Operational Risk is broadly defined as error or fraud associated with people, processes, or technology, plus Acts of God. Setting Acts of God aside, what are the worst kinds of Operational Risk events? Cyber attacks were cited as the highest technology-related risk in the World Economic Forum's Global Risks 2015 report. However, according to a recent online Fortune article, data breaches have cost big publicly traded companies "shockingly little", typically amounting to less than 1% of annual revenue. This statistic is a big surprise and leaves one wondering what truly are the biggest IT / Operational risks. I suggest that they are System Development Life Cycle (SDLC) / product and service liability-related.
Perhaps the most costly and notorious IT Risk-related event in recent history was the SDLC / product failure at Knight Capital, when Knight placed an erroneous trading algorithm into production that cost the company $460 Million in customer reimbursements, $400 Million in market capitalization and $12 Million in regulatory fines. Ultimately, it forced Knight to sell itself to another company.
If you examine product liability claims with the notion that they mostly result from the introduction of new product defects, poor SDLC practices, and errors and omissions in the ongoing management of products and services, the picture gets much worse. In 2006, the most recent year for which relevant data are available, there were over 54,000 product liability cases filed across all State and Federal courts! Although a number of companies self-insure, you can get a sense of the magnitude of product liability risk by examining insurance premiums collected. Net premiums for liability insurance tripled from $6.61 billion in 1979 to $19.08 billion in 1988, and in 2013 amounted to $160 Billion globally and $84 Billion in the U.S. Of this amount, only $1.3 billion was cyber-liability related.
Some of the most significant product liability claims to date have ranged from automobile design failures that resulted in multiple deaths and hundreds of millions of dollars in compensation, medical device and drug liability claims, and even exploding portable gas cans that forced the manufacturer out of business.
Flawless product development, project management, and product operations can be extremely difficult. Often the complexity is overwhelming because it depends on comprehensively identifying interdependencies and managing risk that originates both internally and from third-party relationships. Preventing the introduction of significant errors and fraud in computer systems and customer-facing products and services requires a very methodical approach to risk management. You must be able to answer questions like: What new products and services are being introduced throughout the company? What business processes (people, process, and technology) and third parties support each product and service? What kind of risk does a new product introduce? What could go wrong, and what is the worst-case scenario? What is being done to mitigate and transfer risks, and are those mitigation activities designed and operating effectively?
RSA Archer helps in the methodical assessment and management of risk whether it originates from IT or non-IT activities, from third parties, from business interruptions, or relates to corporate or regulatory compliance obligations. On a combined basis, Archer can help an organization manage and mitigate its product liability risk. This capability invariably translates into greater confidence that reliable products can be delivered to market more quickly, with fewer surprises and loss events and lower product liability insurance premiums. We do this with attention to detail and to risk management standards and best practice such as ISO 31000, which establishes principles and guidelines for effectively identifying, assessing, deciding on, treating, and monitoring risk.
Our capabilities to assist organizations in managing risk in each of these core areas were evaluated by Gartner in the last half of 2014, in four areas: Business Continuity Management, IT Vendor Risk Management, IT Risk Management, and Operational Risk Management. In each of these four evaluations, Gartner placed our product in the Leaders Quadrant! Learn more about these reports.
We believe that Gartner's assessments underscore the importance of risk management in surviving today's competitive market. Nearly every business unit within an organization is getting involved in actively identifying and managing risks as they arise. After all, they are the ones that understand their business, are most in tune with the risks within their business line, and are best equipped to accept, treat and mitigate those risks in accordance with the organization's risk tolerance, policies and procedures. As a result, business units are now engaging fully in the risk management framework. A coordinated, integrated level of risk intelligence helps CEOs and management teams pursue new opportunities that fall within their risk tolerance, minimizing SDLC and product liability risk.