In late January, a computer worm called Sapphire (a.k.a. "Slammer") spread quickly throughout the Internet and overwhelmed business computers with data. It was a nightmare for business operations, shutting down ATMs, clogging online ticketing systems and blacking out an emergency call center in Seattle. It highlighted a fear shared by corporate managers and directors everywhere: operational risk. Operational failures such as those caused by Sapphire can result in huge financial losses and a damaged corporate reputation, which could put an end to any manager's career.

Operational risk is commonly defined as the risk of loss resulting from inadequate or failed internal processes, people or systems, or from external events. Clearly, worms are external events; but many internal process failures can create situations with similar results. Whether it's a senior manager perpetrating fraud or an internal system or process failure that results in a loss of customer information, serious consequences can result.

Operational risk is difficult to define for a particular company, difficult to quantify and difficult to insure against. Does this mean you should stick your head in the sand and merely hope it doesn't happen to your company? Clearly, there are dangers in following this path.

In the past, organizations may have had disaster recovery plans for their information technology functions and resources. These plans were typically invoked only in a major disaster situation, when computers and other IT resources were knocked out by some significant event. These plans now have more of a "business continuity" focus, reflecting the broader context for potential situations in which they could be invoked. Nonetheless, business continuity plans don't usually address inadequate or failed processes or people. There are many situations that could occur (remember Andersen's shredding of the Enron documents?) which would not trigger a business continuity or disaster recovery plan, but which could have devastating (even fatal) consequences for a company.

It is difficult to list risks in a way that helps managers see how they connect to one another and to business lines, weight them by importance and manage them. However, an effort to define operational risk for an organization, along with refining that definition over time, will be key to avoiding being blindsided by potentially devastating events. What are some examples of operational risk? In the case of people, examples might be fraud or incompetence, allowed by control weaknesses in processes or systems. Technology risks could include programming errors, system failures or information risks. Process risks include model or methodology errors. Transaction risks could be a booking or settlement error, product complexity, or documentation or contract risk. Operational control risks would be security risks, risks of exceeding limits, and so forth. There can even be strategic risks such as taxation or political risks.

Software and technology firms are beginning to provide products that help companies assess their operational risks. These tools enable the identification of potential risks, sometimes including scoring mechanisms to create a measure of comparative severity, and can help organizations document processes for dealing with operational risks. Some solutions incorporate a loss/near-miss database, which can help companies begin to quantify the impact of operational risk on the organization. Insurance companies are beginning to offer policies to protect against operational risk, but there will undoubtedly be some requirement for objective measurement in order to obtain coverage.

The benefits of addressing operational risk management are many. Being able to identify potential problems earlier and faster, and being able to communicate them better through well-defined escalation channels, have shown demonstrable reductions in losses, errors and incidents, as well as improvements in core processes to fix recurring problems. Training on operational risk exposures and priorities produces improved understanding and awareness, as well as better decision making.

Operational risk is becoming a hot topic. It will be difficult to define, measure and mitigate. However, developing and documenting processes for dealing with it can help minimize what could otherwise be a significant negative effect on the organization. Internet worms will continue, and it may be impossible to prevent them from spreading at lightning speed and clogging the Internet in the future. However, preparation for what to do when the worm turns on your organization, along with a quick and definitive response, can help mitigate what otherwise could be a devastating impact.
