This column is excerpted from the white paper Data Warehouse Solutions for Achieving Compliance and Managing Operational Risk, written by William McKnight. For a copy of the full paper, please visit

Risky derivatives investments by major banks gone bad - as in billions of dollars bad - and unencrypted data tapes from two major U.S. financial institutions gone missing while being transferred to backup centers are incidents that indicate appropriate safeguards are not in place in our enterprises.

These are only two examples of operational risk management opportunities. Operational risk assumes myriad appearances, many having to do with levels of capital as well as the levels institutions set for interest and exchange rates. Economic capital measures are increasingly being used as the basis for allocating risk capital to business units, and risk-adjusted measurement tools must measure the return on capital assigned to business units.

Managing operational risk is vitally important to business success, and numerous initiatives, such as those from Basel II and Sarbanes-Oxley (SOX), are enforcing operational risk management. How? With fines and prosecution.

The new Basel Capital Accord (Basel II) comes from the latest round of deliberations in Basel, Switzerland, by central bankers from around the world. It has a planned implementation date of December 2006, superceding 1998's Basel I, which is now viewed as outdated. The deliberations are aimed at enforcing global consistency in the approach to credit and operational risk, especially capital requirements.

Basel II is part of a series of worldwide agreements and regulations driving more stringent operational risk management. Others include Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA), the Federal Deposit Insurance Corporation Improvement Act (FDICIA) and even the Patriot Act. Taken together or apart, accountability of information is clearly a must-have for the remainder of our professional lives.

The Basel committee on banking supervision has defined operational risk as "the risk of losses resulting from inadequate or failed internal processes, people and systems or external events." Basel II divides operational risks into broad categories for inclusion in capital models but leaves flexibility in the specification of the model to company management. Areas of risk include:

  • Internal fraud;
  • External fraud;
  • Employee practices and workplace safety;
  • Clients, products and business practices;
  • Damage to physical assets;
  • Business disruption and system failures; and
  • Execution, delivery and process management.

Sarbanes-Oxley, signed into law on July 30, 2002, enforces mandates on public organizations to track its data, especially financial, as well as anything that may affect that data. It demands that executives be aware of and disclose "material events" on a timely and precise basis. This affects every department in an enterprise. We think of it as the enforcement of Deming on the business world. SOX is the single most important piece of legislation affecting corporate governance, financial disclosure and the practice of public accounting thus far and even has skeptics of legislative concern taking note. If anything, many believe that the Act is unnecessarily complex and overreaching. Regardless, enterprises now face an excess of ever changing and often confusing policies affecting their data management practices.
For operational risk management, companies must look at any people, process or technology and events - both internally and externally - that will have an impact on credit, market or operational risk. This information will be used to determine capital requirements based on homegrown methodologies for assessing their exposure to operational risk using the risk classifications in Basel II. Such methodologies will be subject to regulatory review and evaluation.

One of the most timely requirements of Sarbanes-Oxley is the reporting of material events no later than 48 hours after their occurrence. Requirements such as this are destined to grow in the future. Business activity monitoring (BAM), enterprise application integration (EAI) and operational BI techniques can play a role in the proactive nature of these requirements. This new series of requirements being placed on companies leads to the appropriate response of an enterprise data warehouse.

In my next column, I will discuss where the current preparation is for compliance, additional benefits of compliance and the enterprise data warehouse for operational risk management.

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access