After extensive research into the main concerns for Chief Risk Officers, Chief Information Officers, Chief Technology Officers and Enterprise Risk Managers, ReadiNow has compiled everything you need to know about the top operational risks facing organisations.
In 2017, 54% of companies experienced one or more successful attacks that compromised their data and/or IT infrastructure. Given that this statistic has been steadily increasing over the last few years, it is safe to say that 2018 will be the worst year to date for cyber attacks.
Successful cyber attacks on average cost an organisation $301 USD per employee. Given the security and financial impact that cyber attacks have on organisations, we have ranked this the number one operational risk for 2018.
Cyber attacks will continue to rank among the top three operational risks for organisations well into the future. It is imperative for organisations to develop an effective cyber risk management framework that can scale as the organisation grows. This framework must also take into account the ever-increasing prevalence of external business software and applications, and have clear, succinct security measures to ensure that, if these applications are compromised at the source, your organisation is not affected.
Only one in three organisations believe that they have the appropriate resources to manage their security effectively. While this is an extremely concerning statistic for Chief Risk Officers and Enterprise Risk Managers, funding for security budgets is continuing to rise with an 8% rise forecast for 2018. However, this increase in budget has been mainly due to organisations reacting to cyber attacks rather than proactively implementing operational risk management frameworks to prevent them from occurring in the first place.
While all operational risks can be linked directly to human error, its proliferation in recent years has caused it to become an even greater concern for Chief Information Officers, Chief Risk Officers and Enterprise Risk Managers.
Over 50% of all the data breaches reported to Australia's Information Commissioner under the new laws were caused by human error. Although the laws have only recently been implemented, the severity of human error negatively affecting an organisation's operational risk is evident.
Human error is preventable, and when operational risk management frameworks proactively account for it and develop strategies to minimise it, organisations often see a strong return on investment after implementing them.
A good general rule for preventing human error within your organisation's operational risk appetite is to reduce human influence on work processes that can be automated. Workflows that can be automated and laid out with automatic breach triggers and notification systems can greatly reduce the impact of human error on your organisation.
If you need to look for a real-world example of the impact of regulations for operational risk in Australia, look at the recent Royal Commission into the financial services industry. While fines were given to those businesses found in breach of laws and found guilty of misconduct, arguably the greatest impact for the financial services industry was the loss of social confidence from customers and shareholders.
Corporate social responsibility is playing an increasingly important role in operational risk for organisations. The regulatory landscape is playing catch-up with the technology and business of the digital era. However, when the regulatory enforcement bodies do catch up, organisations that are not properly prepared will be caught out and suffer severe financial and non-financial impacts that could be devastating.
There is software available that can simplify the job of ensuring compliance for organisations. However, decision-makers within organisations are often concerned about the perceived risks that come with automating operational risk management processes. If Chief Risk Officers and Enterprise Risk Managers are serious about managing operational risk in 2018 and beyond, technology is the key.
Outsourcing is a major operational risk concern for 2018 and will continue to be in the future. Organisations are becoming increasingly reliant on vendors for the expansion of all their processes, from online CRM platforms to increased server storage capacity.
Given the overall acceptance and integration of outsourcing as a commonplace business practice for organisations today, poor third-party management is leaving many organisations exposed to unnecessary operational risks.
New laws such as the GDPR are a wake-up call for organisations that do not currently have a standardised, auditable and consistent selection process for third-party software and vendors.
Outsourcing has also negatively affected the preservation of daily business continuity for organisations, as vendors, particularly the larger ones, are often extremely reluctant to negotiate and customise appropriate risk management clauses to satisfy their customers' needs.
Attracting, retaining and training talent is a major concern for operational risk in 2018. One major reason for this is the increase in competition from buzz sectors such as technology and startups.
Recruitment consultants have reported that the most acute shortages for organisations in recent times are in roles related to operational risk management. Organisations are increasingly looking for a specific set of skills, as well as direct experience with the new and changing operational risk landscape that the digital era is exposing organisations to today and in the future.
The digital era has undoubtedly brought the most added operational risks to organisations in 2018 and will continue to do so in the near future.
Internal disruption is a major factor for organisations as they try to keep up with the rapid pace of technology changes that their competitors and other industries are implementing. Because other organisations are already using the technology, many companies do not carry out due diligence on the third-party technology they are about to implement, leaving them severely exposed. It is imperative to do your own research when implementing new technology. Just because your competitors are using a new technology doesn't mean you should.
