Operational Risk Management

Operational risk, arguably the most important area of risk, is the risk of operational failure.  Most, if not all, of the major losses in the past 20 years are a result of an operational failure.  There have literally been hundreds of case studies written about operational failures and the impact on organizations.  An operational failure can ruin a company.

How many times have companies started security initiatives and the #2 goal, right after protect the company assets, is to “minimize operational impact.”  Now as a security practitioner, that presents a little problem right?  The whole idea of security, whether physical or IT security, is to redefine processes to reduce the exposure to bad events, yet we have to have minimal operational impact.  No wonder so many security professionals end up looking like this:

The real question is why do executives view security as an impediment to operations and not as a way to reduce the operational risk that a company faces?  The basis for this thought process goes back to how executive managers view operational risk and security.  Let’s start with operational risk.  Many executives view operational risk strictly from the prism of failure of normal operations, i.e. the driver left the keys in the car, which resulted in the car being stolen.  Operations failures are a small part of overall operational risk and these failures tend to be limited in size and scope.  The larger operational failures we see are in fact not a failure of normal operations, but are a conscious disregard of normal operations, which leads to multiple failures of normal operations and normal controls.  These are the failures we read about in the media.

Now because executives are still looking at operational risk as failure of normal operations and any security initiative as a purely tactical exercise,  security policy and overarching security initiatives are not viewed as anything more than a way to protect the firm against liability.  To quote the SANS Institute one of the reasons to have a security policy is to “provide evidence that their baseline security controls are in line with regulations and legislation.”  Most executives see this as the only reason to have a security policy or program.  This is a prime example of executives thinking of security as purely tactical not strategic.

Currently, security is viewed as tactical not strategic when security risk is assessed. Because of this, people tend to use a traditional risk assessment model (see the diagram below*), which is excellent if you are assessing tactical risk.  However, information security is not a purely tactical operation.  Modern security needs to be approached at a strategic level and the operational risk associated with information security needs to be assessed using a modern operational risk model.

Ali Samad-Khan put together an excellent detailed description of the differences between traditional operational risk management versus modern operational risk management (where the diagram above came from), which can be found here.  His argument that the traditional approach of risk management, which measures risk based on likelihood and impact, does not apply to strategic risk as the types of failures that occur. These do not happen very often yet have a significant impact on your business.  I not only agree with him, but I think this has a direct correlation to security operational risk assessment.  The security event that is going to really present risk to an organization is not the fact that the employees are downloading the coupons.com toolbar or when Anonymous attempts to hijack your website. The real risk is when someone exploits a vulnerability which allows a payload to be dropped that exports your SAM database or if your organization’s new email system fails to comply with a mandated security standard.

Security should be one of the key aspects of an organization’s approach to modern risk management.  In order to do this we as security practitioners must help our executives learn to look at security not as a set of disparate tasks, or tactical processes, but instead as a strategic tool to reduce operational failures.  When a security policy, procedure or product is deployed we need to position it to our executives as one part of a holistic plan to protect the most valuable assets in the company.  We should not accept the phrase “minimal impact on operations” anymore, because if security is truly strategic then the impact on operations will be for the greater good.

Diagram taken from “MODERN OPERATIONAL RISK MANAGEMENT” by Ali Samad-Khan.