Risk specialists and IT staff need to work together - mutual support is vital to protect business information, says Jeremy Ward.
New international legislation and regulation, such as Basel 2 and Sarbanes-Oxley, states that if you do not have adequate mechanisms for controlling and auditing the flow of information in your company, you will incur penalties.
This has caused people responsible for operational risk to wake up to the fact that IT is important for information flow and auditing.
At the same time, IT people have realised that to understand their job, they ought to know a bit more about the business impact associated with the assets for which they are responsible. As a result, the previously separate orbits of operational risk and information security have begun to overlap.
Unfortunately, each party seems to treat the other with suspicion. Both seem to be fighting over this concept of "risk". Operational risk specialists feel they are the experts in this area, but information security people feel that operational risk people do not understand information security risk. So who is right?
Preserving the confidentiality, integrity and availability of information involves people, processes and systems. Failure of these would certainly increase the risk of loss, so information security can clearly be seen to constitute an important factor in the control of operational risk. In this sense, information security might be seen as contributing to operational risk management, but playing a subordinate role.
However, information is fundamental to the operation of any business. It is impossible to run a successful business without detailed and specific information, and if you cannot trust the confidentiality and integrity of this information, your business will not survive.
In the wider sense, operational risk management is contingent on good information security. In turn, security may be seen as conditioning operational risk.
The problem lies in the understanding of risk. Operational risk specialists spend their professional lives thinking about what it means to the business in terms of consequences and costs, but information security has a poor track record of speaking meaningfully about risk in this way.
Traditionally, security specialists in the IT department think about the risks to the bits and bytes, but not about their criticality to the business overall. By contrast, operational risk specialists have existed at a more rarefied level, unlikely to consider the consequences of the failure of the information on which businesses depend. In the newly regulated world, these two levels of understanding must come together.
Specialists in operational risk and information security cannot afford to fight about the ownership of risk. They must agree to a contract of mutual support. Operational risk managers need to know more about the threats to networked assets, and IT security leaders need to understand more about how to determine the business criticality of the assets for which they are responsible.
Jeremy Ward is a consultant at Symantec
This was first published in April 2004