External disruption is a whole new ball game. As technology adoption rates increase dramatically across all industries, chances are your competitors have a new, shinier version of the business software and applications you are currently using. However, as stated earlier, just because it is shiny does not make it operationally risk-friendly. A lot of the third-party technology being adopted by organisations has minimal security measures, such as simple password access. Given that the majority of people are notoriously bad at generating strong passwords, it is no wonder this is having such a big impact on operational risk for organisations.
Planning for successful IT implementation involves more than just choosing the right software. It is imperative that organisations adequately prepare for the implementation of new IT services, particularly when they are enterprise-wide. IT implementation is a major operational risk for organisations today as they continue to transition and update their legacy-based IT services.
When implementing new IT services, information is key: information on the software, but also information on how ready, and willing, the organisation is to adopt new IT that will change the way people work. While IT change brings operational risk with it, IT complacency is often a far greater concern.
To understand whether you really need an IT solution implemented, develop a succinct current-future state proposition of your organisation that takes into account the operational risks of all your paths moving forward. Make sure the IT implementation is aligned with your organisational vision, objectives and goals, because if it isn't, what's the point?
Data analytics is increasingly recognised as a key capability for all organisations, and data should therefore be a key driver for all organisational decision-making. The digital era has given organisations an invaluable resource that should not be overlooked. It is imperative that organisations ground all their decision-making processes in data, rather than in instinct or familiarity.
However, how could data analytics possibly impact an organisation's operational risk? Well, it's not so much how organisations are using data, but how they are obtaining it.
Almost nine in ten Australians believe that using personal information for purposes other than those it was provided for is a misuse of data. While current regulations do not make such uses of data illegal, regulations such as the GDPR are highlighting that governments are listening to their citizens' concerns about data privacy.
Operational risk should come into play in the organisation's data analytics when judging the financial and non-financial fallout if customers were made aware of how their information was being used. Approaching data analytics like this means you will develop a healthy data appetite that your customers will not be upset with.
One industry that is facing particularly concerning cyber fraud incidents on a daily basis is the financial services industry. Attacks ranging from phishing via scam emails to attempts to introduce malware into networks are daily occurrences for financial institutions of all sizes.
Interestingly, some operational risk managers are reporting that financial institutions which are perceived to have strong cyber defences are less likely to be targeted by cyber fraud.
Given these insights, it's no wonder operational risk managers in financial institutions are more worried about cyber bandits than physical robberies.
The difficulty for Chief Risk Officers and Enterprise Risk Managers in 2018 and beyond will be developing effective operational risk management plans that can cope with the highly variable financial severity of similar cyber fraud attack types. For example, a single email phishing attempt could result in a couple of hundred dollars lost, or potentially millions, greatly increasing the overall impact it will have on a financial institution.
Organisational change is a considerable operational risk for organisations when you consider the number of variables and different outcomes that could occur, particularly if the organisation is not used to change.
Organisational change is often necessary, yet it is often not executed in the most practical and least disruptive manner. As the digital era continues to force organisations to change their operations, those that stay ahead of their competition by proactively changing are the organisations least likely to face operational risks during and after the process.
Organisational change does not have to increase an organisation's operational risk, yet it often does because of the way organisations approach change. Make sure a solid approach covering the period before, during and after the change is taken to any organisational change, no matter how small. This structure will make sure best practice is the norm for your organisation, which will be especially vital when larger change projects take place.
No organisation likes to admit it, but every business can improve its current work processes to reduce its overall operational risk. Whether your operational risk management is done on spreadsheets or through intelligent software, there is always room for improvement. Regular testing and internal auditing are just two of the many ways in which an organisation can easily scope out new operational risks that have not been accounted for.
Make internal testing and auditing a habit. If you are regularly stress-testing and looking for gaps in your risk frameworks, it is guaranteed you will find problems, but more importantly, improve your current risk management processes.
However, it is important to remember that the more regularly you test and update your operational risk management frameworks, the more tedious working with spreadsheets and inefficient framework processes will become.
Intelligent software isn't the solution for all businesses when it comes to optimising operational risk processes, yet it is certainly worth looking into.