Understanding the Link Between Business, Operational & Security Risks

January 9, 2018 by Graeme Messina

When it comes to risk planning and mitigation, it is important for you as an information security professional to understand the difference between a security risk and a business risk. This is not to say the two terms are mutually exclusive, as a single risk can be one or the other, or both at the same time.

We will delve into some of the more nuanced terminology and try to understand what you should be mindful of when evaluating the potential risks to your company’s information security and how you can prepare for potential security breaches.

What is a Business Risk?

A business risk is the possibility of a company making a loss instead of a profit during a defined time period. This could come about in many different ways, and the business risks themselves are also definable under different categories.

One of the most common risks a business can face is a drop in sales numbers due to a smaller demand than was projected at the start of the financial quarter. This means budgets that were drawn up against a projected income must be reworked, and sometimes abandoned.

This can have dire consequences for a company, regardless of their size, so planning effectively and having a secondary strategy is essential. It is for this reason that business planning is of such high importance within an organization, and why the right people are needed for the job of managing this risk.

What Are the Different Types of Business Risks?

There are many different kinds of business risk, both internal and external. The main ones that we focus on are:

  • Strategic risk: An example of a strategic risk is if new product or service adoption is flatter than projected. Another example of strategic risk is if a competitor was to enter the market and start applying pressure to your pricing structure. Both of these are possibilities when you are competing in a free market, and are strategic risks that could affect your organization.
  • Compliance risk: Keeping a close eye on the latest compliance requirements for your industry will help you avoid fines, penalties and even law violations. This means your company must constantly check with all of the relevant authorities for any notices or potential amendments to existing rules for your industry.
  • Operational risk: This could include theft of equipment from your organization, or damage to equipment caused by negligence, natural disaster or sabotage. Although these things cannot be predicted, they can be planned for. Your operations director and their subordinates must ensure all such eventualities have been planned for, and the procedures necessary to avert any prolonged downtime are all in place and ready to be implemented in case of an emergency.
  • Financial risk: This is perhaps one of the broadest areas of risk within a business, because all businesses are vulnerable to such a risk. A basic example of how a company could be exposed to financial risk is in the case of non-payment by a client. Another instance where financial risk comes into play is when a loan amount accrues too much interest, making the repayment schedule untenable for the organization.

Security risk management is directly related to compliance and operational risks, so understanding these risks is critical to ensuring the safe and continued operation of an organization.

What Techniques Can I Use to Control Business Risks?

Let’s look at some of the most fundamental risk control techniques, and how they apply generally to businesses.

  • Risk avoidance: This is perhaps one of the most important techniques in our list. Risk avoidance is the ability of a company to sidestep a perceived issue altogether, making itself invulnerable to that particular risk. An example would be a customer that does not pay their invoice on time, making the cash flow of the business suffer as a result. The solution would be to implement a cash-on-delivery structure, meaning the client would have to pay for their goods and services upfront, thus allowing your company to avoid the risk altogether.
  • Prevention: It is not always possible for a company to avoid risk altogether, meaning that your organization will have to develop strategies around a potential failure, and figure out how to prevent the maximum damage from occurring. This is done through loss prevention, and is a useful tool for businesses to use. Loss prevention could be implemented in a variety of ways, like installing security and fire systems to prevent theft and fire damage to a premises.
  • Duplication: IT professionals are all too familiar with duplication, and with good reason: it just works. Applying this technique to business can be expensive, but is well worth the effort in the event of unforeseen events such as fire or natural disaster. Duplication of information systems as well as replications of essential servers is a must. In some cases, a company might have an entire backup office with duplicated data for employees to use in times of emergency.

What Are the Major Security Risks Facing Enterprises?

Security risks come in many different forms, and information security professionals must be prepared for all of them. Data security is one of the most sensitive areas of your organization’s weaknesses, and cybercriminals are not afraid to exploit this weakness if it means that they can capitalize on it. This risk can be mitigated by employing a proper IT security policy document, and by bolstering your organization’s network security resources.

