Reducing your operational risk

If you’re a senior manager or director in a financial services company, then it’s more than likely that your main concern in life is managing your operational risk – after all if things go wrong you’re not only going to be held accountable but you’ve also got both your own reputation to consider and the jobs of your staff. So what can you do to reduce your exposure to risk whilst also ensuring that the legal system will be inclined to give you the benefit of the doubt?

In our increasingly technology focused industry we face numerous threats and challenges; we’re expected to keep up with technology, push the envelope, innovate and automate where possible whilst maintaining costs and ensuring that the IT systems are not only fully operational 24/7 but are comparable to a shield on the front of the building stopping all the criminals from getting in – and then we also need to consider the question of internal threats.

From an IT and business perspective there are numerous frameworks out there that we can embrace such as:

• TOGAF – architecture
• PMI – Project management
• ITIL – Service delivery
• COBIT – Governance
• DevOps – Software development and deployment

There are a lot more but at the time of writing these were the some of the most popular in our industry (some industries have their own specific frameworks, such as aviation, pharma and logistics, but these are the most common in financial services at present).

Each of these frameworks on their own deliver something to the organisation but none of them are a silver bullet for the question of risk management.

One of the operational risks that companies have a tendency to ignore or not take seriously enough is the audit that all regulated entities will be subject to periodically which is strange because this is perhaps the only risk that is scheduled ahead of time.

So if you’re the IT manager, a director or a CEO that’s worried about the business (and its reputation) as a whole what can you do?

You could have a look at ISO27001 and the Cyber Essentials schemes.

These two options effectively deliver a few ways of ensuring that your business is more secure and your risk is reduced. From least to most your options are:

• You could implement only the cyber essentials
• You could become ISO27001 aligned
• You could become ISO27001 aligned and implement cyber essentials
• You could become ISO27001 certified
• You could become ISO27001 certified and implement cyber essentials

There’s also a Cyber essentials plus certification if you find the essentials to be of value to the organisation.

Both of these certifications are things that you can either do yourself or bring in resources for and both are schemes that will improve your standing and trust levels (and in certain cases would also form a valid defence in a court of law). The above mentioned frameworks also fit in to both of these certifications as enablers.

You may have noticed that I have referred to ‘aligned’ as well as certified. In this example aligned refers to the fact that you have made changes to reflect ISO certification standards but not all of them or not enough of them to achieve certification – it could also be that the cost of the associated certification in both time and resources is something that is beyond your enterprise size at present but you are none the less attempting to orientate yourselves towards a professional state of operations thus ensuring that you are actively managing your risk.

So what’s involved and why would you bother?

Lets start with the Cyber essentials certification. This certification if concerned with verifying that your systems are secure and being actively monitored for external intrusions (the essentials Plus certification also tests for internal intrusions and sources of data loss/manipulation).
The certification process involves a number of vulnerability tests, documenting policies and procedures and a general health check (the Plus certification also includes internal vulnerability identification).

This type of certification allows the business to formalize how they deal with a number of situations, how staff should behave on a daily basis and allows it to define a number of roles and responsibilities.

Although this isn’t a particularly difficult certification to achieve it delivers a number of benefits to the SME (this type of certification is specifically aimed at the SME environment and is designed to start the company down the road to being a formalised success).

These benefits include a change of company culture towards one of awareness to security (thus making the company a harder target before anything else is done), an infrastructure that is more robust, a system and service monitoring ability that ensures systems are fit for purpose (if you’re already monitoring for threats and intrusions you will also be monitoring performance which in turn means that system issues will be picked up by your staff before customers see them).

One other benefit that has been noted is that if you take cyber security insurance as part of your business insurance this could result in lower premiums. This type of certification is also something that will set you apart from the competition and will give you a badge to put on your website demonstrating to potential clients that you are a professional outfit.

If we then move on to ISO27001 certification we can see that this is a serious undertaking and from experience I can say that the degree to which a company will enjoy the ISO27001 certification process will come down to how well the internal culture of the business is being managed.

If the company is subject to weak leadership and the associated poor culture then achieving ISO certification will be a difficult undertaking – however, if the company is prepared to embrace a degree of formality, to ensure a healthy culture and competent leadership then ISO27001 certification will not be easy but it will be an enabler allowing them to focus on growth whilst delivering superior services and products to clients.

So what’s involved?

• Information Security Controls
• Management System
• Risk Management
• Business Continuity
• Internal Audit

This is list shows the section headers for ISO27001, each one of these contains a number of sub sections – for example the information security section includes how you’re going to manage such items as device security, how you’re going to manage vendors, what security access you’re going put in place, how you’re going to deal with incidents, how you’re going to classify data – and LOTS more.

The business continuity section deals primarily with how you’re going to deal with disaster recovery and ensure that the business is either capable of running under adverse conditions or how you’re going to deal with failure. Each of the sections focusses on a variety of different issues but each will enable the business to develop its capabilities and although the work can be quite hard the change in culture and pace that it brings with it is normally a welcomed change.

As I mentioned at the start of this piece, certification might not be the ‘right’ path for your company at the moment but I’ve not found an SME yet that wouldn’t benefit from being aligned with ISO27001. But what are the benefits of implementing ISO27001 standards?

• An internationally recognised standard
• Decreased vulnerability via IT systems
• Proactive management of Risk
• Data confidentiality
• Decreased operational Risk
• Better service delivery ability
• Increased ability to deliver change
• Increased credibility when dealing with HNW clients or Vendors

And the list goes on.

I should perhaps also mention that this is, as with the Cyber Essentials certification, something that will need to be maintained (achieving certification is a one shot deal but it needs to be monitored, managed and audited on an annual basis).

This might seem a strange subject for a piece and some of you may well be wondering what the punch line is going to be.

The reason that I’ve focussed on describing how you can reduce operational risk is because we all know that companies within the SME environment need help building their credibility, we also know that in a number of organisations leadership ability is something that needs some attention – in short our culture is something that is not currently enabling the growth that could be achieved.

The SME financial services environment is an area that can be truly dynamic, could lead fantastic financial growth and set the standard for the market BUT without embracing professional, recognised standards we run the risk of not achieving our potential and that of some of the truly remarkable people that work for us. Average is not something to aspire to.

Paul Foley is a seasoned CIO working in Financial Services with a track record of delivering operational excellence, innovation and remarkable teams. For more information about GDPR visit tcgeurope.com