Redefining the definition of operational risk
- Published: Tuesday, 09 October 2018 10:08
Adesh Rampat explains why he believes that the definition of operational risk needs updating to take account of cyber security related risks, and to name internal controls and user awareness explicitly.
The definition of operational risk varies, but it generally covers the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events (this is the Basel II wording that most financial regulators use). I want to take a fresh look at this general definition and present what I believe operational risk should reflect, taking into account the cyber security related risks that are currently plaguing organizations.
We know that operational risk exists in every organization, whatever its size. What matters is that two critical areas are missing from the usual definition and need to be included:
- Internal controls
- User awareness.
We often see organizations of all sizes that have suffered intrusions or losses because internal controls were missing, or because oversight of them failed. Certifications and audits attest that controls are in place at a point in time, but organizations are dynamic, and internal controls and processes change rapidly. Internal controls therefore need to be monitored continuously by the CISO, CIO and Internal Audit to ensure that changes are managed, and that monitoring must be treated as a standard operating procedure (SOP), not a periodic exercise.
Internal controls usually span a broad spectrum but generally cover such areas as:
- User account management,
- Access to key information on a need to know basis,
- Defense in depth,
- Network segmentation.
The umbrella over all of the above is alerting. Each of these controls should generate alerts when it is bypassed or fails, but knowing that alerts are being generated is one thing; paying attention to them, analyzing them and reporting on them is another. Time and time again we have seen cyber attacks on organizations where the post mortem and forensic work showed that alerts from key systems had been generated at the time of the attack but were never triaged or reported.
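One way to make "are alerts actually being looked at?" a measurable, reportable check rather than a post mortem finding is to compare alert generation times against acknowledgement times. The following is an added example, not code from the article; the alert record layout, the per-severity triage SLAs and the sample alerts are all assumptions constructed for illustration, not an export from any real system.

```python
"""Check whether alerts from key systems are actually being triaged.

Added example (not from the original article): given exported alert records,
flag alerts that were generated but never acknowledged within a per-severity
SLA, and summarise the backlog per source system so it can be reported as part
of the internal-controls SOP. The record layout, SLA values and sample alerts
are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed triage SLAs: how long an alert may sit before someone must look at it.
TRIAGE_SLA = {
    "critical": timedelta(hours=1),
    "high": timedelta(hours=4),
    "medium": timedelta(hours=24),
    "low": timedelta(days=3),
}


@dataclass(frozen=True)
class Alert:
    alert_id: str
    system: str          # e.g. "IAM", "EDR", "Firewall" (assumed source names)
    severity: str        # key into TRIAGE_SLA
    generated_at: datetime
    acknowledged_at: Optional[datetime] = None  # None = nobody has looked at it


def overdue_alerts(alerts, now, sla=TRIAGE_SLA):
    """Return alerts whose triage SLA lapsed without acknowledgement, or which
    were acknowledged only after the SLA had already passed."""
    overdue = []
    for a in alerts:
        deadline = a.generated_at + sla[a.severity]
        if a.acknowledged_at is None:
            if now > deadline:
                overdue.append(a)
        elif a.acknowledged_at > deadline:
            overdue.append(a)
    return overdue


def backlog_by_system(alerts, now, sla=TRIAGE_SLA):
    """Count overdue alerts per source system, worst first, for reporting."""
    counts = {}
    for a in overdue_alerts(alerts, now, sla):
        counts[a.system] = counts.get(a.system, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def _t(s):
    """Parse a constructed 'YYYY-MM-DDTHH:MM' timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample: what an export from an alert console might look like.
SAMPLE_ALERTS = [
    Alert("A1", "EDR", "critical", _t("2018-10-01T08:00"), _t("2018-10-01T08:20")),  # on time
    Alert("A2", "EDR", "critical", _t("2018-10-01T09:00"), None),                    # never triaged
    Alert("A3", "IAM", "high", _t("2018-10-01T10:00"), _t("2018-10-01T16:00")),      # acked after SLA
    Alert("A4", "IAM", "medium", _t("2018-10-02T09:00"), None),                      # still within SLA
    Alert("A5", "Firewall", "low", _t("2018-09-20T00:00"), None),                    # long overdue
]
NOW = _t("2018-10-02T12:00")

if __name__ == "__main__":
    for a in overdue_alerts(SAMPLE_ALERTS, NOW):
        print(f"OVERDUE {a.alert_id} {a.system} {a.severity} "
              f"generated {a.generated_at:%Y-%m-%d %H:%M}")
    print("backlog by system:", backlog_by_system(SAMPLE_ALERTS, NOW))
```

Run against the constructed sample, A2, A3 and A5 are flagged: two were never looked at and one was acknowledged hours after its SLA, which is exactly the "alerts generated but sidelined" pattern a post mortem finds. A per-system backlog like this, produced on a schedule and sent to the CISO and Internal Audit, turns alert handling into a monitored control rather than an assumption.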
Next in the proposed definition change is user awareness, another critical area that is often the weak link. Organizations must constantly ensure that end users are kept up to date on the latest threats and on how those threats can affect the operational environment. We have frequently seen lack of user awareness lead to high profile data breaches; ransomware delivered through phishing is the first example that comes to mind. Yes, we can refer back to internal controls and say that a defense in depth approach mitigates this threat, but one of the layers in that defense in depth is the end user.
Ensuring that the user awareness program is kept current and is reaching its target audience is important, and feedback is critical to knowing whether the program is working. You need to know whether the training was understood and useful, and whether there are grey areas that need clarification; once identified, these need to be addressed urgently. A cyber security educated workforce is critical to building resilience against a cyber attack.
My definition of operational risk
Taking the above into account, I propose that the operational risk definition should be redefined to say: The risk of loss resulting from inadequate user education, failed internal controls and systems, or from external events.
Adesh Rampat currently works for a financial institution and has 28 years of experience in the IT industry including 10 years in operational risk management. He can be reached at firstname.lastname@example.org