Operational Risk Assessment Overview

Agenda
- Goal of Operational Risk Assessment
- Common Risk Types and Categories
- What to Assess
- Most Overlooked Items
- Rating Risk and Reporting
- Mitigation Strategies
- Recommendations
Goal of Operational Risk Assessment

The goal of the Operational Risk Assessment is to discover and categorize exposures that could reduce the effectiveness of, compromise, disrupt or destroy the continuity of business operations by negatively impacting:
- Business reputation, revenues or fiscal stability
- Personnel, clients and partners
- Confidentiality, integrity or availability of data, business applications, systems and networks
- Hard business assets and facilities

Risk Types and Categories
Common Risk Types
- Financial Risk
  - Market
  - Credit
  - Liquidity
- Business/Product Risk
- Legal/Regulatory Risk
- Operational Risk
- Other Risk
  - Outside the control of the Company
  - Miscellaneous exposures

Operational Risks
- Exposures the Company has some control over
- Mitigation can be put in place at various levels based on risk appetite and cost
- Transfer of risk is possible for some of the exposures
- Business Continuity Plans and Disaster Recovery Plans provide a certain level of mitigation for assumed risk exposures
Operational Risk Categories
- Environment
- Building
- Safety
- Security
- Human
- Regulatory
- Client
- Nature
- Neighbors
- Risk Management and Business Continuity

What to Assess
Environment/Building
- Environment
  - Geography
  - What is dangerous, and quantify the amount
- Building
  - Structure composite
  - Age and condition
  - Glass
  - HVAC systems
  - Wiring and power
Safety
- Stairs and handrails
- Tripping and falling hazards
- Equipment safety features
- Controls for chemicals on premise
- Defibrillators
- Evacuation routes
- Emergency response plans and training
- Workplace violence controls

Security
- Building and entrance
- Floor and suite security
- Facility systems - access and security controls
- IT
  - Network
  - Systems: production, test and development
  - Applications
  - Mobility controls
  - Data: access controls, monitoring, encryption
  - Employee training
  - Vendor management
  - Audit: internal and external
Human
- Employees
  - Pre-employment screening
  - Policies: AUP, desktop security
  - Onboarding process
  - Monitoring compliance
  - Termination process
- Contractors
  - Security and data privacy adherence
- Vendors
  - Supply chain management
Clients
- Who are they?
- Their product risk and how they manage it
- Are they regulated, and if so, what are their controls?
- Ethics and integrity
- Your internal sales process: are you vetting clients?
- Financial stability
- Company history and reputation
- Contracts
  - Liability language
  - Cyber

Regulatory
- Legal
- Contractual obligations
- SLAs
- State and federal requirements
- Fiduciary responsibility
- Social responsibility
- Societal security
- Compliance monitoring
  - Internal
  - External - audits
Nature
- Winter
  - Ice
  - Blizzard (the term was first coined in Emmetsburg, Iowa)
- Summer
  - Lightning
  - Floods or mudslides
  - Tornadoes, hurricanes or cyclones
- Earthquakes and fault zones
- Heat and drought
- Daylight to night ratio
Neighbors
- Dams or locks
- Grain elevators
- Petroleum or ethanol plants
- Chemical plants
- Government offices
- Transportation routes and cargos
  - Railroad tracks
  - Interstate
  - Ingress/egress speeds
- Religious sites
- Schools/colleges/universities
- Financial institutions
- High profile national monuments or tourist sites
- Utilities: power, water, communication sites
- Nuclear sites and targets
- Others (nearly endless)
Risk & Business Continuity Management Program
- Risk and BC Management Program and Policy
- Policies and procedures with executive approval
- Assessments
- Mitigation and control strategies
- Assumption of risk process
- Risk monitoring and review
- Business Continuity Planning (your mitigation for the unfixable)
- Program life cycle
- Exercise and testing
- Auditable proofs

Most Overlooked Exposures
Most Overlooked Exposures
- Employee practices
- Desktop security
- Company policy enforcement
- Corporate reputation management
- Fire suppression
- Power failure conditions
- Recovery test compliance
- Old mining locations, now abandoned
- Sink holes

Risk Rating and Reporting
Rating Risk
- Complex
  - Requires availability of historical data and loss ratios
  - Needs actuaries
- Simple
  - Zero, Low, Medium, High
  - Business impacts from disruption
  - Cost of impacts
  - Probability
    - Based on how much is present
    - How often it occurs in the region
  - Color code for easy viewing

Operational Risk Assessment Collection Tool
Compound Risk
These are the "what ifs":
- No fire suppression, no alarms, no conduit for wires in public areas
- High risk neighbors, next to a train track within 10 yards of your facility
- Facility is in a flood plain and the demarc, along with the generator, is in the basement
- Long-time employees and perpetual downsizing and reorganizations
- Your customer is under attack by PETA and your name is in the paper with them for a new joint venture

Report Types
- Executive summary: usually 1 to 3 pages depending on site
- Risk report: 12 to 15 pages
  - Overview
  - Details
  - Recommendations
  - Summary
  - Detailed information as a reference
- Visuals
  - All the high risks by site
  - Site criticality
  - Revenue impacts
  - Effects of mitigation controls
(Chart: high risks by site, with an axis labelled Locations, 1 through 10)
Mitigation Strategies

Mitigation Strategies
- Pick the highest risk exposures with the most probability
- Where is your risk appetite?
- Capital expenditures
  - Cost to fix versus cost if it occurs
  - Use revenue impact by hour, day, week, month
  - Reduce risk transfer costs
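The simple rating scale, the compound "what ifs" and the cost-to-fix versus cost-if-it-occurs comparison above can be turned into a small scoring tool. The following is an added example, not part of the original presentation; the Low/Medium/High cut-offs (expected annual loss as a share of annual revenue), the hourly revenue figure and the sample exposures are all constructed assumptions.

```python
from dataclasses import dataclass
# Assumed cut-offs (not from the slides): expected annual loss as a share of annual revenue.
HIGH_SHARE, MEDIUM_SHARE = 0.005, 0.0005
COLOR = {"Zero": "white", "Low": "green", "Medium": "yellow", "High": "red"}  # worst last
@dataclass
class Exposure:
    site: str
    name: str
    annual_probability: float  # how often it occurs in the region, events per year
    outage_hours: float        # length of the disruption if it does occur
    cost_to_fix: float         # capital expenditure for the mitigating control

def expected_annual_loss(exp: Exposure, revenue_per_hour: float) -> float:
    """Probability x cost if it occurs, where cost is revenue lost over the outage hours."""
    return exp.annual_probability * exp.outage_hours * revenue_per_hour

def rate(exp: Exposure, revenue_per_hour: float, annual_revenue: float) -> str:
    """Simple Zero / Low / Medium / High rating from probability and business impact."""
    eal = expected_annual_loss(exp, revenue_per_hour)
    if eal == 0:
        return "Zero"
    share = eal / annual_revenue
    return "High" if share >= HIGH_SHARE else "Medium" if share >= MEDIUM_SHARE else "Low"

def rank_mitigations(exposures, revenue_per_hour, annual_revenue):
    """Highest risk and most probable first; flags fixes cheaper than a year of expected loss."""
    rows = []
    for exp in exposures:
        rating = rate(exp, revenue_per_hour, annual_revenue)
        eal = round(expected_annual_loss(exp, revenue_per_hour), 2)
        rows.append({"site": exp.site, "exposure": exp.name, "rating": rating,
                     "color": COLOR[rating], "expected_annual_loss": eal,
                     "fix_pays_off_in_one_year": exp.cost_to_fix <= eal})
    rows.sort(key=lambda r: (-list(COLOR).index(r["rating"]), -r["expected_annual_loss"]))
    return rows

def compound_risk_sites(rows):
    """Sites carrying more than one High exposure: the 'what ifs' that stack up."""
    highs = {}
    for r in rows:
        if r["rating"] == "High":
            highs.setdefault(r["site"], []).append(r["exposure"])
    return {site: names for site, names in highs.items() if len(names) > 1}

# Constructed sample input (not real data); site revenue assumed at $5,000 per hour.
EXPOSURES = [
    Exposure("Site A", "generator and demarc in flood-plain basement", 0.5, 120.0, 40_000),
    Exposure("Site A", "no fire suppression in server room", 0.1, 720.0, 25_000),
    Exposure("Site B", "defibrillator missing", 0.0, 0.0, 1_500),
]
```

Calling `rank_mitigations(EXPOSURES, 5_000, 5_000 * 8_760)` returns the two Site A exposures first, both rated High and colour-coded red, with the fix flagged as paying for itself within a year; `compound_risk_sites` then reports Site A as a compound risk because both High exposures sit at one location.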
Mitigation Strategies
- Human controls
  - Policies and procedures
  - Training
  - Auditing
- Transfer of risks: insurance
- Business continuity and DR plans
- Monitoring controls and testing

Recommendations
Recommendations
- Keep it as simple as possible
- Look for mitigation and controls that will fix more than one exposure
- Monitor progress of mitigation and controls
- Test the controls from time to time
- Make it visual so it's easy to see and understand

Questions?
Vicky McKim, MBCP, MBCI
vmckim@netins.com
515-830-0233