Until recently organisations were able to put operational risk and information security into separate, watertight compartments. Operational risk sat in the audit department and probably reported to the CFO, while information security (if such a function existed at all) sat in the IT department and, eventually, reported to the CIO.
This separation no longer delivers adequate risk management. Today's information-dependent organisation needs the walls between these compartments broken down.
The most obvious reasons for breaking down the compartments, and the consequences of failing to do so, are easy to understand. In recent years we have been bombarded with legislation and regulation, such as Basel II (if you're a bank), the Turnbull report (if you're quoted on the London Stock Exchange) or the Sarbanes-Oxley Act (if you're a public company registered with the SEC in the United States, including those quoted on the New York Stock Exchange). All of these effectively say that if you do not have adequate mechanisms in place for controlling and auditing the flow of information through your organisation, then your company will lose a lot of money, or someone important in it will go to jail, or both.
Operational risk has much to learn from IT information security, and information security in turn has much to learn about how risk intersects across all the business units. The goal should remain a management system that encompasses the entire enterprise.
The conclusion is obvious. Operational risk and information security cannot afford to fight over who owns the responsibility for business risk. They must agree to a contract of mutual support. Operational risk needs to know more about the threats to, and vulnerabilities of, those vital networked assets, and information security needs to understand better how to determine the business criticality of the assets for which it is responsible. In short, they need to meet and shake hands over the level three controls.