Operational Risk: What it is and how to reduce it

Session Overview
• What is Operational Risk
• Common Risk Types and Categories
• What to Assess
• Most Overlooked Items
• Simplified Risk Rating and Reporting
• Mitigation Strategies
• Recommendations
What is Operational Risk?
Discover and categorize exposures that could reduce the effectiveness of, compromise, disrupt or destroy the continuity of organizational operations by negatively impacting:
• Reputation, revenues or fiscal stability
• Personnel and the clients you serve
• Confidentiality, integrity or availability of data, applications, systems and networks
• Hard assets and facilities
Risk Categories and Types
• Financial Risk
  • Market
  • Credit
  • Liquidity
• Product or Service Risk
• Legal/Regulatory Risk
• Operational Risk
  • Environment, Governance, Technology
• Other Risk
  • Outside the control of the organization, black swans

Basic Risk Management
• Identifying the exposures the company has some control over
• Mitigation is feasible, based on risk appetite and cost benefit analysis
• Transfer of risk is possible for some of the exposures (insurance)
• Business Continuity/Disaster Recovery provide an additional level of mitigation for assumed risk exposures
Operational Risk Categories
• Environment
  • Infrastructure
  • Building
  • Safety
  • Security
  • Nature
  • Neighbors
• Governance
  • Corporate
  • Human: Employees, Vendors, Partners, Clients
  • Regulatory
  • Risk Management / Business Continuity
• Technology
  • Information Protection
  • Cyber
  • Physical Environment
  • Network
What to Assess
• Exposures
• Vulnerabilities
• Threat rating:
  • Velocity of onset
  • Probability
  • Impact to operations
• How effective are current controls
  • Do they reduce any of the above
Environment/Building
• Locale
  • Geography
  • Neighboring sites, structures and operations
  • Infrastructure (utilities)
• Building
  • Structure composite
  • Age and condition
  • Glass
  • HVAC systems
  • Wiring and power
  • Control panels

Environment/Safety
• Stairs and handrails
• Tripping and falling hazards
• Equipment safety features
• Controls for chemicals on premises
• Defibrillators
• Evacuation routes
• Emergency response plans and training
• Workplace violence controls
• Fire suppression and alarm
Environment/Security
• Building and entrance security
• Floor and suite security
• Facility systems
• IT access and security controls
• Network servers
• Systems: production, test and development
• Application servers
• Desktop environment
• Mobility controls
• Vendor management
• Audit: internal and external
• Employee training
Environment/Nature
• Winter
  • Ice
  • Blizzard (term first coined in Emmetsburg, Iowa)
• Summer
  • Lightning
  • Floods or mudslides
  • Tornadoes, hurricanes or cyclones
• Earthquakes and fault zones
• Heat and drought
• Underground threats (abandoned coal mines)
Environment/Neighbors
• Dams or locks
• Grain elevators
• Petroleum or ethanol plants
• Chemical plants
• Government offices
• Utilities: power, water, and communication sites
• Nuclear sites and targets
• Interstate
• Religious sites
• Schools/colleges/universities
• Financial institutions
• High profile national monuments or tourist sites
• Transportation routes and cargos
• Railroad tracks
• Ingress/egress speeds
• Others: nearly endless
Governance/Human
• Employees
  • Pre-employment screening
  • Onboarding process
  • Monitoring
  • Policies compliance
  • AUP
  • Termination process
  • Contractors
  • Vendors
  • Supply Chain Management
• Employees cont.
  • Data protection
  • Desktop security
  • Security and Data Privacy adherence
  • Regulatory compliance
  • Ethics
  • Harassment
  • Job specific
  • Other
Governance/Clients
• Who are they
• Their risk and how they manage it
• Are they regulated and, if so, what are their controls
• Ethics and integrity
• Their internal processes: are they managing employee risk
• Contracts
  • Liability language
  • Cyber
  • Ethics

Governance/Regulatory
• Legal
• Contractual obligations
• SLAs
• State and federal requirements
• Fiduciary responsibility
• Social responsibility
• Societal security
• Compliance monitoring
  • Internal
  • External (audits)

Governance/Risk & BCM
• Risk and BC Management Program and Policy
• Policies and Procedures with Executive Approval
• Assessments
• Mitigation and Control Strategies
• Assumption of Risk Process
• Risk Monitoring and Review
• Business Continuity Management (your mitigation for the “unfixable”)
  • Program Life Cycle
  • Exercise and Testing
  • Auditable Proofs

Technology
• Assets
  • Data
  • Applications
  • Hardware
  • Network
• Technology Governance
  • Logical or Virtual Configurations
  • Logging and Monitoring
  • Access Controls
  • Patch Management
  • Development
  • Testing
Gotcha! Employee Practice & the Dreaded Sticky Note
Most Overlooked Exposures
• Employee practices
• Desktop security
• Policy enforcement
• Reputation management
• Fire suppression
• Power failure conditions
• Recovery test compliance
• Geological threats

Rating Risk
• Complex
  • Availability of historical data and loss ratios
  • Need actuaries
• Simple: Zero, Low, Medium, High
  • Impacts
    • Business impacts from disruption
    • Cost of impacts
  • Probability
    • Base on how much is present
    • How often it occurs in the region
  • Velocity: speed of onset
  • Color code for easy viewing
Operational Risk Tool
Compound Risk
• These are the “What Ifs”
• No fire suppression, no alarms, no conduit for wires in public areas
• High-risk neighbors, next to a train track within 10 yards of your facility
• Facility is in a flood plain and the demarc along with the generator are in the basement
• Long-time employees, unexpected organizational changes resulting in low morale
• Your client is under investigation and your name is in the paper with them

Report Types
• Executive summary: usually 1 to 3 pages depending on site
• Risk report: 12 to 15 pages
  • Overview
  • Recommendations
  • Summary
  • Details: detailed information as a reference
  • Visuals
    • All the high risks by site
    • Site criticality
    • Revenue impacts
    • Effects of mitigation controls
[Chart residue: axis label “Locations”, ticks 1 to 10; the plotted ratings did not survive extraction]
Mitigation Strategies
• Pick the highest residual risk exposures with the most probability
• Where is your risk appetite and tolerance?
• Cost Benefit Analysis
  • Cost to fix versus cost if it occurs
  • Use revenue impact by hour, day, week, month
  • Reduced insurance costs
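The Rating Risk slide and the cost benefit bullets above describe a method without showing it applied. The following is an added worked example, not a tool from the presenter or from Aureon: it rates constructed exposures on the slide's Zero/Low/Medium/High scale for impact, probability, velocity of onset and control effectiveness, color codes the residual rating, and compares cost to fix against the expected cost if the event occurs using revenue impact per hour. The way the four levels are combined into a score (impact times probability, plus one for high-velocity onset, minus the control level) and the payback horizon are this example's own assumptions; the slides do not prescribe a formula.

```python
"""Added example: simple Zero/Low/Medium/High risk rating and cost-benefit ranking.

The four-level scale, color coding and the "cost to fix versus cost if it
occurs" comparison follow the slides; the scoring arithmetic is an assumption
made for this example, not the presenter's method.
"""
from dataclasses import dataclass

LEVELS = {"zero": 0, "low": 1, "medium": 2, "high": 3}
COLORS = {"zero": "green", "low": "yellow", "medium": "orange", "high": "red"}


@dataclass(frozen=True)
class Exposure:
    name: str
    impact: str              # business impact of the disruption: zero/low/medium/high
    probability: str         # how often it occurs in the region, as a level
    velocity: str            # speed of onset: high means little or no warning
    controls: str            # how effective the current controls are
    annual_frequency: float  # expected occurrences per year (from regional history)
    outage_hours: float      # hours of disruption if it occurs
    cost_to_fix: float       # one-off cost of the mitigation, in currency units


def level(name: str) -> int:
    """Map a level word to its ordinal; reject anything outside the four-level scale."""
    try:
        return LEVELS[name.lower()]
    except KeyError:
        raise ValueError(f"unknown level {name!r}; use zero/low/medium/high")


def inherent_score(e: Exposure) -> int:
    """Assumed scoring: impact x probability (0-9), plus 1 when onset is high velocity."""
    score = level(e.impact) * level(e.probability)
    if score and level(e.velocity) == 3:
        score += 1
    return score


def residual_score(e: Exposure) -> int:
    """Assumed rule: current controls reduce the score by their effectiveness level."""
    return max(0, inherent_score(e) - level(e.controls))


def rating(score: int) -> str:
    """Fold a 0-10 score back onto the simple four-level scale."""
    if score == 0:
        return "zero"
    if score <= 2:
        return "low"
    if score <= 5:
        return "medium"
    return "high"


def expected_annual_loss(e: Exposure, revenue_per_hour: float) -> float:
    """Cost if it occurs, spread over a year: frequency x outage hours x revenue per hour."""
    return e.annual_frequency * e.outage_hours * revenue_per_hour


def rank(exposures, revenue_per_hour: float, horizon_years: float = 3.0):
    """Highest residual risk first, then largest expected loss; flag fixes that pay back in the horizon."""
    rows = []
    for e in exposures:
        res = rating(residual_score(e))
        eal = expected_annual_loss(e, revenue_per_hour)
        rows.append({
            "name": e.name,
            "rating": res,
            "color": COLORS[res],
            "expected_annual_loss": round(eal, 2),
            "fix_pays_back": eal * horizon_years > e.cost_to_fix,
        })
    rows.sort(key=lambda r: (LEVELS[r["rating"]], r["expected_annual_loss"]), reverse=True)
    return rows


# Constructed sample exposures; the numbers are illustrative, not from any real assessment.
SAMPLE_EXPOSURES = [
    Exposure("No fire suppression in server room", "high", "low", "high", "zero", 0.05, 72, 25_000),
    Exposure("Generator and demarc in flood-plain basement", "high", "medium", "medium", "zero", 0.2, 48, 120_000),
    Exposure("Unlocked desktops, passwords on sticky notes", "medium", "high", "low", "low", 2.0, 4, 5_000),
    Exposure("Power failure", "medium", "medium", "high", "high", 1.0, 6, 15_000),
]

if __name__ == "__main__":
    for row in rank(SAMPLE_EXPOSURES, revenue_per_hour=2500):
        print(f"{row['color']:6} {row['rating']:6} {row['expected_annual_loss']:>10,.0f}  "
              f"fix pays back: {row['fix_pays_back']}  {row['name']}")
```

Run as a script it prints one color-coded line per exposure, sorted so the red items sit at the top, which is the visual the Recommendations slide asks for. Note that the flood-plain item ranks highest yet its fix does not pay back within the assumed three-year horizon; that is the case the risk appetite question on the slide is meant to settle, with business continuity planning as the fallback for what is not fixed.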
Mitigation Strategies
• Human controls
  • Policies and procedures
  • Training
  • Compliance auditing
• Transfer of risks (insurance)
• Business continuity and disaster recovery plans
• Monitoring controls and testing

Recommendations
• Keep it as simple as possible
• Look for mitigation strategies and controls that fix more than one exposure
• Monitor progress of mitigation and controls
• Test the controls from time to time
• Make it visual so it’s easy to see and understand
Questions? Vicky McKim, AFBCI, MBCP, CRMP vicky.mckim@aureon.com 515 . 830 . 0233