0:00
Hi. My name is Amalia Barthel. I'm an advisor, consultant, and educator in the areas of digital risk, digital data risks, privacy compliance, and governance. In this talk in the digital risk series, we will explore the relationship between the digital risk and operational risk.
0:22
The post-pandemic world has seen an exponential increase in startups and innovation hubs. Organisations have new competitors on a weekly basis. One aspect in the survival of any business is operational resilience. We will explore the critical components of digital risk that impact operational risk, and we will look at some good hygiene practices in this area. In the NIST Special Publication 800-39, we saw the three layers where risk needs to be addressed: the organisational level as the first layer, mission/business process as the second layer, and finally the operations layer as the third.
1:05
At the organisational layer, the board and senior management have to look holistically at all the risks that will impact the mission of the organisation: risks such as financial, environmental, socio-economic, legal, regulatory, and digital risk. While all the risks must be translated into policies and strategic priorities to take advantage of certain opportunities or avoid others, the digital risk in particular is the one that further permeates into the execution layers and the day-to-day operational layers. The risk is further defined through risk tolerance and thresholds converted into controls. How to define these metrics and acceptable levels is the topic of our next talk, but for now, we will focus on the relationship between digital risk and operational risk. An organisation needs to set up various gatekeepers for risk, and that can be achieved through assessments of risk throughout its business and IT processes. In operations, it is IT and information security that are most likely to be responsible for managing the risk introduced by the initiatives and the projects of the business. The enterprise risk management group is considered to be the second line of defense against risk manifestation. An IT risk council may be established to consider IT risk in more detail and advise the ERM (enterprise risk management) committee. Committee members are usually drawn from the board, and the CEO chairs the committee. They need information about the risks being addressed in the operations and how these risks are being managed and monitored. Senior management and governing bodies collectively have responsibility and accountability for setting the enterprise's objectives, defining strategies to achieve those objectives, and establishing governance structures and processes to best manage the risk in accomplishing those objectives. As the first line of defense, operational managers own and manage risk.
They also are responsible for implementing corrective actions to address process and control deficiencies, but in practice, in small and medium organisations, the risk function may not be adequately resourced, so it is important for the department managers to blend the various activities of the risk function into their own. They have to encourage knowledge regarding risk identification within their teams and a risk- and compliance-aware culture throughout, including the proactive reporting and escalation of risk. This can be achieved through training their staff so they can understand the commercial reality of the impact of risk and the value of risk management. It may include competitive, operational, regulatory, and compliance requirements. Although there may be risks common to a certain industry, each enterprise is unique in terms of how these risk items impact specific enterprise objectives. Risk management often involves

The relationship between digital risk and operational risk
