printer friendly version

Effective risk management

Operational risk and information security need to co-exist if businesses want to effectively manage risk.

A long time ago (about last Tuesday) organisations were able to put operational risk and information security into separate, watertight compartments. Operational risk sat in the audit department and probably reported to the CFO. While information security (if such a function existed) sat in the IT department and reported to the CIO (eventually).

Today, this approach is not a true solution to adequate risk management. Today's information dependent organisation requires these compartments to be broken down.

The most obvious reasons for breaking down the compartments, and the subsequent consequences of failure to do so, are easy to understand. In recent years we have been bombarded with legislation and regulation; such as Basel II (if you are a bank), the Turnbull report (if you are quoted on the London Stock Exchange) or the Sarbanes-Oxley Act (if you are quoted on the New York Stock Exchange). All of these effectively say that if you do not have in place adequate mechanisms for controlling and auditing the flow of information through your organisation; then your company will lose a lot of money, or someone important in it will go to jail - or both.

So operational risk people have woken up to the fact (if they did not realise it already) that the IT people are somewhat important in the process of information flow and audit. And the IT people (or at least some of them) have realised that to understand their job they ought to know a bit more about the business impact associated with the assets for which they are responsible.

As a result of this regulatory-inspired revolution therefore, the previously separate orbits of operational risk and information security have begun to overlap. If they have not yet done so in your organisation, then they soon will.

Unfortunately, each party seems to treat the other with mutual suspicion. Both seem to be defending their responsibility over the concept of 'risk'. Naturally, operational risk specialists feel that they are the experts in this area. But information security people in turn feel that operational risk people do not understand information security risk.

At this stage it might be useful to consider what we mean by operational risk and information security. Operational risk was defined by the Bank of International Settlements' Basel Committee in 1999 as: "the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events". Information security is defined in the international standard for information security management systems (ISO 17799) as: "preservation of confidentiality, integrity and availability of information".

So where is the conflict, or even overlap, between the two concepts? It seems clear that preserving the confidentiality, integrity and availability of information must involve people, processes and systems. And that failure of these would certainly serve to increase the risk of loss. Information security can therefore be seen to constitute an important factor in the control of operational risk. In this sense, information security might be seen as contributing to operational risk management, but playing a subordinate role.

However, information itself must be seen as fundamental to the operation of any business. It is impossible to run a successful business without detailed and specific information. Even digging a hole in the road requires information about local traffic conditions, the location and depth of the hole, the type of soil and rock that will be encountered and the likelihood of hitting water-pipes or electricity cables. Not to mention about the employees who will be doing the digging, their terms of employment and the tools they will be using. If you cannot trust the confidentiality and integrity of this information, you cannot be sure that you will be able to complete the job; and if the information is not available, you cannot even begin it!

In the wider sense, therefore, operational risk management is contingent on good information security. In turn, information security may be seen as conditioning operational risk. The problem lies in the understanding of 'risk'. Operational risk specialists spend their professional lives thinking about what it means to the business - in terms of its consequences and costs. Information security on the other hand has a poor track record of speaking meaningfully about risk in this way.

Historically, information security specialists have been familiar with networks and electronic threats and vulnerabilities. As a consequence, they have tended to live within the IT department; where they have thought a lot about the risk to the bits and bytes of networked assets, but not much about their criticality to the business as a whole. Whilst operational risk specialists have existed at a more rarified level, and have been unlikely to consider the consequences of the failure of the bits and bytes of information on which businesses now increasingly depend.

In the newly regulated world, these two levels of understanding must come together. To see how this could be done, let us look at possible controls for information security risk in a business. Such controls may be envisaged at a number of different levels in the business process. In the diagram below, five levels are considered; from operational security to strategic planning.

Information security risk control levels

Most business have put in place much of the technology that enables them to deal with operational security (firewall and anti-virus systems, for example). And successful businesses would quickly become unsuccessful if they failed to implement managerial and strategic planning controls. However, most businesses would admit that they have shortcomings in the intermediate levels between these two.

Perhaps the majority of serious shortcomings are at control level three. Few businesses have clearly identified all their critical information assets, still less have they understood what they need to do to protect their availability, or how to identify if their confidentiality or integrity have been breached. From the discussion above, it will be appreciated that information security generally operates at levels one and two, whilst operational risk works at levels four and five. Failures at level three are probably no coincidence therefore - as no group has clear responsibility for this level of control.

This failure to take responsibility for the identification and protection of business-critical information assets has further consequences. In the diagram above, the control levels are shown as arrows. The implication of this is that information must flow from operational security controls to managerial and strategic planning, and vice versa. Operational controls cannot be effective unless they are sensitised to what is strategically important to the business, nor can strategic controls be effective if they do not have a baseline derived from day-to-day operational security information.

It follows that any break in the chain will result in the complete or partial failure of the system to transfer information up and down the chain of control. Such failures must impact on the ability of the business to control its information security, and thus its operational risk. Therefore, if businesses are not implementing level three controls effectively, they must be on course for failure to meet the demands of regulation.

The conclusion is obvious. Operational risk and information security cannot afford to engage in a battle for who owns the responsibility for business risk. They must agree to a contract of mutual support. Operational risk needs to know more about the threats to, and vulnerabilities of, those vital networked assets; and information security needs to understand more about how to determine the business criticality of the assets for which they are responsible. In short, they need to meet and shake hands over the level three controls.

Jeremy Ward, service development director at Symantec

Share this article:

Further reading: