05 Mar Operational Risks
What is Operational Risk?
Operational risk, as defined by the Risk Management Association, is the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events, but is better viewed as the risk arising from the execution of an institution’s business functions.
To simplify that, you could just say it’s the inherent risk of running a business. It is the possibility that something could go wrong, affecting your company’s operations.
Top Operational Risks
There are a lot of operational risks. Of course, "a lot" here means pretty much any risk that exists in your business. Since covering all of them would make for quite a long read, for the sake of this blog we will limit ourselves to five top operational risks. These aren't necessarily the risks that will have the biggest impact on your organization, but they apply to many companies and are ones you should recognize.
IT Disruptions
IT disruptions can stem from system failures due to improper maintenance, a cyber breach, or failure to implement a backup power supply, to name a few causes. Outdated hardware and software also add unnecessary risk to an organization. Disruptions such as an unreliable internet connection or the inability to access company data will halt work. Any type of outage, whether customer facing or internal, is likely to result in lost revenue.
Third-Party Risk
Third-party risk can be difficult to mitigate since most organizations don't have full control over their third-party partners. These are your third-party vendors, contractors, systems, services, etc. When these third parties are allowed access to your company assets (think data, facilities, equipment), you increase the number of risks you're subject to. Opus & Ponemon Institute announced in the results of their 2018 Third-Party Data Risk Study that "59% of Companies Experienced a Third-Party Data Breach, Yet Only 16% Say They Effectively Mitigate Third-Party Risks." You also need to be concerned about the reliability of the third party and its ability to meet expectations: a partner experiencing an issue can cause delays to your own operations.
Regulatory Compliance
In today's climate, you'll find an increasing number of regulations and a growing demand for operational transparency. Not only will non-compliance with regulations result in hefty fines that drain resources from your organization, it will likely result in loss of business due to reputational damage, and it increases risk in the other areas where you're non-compliant. Data shows that on average, fees and penalties from non-compliance cost more than twice what it costs to simply maintain compliance.
Theft
Theft encompasses loss through both physical and digital means. Physical theft can target any asset that is not properly protected, such as products, equipment, or even paper records. Cyber theft can occur through keyloggers, skimmers, malware, or other methods used to steal company data, ideas, practices, etc. Losing access to company assets inhibits your ability to continue day-to-day operations and to keep providing products or services.
Employees
Employees remain a component of operational risk, as they carry the threat of sabotage, theft, espionage, fraud, and the loss of competitive advantage. There are also unintentional actions with adverse results, such as ignoring company policy for convenience, clicking on phishing links, or losing credentials or company data. This category includes not only current employees but also former employees. Especially as many workforces have transitioned to remote work, employee threats have grown, since each employee has a different level of physical security protecting their work devices and works from a different network. It is easier to stray from company policy in this setting, and many businesses report issues with employees working over VPNs. According to Verizon's 2020 Data Breach Investigations Report, 30% of breaches involved internal actors.
How to Mitigate Operational Risk
So how can you mitigate operational risk? You build a detailed risk management plan. As mentioned, operational risks span a vast array of areas, which leaves a difficult but manageable task for your company. Start by determining the responsible parties who will monitor risk and ensure it stays within acceptable levels. This will typically require performing regular assessments, carrying out remediation tasks, issuing policies, and monitoring to confirm that risk is being reduced and compliance is improving.
Your organization should then implement a system for detecting abnormal behavior. Once you know what to look for, you can begin monitoring for suspicious or risky activity. Managers should have a good handle on whether their employees are ignoring policies or engaging in tasks outside their normal job functions. Keep detailed records of everyone's access and review them periodically. Review logs of downloads of sensitive information and scan employee email for abnormalities.
Restrict access: limit workers to only the data necessary for their jobs. Create and enforce policies that require regular maintenance and evaluations. Increase employee training and highlight the issues you find. All of this contributes to a safer, more productive, less risky environment.
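To make the "review access logs" and "limit workers to only the data necessary for their jobs" steps concrete, here is an added example (not part of the original post) of a periodic access review in Python. The role-to-data mapping, the user list and the log lines are all constructed for illustration. It applies three simple checks to each download record: does the user's role legitimately need that data category, did the download happen outside business hours, and is the download far larger than that user's own typical downloads.

```python
"""Periodic access review over download logs (constructed example).

Each log line: <ISO timestamp> <user> <action> <data category> <bytes>
"""
from collections import Counter, defaultdict
from datetime import datetime
import statistics

# Hypothetical least-privilege policy: which data categories each role needs.
ROLE_ALLOWED = {
    "sales": {"crm"},
    "hr": {"hr_records", "payroll"},
    "engineering": {"source_code"},
}

# Hypothetical user-to-role assignments.
USER_ROLES = {"alice": "sales", "bob": "hr", "carol": "engineering"}

# Constructed sample log. Two records are deliberately suspicious:
# alice (sales) pulls source code, and carol pulls a very large dump at 23:45.
SAMPLE_LOG = """\
2021-03-01T09:12:00 alice download crm 120000
2021-03-01T10:03:00 alice download crm 98000
2021-03-01T11:15:00 bob download hr_records 40000
2021-03-01T14:40:00 carol download source_code 500000
2021-03-02T09:30:00 alice download crm 110000
2021-03-02T23:45:00 carol download source_code 9000000
2021-03-02T16:05:00 alice download source_code 300000
2021-03-03T09:02:00 bob download payroll 42000
2021-03-03T10:00:00 carol download source_code 450000
"""


def parse_log(text):
    """Turn raw log text into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, category, size = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "category": category,
            "bytes": int(size),
        })
    return records


def review_access(records, off_hours=(20, 6), volume_factor=5, min_history=3):
    """Return a list of (user, alert_kind, detail) tuples.

    off_hours: (start_hour, end_hour) window treated as outside business hours.
    volume_factor: flag a download larger than this multiple of the user's
                   median download size, once the user has min_history records.
    """
    alerts = []
    sizes_by_user = defaultdict(list)
    for r in records:
        sizes_by_user[r["user"]].append(r["bytes"])

    for r in records:
        user, category, hour = r["user"], r["category"], r["ts"].hour

        # Check 1: least privilege. Is this category allowed for the user's role?
        allowed = ROLE_ALLOWED.get(USER_ROLES.get(user), set())
        if category not in allowed:
            alerts.append((user, "outside_role", category))

        # Check 2: activity outside normal working hours.
        if hour >= off_hours[0] or hour < off_hours[1]:
            alerts.append((user, "off_hours", r["ts"].isoformat()))

        # Check 3: volume well above the user's own baseline. The median is
        # used so a single huge download does not drag its own baseline up.
        sizes = sizes_by_user[user]
        if len(sizes) >= min_history and r["bytes"] > volume_factor * statistics.median(sizes):
            alerts.append((user, "volume", r["bytes"]))
    return alerts


def summarize(alerts):
    """Count alerts per user, which is what a manager would review first."""
    return dict(Counter(user for user, _, _ in alerts))


if __name__ == "__main__":
    found = review_access(parse_log(SAMPLE_LOG))
    for user, kind, detail in found:
        print(f"{user:6} {kind:13} {detail}")
    print(summarize(found))
```

The thresholds here are arbitrary starting points; in practice you would tune them against a quiet period of your own logs so that the review surfaces a handful of items a week rather than hundreds, and the role mapping would come from your HR or identity system rather than a hard-coded dictionary.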