II.A Operational Risk

Operational risk is the risk of failure or loss resulting from inadequate or failed processes, people, or systems. Operational risks from IT are present not only in back-office operations and transaction processing but also in areas such as customer service, systems development and support, internal controls and processes, and capacity planning. Operational risk may cross all lines of business and can be caused by internal or external events. Operational risk from IT primarily affects reputation, strategic, and compliance risks, although other risks may be affected.

Management should be aware of the implications of operational risk from IT, including the following:

  • Strategic risk can stem from inaccurate information or analysis that causes management to make poor IT strategic decisions.
  • Compliance risk can result from an institution's inability to meet the regulatory and legal requirements associated with its products and services. Compliance risk can also result from an institution's dependence on products and services to meet its operations and reporting requirements.
  • Reputation risk can stem from errors, delays, omissions, unauthorized access to IT systems, or loss of confidential information that become public knowledge. Such occurrences may directly affect business partners and customers and may result in a loss of customers, customer withdrawal of funds, and loss of trust in the institution's products or services.

Management should have a comprehensive view of operations and business processes that are supported by technology. IT management should maintain an active role in institution strategic planning to align IT with established business goals and strategies. Additionally, management should ensure that effective IT controls exist throughout the institution, either through direct oversight or by holding lines of business accountable for IT-related controls. From a control standpoint, management should participate in the ITRM process to identify and measure risk from the use of IT, support decisions on how to mitigate the risks, implement the mitigation decisions, and monitor and report on the resulting outcomes.

