In a presentation by Brett Williams, the retired Air Force Major General discussed the need for leaders who understand cyber risk. In one of his LinkedIn posts he also wrote that “The technology is going to change, but leadership and culture are technology agnostic.” Just how do you get the leaders of an organization to recognize this, and what additions to their education and training could help?
The daily revelations from the Experian compromise make it clear that senior management and the board of directors failed to understand the operational risks facing the organization and then to do something to mitigate those risks. The big question, then, is where we get managers, at all levels, who understand operational risk.
Why Operational Risk?
If you work for a financial institution you may already be aware of the concept, because your regulators have made you aware of it. I am not sure it is as pervasive in other, unregulated industries. The Federal Reserve Bank of San Francisco defines operational risk “… as the risk of monetary losses resulting from inadequate or failed internal processes, people, and systems or from external events.” It goes on to say that these risks are more firm-specific and closely tied to an organization’s products and lines of business. I recommend reading the full FRBSF Economic Letter (http://www.frbsf.org/economic-research/publications/economic-letter/2002/january/what-is-operational-risk/#subhead1). It’s one thing to understand how operational risks are defined; it’s another to do something about them.
A web article from Bay Dynamics reports on a survey, commissioned by them, of executives who serve on the boards of directors of enterprises, “to get their thoughts on what they think about the information they receive from IT and security professionals.” Several items in the report seem at odds with each other. The biggest is the gap between board members’ perception that the information being provided is too technical and their claim that they understand everything they’re being told by the IT and security executives.
Maybe a Common Language Would Help
The Bank for International Settlements’ Basel Committee on Banking Supervision has published guidance (read: regulations, to many). It is mostly focused on capital adequacy to prevent financial institution insolvency. One of the risk categories that feeds into the capital requirement, alongside credit and market risk, is operational risk. The Committee’s publications on operational risk, together with other sources, could form the basis for a common language between board members and IT/security management. If such a model is created, how would it be communicated? This seems to be a chicken-and-egg problem. If we train board members and current IT/security management to communicate, maybe that solves the problem in the short run, but how do we keep feeding the system with people who understand the concept of operational risk?
What Needs to Change
I researched the required courses for basic management degrees at the top 10 universities in the state of Michigan (based on their reported attendance) and found NO required course that clearly addressed the concept of “Operational Risk”. They covered the classics - accounting, economics, strategic planning and especially diversity - but other than some courses related to insurance, there were none to be found. Thinking that my sample size was too small, I expanded the search to include most of the top 10 universities identified in a recent Wall Street Journal article. Still nothing.
Many top universities offer both executive education and undergraduate programs. By adding a course on operational risk to both curricula you provide a consistent approach: the executives better understand these risks, and the individuals coming into the organization can present the information in a way the executives understand. A common language around risk could be developed, and a better understanding of the organization’s risk tolerance could be communicated.
Why hasn’t this been done? My guess is that the key objection would be that the programs are already loaded with the basics, so how do you add operational risk to the mix? Maybe you simply add a requirement because of the importance of the concept. These institutions found a way to include diversity; why not operational risk? Or is failing to have a diverse organization just a special case of operational risk?
My Next Steps
I am working to create an outline of a single-semester class that would address the basics of operational risk and its management. I welcome any suggestions or links to existing programs that I was unable to find. Thanks in advance for your input.