Living with Operational Risk

by | Cybersecurity Fundamentals

It was Christmas 2022, and a massive winter storm was causing problems across the United States. The difficult weather heaped not only snow and ice but misery and cancellations on airlines across the country. Still, few observers were prepared for the absolute catastrophe that occurred at Southwest Airlines, which found itself paralyzed, canceling more than 16,000 flights and stranding some 2 million passengers.

The Southwest “meltdown,” as the media called it, involved the collusion of two significant operational risks: the weather, on the one hand, and an antiquated, dysfunctional scheduling system on the other.

All those stranded passengers did get home eventually. Southwest, on the other hand, suffered incalculable reputational damage from which it still hasn’t entirely recovered. Anyone who doesn’t want their firm to become the “Southwest” of their specific industry would do well to heed the lessons that Southwest execs learned the hard way.

What is Operational Risk?

Operational risk is a catch-all term for the problems and challenges that arise as part of the normal course of doing business. Operational risk is separate from other types of risk, such as financial or reputational.

Cyber operational risk can be viewed at the top level (what is the risk to operations in the absence or failure of your cybersecurity program), at the control level (what is the risk if any, some, or all of the controls fail), and all the way down to a specific asset’s cyber risk (what happens to your operations if an asset is destroyed or inaccessible, and what is the cascading effect on the other assets that depend on it?).
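The asset-level question above (what else fails when one asset is lost) is easiest to answer by following dependencies. The following is an added illustration, not code from the original post: it walks a constructed dependency map and sums a constructed hourly cost over every asset knocked out by the outage. The asset names and costs are hypothetical sample data.

```python
"""Cascading operational impact of losing a single asset.

Added example (not from the original post). The dependency map and the
hourly costs below are constructed sample data, chosen to show that an
asset that is cheap to lose on its own can be the most expensive to lose
once its dependents are counted.
"""
from collections import deque

# Constructed sample map: asset -> assets that stop working without it.
# (Hypothetical names; not a description of any real environment.)
DEPENDENTS = {
    "identity-provider": ["crew-scheduling", "customer-portal", "payroll"],
    "crew-scheduling": ["flight-ops"],
    "flight-ops": ["customer-portal"],
    "customer-portal": [],
    "payroll": [],
    "data-warehouse": ["payroll"],
}

# Constructed hourly cost (in thousands) of each asset being unavailable,
# counted for the asset alone, before any cascade.
HOURLY_IMPACT = {
    "identity-provider": 5,
    "crew-scheduling": 40,
    "flight-ops": 120,
    "customer-portal": 30,
    "payroll": 2,
    "data-warehouse": 1,
}


def cascade(asset, dependents=DEPENDENTS):
    """Return the set of assets lost if `asset` is lost, including itself.

    Breadth-first walk over the dependency map. Each asset is visited once,
    so a cycle in the map cannot make the walk loop forever.
    """
    seen = {asset}
    queue = deque([asset])
    while queue:
        current = queue.popleft()
        for dep in dependents.get(current, []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def outage_impact(asset, hours, dependents=DEPENDENTS, impact=HOURLY_IMPACT):
    """Total impact of losing `asset` for `hours`, summed over the cascade."""
    affected = cascade(asset, dependents)
    return sum(impact[a] for a in affected) * hours


def rank_assets(dependents=DEPENDENTS, impact=HOURLY_IMPACT, hours=1):
    """Rank assets by cascaded impact, highest first."""
    ranked = [(a, outage_impact(a, hours, dependents, impact)) for a in dependents]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for name, cost in rank_assets():
        print(f"{name:20s} cascaded impact per hour: {cost}")
```

With the sample data, the identity provider costs 5 per hour on its own but 197 per hour once everything that authenticates through it is counted, which is the kind of dependency a top-level risk view hides and an asset-level view exposes.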

What Causes Operational Risk?

It doesn’t matter what type of organization you are. Maybe your company makes widgets, or maybe you make commercials for other people’s widgets; maybe you export widgets to foreign markets, or maybe you win legal cases on behalf of widget-makers. But regardless of which one you are, there’s no way to completely eliminate operational risk.

Why is that? A quick look at the causes of operational risk will make the answer clear. Operational risk is caused by: what your company does, who does it, how they do it, and where they do it. In other words, the only way to completely eliminate operational risk is to stop doing . . . well, anything. Clearly, that’s not an option! So, let’s take a closer look at the causes of operational risk and what you can do to manage it.

Processes, AKA What Your Company Does

Regardless of what your company does specifically, you have a set of steps that you follow in order to accomplish your goals. And all those steps, or processes, can be sources of operational risk.

Consider factories, which are stews of operational risk, from potential mechanical breakdowns to inventory management to health and safety violations. Meanwhile, a law firm generates massive numbers of documents every week as a natural by-product of its activities. If those documents are not organized and managed effectively, big trouble will follow.

Or consider a bank: the very act of bringing in new customers creates risks for the institution. Banks need to attract solid customers while avoiding bad ones (fraudsters, money launderers, terrorists, and so on). Banks need to make sure that the processes they use in the normal course of doing business are up to the task of weeding out dangerous accounts.

People, AKA Who “Does the Do”

There’s an old story that Alfred Hitchcock used to fantasize about how he might one day make films without all the trouble of dealing with actors. I suspect more than a few employers also have that fantasy! (Indeed, that no-people dream underlies a lot of the enthusiasm about AI technologies.)

This is, of course, ridiculous—companies are their employees, period. But people inevitably create operational risk. Whether it’s a doctor making a mistake, a shop assistant stealing from the register, or a sous-chef spitting in the soup, operational risk caused by employees is everywhere. Poor training, bad attitudes, and simple incompetence are a fact of life, and they are a significant part of operational risk management.

Tools, AKA How They Do It

In the Southwest meltdown discussed earlier, a huge part of the problem was the digital infrastructure that the company had been leaning on for far too long. After all, every airline experienced the same blizzard, but only Southwest managed to transform themselves into the travelers’ Public Enemy #1.

You need tools to operate, but tools can let you down. Literal tools can break, of course, while computer systems can get hacked, become out-of-date, or—as with Southwest—reveal themselves to be wholly inadequate to the necessary tasks.

External Events, AKA Where You Do It

Think back to December 31, 2019. What was on your list of Top Ten Worries for the Coming Year? Was Covid-19 included? I bet not. Would a global pandemic have made your Top Twenty list? Your Top Fifty?

The inescapable reality is that there will always be external problems that you can’t possibly see coming. Humans cause problems for one another and we cause problems for the planet . . . and the planet sometimes takes the initiative and causes problems for all of us. All of this falls under the category of external operational risk.

The most extreme forms of this type of risk include natural disasters, social unrest, and as we now know, pandemics. Those sorts of earth-shaking events are out of our control, yet they have the power to control us. The best we can do is have thoughtful plans in place for crisis management and try to make peace with the uncertainty that we can’t necessarily know what the next crisis might be.

That being said, there are plenty of other, less melodramatic external events that also cause issues for your company. For example, a country that’s home to a key customer base might suddenly pass regulations that greatly complicate your operations. A subcontractor might get hacked or go out of business completely. These smaller problems can cause big problems—but they are also not very surprising. You can, in fact, plan in advance for these types of external risks.

Categories of Operational Risk

Years ago, the Basel Committee on Banking Supervision (a subgroup of the G-10) released a regulatory framework called Basel II. Basel II is significant to this discussion because it outlined operational risk as distinct from other types of risk (financial, reputational, and so on).

Basel II grouped operational risk into seven major categories.

  • Internal fraud
  • External fraud
  • Technology failures
  • Process execution
  • Safety
  • Natural disasters
  • Business practices

The regulations require banks to establish processes that identify, assess, and manage these categories of risk. Banks are expected to conduct regular assessments of their readiness to mitigate all these types of risk.

Over time, Basel II’s conceptualization of operational risk has spread far beyond banking. In the cybersphere we look at operational risk in two main categories:

First, data risk. That is everything from data exfiltration, data destruction, data corruption, and data inaccessibility.

Second, infrastructure risk. This includes any attack against your infrastructure designed to cripple operations. For example, denial of service attacks (you can’t even get to the assets), network attacks, etc.

These areas overlap, as you would expect in an information ecosystem: data resides on infrastructure that must remain accessible, and so on. Failure to protect any of these threat surfaces with the right controls, the right solutions, and the right people with the right awareness can result in significant operational risk with the corresponding costs (hard costs, reputational costs, and human costs).

Seeing Your Risk Clearly

When it comes to risk management, there is a lot to consider. Here are a few basic questions to ask yourself about risk management:

Can any specific risks be avoided? In this post, I’ve talked a lot about the inevitability of risk in general—which is true! But that doesn’t mean there aren’t particular risks that you could circumvent, simply by not doing that thing you are considering doing.

Should some risks simply be accepted? You may hear this concept referred to as retention. Picture a factory: it is full of machines, and those machines are going to break down sometimes. That’s just a fact. The only option is to budget for repairs, train your people well, and essentially work that fact of life into your daily operations. Retention means accepting that you fundamentally own the risk of machine failure (or whatever the unavoidable risk might be in your world).

What can you do to prevent or at least reduce risk? An employer can’t 100 percent guarantee that no employee ever steals from the company. But that doesn’t mean you can’t put policies in place that make that event less likely.

Can diversification reduce risk? Management types refer to this as spreading. Just as investors are encouraged to put their money in a variety of places, consider if you can do the same with your operational risk.

What risk can you hand off to someone else? This is called transfer: think insurance, for one example. Also think about your relationships with third-party vendors. Are you accidentally taking on some operational risk that rightfully ought to belong to them? Stop doing that!

How to Manage Operational Risk

There is a famous saying in management science, “If you can’t measure it, you can’t manage it.”

This couldn’t be more true when it comes to managing operational risk. If you don’t know your starting risk (where you started before any controls), your current risk (as it is now, after controls have been in place) and future risk (as you want it to be) then you can’t plan, organize, prove, or manage your operational risk.

The one and only tool that can help you do this is a GRC framework. GRC stands for “Governance, Risk, and Compliance,” and during the past few years it has made itself known beyond the “Enterprise” space and is now solidly entrenched in both the mid-market and SBE markets.

A GRC framework will help document your policies, standards, procedures, and guidelines, keep track of your regulatory exposure, provide you with an audit-ready environment, and most importantly: It will shine a constant light on all your risks, their impact, and mitigations. In short, GRC frameworks are indispensable tools that will allow you to perform cost/benefit analysis (e.g. are these controls worth it? Do they mitigate risk to the right level?); provide visibility to areas that were previously invisible (e.g. impact on assets, 3rd party risk impact, workflow shortcomings); and sound the alarm when a policy, control, or process creates unnecessary risk.
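The measurement the two paragraphs above call for, starting risk before controls, current risk after them, and the future risk you are aiming at, plus the cost/benefit question of whether a control is worth it, can be kept in a small risk register. The following is an added example and is not code from the original post or from any GRC product. It scores each risk as likelihood times impact per year (one common convention, assumed here, not the only one); every name, score and cost is constructed sample data.

```python
"""A minimal risk register with starting, current and target risk.

Added example, not from the original post or any GRC product. Risk is
scored as likelihood (per year, 0..1) times impact (loss per occurrence),
i.e. an annual expected loss. Names, scores and costs are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    annual_cost: float          # what the control costs to run each year
    likelihood_factor: float    # multiplies likelihood (0.5 halves it)
    impact_factor: float = 1.0  # multiplies impact (1.0 leaves it unchanged)


@dataclass
class Risk:
    name: str
    likelihood: float           # probability of occurrence per year, 0..1
    impact: float               # loss per occurrence
    target: float               # acceptable annual expected loss (future risk)
    controls: list = field(default_factory=list)

    def starting_risk(self):
        """Risk before any controls (where you started)."""
        return self.likelihood * self.impact

    def current_risk(self):
        """Risk with every listed control applied (as it is now)."""
        lik, imp = self.likelihood, self.impact
        for c in self.controls:
            lik *= c.likelihood_factor
            imp *= c.impact_factor
        return lik * imp

    def control_cost(self):
        return sum(c.annual_cost for c in self.controls)

    def controls_worth_it(self):
        """Cost/benefit: do the controls remove more expected loss than they cost?"""
        return (self.starting_risk() - self.current_risk()) > self.control_cost()

    def meets_target(self):
        """Do the controls bring the risk down to the level you want it at?"""
        return self.current_risk() <= self.target


def register_report(risks):
    """One row per risk: starting, current, target, and the two checks."""
    return [
        {
            "risk": r.name,
            "starting": round(r.starting_risk(), 2),
            "current": round(r.current_risk(), 2),
            "target": r.target,
            "meets_target": r.meets_target(),
            "controls_worth_it": r.controls_worth_it(),
        }
        for r in risks
    ]


# Constructed sample register (hypothetical figures).
SAMPLE = [
    Risk("scheduling system outage", likelihood=0.5, impact=2_000_000, target=250_000,
         controls=[Control("redundant scheduler", 150_000, likelihood_factor=0.2)]),
    Risk("insider theft", likelihood=0.3, impact=50_000, target=5_000,
         controls=[Control("dual approval", 20_000, likelihood_factor=0.5)]),
    Risk("third-party outage", likelihood=0.2, impact=100_000, target=10_000,
         controls=[]),
]


if __name__ == "__main__":
    for row in register_report(SAMPLE):
        print(row)
```

The second sample row is the case a register is there to catch: the control halves the likelihood but still leaves the risk above target, and its 20,000 running cost exceeds the 7,500 of expected loss it removes, so it fails both checks. The third row has no controls at all, so starting and current risk are identical and the gap to target is entirely unaddressed.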

Operational Risk Management: Don’t Go it Alone

As the market, technology, and threats mature, the need for mature governance jumps from “nice to have” to “must have.” Implementing successful governance involves everyone, from the board and executives to the company culture, and, let’s not forget, the right solutions that suit your needs.

CyberCTRL, our industry-first managed cybersecurity solution, has helped our clients mature and significantly reduce their operational risk, saving both time and money. We’ve done this by combining the best-of-breed tools with the necessary expertise and services into one end-to-end solution, allowing even the smallest of companies the benefit of enterprise risk management. Let us show you how.
