Page 22 - Risk Management Bulletin Jan- Mar 2022
RMAI BULLETIN JANUARY - MARCH 2022
assessed and monitored against the tolerance limits set.

Risk Tolerance: This is setting impact tolerances for each important business service, such as the maximum acceptable outage time of a business service. While setting the impact tolerance, the firm must assume that the incident has happened, and then set the maximum tolerable level and duration of the disruption. Risk tolerance is different from risk appetite. Risk appetite is the level of risk the organization is willing to take; for example, the risk appetite for return on equity would be set higher than the cost of equity.

Mapping of systems and processes needed to support the important business services: While mapping systems and processes, it needs to be ensured that the action plan is not complex, that substitute resources are available and that there is no overreliance on a single resource. The mapping and the plan must be well documented and communicated. The operating people need to be made aware of the sensitivity and importance of the process.

Testing using plausible scenarios: Organizations need to build a library of severe scenarios, considering the rapidly changing environment and external incidents. This would help in identifying the low frequency, high severity vulnerabilities the organisation is likely to be exposed to. The most important point to consider is that no plausible scenario should be rejected on the ground that "it cannot happen to my organization". They need to have an action plan in place for such scenarios. The action plan formulated should also be put to the test. While testing, it is important to verify that the scenarios are in line with the nature, size and scope of the firm's business activities. The action plan should clearly state the people, processes and systems that need to deliver at the time of crisis. A bottom-up approach works better, as resilience not only needs to be built into the design and functionality of the systems and processes, but is also required to be built into the culture of the organization.

Challenges:

Internal challenges: There are certain challenges which financial organizations face, especially budget constraints and obtaining board approvals. Many institutions might still be using outdated technology systems, while at the same time trying to meet market needs by innovating new products.

External challenges: In addition to the budget constraints there are external challenges, like emerging technologies such as artificial intelligence and blockchain (distributed ledger technology), the sophistication of external threats in the cyber security space, demand for crypto-assets, increased scrutiny on value for money from customers, who so easily switch to new providers, system complexity and third party risk. To drive innovation, organizations must balance concentration risk, which may provide economies of scale, against spreading the risk of supplier failure.

Thus, the key threats that come out of the challenges and need to be focused on are:

Speed of technological changes
Disruption from less established technologies
Increase in the frequency and severity of cyber attacks
Physical risk due to climate change: Resilience will be put to the test under physical risk due to climate change and the disruptions caused to mitigate it
Organizations lagging in developing resilience or having operational weaknesses will be targeted by fraudsters.

These key threat areas are broadly similar for all organizations; it is the approach adopted by the organization that will differentiate them in the long run. To gain a competitive advantage, the organization that adapts and adopts a dynamic risk assessment methodology which is proactive, integrated and based on the concept of granularity will increase its chances of survival. Going granular helps in identifying its leading indicators. This not only reduces the complexity but is also easy to communicate and implement, as the operational level team can relate to it.

Way Ahead:

Organization level:
Organizations need to build on the existing governance and risk frameworks and keep pace with innovations. Operational resilience needs to be built into business plans, which would require a clarity of