The definition of "operational risk" varies, but it generally covers the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. I want to re-examine this general definition so that operational risk takes into account the cybersecurity-related risks that are plaguing organizations today. With the current definition, one cannot quantify internal processes and people. Organizations can ask themselves a few questions: When is there an event that causes a disruption? What internal processes failed? What aspect relating to people needs to be re-examined?

We know that operational risk exists in every organization and that size does not matter. What matters are two critical areas that need to be included in the operational risk definition: internal controls and user awareness.

We have seen (and are still seeing) organizations experience intrusions or losses due to a lack or oversight of internal controls. Although various organization-level certifications exist to verify that everything is in place, organizations are dynamic in nature, and internal controls, as well as processes, can change in as little as a year. Internal controls need to be constantly monitored by the CISO, CIO and internal audit personnel to ensure that changes are managed. Monitoring internal controls must be considered a Standard Operating Procedure (SOP), because a control that has silently lapsed exposes an organization's crown jewels to unwanted attacks. Internal controls usually span a broad spectrum, but generally cover such areas as:
- User Account Management
- Access to key information based on a need to know basis
- Defense-in-depth
- Network Segmentation
The umbrella over the above consists of alert mechanisms. Knowing that alerts are being generated is one thing; paying attention to them, analyzing them and reporting on them is another. Time and time again, we have seen cyber attacks on organizations where, after the relevant post mortem checks and forensics were conducted, it turned out that alerts generated by key systems had been sidelined.

Next in the proposed definition change is user awareness, the other critical area and often the weak link. Organizations must constantly ensure that their end users are kept up to date on the latest threats and how those threats can impact the environment. A lack of user awareness has contributed to a number of high-profile data breaches; ransomware is the first threat that comes to mind. Yes, we can refer back to internal controls and say that a defense-in-depth approach can mitigate the intrusion, but the end user is one of the layers in that approach. Ensuring that the user awareness program is constantly updated and is reaching the targeted audience is important, and critical to knowing that your program is working is feedback. You need to know whether the education is beneficial and whether there are grey areas that need clarification, and to address those urgently. A workforce educated in cybersecurity is critical to building resilience against a cyber attack. With all that being said, the operational risk definition should be redefined to say:
The risk of loss resulting from inadequate employee education, failed internal controls and systems or from external events
This definition makes it clearer where to focus. For example, a person trips on a stairway and falls, a user accidentally opens a file that turns out to be ransomware, or security fails to verify a visitor's identity before letting them into a building. All of these can be considered failures of employee education. Failed internal controls from an IT perspective were covered earlier in the article. Outside of IT, an organization can still fail to manage its business audit controls or lack proper risk assessments. It is therefore vital to understand the true meaning of operational risk.
About the Author: Adesh Rampat currently works for a financial institution and has 28 years of experience in the IT industry including 10 years in operational risk management. Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.