Professional Risk Managers’ International Association (PRMIA) - International Swaps & Derivatives Association (ISDA): Who Needs Operational Risk? David Gibbs MSc, Head of Operational Risk BFP. 19th April 2005.

Professional Risk Managers’ International Association (PRMIA) - International Swaps & Derivatives Association (ISDA)

Who Needs Operational Risk?

David Gibbs MSc; Head of Operational Risk BFP

19th April 2005



A Moment of Indulgence

  • David J Gibbs.

  • David Gibbs MSc is responsible for the Risk & Governance of Barclays Financial Planning. Formerly Information Security Manager within BACS Ltd, one of the largest Clearing Houses in Europe, he has 20 years’ experience within major companies in the financial sector, including Head of Information Security & Business Continuity for International Financial Data Services UK Ltd (an organisation jointly owned by State Street Bank and DST) and Head of Operational Risk & IT Security for Barclays Investment Management. He has developed and implemented Enterprise Security Infrastructures in the Bank Assurance and Investment Banking environments, supported by Security Architectures and associated policies based on ISO 17799, together with Governance and Controls manuals and practices in compliance with Regulation and Legislation.

  • The challenges of embracing the e-commerce / e-enabled world must be faced, as “Complacency is not an Option.”



Who Needs Operational Risks?



Statement!

  • Risk Management is one of the key ingredients in binding together a business. Its importance to us should not be underestimated.

  • Great Disasters happen, not because people run risks, but because they don’t understand the risks.



Introduction;

  • Organisations are exposed to a wide range of risks, and by their nature those risks, if they arise, may give rise to unexpected losses in finance, reputation and brand value.

  • A sound system of internal control must be implemented and, since profits are in part the reward for successful risk taking in business, the purpose of a robust Governance Framework is to help manage and control risk appropriately, rather than eliminate it.


Why implement a Governance Framework?

  • Asian Financial Crisis of 1997 (Korea & Japan).

  • History of Corporate Fraud:

    - Maxwell, Marconi, Enron, Worldcom.

    - Parmalat: actual debt $18 billion (8 times what the company claimed when it went bust in December 2003).

    - National Australia Bank (unauthorised trading by four currency option dealers could have cost the Bank as much as A$600 million).

    - Adecco (arguably the world’s biggest recruitment agency; stock market value halved after warnings that its 2003 figures would be delayed due to accounting irregularities).

  • Management Incompetence:

    - Equitable Life, Royal Dutch / Shell.

  • Collateral Damage:

    - Citigroup’s $9.8 billion litigation reserve for Worldcom and Enron.



Key Failures, financial;

  • Were not cyclical!

  • Reflected systemic weaknesses.

  • Increasingly had worldwide impact.

  • Knock-on effect on Pension Funds and pension assets.


Operational Risk Example?

  • It’s difficult to find anyone with the appropriate accountability.

  • The auditors cannot provide assurance on the legality and regularity of the controls in 95% of the organisation.

  • No double-entry accounting systems.

  • Computer systems for financial transactions lacked cohesiveness, security and traceability.



Threats & Drivers Diversity


Diagram: Risks To The Organization

  • Brand Value, Shareholder Value, Business Risk, Encourages Confidence, Company Integrity.

  • Understanding the Business Complexity: Compliance, Credit, Environment, Legal, Market, Product, Taxation, Risk Appetite, Corporate Risk Profile.

  • Operational Risk Framework: Audit & Compliance, Approved Functions, Governance & Control, Management Information, Roles & Responsibilities, Incident Management, Project & Change Control.

  • Operational Risk (FSA Key Controls): Complaints Handling, Data Protection, Information Security Infrastructure, Long Tail Risk, Succession Planning, Mission Critical Processes, Training & Competence, Money Laundering (KYC), Business Continuity Planning.

  • Target Operational Strategy: Business Model, Operating Model, Technical Model, HR Model, Business Strategic Plan, Budget Cycle, New Ventures.

  • Performance Metrics: Contracts, Service Level Agreements, Quality Assurance, Retail Price Index, Asset Management, Return On Investment, Key Performance Indicators, Key Risk Indicators, Complaints.



Information Systems

“We have entered a new paradigm in e-business. The same benefits of low cost and high speed we enjoyed in the 90s are now being exploited by organised crime.

The cost to commit fraud is low and the pay-back can be massive. We must protect the consumer and preserve trust and integrity in the on-line marketplace.”


Chart: Attack Sophistication v Intruder Knowledge (horizontal timeline 1980, 1985, 1990, 1995, 2000; vertical scale from High to Low, with Intruder Knowledge falling as Attack Sophistication rises).

Labels plotted on the chart, in the order extracted: “stealth” / advanced scanning techniques, Tools, packet spoofing, DoS, DDOS attacks, sniffers, sweepers, www attacks, GUI, automated probes/scans, back doors, disabling audits, burglaries, Attackers, exploiting known vulnerabilities, password cracking, self-replicating code, password guessing.



Information Security Current Picture & Challenges

  • Emerging Technologies.

  • Fraud, Identity Theft, 419 Scams.

  • Sophistication of Attacks (Phishing), Tools and on-line help.

  • Money Laundering.

  • Deliberate Damage (Human Error!!).

  • Distributed Denial Of Service (DDOS) attacks.

  • Viruses?

  • More focused Regulation and Legislation.

  • Terrorists / Disasters?



Emerging Technologies.

