June 2007 Capital Adequacy Extension © Copyright 2007, CCRO. All rights reserved. Page 36 of 92

- Operational: Internal Risks from People, Processes, and Systems
- Operations: Physical Risks of the Production, Delivery, and Storage of Energy Commodities
- External Factors: Legal, Regulatory, Political, and Environmental exposures may fall into either Operational or Operations categories.

This classification of these operative risks is vital because it will dictate how the identified material risks will be measured and mitigated.

Within each of these broader categories, it is a prudent practice to further categorize risks into a more granular level. How that categorization is done will largely depend on the factors that affect the various risk types; however, it should be done to a level that isolates material operative risks. This will facilitate risk mitigation determination and capital allocation. In addition, this categorization should be separated for the different business units, resulting in a matrix system, allowing for a more specific analysis and resulting in an efficient allocation of capital. The matrix should be constructed in such a way that material risks can be isolated and cause & effect analysis can be done at an appropriate materiality level.9

Let us take a closer look at the broader categories and how the identification process can be dealt with.

4.5.1. Operational: Identification of Internal Risks from People, Processes, and Systems

Capital should be deployed to deal with internal risks through a robust internal control and oversight framework. The Sarbanes-Oxley (SOX) Act of 2003 has dictated that publicly traded companies must be certified compliant by their external auditors for their internal control framework and has assigned accountability to company officers for the results of their financial statements.
The capital needed to not only comply with this legislation, but also to comply with a company’s own internal risk objectives (creating an adequate internal control and oversight framework) should be assessed and included in the capital budgeting process and allocated appropriately among the business units.

The following are examples of departments/functions that risk personnel can coordinate with in order to identify operational risks:

- Internal Audit
- Human Resources
- Information Technology
- Corporate Compliance

9 Sound Practices for the Management and Supervision of Operational Risk. Basel Committee on Banking Supervision. Bank for International Settlements. December 2001.