Enhanced focus on internal controls by corporate boards and regulators sometimes appears to be a post-financial crisis phenomenon. Those tasked with designing, executing and assuring the resiliency of a corporation’s internal control infrastructure sometimes struggle with articulating the business case for it, as well as defining the business need for internal controls. It is, hence, important to recognize and understand what “controls” are and their value in achieving desired outcomes.
Controls have been utilized for millennia as a means to assure that objectives are met within a range of tolerable outcomes. They have been developed and deployed to reduce uncertainty (or unwanted deviations) within a process or system to achieve a desired outcome. In the third century B.C., Ktesibios’s water clock in Alexandria, Egypt kept time by controlling the water level in a vessel. Today, internet protocol thermostats are available to remotely regulate and control temperature in our homes. There are applications of controls all around us that have become a ubiquitous part of our daily lives. Without effective and reliable controls, it is difficult to ensure outcomes, and this is particularly true for complex processes and systems in the exchange-listed options space.
As a Systemically Important Financial Market Utility (SIFMU) and the foundation for secure markets, OCC understands the value and importance of maintaining and operating an effective and reliable internal control infrastructure that ensures risk management and processing outcomes expected by our stakeholders. Our responsibility to ensure integrity, timeliness and completeness in the services we provide to market participants span beyond the enterprise. That is why we continue to invest in evolving and maturing our internal control infrastructure in response to changing business and regulatory needs.
To maintain a resilient risk management and internal control infrastructure at OCC, we employ the “three lines of defense” model. This model allows us to manage the corporation’s control infrastructure with clarity of ownership and accountability. The first line of defense is the operational business units of the corporation, including financial risk management, operations, technology, legal, regulatory affairs and corporate functions such as human resources, finance, accounting and the program management office. Our first-line colleagues are responsible and accountable for designing, operating and maintaining an effective internal control infrastructure comprised of policies, standards, procedures and guidance that allows us to meet our service obligations. They own and are accountable for our internal control infrastructure and service outcomes.
We support and monitor the efforts of our first-line colleagues using capabilities within a second line of defense consisting of our corporate risk management and compliance functions. The second line designs, implements and maintains an enterprise-wide risk management framework and tools to assess and manage risk at that level. These colleagues work with the first line to assess risks and establish policies and guidelines. They advise, monitor and report on the first line’s effectiveness in managing risk and maintaining and operating a resilient control infrastructure. Our second line of defense is an important portfolio of capabilities that allow our executive management and the OCC Board of Directors to have a comprehensive and objective view regarding the overall health of our risk management and internal control infrastructure and whether our services are being delivered within an agreed-upon risk appetite.
The third line of defense is the OCC Internal Audit function. My team and I work for the Audit Committee of our Board of Directors, and we are accountable for designing, implementing and maintaining a comprehensive assurance program that allows our executive management and Board to receive independent and objective assurance that the quality of our risk management and internal control infrastructure meets our risk appetite and business imperatives. We fulfill our obligations to OCC by maintaining a diverse and skilled team of professionals with a variety of business, technology and assurance skills. The OCC Internal Audit team performs all its activities in compliance with the Institute of Internal Auditors’ standards enshrined in the International Professional Practices Framework.
All my OCC colleagues across the three lines of defense are dedicated to maintaining a resilient risk management and internal control infrastructure to fulfill OCC’s mission, which is to promote stability and market integrity through effective and efficient clearing, settlement and risk management services while providing thought leadership and education to market participants and the public about the prudent use of products we clear.
By enhancing our resiliency through a strong internal control infrastructure, we are not only building a high-performance culture, we are promoting increased operational excellence and fostering growth, innovation and thought leadership. This helps OCC in its role as a leader in the exchange-listed options industry and allows us to better serve market participants and the greater public interest.
To learn more about OCC’s thought leadership on industry issues, visit OCC’s Blog.
Adi Agrawal is Senior Vice President and Chief Audit Executive at OCC. OCC is the world's largest equity derivatives clearing organization.
In this role, Mr. Agrawal is responsible for assuring the effectiveness of OCC's risk management capabilities and internal control environment. He previously served as First Vice President, Internal Audit. Mr. Agrawal is an internationally recognized and experienced assurance and risk executive with more than 25 years of experience leading information technology, process re-engineering, risk and strategy.
Prior to joining OCC, Mr. Agrawal served as Executive Director, Global Assurance at CME Group, where he was responsible for internal audit operations for trading, clearing, market data, proximity-hosting, technology services and self-regulatory organizations. Before that he served as Executive Director of Enterprise Risk Management at CME Group, reporting to the Audit and Risk Committee of the Board and Executive Management, with responsibility for processes and systems to conduct risk assessments, support risk management decisions and prepare the company's risk profile. Before joining CME Group, Mr. Agrawal served in a variety of consulting, operations, technology and audit leadership roles at American Express TBS, SDG Corporation, Transamerica Finance Corporation, Aerial Communication and First Chicago NBD Corporation.
Mr. Agrawal earned a Master of Business Administration in Economics, Finance and International Business from The University of Chicago Booth School of Business and a Master of Science in Computer Science from the State University of New York Polytechnic Institute. He also completed the Executive Certificate Program in Strategic Decisions and Risk Management at Stanford University. 
