Operational risk is not a bad business decision

I was looking at the CSI 2008 security survey recently and noticed that the top three loss categories are fraud (number 1), viruses (number 2) and data loss (number 3).

I’m a little dubious about viruses landing up in the number 2 slot.  We haven’t even installed anti-virus software on our office workstations in the past 4 years and we haven’t had a single event.  It might be Symantec and McAfee gaming the numbers in order to prop up flagging anti-virus sales from people like me who use Google Applications and practice safe email and safe surfing.

However fraud and data loss are classic mainstream categories of operational risks.

I like the definitions in the Basel II regulation, which defines operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.

Although originally designed for banks and protection of of the banking system and economy from large scale failure; a systematic approach to operational risk management is important for any kind of organization.  Operational risk is not about damage to the business from a bad strategic decision (like getting into a new market segment and losing your pants).

Basel II defines 6 types of operational risk:

1. Internal Fraud – misappropriation of assets, tax evasion, intentional mismarking of positions, corruption and bribery
2. External Fraud- theft of information, hacking damage, third-party theft (including data loss) and forgery
3. Employment practices and Workplace Safety – discrimination, workers compensation, employee health and safety Clients, Products, & Business Practice- market manipulation, antitrust, improper trade, product defects, fiduciary breaches, account churning
4. Damage to Physical Assets - natural disasters, terrorism, vandalism Business Disruption &
5. Systems Failures – utility disruptions, software failures, hardware failures
6. Execution, Delivery, & Process Management – data entry errors, accounting errors, failed mandatory reporting, negligent loss of client assets

In our experience:

• The most damaging attacks on a company are launched from inside the offices. Competitors and criminals exploit systems and employees in order to access and manipulate customer data, financials, marketing plans and intellectual property.

• Current security focus is on outside hackers, despite the fact that insider fraud and data theft are leading white-collar crimes worldwide. As a result, many companies cannot even detect,  let alone monitor, quantify and prevent fraudulent events inside their organization.

• Fraud and data theft can be committed through many methods, including mobile phones and the Internet. The difficulty of validating online identity, the speed with which hackers can exploit IT vulnerabilities, the international dimensions of the Web and ease with which users can hide their identity, all contribute to making the Internet the fastest growing area of fraud and data theft.