13 Mar 2024

George Ralph, Global Managing Director and CRO at RFA

Operational risk management is a subject I am regularly exploring with RFA clients. It is an essential part of business continuity planning and cybersecurity management. I spoke at the HFM’s European Emerging Manager Summit discussing the importance of ‘Assessing and addressing operational risk in 2024’. It is worth noting that assessing and addressing operational risk is particularly important for small teams. It’s never been more vital to regularly reassess common risk areas, pinpoint potential pressure points, and explore the range of risk mitigation strategies available.

Some really interesting points came out of that chat, and I wanted to review those and give them some more thought:


Investing in Business Continuity Planning (BCP)

Firms are constantly at risk of a cyberattack and such attacks are becoming increasingly systematic and severe in nature. It really is no longer a question of if an attack happens, but rather, when. On the subject of Business Continuity Planning, long term strategy is as important as the short term. This is critical because planning a firm’s operational response to a cyberattack could drastically minimise the overall financial cost of a cyberattack. Financial damage can include ransom payments and lost revenue due to business downtime. The longer a company takes to recover from an attack, the more money it loses.

An effective BCP will involve assessing a company’s entire operational structure to determine vulnerabilities and areas where a firm can improve its risk posture. Such planning will require testing systems and should include the staging of simulated cyberattacks to see how a company responds in a crisis situation. RFA have worked with many clients on BCPs over the last 5 years; we have the experience your firm requires to support you in developing yours if you feel it isn’t at the level of detail it should be.


Increased FCA focus on operational resilience

Operational resilience is a key part of the FCA’s regulatory objectives for 2024 and, of course, since July 2017 has been a big part of FP16/5. When it comes to managing this risk, firms should be vigilant to ensure they meet the standard of security mandated by the FCA. This level is constantly being redefined, and now general best practices and guidelines from outside the sector are coming into play, especially with the introduction of the EU’s DORA act. A primary focus for firms will be to manage operational risk within their processes and systems, ensuring a clear understanding of what this looks like at board level. Such procedures can include a WISP, a BCP, and data protection and governance. Another key focus within systems is the role of automation and cyber controls. Firms need to ensure that they can manage their operational risk to the standard of the regulator, whilst also keeping up to date with any changes and technological developments.


Assessing key vulnerabilities within working environments and models

A key area of consideration for firms is their capacity to manage operational risk in hybrid working formats. The level of risk in the age of digital transformation and teams working remotely has skyrocketed. LinkedIn Pulse shared an interesting finding at the end of last year, stating that since 2020, cyberattacks on remote workers have increased by 238%. Such operational structures need careful assessment when it comes to understanding the potential risks and thus devising plans on how best to mitigate them.


Managing third party risk

Firms will also need to be vigilant regarding their operational risk structure when it comes to working with outsourced service providers. This is something that has been a particular focus within the European Union’s Digital Operational Resilience Act (DORA). DORA was established in 2023, with an implementation deadline of January 25th, 2025, and firms will need to assess the level of operational risk that their managed service providers present to the business. They will need to ensure that their contracts and processes with these providers are compliant with the European Union’s regulatory guidelines set out in the DORA act. Whether you are UK based or have entities in the EU or US, my team has the expertise to help you on your operational risk journey, supporting your firm to have a robust solution in place.

Assessing and addressing operational risk will be a key business priority in 2024. If you would like to learn about how RFA can support you with your operational risk posture, do get in touch.

