Enhanced focus on internal controls by corporate boards and regulators sometimes appears to be a post-financial crisis phenomenon. Those tasked with designing, executing and assuring the resiliency of a corporation’s internal control infrastructure sometimes struggle with articulating the business case for it, as well as defining the business need for internal controls. It is, hence, important to recognize and understand what “controls” are and their value in achieving desired outcomes.
Controls have been utilized for millennia as a means to assure that objectives are met within a range of tolerable outcomes. They have been developed and deployed to reduce uncertainty (or unwanted deviations) within a process or system to achieve a desired outcome. In the third century B.C., Ktesibios’s water clock in Alexandria, Egypt kept time by controlling the water level in a vessel. Today, internet protocol thermostats are available to remotely regulate and control temperature in our homes. There are applications of controls all around us that have become a ubiquitous part of our daily lives. Without effective and reliable controls, it is difficult to ensure outcomes, and this is particularly true for complex processes and systems in the exchange-listed options space.
As a Systemically Important Financial Market Utility (SIFMU) and the foundation for secure markets, OCC understands the value and importance of maintaining and operating an effective and reliable internal control infrastructure that ensures risk management and processing outcomes expected by our stakeholders. Our responsibility to ensure integrity, timeliness and completeness in the services we provide to market participants span beyond the enterprise. That is why we continue to invest in evolving and maturing our internal control infrastructure in response to changing business and regulatory needs.
To maintain a resilient risk management and internal control infrastructure at OCC, we employ the “three lines of defense” model. This model allows us to manage the corporation’s control infrastructure with clarity of ownership and accountability. The first line of defense is the operational business units of the corporation, including financial risk management, operations, technology, legal, regulatory affairs and corporate functions such as human resources, finance, accounting and the program management office. Our first-line colleagues are responsible and accountable for designing, operating and maintaining an effective internal control infrastructure comprised of policies, standards, procedures and guidance that allows us to meet our service obligations. They own and are accountable for our internal control infrastructure and service outcomes.
We support and monitor the efforts of our first-line colleagues using capabilities within a second line of defense consisting of our corporate risk management and compliance functions. The second line designs, implements and maintains an enterprise-wide risk management framework and tools to assess and manage risk at that level. These colleagues work with the first line to assess risks and establish policies and guidelines. They advise, monitor and report on the first line’s effectiveness in managing risk and maintaining and operating a resilient control infrastructure. Our second line of defense is an important portfolio of capabilities that allow our executive management and the OCC Board of Directors to have a comprehensive and objective view regarding the overall health of our risk management and internal control infrastructure and whether our services are being delivered within an agreed-upon risk appetite.
The third line of defense is the OCC Internal Audit function. My team and I work for the Audit Committee of our Board of Directors, and we are accountable for designing, implementing and maintaining a comprehensive assurance program that allows our executive management and Board to receive independent and objective assurance that the quality of our risk management and internal control infrastructure meets our risk appetite and business imperatives. We fulfill our obligations to OCC by maintaining a diverse and skilled team of professionals with a variety of business, technology and assurance skills. The OCC Internal Audit team performs all its activities in compliance with the Institute of Internal Auditors’ standards enshrined in the International Professional Practices Framework.
All my OCC colleagues across the three lines of defense are dedicated to maintaining a resilient risk management and internal control infrastructure to fulfill OCC’s mission, which is to promote stability and market integrity through effective and efficient clearing, settlement and risk management services while providing thought leadership and education to market participants and the public about the prudent use of products we clear.
By enhancing our resiliency through a strong internal control infrastructure, we are not only building a high-performance culture, we are promoting increased operational excellence and fostering growth, innovation and thought leadership. This helps OCC in its role as a leader in the exchange-listed options industry and allows us to better serve market participants and the greater public interest.
To learn more about OCC’s thought leadership on industry issues, visit OCC’s Blog.