Effective risk management

April 2005 Security Services & Risk Management

Operational risk and information security need to co-exist if businesses want to effectively manage risk.

A long time ago (about last Tuesday) organisations were able to put operational risk and information security into separate, watertight compartments. Operational risk sat in the audit department and probably reported to the CFO. While information security (if such a function existed) sat in the IT department and reported to the CIO (eventually).

Today, this approach is not a true solution to adequate risk management. Today's information dependent organisation requires these compartments to be broken down.

The most obvious reasons for breaking down the compartments, and the subsequent consequences of failure to do so, are easy to understand. In recent years we have been bombarded with legislation and regulation; such as Basel II (if you are a bank), the Turnbull report (if you are quoted on the London Stock Exchange) or the Sarbanes-Oxley Act (if you are quoted on the New York Stock Exchange). All of these effectively say that if you do not have in place adequate mechanisms for controlling and auditing the flow of information through your organisation; then your company will lose a lot of money, or someone important in it will go to jail - or both.

So operational risk people have woken up to the fact (if they did not realise it already) that the IT people are somewhat important in the process of information flow and audit. And the IT people (or at least some of them) have realised that to understand their job they ought to know a bit more about the business impact associated with the assets for which they are responsible.

As a result of this regulatory-inspired revolution therefore, the previously separate orbits of operational risk and information security have begun to overlap. If they have not yet done so in your organisation, then they soon will.

Unfortunately, each party seems to treat the other with mutual suspicion. Both seem to be defending their responsibility over the concept of 'risk'. Naturally, operational risk specialists feel that they are the experts in this area. But information security people in turn feel that operational risk people do not understand information security risk.

At this stage it might be useful to consider what we mean by operational risk and information security. Operational risk was defined by the Bank of International Settlements' Basel Committee in 1999 as: "the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events". Information security is defined in the international standard for information security management systems (ISO 17799) as: "preservation of confidentiality, integrity and availability of information".

So where is the conflict, or even overlap, between the two concepts? It seems clear that preserving the confidentiality, integrity and availability of information must involve people, processes and systems. And that failure of these would certainly serve to increase the risk of loss. Information security can therefore be seen to constitute an important factor in the control of operational risk. In this sense, information security might be seen as contributing to operational risk management, but playing a subordinate role.

However, information itself must be seen as fundamental to the operation of any business. It is impossible to run a successful business without detailed and specific information. Even digging a hole in the road requires information about local traffic conditions, the location and depth of the hole, the type of soil and rock that will be encountered and the likelihood of hitting water-pipes or electricity cables. Not to mention about the employees who will be doing the digging, their terms of employment and the tools they will be using. If you cannot trust the confidentiality and integrity of this information, you cannot be sure that you will be able to complete the job; and if the information is not available, you cannot even begin it!

In the wider sense, therefore, operational risk management is contingent on good information security. In turn, information security may be seen as conditioning operational risk. The problem lies in the understanding of 'risk'. Operational risk specialists spend their professional lives thinking about what it means to the business - in terms of its consequences and costs. Information security on the other hand has a poor track record of speaking meaningfully about risk in this way.

Historically, information security specialists have been familiar with networks and electronic threats and vulnerabilities. As a consequence, they have tended to live within the IT department; where they have thought a lot about the risk to the bits and bytes of networked assets, but not much about their criticality to the business as a whole. Whilst operational risk specialists have existed at a more rarified level, and have been unlikely to consider the consequences of the failure of the bits and bytes of information on which businesses now increasingly depend.

In the newly regulated world, these two levels of understanding must come together. To see how this could be done, let us look at possible controls for information security risk in a business. Such controls may be envisaged at a number of different levels in the business process. In the diagram below, five levels are considered; from operational security to strategic planning.

Information security risk control levels

Most business have put in place much of the technology that enables them to deal with operational security (firewall and anti-virus systems, for example). And successful businesses would quickly become unsuccessful if they failed to implement managerial and strategic planning controls. However, most businesses would admit that they have shortcomings in the intermediate levels between these two.

