Our recent White Paper on The Evolution of Risk (which can be downloaded at the end of this blog) introduces the 3 categories of risk that can affect your organisation and how we can help you to successfully identify and manage risk through 2i’s bespoke Risk Mitigation Framework, AssureRMF™.
This blog post explains what Operational Risk is, the consequences this can have on your organisation if poorly managed and how we help our clients avoid negative consequences or outcomes through AssureRMF™.
What are the challenges that can lead to Operational Risk?
Today, due to some significant advances in technology, organisations can take advantage of more opportunities than at any time in history. Of course, this is a double-edged sword as it creates challenges and risks that can also NEGATIVELY impact their businesses.
On the positive side of this, companies can use Artificial Intelligence and Algorithms to create autonomous business models and processes that provide valuable insights to inform business strategy.
Then there is ‘Big Data’, which uses pervasive automation to collect and then aggregate data into meaningful reports for marketing teams and business leaders (although I won’t mention the issue that often leaves customers wondering how much they can trust businesses and whether they are operating ethically).
Digital Transformation is another major trend that leads to the introduction of agile self-organising, autonomous teams which focus on delivering products to market rapidly within weeks as opposed to months and years.
Whilst all of this can provide businesses with many benefits and even competitive advantages, it also exposes them to several types of risk that need to be managed effectively to deliver the desired business outcomes.
In larger organisations, in particular, simply changing team structures to focus on reducing time to market just switches risk management from the enterprise level to individual teams. Not what was intended I’m sure.
How do you define Operational Risk?
2i define Operational Risk as follows:
Operational Risk resides within the processes used by an organisation. Digitalisation and process automation can reduce human operational risk but at the same time, if not managed carefully, can magnify cybersecurity risk.
How much should you really trust your autonomous business processes?
If your organisation is already using autonomous business processes, or you are currently thinking about implementing them, then you need to consider what consequences this could have for your business should something go wrong.
Algorithms and Artificial Intelligence are now widely used by organisations to manage many operational processes such as performance management, business administration (timesheets etc) and recruitment processes.
2i recently ran a proof of concept that can use Robotic Process Automation (RPA) to help us identify potential new recruits into our business from various different sources. This approach could bring us many benefits such as efficiency savings, and the ability to analyse larger data sets using automation and should, in theory, increase the likelihood of us identifying and hiring the best people.
However, when taking on such initiatives, all companies must consider how much they trust their algorithms and automation, as well as determining the operational aspects that this could introduce.
For 2i in the example above, we need to look at what this means in relation to the EU’s General Data Protection Regulations (GDPR) and ensure that we comply.
Failing to properly understand genuine Operational Risks that you may have introduced can result in serious negative consequences for your business, such as reputational damage and financial penalties, that completely outweigh the advantages you thought you were introducing.
Don’t create Operational Risk because of your inefficiencies
At 2i, we continue to encounter situations where Operational Risk is introduced as a result of ineffective software delivery processes.
A relatively common example of this relates to security issues when the focus adopted is on delivering more features to customers. Often, work relating to the security aspects of products is deferred until the end of the delivery process. At this stage, it is often too late to address security vulnerabilities prior to releasing their product to market.
This results in Operational Risk being created during the hand-over from the project delivery teams to the business areas that will use the new product and/or features as part of the business as usual activities.
How can 2i help you understand and deal with your Operational Risk?
2i recently delivered our bespoke risk mitigation framework service, AssureRMF, to one of our clients, taking them through the three main phases as described below:
Phase 1: Risk Lab - We reviewed our client’s delivery pipeline to understand the sequence of activities that take place in order to deliver value to their customers. Our expert team identified process deficiencies within the pipeline coupled with poor use of existing tooling to effectively deliver changes to customers. We presented our client with a process improvement roadmap to help improve their processes, how better to use their tooling and, most importantly, how to minimise and remove risk from their delivery stream.
Phase 2: Strategy Hub - Our team was embedded into our client’s organisation to deliver the proposed process improvements. This enabled us to help the client improve their system of work to the point whereby better use of existing tools, including automation, could be introduced.
Phase 3: Excellence Framework – Once the client teams were following the improved system of work, our team built a delivery pipeline using the Azure DevOps offering. This largely automated the process and introduced some much-needed security testing to the pipeline using the open-source Zed Attack Proxy (ZAP) that is available from The Open Web Application Security Project (OWASP). You can see the delivery pipeline below:
As a result, all code changes can now be pushed through the deployment pipeline with automated security testing taking place. This allows the development teams to assess whether or not they should accept the code based on the outcomes from the security testing.
Improving the delivery pipeline in this way means that the likelihood of Operational Risks related to security being handed over to the business will be significantly reduced resulting in better outcomes for our client.
Identify and manage Risk – Don’t create it!
In summary, all organisations would likely want to take advantage of the benefits that process automation and digital transformation can deliver. All of them would also want to minimise any security risks being handed over to the business after they have delivered the products to their customers.
As highlighted here, 2i can help you identify your REAL risks (not just the ones that appear on your RAID logs with constantly changing dates and owners!) and prevent those risks from seeping inadvertently into your organisation.
Only when you can deliver your new products and services with a greater certainty of delivery will you be truly delivering value to your customers.
If you are thinking of introducing process automation or looking to embark upon your own digital transformation journey, then download our White Paper now.
The balance of risk vs reward
How do you move fast without taking more risks? The key is risk intelligence (rq).
Learn insights in to the common types of risks to successful digital delivery, how they can impact and derail your digital strategy and read about our tried and tested actions to de-risk and accelerate your digital delivery.