How Wachovia is integrating ops risk management with Sarbanes-Oxley and Basel II

RMA Journal, The, Dec 15, 2006 by Kevin Slane, Donnie Pickett

Wachovia's vision, say the authors, is to become the best, most trusted and admired financial services institution. To achieve that goal, the firm regards effective management of operational risk as an important element. Now Wachovia is going a step further by incorporating SOX results and Basel II requirements into its operational risk program.

Wachovia Corporation has put substantial research, resources, and planning into its operational risk management program--its design, development, and implementation. The company's Sarbanes-Oxley (SOX) program was designed independently and is being integrated into the operational risk program. Operational Risk Management at Wachovia

Wachovia's operational risk program focuses on providing management with high-quality information to support decision making on all operational risk-related issues--with a concentrated effort to address Basel II requirements.

During 2004, Wachovia moved from the concept and design work to implementation of an enterprise-wide program, improving the ability to capture and use high-quality information for measurement and management purposes. A great deal of time and effort also went into education and awareness so that business units and individuals understand their roles and responsibilities.

A formal governance structure oversees the operational risk program and the associated policies, controls, and guidelines.

Wachovia's leadership is strongly committed to effective operational risk management, starting with the CEO. Executive sponsorship, combined with the emphasis on awareness and training, has reinforced operational risk management competencies across the company.

A Unique Program That Integrates Different Processes

Operational risk is categorized into 12 different functional risk areas, such as technology risk and vendor risk. For each functional risk area, a business executive is charged with developing policies, guidelines, and networks to effectively manage the respective risk across the company.

Wachovia's operational risk management program is unique in the industry because of the following attributes:

* An integrated framework that brings together governance, technology, processes, people, and information. * Significant executive commitment and investment of financial and human resources.

* Emphasis on creating a strong risk management culture in which employees know and do the right thing.

Wachovia has implemented an integrated set of processes to help management assess, understand, and mitigate operational risk exposures across the enterprise and to support the calculation of operational risk capital. A comprehensive risk-profile process was developed, combining loss data capture, business-unit risk and control assessments (including SOX program results), and analysis of issues identified by auditors and regulators. This information was supplemented with external loss data, an analysis of the business environment, and a facilitated management workshop to complete and document a comprehensive business-unit risk profile.

The operational risk management program will enable the transition to a more risk-sensitive economic capital model, incorporating proposed regulatory capital standards under the AMA. The new model includes historical internal loss experience and forward-looking scenario analysis based on the risk profiles, business environment, and external loss data. The result is a more risk-sensitive calculation and allocation of operational risk capital that was incorporated into the 2005 budget.

The Benefits of Integrating SOX and Basel II

The operational risk and financial governance teams at Wachovia have been working closely to integrate the SOX and Basel II requirements into the operational risk program. During 2004, SOX results were loaded into the program in order to create comprehensive operational risk profiles.

There are a number of reasons why it makes sense to integrate SOX and Basel II, and, indeed, there are similarities associated with both efforts. Financial risk is a key component of operational risk and an integral component of Wachovia's program. Both SOX and Basel II are enterprise-wide initiatives and assess risks and strength of controls. Both also monitor actions, require ongoing analysis and assessment, and demand board and executive oversight.

Integrating SOX and Basel II will also afford banks a number of opportunities, including the ability to:

* Create standard processes, methods, and tools.

* Leverage information and avoid duplication of efforts.

* Establish a common language and integrated reporting.

* Develop a comprehensive and integrated view of risk.

Moreover, integrating the operational risk program with SOX and Basel II supports the cultural shift to improved operational risk management.

Technology Makes the Integration Possible

A key component to integrating SOX and Basel II is the underlying technology. In 2003, Wachovia selected a technology platform from Centerprise, which enables the processes to improve the efficiency and consistency of collecting and reporting data on risks, controls, and losses.