Perhaps the majority of serious shortcomings are at control level three. Few businesses have clearly identified all their critical information assets, still less have they understood what they need to do to protect their availability, or how to identify if their confidentiality or integrity have been breached. From the discussion above, it will be appreciated that information security generally operates at levels one and two, whilst operational risk works at levels four and five. Failures at level three are probably no coincidence therefore - as no group has clear responsibility for this level of control.

This failure to take responsibility for the identification and protection of business-critical information assets has further consequences. In the diagram above, the control levels are shown as arrows. The implication of this is that information must flow from operational security controls to managerial and strategic planning, and vice versa. Operational controls cannot be effective unless they are sensitised to what is strategically important to the business, nor can strategic controls be effective if they do not have a baseline derived from day-to-day operational security information.

It follows that any break in the chain will result in the complete or partial failure of the system to transfer information up and down the chain of control. Such failures must impact on the ability of the business to control its information security, and thus its operational risk. Therefore, if businesses are not implementing level three controls effectively, they must be on course for failure to meet the demands of regulation.

The conclusion is obvious. Operational risk and information security cannot afford to engage in a battle for who owns the responsibility for business risk. They must agree to a contract of mutual support. Operational risk needs to know more about the threats to, and vulnerabilities of, those vital networked assets; and information security needs to understand more about how to determine the business criticality of the assets for which they are responsible. In short, they need to meet and shake hands over the level three controls.

Jeremy Ward, service development director at Symantec
Jeremy Ward, service development director at Symantec

For more information contact Jeremy Ward, service development director at Symantec. www.symantec.com





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Risk management and compliance enforcement
Security Services & Risk Management
Having a risk management and compliance programme (RMCP) is not just a procedural formality; it is a legal requirement under Section 42 of the Financial Intelligence Centre Act (FICA).

Read more...
The dangers of poor-quality solar cables
Security Services & Risk Management Smart Home Automation
Reports indicate that one in six fires attended by South African firefighters is linked to substandard solar installations, often due to faulty wiring or incompatible components.

Read more...
Growing risks for employers
Security Services & Risk Management
With South Africa’s unemployment rate exceeding 32% and expected to rise beyond 33% this year, desperation is fuelling deception in the job market. Trust is no longer a given, it is a gamble.

Read more...
Chubbsafes celebrates 190 years
Gunnebo Safe Storage Africa News & Events Security Services & Risk Management
Chubbsafes marks its 190th anniversary in 2025 and as a highlight of the anniversary celebrations it is launching the Chubbsafes 1835, a limited edition 190th-anniversary collector’s safe.

Read more...
New law enforcement request portal
News & Events Security Services & Risk Management
inDrive launches law enforcement request portal in South Africa to support safety investigations. New portal allows authorised South African law enforcement officials to securely request user data related to safety incidents.

Read more...
Continuous AML risk monitoring
Access Control & Identity Management Security Services & Risk Management Financial (Industry)
AU10TIX, launched continuous risk monitoring as part of its advanced anti-money laundering (AML) solution, empowering businesses to detect behavioural anomalies and emerging threats as they arise.

Read more...
Growing risks for employers
Security Services & Risk Management
With South Africa’s unemployment rate exceeding 32% and expected to rise beyond 33% this year, desperation is fuelling deception in the job market. Trust is no longer a given, it’s a gamble.

Read more...
Managing mining physical security risks
Zulu Consulting Security Services & Risk Management Mining (Industry) Facilities & Building Management
[Sponsored] Risk-IO, a web app from Zulu Consulting, is designed to assist risk managers in automating and streamlining enterprise risk management processes, ensuring no steps are skipped and everything is securely documented.

Read more...
SAFPS issues SAPS impersonation scam warning
News & Events Security Services & Risk Management
The Southern African Fraud Prevention Service (SAFPS) is warning the public against a scam in which scammers pose as members of the South African Police Service (SAPS) and trick and intimidate individuals into handing over personal and financial information.

Read more...
Rewriting the rules of reputation
Technews Publishing Editor's Choice Security Services & Risk Management
Public Relations is more crucial than ever in the generative AI and LLMs age. AI-driven search engines no longer just scan social media or reviews, they prioritise authoritative, editorial content.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.