Operational Risk What it is and how to reduce it Session Overview - - PowerPoint PPT Presentation



SLIDE 1

Operational Risk

What it is and how to reduce it

SLIDE 2

Session Overview

  • What is Operational Risk
  • Common Risk Types and Categories
  • What to Assess
  • Most Overlooked Items
  • Simplified Rating Risk and Reporting
  • Mitigation Strategies
  • Recommendations

SLIDE 3

What is Operational Risk?

Discover and categorize exposures that could reduce the effectiveness of, compromise, disrupt or destroy the continuity of organizational operations by negatively impacting:

  • Reputation, revenues or fiscal stability
  • Personnel and the clients you serve
  • Confidentiality, integrity or availability of data, applications, systems and networks
  • Hard assets and facilities

SLIDE 4

Risk Categories and Types

  • Financial Risk
    • Market
    • Credit
    • Liquidity
  • Product or Service Risk
  • Legal/Regulatory Risk
  • Operational Risk
    • Environment, Governance, Technology
  • Other Risk
    • Outside the control of the organization: black swans

SLIDE 5

Basic Risk Management

  • Identify the exposures the company has some control over
  • Mitigation is feasible, based on risk appetite and cost-benefit analysis
  • Transfer of risk is possible for some of the exposures (insurance)
  • Business Continuity/Disaster Recovery provides an additional level of mitigation for assumed risk exposures

SLIDE 6

Operational Risk Categories

  • Environment
    • Infrastructure
    • Building
    • Safety
    • Security
    • Nature
    • Neighbors
  • Technology
    • Cyber
    • Physical Environment
    • Network
  • Governance
    • Corporate
    • Human
      • Employees
      • Vendors
      • Partners
      • Clients
    • Information Protection
    • Regulatory
    • Risk Management / Business Continuity

SLIDE 7

What to Assess

  • Exposures:
    • Vulnerabilities
  • Threat rating:
    • Velocity of onset
    • Probability
    • Impact to operations
  • How effective are current controls?
    • Do they reduce any of the above?

SLIDE 8

SLIDE 9

SLIDE 10

Environment/Building

  • Locale
    • Geography
    • Neighboring sites, structures and operations
    • Infrastructure - utilities
  • Building
    • Structure composite
    • Age and condition
    • Glass
    • HVAC systems
    • Wiring and power
    • Control panels

SLIDE 11

Environment/Safety

  • Stairs – handrails
  • Tripping and falling hazards
  • Equipment safety features
  • Controls for chemicals on the premises
  • Defibrillators
  • Evacuation routes
  • Emergency response plans and training
  • Workplace violence controls
  • Fire suppression and alarm

SLIDE 12

Environment/Security

  • Building and entrance
  • Floor and suite security
  • Facility systems - access and security controls
  • Desktop environment
  • Employee training
  • Vendor management
  • Audit – internal and external
  • IT
    • Network servers
    • Systems – production, test and development
    • Application servers
    • Mobility controls

SLIDE 13

SLIDE 14

SLIDE 15

Environment/Nature

  • Winter
    • Ice
    • Blizzard – term first coined in Emmetsburg, Iowa
  • Summer
    • Lightning
    • Floods or mudslides
    • Tornadoes, hurricanes or cyclones
  • Earthquakes and fault zones
  • Heat and drought
  • Underground threats – abandoned coal mines

SLIDE 16

SLIDE 17

Environment/Neighbors

  • Dams or locks
  • Grain elevators
  • Petroleum or ethanol plants
  • Chemical plants
  • Government offices
  • Transportation routes and cargos
    • Railroad tracks
    • Interstate
    • Ingress/egress speeds
  • Religious sites
  • Schools/colleges/universities
  • Financial institutions
  • High profile national monuments or tourist sites
  • Utilities: power, water, communication sites
  • Nuclear sites and targets
  • Others – nearly endless

SLIDE 18

SLIDE 19

Governance/Human

  • Employees
    • Pre-employment screening
    • Policies
      • AUP
      • Data protection
      • Desktop security
      • Regulatory compliance
      • Ethics
      • Harassment
      • Job specific
      • Other
    • Onboarding process
    • Monitoring compliance
    • Termination process
  • Contractors
    • Security and data privacy adherence
  • Vendors
    • Supply chain management

SLIDE 20

Governance/Clients

  • Who are they?
  • Their risk and how they manage it
  • Are they regulated and, if so, what are their controls?
  • Ethics and integrity
  • Their internal processes – are they managing employee risk?
  • Contracts
    • Liability language
    • Cyber
    • Ethics

SLIDE 21

Governance/Regulatory

  • Legal
    • Contractual obligations
    • SLAs
    • State and federal requirements
  • Fiduciary responsibility
  • Social responsibility
  • Societal security
  • Compliance monitoring
    • Internal
    • External - audits

SLIDE 22

Governance/Risk & BCM

  • Risk and BC Management Program and Policy
  • Policies and Procedures with Executive Approval
  • Assessments
  • Mitigation and Control Strategies
  • Assumption of Risk Process
  • Risk Monitoring and Review
  • Business Continuity Management (your mitigation for the “unfixable”)
  • Program Life Cycle
  • Exercise and Testing
  • Auditable Proofs

SLIDE 23

Technology

  • Assets
    • Data
    • Applications
    • Hardware
    • Network
  • Technology Governance
    • Logical or Virtual Configurations
    • Logging and Monitoring
    • Access Controls
    • Patch Management
    • Development
    • Testing

SLIDE 24

Gotcha!

Employee Practice & the Dreaded Sticky Note

SLIDE 25

Most Overlooked Exposures

  • Employee practices
  • Desktop security
  • Policy enforcement
  • Reputation management
  • Fire suppression
  • Power failure conditions
  • Recovery test compliance
  • Geological threats

SLIDE 26

Rating Risk

  • Complex
    • Requires historical data and loss ratios
    • Needs actuaries
  • Simple: Zero, Low, Medium, High
    • Impacts
      • Business impacts from disruption
      • Cost of impacts
    • Probability
      • Based on how much of the exposure is present
      • How often it occurs in the region
    • Velocity – speed of onset
    • Color code for easy viewing

SLIDE 27

Operational Risk Tool

SLIDE 28

Compound Risk

  • These are the “What Ifs”
  • No fire suppression, no alarms, no conduit for wires in public areas
  • High-risk neighbors, such as a train track within 10 yards of your facility
  • Facility is in a flood plain and the demarc, along with the generator, is in the basement
  • Long-time employees and unexpected organizational changes resulting in low morale
  • Your client is under investigation and your name is in the paper with them

SLIDE 29

Report Types

  • Executive summary – usually 1 to 3 pages depending on site
  • Risk report – 12 to 15 pages
    • Overview details
    • Recommendations
    • Summary
    • Detailed information as a reference
  • Visuals
    • All the high risks by site
    • Site criticality
    • Revenue impacts
    • Effects of mitigation controls

SLIDE 30

SLIDE 31

[Chart: axis labelled LOCATIONS, 1 to 10]

SLIDE 32

Mitigation Strategies

  • Pick the highest residual risk exposures with the most probability
  • Where are your risk appetite and tolerance?
  • Cost-benefit analysis
    • Cost to fix versus cost if it occurs
    • Use revenue impact by hour, day, week, month
    • Reduced insurance costs
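One way to turn the simple Zero/Low/Medium/High scale, the "do current controls reduce any of the above" check, and the cost-to-fix versus cost-if-it-occurs comparison into a repeatable calculation. This is an added example, not the presenter's Operational Risk Tool: the numeric weights behind the scale, the colour thresholds, the three-year planning horizon, the revenue-per-hour figure and the four exposures are constructed, illustrative values.

```python
"""Simplified operational risk rating and cost-benefit check (added example)."""
from dataclasses import dataclass, field

# Zero/Low/Medium/High scale from the slides; the numeric weights and the
# colour thresholds are assumptions of this example.
SCALE = {"Zero": 0, "Low": 1, "Medium": 2, "High": 3}
COLOUR = {0: "green", 1: "green", 2: "yellow", 3: "red"}
DIMENSIONS = ("impact", "probability", "velocity")


@dataclass
class Exposure:
    site: str
    name: str
    impact: str        # business impact of the disruption
    probability: str   # how much is present / how often it occurs in the region
    velocity: str      # speed of onset
    # Existing controls, expressed as how many steps they lower a dimension,
    # e.g. {"probability": 1}: training moves probability High -> Medium.
    controls: dict = field(default_factory=dict)
    hours_down: float = 0.0           # expected outage hours per occurrence
    occurrences_per_year: float = 0.0
    cost_to_fix: float = 0.0          # one-off cost of the proposed mitigation

    def residual(self, dimension: str) -> int:
        """Rating after current controls; a control lowers a rating, never below Zero."""
        return max(0, SCALE[getattr(self, dimension)] - self.controls.get(dimension, 0))

    def residual_score(self) -> int:
        """The worst remaining dimension drives the overall rating and its colour."""
        return max(self.residual(d) for d in DIMENSIONS)

    def colour(self) -> str:
        return COLOUR[self.residual_score()]


def expected_annual_loss(exp: Exposure, revenue_per_hour: float) -> float:
    """Cost if it occurs, annualised: revenue impact per hour x outage hours x frequency."""
    return exp.hours_down * revenue_per_hour * exp.occurrences_per_year


def worth_fixing(exp: Exposure, revenue_per_hour: float, horizon_years: int = 3) -> bool:
    """Cost to fix versus expected loss over the planning horizon (horizon is an assumption)."""
    return exp.cost_to_fix < expected_annual_loss(exp, revenue_per_hour) * horizon_years


def prioritise(register: list) -> list:
    """Highest residual risk first, then the most probable; sort is stable for ties."""
    return sorted(register,
                  key=lambda e: (e.residual_score(), e.residual("probability")),
                  reverse=True)


def high_risks_by_site(register: list) -> dict:
    """'All the high risks by site', as data a report visual can be drawn from."""
    out: dict = {}
    for e in register:
        if e.colour() == "red":
            out.setdefault(e.site, []).append(e.name)
    return out


def sample_register() -> list:
    """Constructed exposures echoing the deck's 'what ifs'; every figure is illustrative."""
    return [
        Exposure("Des Moines", "No fire suppression or alarms", "High", "Low", "High",
                 hours_down=240, occurrences_per_year=0.02, cost_to_fix=60_000),
        Exposure("Des Moines", "Demarc and generator in flood-plain basement",
                 "High", "Medium", "Medium",
                 hours_down=72, occurrences_per_year=0.1, cost_to_fix=40_000),
        Exposure("Des Moines", "Passwords on sticky notes", "Medium", "High", "Medium",
                 controls={"probability": 1},   # AUP training plus desktop walk-throughs
                 hours_down=8, occurrences_per_year=0.5, cost_to_fix=5_000),
        Exposure("Omaha", "Tornado", "High", "Medium", "High",
                 controls={"impact": 1},        # tested BC/DR plan shortens the outage
                 hours_down=48, occurrences_per_year=0.2, cost_to_fix=20_000),
    ]


if __name__ == "__main__":
    revenue_per_hour = 2_500.0   # assumed hourly revenue impact for the site
    for e in prioritise(sample_register()):
        print(f"{e.site:10} {e.name:45} {e.colour():6} "
              f"EAL ${expected_annual_loss(e, revenue_per_hour):>9,.0f} "
              f"fix ${e.cost_to_fix:>8,.0f} worth fixing: {worth_fixing(e, revenue_per_hour)}")
```

Run as a script it prints the register in priority order with its colour, expected annual loss and cost-benefit verdict. Scoring by the worst single dimension is deliberate: a High velocity alone turns an exposure red because a fast-onset event leaves no time to react, which is the reason the slides ask for velocity at all. If the risk appetite statement weights impact more heavily than probability, replace the `max` in `residual_score` with a weighted sum and adjust the colour thresholds to match.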

SLIDE 33

Mitigation Strategies

  • Human controls
    • Policies and procedures
    • Training
    • Compliance auditing
  • Transfer of risks – insurance
  • Business continuity and disaster recovery plans
  • Monitoring controls and testing

SLIDE 34

Recommendations

  • Keep it as simple as possible
  • Look for mitigation strategies and controls that fix more than one exposure
  • Monitor progress of mitigation and controls
  • Test the controls from time to time
  • Make it visual so it’s easy to see and understand

SLIDE 35

Questions?

Vicky McKim, AFBCI, MBCP, CRMP vicky.mckim@aureon.com 515.830.0233