Most companies only test their backups after a system fails. They buy Disaster Recovery provisions for computers only after a catastrophic event has impacted the business and only buy CCTV after a break-in has occurred.
The result is usually a patchwork of overlapping and gap-ridden investments that reflects past decisions rather than current needs. Rarely do the provisions match the organization's actual exposure, and the gaps are left open.
There are many good reasons for undertaking an Operational Risk Management program. Some are:
- The changing environment invites new risks and dilutes old ones
- Prospective customers expect risk management to be in place
- IPOs and acquisitions require Operational Risk Management, or the business is devalued accordingly
- The cost of even a brief period of downtime is now often considered unacceptable
- Corporate governance is already under the audit spotlight
Operational Risk Management is a logical response to the following requirements:
- Systematic – ensuring all risks are identified and treated appropriately
- Repeatable – as part of a process that accommodates change
- Auditable – documenting governance decisions
- Entirely at the discretion of the business – you choose to accept or mitigate a risk based entirely on the evidence placed before you
You already manage your exposure to operational risk in a number of ways: by locking your doors, closing your windows, and running anti-virus software. But these alone still leave your business with tremendous operational risks. The first important step is to recognise the value of Operational Risk Management. In the next blog post we will cover the next step: how operational risk can be managed.