A positive result of more interest in operational risk has been a reinforcing of the value of internal controls and fresh potential for analysing the role of internal controls in reducing or mitigating risks. Most banks noted in the interviews that internal controls are seen as the major tool for managing operational risk. The controls cited include the full range of control activities described in the Basle Committee's paper on internal controls such as segregation of duties, clear management reporting lines and adequate operating procedures. Many banks expect most operational risk events to be associated with internal control weaknesses or lack of compliance with existing internal control procedures.

Interest in formalising an operational risk discipline appears to be coinciding with another development detected in the earlier survey of audit issues. Over the past several years, many banks have adopted some form of self-assessment program. Much of the data for monitoring operational risk, both currently and prospectively, is generated by the responsible business unit's techniques for self-assessment of its internal control environment. The results of such self-assessments can be among the factors used to evaluate operational risk, along with internal audit ratings and external audit or supervisory reviews. At least two banks described their efforts to further enhance the incentive to discover and report problems internally by penalising the discovery of problems by supervisors or internal audit more heavily than problems uncovered in the self-assessment process.

The activities of internal auditors were also seen as an important element of operational risk management. In particular, the identification of potential problems, the independent validation of business management's self-assessments and the tracking of problem situations with the progress toward resolving the problems were cited by several banks as important to managing operational risk.

In addition to internal audit, important roles were ascribed to independent financial and internal control functions (including the audit committee). These may either be corporate-wide functions or units housed in individual business or product areas. These areas typically do not focus solely on operational risk. Moreover, some banks referred to additional resources such as external auditors and the various regulatory authorities as important stimuli in creating organisational risk controls.