- Professional Risk Managers' International Association (PRMIA) - International Swaps & Derivatives Association (ISDA) Who Needs Operational Risk? David Gibbs MSc, Head of Operational Risk, BFP, 19th April 2005
2 A Moment of Indulgence David Gibbs MSc is responsible for the Risk & Governance of Barclays Financial Planning. Formerly Information Security Manager within BACS Ltd, one of the largest Clearing Houses in Europe. He has 20 years' experience within major companies in the financial sector, including Head of Information Security & Business Continuity for International Financial Data Services UK Ltd (an organisation jointly owned by State Street Bank and DST) and Head of Operational Risk & IT Security for Barclays Investment Management. He has developed and implemented Enterprise Security Infrastructures in the Bancassurance and Investment Banking environment. These have been supported by Security Architectures and associated policies based on ISO 17799, together with Governance and Controls manuals and practices in compliance with Regulation and Legislation. The challenges of embracing the e-commerce / e-enabled world must be faced, as "Complacency is not an Option."
3 Who Needs Operational Risks?
4 Statement! Risk Management is one of the key ingredients in binding together a business. Its importance to us should not be underestimated. Great disasters happen, not because people run risks, but because they don't understand the risks.
5 Introduction; Organisations are exposed to a wide range of risks, and the nature of those risks means that, if they arise, they may give rise to unexpected losses in finance, reputation and brand value. A sound system of internal control must be implemented. Since profits are, in part, the reward for successful risk taking in business, the purpose of a robust Governance Framework is to help manage and control risk appropriately, rather than to eliminate it.
6 Why implement a Governance Framework? (i) Asian Financial Crisis of 1997: Korea & Japan. (ii) History of Corporate Fraud: Maxwell, Marconi, Enron, WorldCom. Parmalat; actual debt $18 billion (8 times what the company claimed when it went bust in December 2003). National Australia Bank (unauthorised trading by four currency option dealers could have cost the Bank as much as A$600 million). Adecco (arguably the world's biggest recruitment agency; stock market value halved after warnings that its 2003 figures would be delayed due to accounting irregularities). (iii) Management Incompetence: Equitable Life, Royal Dutch / Shell. (iv) Collateral Damage: Citigroup's $9.8 billion litigation reserve for WorldCom, Enron.
7 Key Failures (financial): were not cynical! Reflected systemic weaknesses. Increasingly had worldwide impact. Knock-on effect on pension funds and pension assets.
8 Operational Risk Example?? It's difficult to find anyone with the appropriate accountability. The auditors cannot provide assurance on the legality and regularity of the controls in 95% of the organisation. No double-entry accounting systems. Computer systems for financial transactions lacked cohesiveness, security and traceability.
9 Threats & Drivers Diversity
10 Risk Framework (diagram: Understanding the Business Complexity). Operational Risk (FSA Key Controls): Compliance, Credit, Environment, Legal, Market, Product, Taxation. Risk Appetite; Corporate Risk Profile; Operational Risk Performance Metrics; Brand Value; Shareholder Value; Business Risk; Encourages Confidence; Company Integrity. Risks to the organisation: Target Operational Strategy, Information Security Infrastructure, Audit & Compliance, Approved Functions, Management Information, Incident Management, Complaints Handling, Roles & Responsibilities, Project & Change Control, Data Protection, Long Tail Risk, Service Level Agreements, Governance & Control, Training & Competence, Mission Critical Processes, Business Continuity Planning, Money Laundering (KYC). Also shown: Business Model, Operating Model, Technical Model, New Ventures, HR Model, Business Strategic Plan, Budget Cycle, Contracts, Succession Planning, Quality Assurance, Retail Price Index, Return On Investment, Asset Management, Key Performance Indicators, Complaints, Key Risk Indicators.
11 Information Systems "We have entered a new paradigm in e-business. The same benefits of low cost and high speed we enjoyed in the 90s are now being exploited by organised crime. The cost to commit fraud is low and the pay-back can be massive. We must protect the consumer and preserve trust and integrity in the on-line marketplace."
12 Attack Sophistication v Intruder Knowledge (chart, 1980 to 2000; vertical axis Low to High). Over time attack sophistication (Tools) rises while the knowledge an attacker needs (Intruder Knowledge) falls. Techniques plotted, in rough order of appearance: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, DoS, www attacks, "stealth" / advanced scanning techniques, burglaries, DDoS attacks.
13 Information Security: Current Picture & Challenges. Emerging Technologies. Fraud, Identity Theft, 419 Scams. Sophistication of Attacks (Phishing), Tools and on-line help. Money Laundering. Deliberate Damage (Human Error!). Distributed Denial of Service (DDoS) attacks. Viruses? More focused Regulation and Legislation. Terrorists / Disasters?
14 Emerging Technologies. Wireless technologies 3G Mobile Increased bandwidth
15 Fraud, Identity Theft, 419 Scams. - Government figures put financial fraud in the UK at £800 per minute. - Card fraud over the past 5 years has increased by 30% year on year; APACS figures put UK card fraud at £402.4 million for 2003. - 419 scams reportedly account for one fifth of some West African countries' revenue. - ATM envelope, ATM investment, and salami scams. - Currently over 40,000 people are subject to identity theft, the fastest growing fraud.
16 Sophistication of Attacks (Phishing), Tools and on-line help. October 2003: Halifax Bank (UK) took the unprecedented step of closing down its online banking service, affecting 1.5 million customers. APACS reported that in the region of 2,000 UK online account holders were taken in by phishing attacks in 2004; loss in the region of £4.5m in total. 4%-5% of account holders respond.
17 Phishing Example (screenshot)
18 Money Laundering. Not only in UK banks but globally, money laundering is rife. The Home Office believes that around £18 billion is laundered through the UK every year. It is estimated that worldwide between £??? and £??? billion is laundered.
19 Anti Money Laundering Challenges? Alignment of small businesses to comply with the Money Laundering legislation. Accepting the corporate responsibility to fight crime. Robustness of controls in large financial organisations. Presence of underground banking (Hawala & Hundi), arguably "one of the safest methods for money launderers to transfer money". Getting the balance between the privacy of individuals' rights versus the need to protect our society against criminals and terrorists. Identity Theft.
20 Deliberate Damage (Human Error). - Downsizing & outsourcing: people feel unwanted. - Over 60% of incidents are caused internally. - Thorn UK: stressed-out computer man is jailed over £500k sabotage. - Daily Mail: man arrested 6 hours before the deadline to crash the newspaper's systems. Demand for £600k; could have cost the newspaper £13.9m. - Arab Emirates: hacker shut down the entire country's Internet network. Claim for compensation in the region of £650k. - Root Key: where did it go?
21 Distributed Denial of Service (DDoS) attacks. - DDoS attacks have recently emerged as one of the most newsworthy, if not the greatest, weaknesses of the Internet. - DDoS attacks swamp their victims' Internet connectivity and by doing so render useless any on-site security barriers, even when on-site solutions are effective in preventing any actual breach of the security wall provided by firewalls and intrusion detection systems: the link itself is saturated before traffic ever reaches those controls.
22 Denial of Service (Business) Attacks. The controller machine never connects directly to the zombie machines; additional protection is provided by the use of encrypted/obfuscated communication channels between the controller and the handlers. Similar levels of protection are applied between the handler and the zombie agent. This gives the controller a safe location from which to launch attacks on targets, without the victims being able to determine where the attacker is located: the only addresses a victim sees are those of the zombies.
23 Case Studies; Yahoo: the site was taken down for several hours during 2000 by exploiting a weakness in router software, generating large volumes of traffic by attack amplification. The attacker had compromised a large number of systems on the Internet. WorldPay: the online payment provider suffered the effects of a sustained DDoS attack during November 2003. The attack, which limited the available bandwidth for genuine users, lasted for 3 days. WorldPay was also "hit" early in 2004, with an outage of several hours. Online gambling sites: are being targeted by organised criminals, who blackmail organisations with the threat of DDoS attacks if they refuse to pay the money demanded.
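The three slides above make one practical point: a volumetric DDoS is decided at the upstream link, not at the firewall, and the addresses a victim can see belong to the zombie agents rather than to the controller. The following is an added example, not part of the original presentation, that triages constructed one-second flow records to show both effects. The link capacity, window, thresholds, addresses (RFC 5737 documentation ranges) and flow counts are all assumptions chosen for illustration.

```python
"""Volumetric DDoS triage over constructed flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass

LINK_CAPACITY_BPS = 10_000_000   # assumed 10 Mbit/s upstream link (hypothetical)
WINDOW_S = 1.0                   # assumed measurement window, in seconds


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    bytes: int


# Constructed sample: 40 zombie agents each sending 50 kB to the victim web server
# within one second, plus three legitimate clients. Addresses are documentation
# ranges (RFC 5737), not real hosts. No controller or handler address ever appears
# in the victim's view of the traffic; only the agents do.
ZOMBIES = [f"203.0.113.{i}" for i in range(1, 41)]
SAMPLE_FLOWS = [Flow(z, "192.0.2.10", 50_000) for z in ZOMBIES] + [
    Flow("198.51.100.7", "192.0.2.10", 2_000),
    Flow("198.51.100.8", "192.0.2.10", 1_500),
    Flow("198.51.100.9", "192.0.2.20", 3_000),
]


def inbound_bps(flows, window_s=WINDOW_S):
    """Bits per second arriving over the upstream link, per destination.

    Counted before any on-site filter: every packet has already consumed link
    capacity by the time a firewall or IDS gets to inspect it.
    """
    bits = defaultdict(int)
    for f in flows:
        bits[f.dst] += f.bytes * 8
    return {dst: b / window_s for dst, b in bits.items()}


def distinct_sources(flows, dst):
    """Set of source addresses seen for one destination (the zombies, not the controller)."""
    return {f.src for f in flows if f.dst == dst}


def triage(flows, link_capacity_bps=LINK_CAPACITY_BPS, window_s=WINDOW_S, min_sources=20):
    """Flag destinations whose inbound rate exceeds the link capacity and whose
    traffic arrives from many distinct sources; that combination is the
    volumetric, distributed pattern the slides describe."""
    report = {}
    for dst, bps in inbound_bps(flows, window_s).items():
        sources = distinct_sources(flows, dst)
        report[dst] = {
            "bps": bps,
            "link_utilisation": bps / link_capacity_bps,
            "distinct_sources": len(sources),
            "volumetric_ddos": bps > link_capacity_bps and len(sources) >= min_sources,
        }
    return report


def utilisation_after_firewall(flows, blocked, link_capacity_bps=LINK_CAPACITY_BPS,
                               window_s=WINDOW_S):
    """Effect of an on-site firewall dropping every source in `blocked`.

    Returns (link_utilisation, delivered_bps). The firewall protects the hosts
    behind it (delivered_bps falls), but the upstream link is still carrying
    the full attack volume, so link_utilisation is unchanged. Relief has to
    come upstream, from the ISP or a scrubbing provider.
    """
    link_bits = sum(f.bytes * 8 for f in flows)
    delivered_bits = sum(f.bytes * 8 for f in flows if f.src not in blocked)
    return link_bits / window_s / link_capacity_bps, delivered_bits / window_s


if __name__ == "__main__":
    for dst, row in triage(SAMPLE_FLOWS).items():
        print(dst, row)
    util, delivered = utilisation_after_firewall(SAMPLE_FLOWS, set(ZOMBIES))
    print(f"link utilisation with zombies blocked on-site: {util:.2%}, "
          f"delivered to hosts: {delivered:.0f} bit/s")
```

Running it shows 192.0.2.10 drawing roughly 16 Mbit/s from 42 distinct sources over a 10 Mbit/s link, so it is flagged; blocking all 40 zombies at the premises cuts what reaches the hosts to 52 kbit/s but leaves the link at about 160% of capacity, which is exactly why the on-site barriers in slide 21 are "rendered useless". In practice the source set is also the starting point for abuse reports: none of those addresses is the controller.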
24 Viruses. Hackers have created over 70,000 viruses. 1 in 12 e-mails contains a virus. 1 in 4 e-mails is spam. February to March 2004: it is estimated that more than 72 million working days were lost worldwide because of viruses, with variants of MyDoom, Bagle and NetSky. Bugs are costing billions of pounds (Melissa alone caused over £80 million of damage worldwide). NetSky is estimated to have caused more than £20 million in losses worldwide this year alone.
25 More Focused Governance, Legislation and Regulation. UK Combined Cadbury & Greenbury Code 1998. UK Turnbull Report 1999. FSA. Basel II. Organisation for Economic Co-operation & Development (OECD) Principles of Corporate Governance (1999/2004). Sarbanes-Oxley (2002) made corporate governance a legal requirement. HIPAA, Gramm-Leach-Bliley, Patriot Act. UK & EU Directives.
26 Terrorists & Disasters. Nine / Eleven: a world wake-up call and "watershed" for us all. Baltic Exchange bomb. London Docklands bomb. Twin Towers. Bali night club bombing. Madrid, March 11th: personal impact & £24b loss. Russia (school). Jakarta. Where next???????
27 Terrorists & Disasters. Terrorism: every 3 months since Nine / Eleven a small / medium size bombing has occurred. Since 9/11 over 100 plots have been disrupted. In the last week of March 2004 a group associated with Al K was prevented from delivering 20 tons of chemicals in the Middle East; the target was the American Embassy and the Palace (80,000 people could have been maimed / killed). The gravity of terrorism was always in the Middle East. In Asia there are 30 / 40 Islamist terrorist groups. The lifeblood of terrorist attacks is money, most of which is transferred through traditional banking systems. Source: Professor Rohan Gunaratna.
28 Meeting the Challenges; There is a need to fully understand an organisation's risks and vulnerabilities. Know the drivers for change, both the external and internal influences. Develop a Corporate Risk Profile. Implement a strong Governance and Controls infrastructure. Monitor and maintain the Security and Risk profile to meet new challenges. Take a corporate (holistic) approach to addressing the challenges (one size does not fit all).
29 Business Complexity: Governance & Control Architecture (diagram). Implementation modules: preventative & monitoring tools; web-based security / infrastructure; operational procedures, topologies/designs; Public Key Infrastructure (PKI). A modular approach, covering the end-to-end value chain.
30 Methodology: Information Security Governance (diagram). Headings: Governance; Controls; Audit & Review; Continuity; Drivers for Change; Business as Usual. Items shown: Information Security Policies (ISO 17799), Day-to-day Incident Management, Best Practice & Guidelines, "Your Responsibilities" Booklet, Executive Reporting, Information Security Technical Architecture, Audit (External & Group), Security Awareness, Staff Handbook, Security Reviews, Penetration Testing (External & Internal), Risk Assessments, Business Continuity, New Technology, Legislation, Regulation, Changes in Business Model, Sophistication of Attacks, Monitoring (Security Control Checklists), Dispensation Against Policy, Support (Member Banks), Induction, Technology and Product Review, Client Alignment (Third Party Reviews), Legislative Awareness, Research, Monitoring and Tracking, Internet/E-mail/Telephony Investigation, Best Practice Handouts (AUP), Governance Planning/Road Map, Business Impact Analysis, Governance Manual, Data Classification, Corporate Risk Profile (CORSICA/RMSAP), Basel II Requirements, Roles & Responsibilities, Development Methodology, Outsourcing Guidelines, Corporate Security Profile.
31 Essentials; A Control Model, Key Requirements: Understanding business complexity and risk. Strong Governance & Controls infrastructure. End-to-end security architecture. Deployment of strategic preventative and monitoring tools. Sound controls supported by up-to-date policies and procedures. Developing a corporate culture where risk and security awareness is an integral part of day-to-day activity. Audit, Audit, Audit.
32 Organisational Control Overview (diagram). External Drivers for Change: New Legislation and Regulation; Changes to the Business Model; Outsourcing; New Ventures; New Exposures (Sophistication of Attacks); Failing to meet Performance Metrics; Changes in Key Indicators (e.g. Complaints). Operational Strategy: Target Business Model; Target Operating Model; Target Technical Model; Target HR Model (Organisation & People). Risk Management: Risk Appetite; Corporate Risk Profile; Risk Management Methodology; Risk Management Committee; Legal Department; Performance Metrics; Contracts; Service Level Agreements. External Governance: FSA Reviews; External Auditors; Peer Reviews; SAS 70; FRAG 21; Technical Reviews (Consultants' Pen Tests); Remedial Action Plan; Corporate Risk Log; Monitoring; Risk Reporting. Change Control Process: Asset Management; Quality Assurance; Change Capital Adequacy; Change Management; Release Management; Change Reporting; Development Methodology. Internal Governance / Internal Drivers: Strategic Plan; Budget Cycle; Budget Review; Business Management; Actuarial; Internal Audit; Compliance; IT Security; Business Continuity; Operational Risk; Finance; Legal; Policies & Procedures; Executive Committee; Board; Shareholders.
33 Operational Risk; Summary. The control environment of an organisation should be based on four key elements: (i) Commitment from senior management and all employees to a control ethic based on competence and integrity. (ii) Identification and evaluation of risks and control objectives. (iii) Control and information procedures that identify and capture relevant and reliable data to monitor risks within pre-determined limits. (iv) Formal procedures for monitoring, reporting, escalation and remedial follow-up actions.
34 Operational Risk. It's a lot more than that! Operational Risk is not just about capital requirements.
35 A Last Thought! “Life is a balance between Risks and Benefits.” RB