The definition of “operational risk” is variable but it generally covers the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.
I, however, want to re-examine this general definition, so that the definition of operational risk takes into account all the cybersecurity-related risks that are currently plaguing organizations today. With the current definition, one cannot quantify internal processes and people.
For example, organizations can ask themselves a few questions. When is there an event that causes a disruption? What internal processes failed? What aspect relating to people needs to re-examined?
We know that operational risk exists in every organization and that size does not matter. What matters, however, are two critical areas that need to be included in the operational risk definition: internal controls and user awareness.