Regulations creating operational risk (and how it relates to POPI)

Ok, so that is an unfair title. But you’ll understand what I mean:

Zurich Financial Services has just been fined £2.3m for a data loss event incurred in 2008 in South Africa.

Zurich now joins HSBC, Nationwide and Norwich Union in the club of companies fined by the FSA.

In fairness, the fine wasn’t so much for losing the data, but rather for:

  • losing
  • unencrypted data
  • and not having monitoring and controls in place
  • so that it was only discovered and reported to regulators a year later

The South African perspective

The FSA’s seriousness about these issues is mirrored in our looming Protection of Personal Information Bill. This is not the same as the disturbing proposals for a Protection of Information Bill which covers public or government information.

The Protection of Personal Information (POPI) Bill seeks to give effect to the provisions in our constitution for the right to privacy. As more and more private and confidential information about each of us is stored, processed, transmitted and mined by institutions, there is a clear need for controls around what can be done with this information and what safeguards are required.

Operational or legal risk?

The fines and penalties associated with data and privacy laws create additional risks for any enterprise with customer data on file. Operational risk is often (although not universally) defined as the failure of people, processes or systems giving rise to a loss. Legal or compliance risk is the risk of falling afoul of the law through non-compliance with laws and regulations.

Yes, this risk should be covered by your risk management system

It’s not particularly important how your organisation classifies the risk, but it is critical to identify, measure, manage and monitor the risks as part of an enterprise-wide risk management system.

As with all risks, it's often the allocation of specific responsibility for risks, the listing of risks in a risk register and the regular reporting on these risks that slowly changes an organisation's attitude to them more than anything else. Whether or not you model the risk in detail or attempt some sort of quantitative analysis is decidedly secondary.