Overview. An old adage is “it is difficult to manage what you do not measure”, yet operational risk is not easy to quantify. In this assignment, you will determine key metrics and tolerances for each of the three top ORs you previously developed. Because it is important to have controls and mitigation for each of the top risks, you will also develop risk and control assessments for one of your top three risks.
- Discuss the importance of risk and control self-assessments and describe EIG’s process for developing these. Be sure to include:
  - How often are these performed?
  - Who leads the process?
  - Are these discussed with executive leaders and/or the board?
- For one of the top 3 ORs you developed in the previous assignment, design a “mini” risk and control assessment for that OR:
  - Show one risk control
  - Show the residual risk
  - Give one action plan
For example, if one of your top three ORs was that EIG could lose confidential customer information, which would cause fines, penalties, financial loss, and reputational damage, the controls could be:
(1) EIG annually hires a respected external consultant to find vulnerabilities and it makes improvements based on the results;
(2) EIG has a mandatory annual training module for all employees to train on the importance of data hygiene, prevalence of phishing, and the need to protect sensitive data;
(3) EIG purchases $100m of cyber risk coverage from a top-rated insurance carrier.
- Discuss the importance of metrics and tolerances in a firm’s OR framework.
- For each of the top 3 ORs you developed in the previous assignment, design:
  - one key metric (for each of the top 3 ORs)
  - one tolerance (to go along with the key metric) above which a breach will be reported to executive management and the board.