Malicious code, and the relatively recent phenomenon of crypto ransomware in particular, means that companies which are unprepared for and unaware of this potentially business-fatal attack are not in a position to recover from it. It is for this reason that proper preventive measures must be put in place for your company, and that you are prepared for any system-critical emergency that comes your way.

There are countless ways for users to extract data from your company and take it off site, so an information security professional must understand how to prevent, monitor and minimize such occurrences so management can be informed accordingly.

Linking Security Risk Management & Operational Risks

Security risk management is a means by which information security and operational risks are controlled. An operational risk can be thought of as a potential issue that could arise as a result of one or more of the processes in your company’s production procedure when bringing a product or service to the market. We can think of this as a failed product, a supplier letting you down or as a manufacturing defect that causes a product recall.

A risk management plan must manage all levels of access to your information systems, and this is where a security risk assessment needs to be conducted. From its findings, documentation and policies must be created to enforce the objectives of your plan. This means everything from equipment and information services to employee activity on company resources must be logged and monitored.

As an information security professional, you will need to ensure all of your company’s resources are protected. IT policy documents that are flouted or ignored have the potential to create gaps in your security, which in turn can allow malware or hacking attempts to breach your network.

Proprietary information and customer details that fall into the wrong hands can have a devastating effect on your company’s reputation and revenue, regardless of how well your operational systems are functioning. It is for these reasons you must adhere to your security risk management plan, as system failures will have a direct impact on the operational functions of your company.
Being tasked with ensuring an organization’s operational stability is no easy task. Providing a security risk assessment, coupled with a comprehensive security policy, will help you secure the essential information services needed to keep the wheels turning within your organization.

Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.

One response to “Understanding the Link Between Business, Operational & Security Risks”

  1. Alan says:

    But isn’t a key problem we are facing the disjunction between security and business risks? The incentives are strong to ignore security because paying attention to security is a business risk. We have IoT, software, and microprocessor vulnerabilities because if companies had paid attention to making their software and hardware secure they wouldn’t have gotten to market fast enough and the companies would have failed. The same applies to other business decisions. Security is an immediate cost that gets in the way of short-term gains/advantages so you ignore it, calculating that you’ll be in a position later on to address security or at least survive the long-term consequences of ignoring it. This is not an irrational calculation. It’s a gamble that often makes sense for individuals, companies, groups, etc. From a societal perspective it’s not particularly good. Companies get away with it because the costs of their actions are moved elsewhere. The only way you can change this is by regulation that makes it prohibitively costly and risky to avoid baking in security at the start. But given the widespread belief that the market solves all problems, that’s not going to happen. Politicians, unfortunately, often have little incentive to govern responsibly.

    All this gets a lot more interesting when you look at, say, something like climate change. It’s not at all clear that the short-termism that drives specific interests won’t be catastrophic for all in the long term.

    We’ve been struggling with this issue for a long time. Here’s Adam Smith writing in 1776 about the sometimes dire consequences of unrestrained self-interest and the need for regulation to prevent catastrophic failure (just ignore everything you’ve learnt about Smith from economists — very few of them have read, never mind understood, any of his works):
    “To restrain private people, it may be said, from receiving in payment the promissory notes of a banker, for any sum whether great or small, when they themselves are willing to receive them, or to restrain a banker from issuing such notes, when all his neighbours are willing to accept of them, is a manifest violation of that natural liberty which it is the proper business of law not to infringe, but to support. Such regulations may, no doubt, be considered as in some respects a violation of natural liberty. But those exertions of the natural liberty of a few individuals, which might endanger the security of the whole society, are, and ought to be, restrained by the laws of all governments, of the most free as well as of the most despotical. The obligation of building party walls, in order to prevent the communication of fire, is a violation of natural liberty exactly of the same kind with the regulations of the banking trade which are here proposed.”
    Smith was somewhat pessimistic about governments meeting their obligations given the rampant political corruption of his time.
