive CIOs and their direct reports seem to have a much better handle on the operational risk aspects, often better than the business lines themselves. This could be because the CIO really has to step back and take a big-picture view of the business and its priorities. As the focus of the Operational Risk discipline is really on making the front-line operational staff in the business the first line of defense, IT processes start to become key.
I have always made the distinction between IT compliance and business compliance, but I am beginning to come around to the concept that perhaps the second or third line of defense should be the IT department as well. This means that IT starts to become a strategic partner in managing operational risk, alongside the traditional technology risk it has always managed. I will share more on this going forward but welcome any thoughts around it.
Posted by spachava at May 19, 2009 04:53 PM
Sai
Good post.
My first reaction (as an IT guy) is that it would never work; we have enough examples where we do not manage our own risks very well, especially project risks.
But your point is well made. If we did actually get around to managing IT risks in a professional manner, then those skills would be very useful in assisting Operational Risk managers, as a second line of defense.
If we look at the four dimensions of Op Risk, Systems risk is a natural one to start with, while IT would have little to offer on People and External risks (except for technology changes in the environment).
The interesting area is Process Risk. If IT professionals looked at processes from a risk perspective, instead of trying to automate everything just for the sake of it, there would be benefits to both IT and the business. IT would gain a much better understanding of the firm's processes before automation and business would have a better understanding of where IT could add real value (as opposed to costs).
Look forward to your thoughts
Posted by: Pat Mc Connell at May 30, 2009 04:19 AM
Pat, you make interesting and valid comments.
Agree that IT itself may often fall short of managing its own risk, such as project risk, deployment risk, project scope creep risk, etc.
About focusing on system risk within op risk, yes, I agree; but I particularly like your thoughts on the process part. I see a broader role for IT in helping embed risk management best practices in the business processes. I envision a future state where technology can be a key component of influencing behaviour, and hence the risk management culture in organizations, in the long run.
Thanks for your comments; keep 'em coming.
Posted by: sai sireesh at June 1, 2009 08:29 PM