Building the Op Risk Team

The harsh reality is that most Operational Risk Officers are not in a position to order or direct other employees to follow the policies and procedures. Typically the Operational Risk Officer is in a staff or support position within the management hierarchy and does not have enough direct authority to mandate compliance. While it may sound strange, this lack of authority is a good thing. You don't want to mandate that people follow the rules; you want the rules to be a normal part of each person's daily responsibilities. You want to encourage acceptance of the rules, not mere compliance with them.

The best way to facilitate this acceptance is to build a network of colleagues who can support the information security program throughout the business. And one of the best ways to create this network is through the assessment process, for you will need to bring a host of departments together in order to perform a complete inventory. For example, the following people within the business (if present) will need to be consulted:

  1. Information Owners - Owners of the information used in the various business processes. For example, someone from HR will need to provide input on the classification of HR data and the risks involved in payroll and other processing.
  2. Process Owners - Often the same managers as Information Owners, these are the managers in charge of the significant or core processes within the business.
  3. Application Owners - The business will likely use one or more significant applications to support the processes. Avoid the temptation to look to the technology groups to provide guidance on the business' software. It is important that you obtain input from the business management that sponsors the application. For example, the application owner for a payroll application is not the technology group that supports the process, but the HR department. But be prepared for push back, since many business managers wash their hands of an application once they have handed it over to the technology side.
  4. Technology Owners - These are the people who manage and deploy the hardware and software within the business on a day-to-day basis.
  5. Vendors - If a critical process is performed by a third party you will need to identify a manager within the business responsible for overseeing the activities of the vendor.
  6. Legal - Many of the business' risks involve contract issues, compliance with laws and regulations and the threat of litigation.
  7. Audit & Compliance - If the business is large enough to have separate audit and/or compliance groups, they will need to be consulted.
  8. Business Continuity Planning - If the business already has a BCP or disaster recovery program, you may find that you can utilize much of the risk assessment work performed to develop those programs.
  9. Physical Security - You will need to interface with the security and guard functions utilized to protect the physical assets of the business.
  10. Mergers & Acquisitions - Project or Program Management - A good assessment needs to address future risks. The M&A group or project managers may be good resources for guidance on initiatives that may impact the business' risk profile.

One further note - it is important that you develop a network at all levels of the business. Many control failures develop slowly and often people see the early signs of a problem without taking action. If employees know that your door is always open and you are more than willing to listen to their concerns and suspicions, you will increase the probability of detecting problems early enough to minimize the damage.

©2009 ISRMC, LLC