We can (hopefully) assume that most people are inherently risk averse when it comes to their work environment. We perform our duties with good intentions and expect our relevant skills and experience to keep us from exposing our business to unnecessary risk, as this would affect our own brand as well as the organisation in some way, shape or form. In fact, we could propose that in many cases when an employee does expose their business to risk it is because they are unaware of the potential consequences of their actions, which points to possible breakdowns in the internal awareness training and control environment (think of a techie posting a question on a forum asking for troubleshooting advice and including the specifics of their hardware, software and network configuration).
If entrusting everyone to do their roles as we expect was a feasible risk management approach, then there would be little use for the assurance providers and risk managers in an organisation. Sadly this is not the case, and despite our best intentions we may not always identify risks in our own actions. The level of risk may increase over time, starting at an acceptable level, but then rise due to a range of factors such as more reliance placed on an individual, business process changes or external events. The danger is that this could happen without management being aware.
Identification of risk and monitoring of control effectiveness are key roles that need to work in conjunction with operations. Those working in operational roles can become blind to risk identification because they are (correctly) focused on their operational activities and often not on the bigger picture.
For example, a DBA managing a set of systems may prove to be exceptional in managing, optimising and controlling her databases, and so management assigns more databases to her portfolio. As the number of databases under her management increases, so too does the amount of critical or sensitive information within her reach. Management understands that this information requires additional controls, and tasks the DBA with building a robust monitoring solution.
An independent party (e.g. the second or third line of defence) will easily pick up that the person responsible for managing the database environment is also the person responsible for securing it. This lack of segregation of duties may be overlooked by management because of the trust placed in the DBA and her high performance. Despite this, the scenario still presents a threat to the organisation by providing both the opportunity and the means for malicious activity to be carried out without detection. All that is required is motivation (which could take many forms) and the risk becomes very real.
My point is that everyone has a role to play in identifying and managing risks while allowing the business to perform efficiently. The operations team in this instance must acknowledge that the independent risk managers have correctly identified a risk that needs to be managed.
At the other end of the scale, it is also easy for risk managers to err on the side of caution and to avoid risk rather than looking to manage it. Caution is forgivable in the current economic environment, but this stifling of management's intentions could also have a negative impact on the bottom line, as opportunities could be missed.
We can’t expect everyone to be experts in both operations and risk management, as each side needs to have a deep understanding of their areas within the context of the business. Rather, it is a fundamental requirement to establish a trusted environment between the disciplines through identifying the relationships and tensions that exist between the various teams. In this way the business can prevent each discipline from restricting the other’s effectiveness, as in the end both are equally important to support and sustain the organisation’s strategy.