Assess, Control, Monitor & Respond

The Operational Risk Framework is based on the following four-step process:

  1. Assess the risks in the business
    • Inventory the processes, technology and other business assets
    • Determine the risk profile
    • Assess the inherent risk for each process
  2. Implement controls to mitigate those risks
    • Inventory the existing controls
    • Determine if the controls adequately address the risk or if modifications or additional controls are necessary
    • Assess the residual risk of each process based on these controls
  3. Monitor the performance of those controls
    • Implement periodic testing and reporting to identify deficiencies in controls
  4. Respond to instances where the controls are deficient
    • Implement procedures to limit losses caused by control failures
    • Create a process of continuous improvement that adjusts controls based on changes to the risk environment

and repeat...

It's that simple - and it is important to keep that in mind. Operational Risk is a very complex discipline. Understanding the technology used in information security, or planning for a critical business emergency, is by itself a daunting challenge. Add to that the applicable laws and regulations, the threats, the policies, standards and guidelines, the ever-changing business environment, etc., and you have a job that can frequently be overwhelming. But no matter what issue confronts you, it will fit within, and be addressed by, the process above. Just follow the steps discussed on the following pages.

A further discussion of how this methodology applies to information security is provided on a separate page.

©2009 ISRMC, LLC