Intentional and Unintentional Acts

As a Threat, a person (typically an employee or agent of the organization) can act:

  • Intentionally - An employee defrauds their employer, a hacker breaks into a Web site, or a government or competitor takes proprietary information from a company; or
  • Unintentionally - A lawyer inadvertently leaves vital documentation on an unannounced merger on a restaurant table or an employee mistakenly inputs the wrong amount into a wire transfer system.

Any process that addresses Operational Risk must take this distinction into account, since a process that focuses only on preventing intentional acts from causing harm will leave an organization exposed to losses from errors. For example, a business can implement an automated control in a payroll system to prevent HR administrators from defrauding the company by setting up phantom employee accounts. The control could be as simple as a requirement that every new account created by an HR administrator be approved on the system by a manager, who confirms that the new account corresponds to a recently hired employee. But what if this is the only check that the manager performs? What if the new account is valid, but the HR administrator inadvertently added an extra zero to the new hire's paycheck? The more efficient and effective control would be for the manager to review the request for both unintentional and intentional harmful acts.
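The payroll approval control described above, as an added example that is not part of the original post: a maker-checker review that checks the intentional case (a phantom employee with no matching hire record) and the unintentional case (a mistyped pay amount) in one pass. The hire records, employee ids and names are constructed for illustration.

```python
"""Added example (not from the original post): a maker-checker approval
check for new payroll accounts that reviews BOTH the intentional case
(phantom employee) and the unintentional case (mistyped pay amount).
All records below are constructed sample data."""
from dataclasses import dataclass

# Constructed hire records the approving manager checks against:
# employee id -> (name, annual salary agreed in the offer letter)
HIRE_RECORDS = {
    "E1001": ("Ada Lovelace", 92000),
    "E1002": ("Alan Turing", 88000),
}

@dataclass
class AccountRequest:
    employee_id: str
    name: str
    annual_salary: int
    requested_by: str   # HR administrator who created the account
    approver: str       # manager reviewing the request

def review_request(req: AccountRequest, hires=HIRE_RECORDS, tolerance=0.05):
    """Return a list of findings; an empty list means the request may be approved."""
    findings = []
    # Separation of duties: the creator must not approve their own request.
    if req.requested_by == req.approver:
        findings.append("requester and approver are the same person")
    record = hires.get(req.employee_id)
    # Intentional-act check: does the account match a real recent hire?
    if record is None:
        findings.append(f"no hire record for {req.employee_id} (possible phantom employee)")
        return findings
    name, agreed = record
    if name != req.name:
        findings.append(f"name mismatch: request says {req.name!r}, hire record says {name!r}")
    # Unintentional-act check: does the pay amount match the offer letter?
    if abs(req.annual_salary - agreed) > agreed * tolerance:
        msg = f"salary {req.annual_salary} differs from agreed {agreed}"
        if req.annual_salary == agreed * 10:
            msg += " (looks like an extra zero)"
        findings.append(msg)
    return findings

if __name__ == "__main__":
    # Valid hire, but the administrator typed one zero too many.
    typo = AccountRequest("E1001", "Ada Lovelace", 920000, "hr.admin", "manager")
    print(review_request(typo))
```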

People are not perfect and a business' processes and controls must be designed to take the unpredictability of human actions and emotions into account.