The definition of “operational risk” is variable, but it generally covers the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.
I, however, want to re-examine this general definition so that the definition of operational risk takes into account all the cyber security related risks that are plaguing organizations today. With the current definition, one cannot quantify internal processes and people. So, for example, organizations can ask themselves a few questions. When is there an event that causes a disruption? What in the organization’s internal processes failed? What aspect relating to people needs to be re-examined?
We know that operational risk exists in every organization and that size does not matter. What matters, however, are two critical areas that need to be included in the operational risk definition:
We have seen (and are still seeing) how organizations (again, size does not matter) have experienced intrusions or losses due to a lack (or oversight) of internal controls. Although various organization-level certifications exist that verify everything is in place, organizations are dynamic in nature, and internal controls as well as processes can change in as little as a year.
Internal controls need to be constantly monitored by the CISO, CIO and internal audit personnel to ensure that changes are managed. Monitoring internal controls must be considered a Standard Operating Procedure (SOP), because a lapse in that monitoring exposes an organization’s crown jewels to unwanted attacks. Internal controls usually span a broad spectrum but can generally cover such areas as:
The umbrella over the above consists of alert mechanisms. Knowing that alerts are being generated is one thing, but paying attention to these alerts, analyzing…
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Tripwire Guest Authors. Read the original post at: https://www.tripwire.com/state-of-security/risk-based-security-for-executives/redefining-meaning-operational-risk/