  • Wireless technologies

  • 3G Mobile

  • Increased bandwidth



Fraud, Identity Theft, 419 Scams.

  • Government figures put financial fraud in the UK at the equivalent of £800 per minute.

  • Card fraud over the past 5 years has increased by 30% year on year; APACS figures put UK card fraud at £402.4 million for 2003.

  • 419 scams reportedly account for one fifth of some West African countries’ revenue.

  • ATM envelope, ATM investment, and Salami scams.

  • Currently over 40,000 people are subject to identity theft, the fastest growing fraud.



Sophistication of Attacks (Phishing), Tools and on-line help.

  • In October 2003 Halifax Bank (UK) took the unprecedented step of closing down its online banking service, affecting 1.5 million customers.

  • APACS reported that in the region of 2,000 UK online account holders were taken in by phishing attacks in 2004, with losses in the region of £4.5m in total.

  • 4%-5% of account holders respond.



PHISHING Example



Money Laundering.

  • Money Laundering is rife not only in UK banks but globally.

  • The Home Office believes that around £18 billion is laundered through the UK every year.

  • It is estimated that worldwide, between £??? and £??? billion is laundered.



Anti Money Laundering Challenges ?

  • Alignment of Small Businesses to comply with the Money Laundering Legislation.

  • Accepting the corporate responsibility to fight crime.

  • Robustness of controls in large Financial Organisations.

  • Presence of underground banking (Hawala & Hundi), arguably “one of the safest methods for Money Launderers to transfer money”.

  • Getting the balance between individuals’ privacy rights and the need to protect our society against criminals and terrorists.

  • Identity Theft



Deliberate Damage (Human Error).

  • Downsizing & Outsourcing: people feel unwanted.

  • Over 60% of incidents are caused internally.

    - Thorn UK: stressed-out computer man is jailed over £500k sabotage.

    - Daily Mail: man arrested 6 hours before the deadline to crash the newspaper’s systems. Demand for £600k; could have cost the newspaper £13.9m.

    - Arab Emirates: hacker shut down the entire country’s Internet network. Claim for compensation in the region of £650k.

  • Root Key, where did it go?



Distributed Denial Of Service (DDOS) attacks.

  • DDOS attacks have recently emerged as one of the most newsworthy, if not the greatest, weaknesses of the Internet.

  • DDOS attacks swamp their victims’ Internet connectivity and by doing so render useless any on-site security barriers.

  • (Even when on-site solutions are effective in preventing any actual breach of the security wall provided by Firewalls and Intrusion Detection Systems.)



Denial of Service (Business) Attacks.

The controller machine never connects directly to the zombie machines; additional protection is provided by the use of encrypted/obfuscated communication channels between the controller and the handlers. Similar levels of protection are applied between the handler and the zombie agent. This gives the controller a safe location from which to launch attacks on targets, without the victims being able to determine where the attacker is located.



Case Studies;

  • Yahoo; The site was taken down for several hours during 2000 by exploiting a weakness in the router software, generating lots of traffic by attack amplification. The attacker compromised a large number of systems on the Internet.

  • WorldPay; The online payment provider suffered from the effects of a sustained DDOS attack during November 2003. The attack, which limited the available bandwidth for genuine users, lasted for 3 days.

  • WorldPay were also “hit” early in 2004, with an outage of several hours.

  • Online Gambling Sites are being targeted by organised criminals, who blackmail organisations with the threat of DDOS attacks if they refuse to pay the money requested.



Viruses

  • Hackers have created over 70,000 viruses.

  • 1 in 12 e-mails contains a virus.

  • 1 in 4 e-mails are Spam.

  • February–March 2004: it is estimated that more than 72 million working days have been lost worldwide because of viruses.

  • Variants of MyDoom, Bagle & Netsky are costing billions of pounds (Melissa alone caused over £80 million worldwide).

  • Netsky alone is estimated to have caused more than £20 million in losses worldwide this year.



More Focused Governance Legislation and Regulation

  • UK Combined Cadbury & Greenbury Code 1998.

  • UK Turnbull Report 1999.

  • FSA

  • Basel II

  • Organisation for Economic Co-operation & Development (OECD) Principles of Corporate Governance (1999/2004).

  • Sarbanes-Oxley (2002) made Corporate Governance a legal requirement.

  • HIPAA, Gramm-Leach-Bliley, Patriot Act.

  • UK & EU Directives .



Terrorists & Disasters

  • Nine / Eleven: a world wake-up call and “watershed” for us all.

    Baltic Exchange Bomb, London

    Docklands Bomb

    Twin Towers

    Bali Night Club Bombing

    Madrid, March 11th: Personal Impact & £24b loss.

    Russia (School)

    Jakarta

    Where Next?


Terrorists & Disasters

  • Terrorism: every 3 months since Nine / Eleven a small / medium size bombing has occurred.

  • Since 9 / 11 over 100 plots have been disrupted.

  • In the last week of March 2004 an associated group of Al K were prevented from delivering 20 tons of chemicals in the Middle East. The target was the American Embassy and the Palace (80,000 people could have been maimed / killed).

  • The centre of gravity of terrorism was always in the Middle East.

  • In Asia there are 30 / 40 Islamic terrorist groups.

  • The lifeblood of terrorist attacks is money, most of which is transferred through traditional banking systems.

  • Source: Professor Rohan Gunaratna.



Meeting the Challenges;

  • There is a need to fully understand an organisation’s risks and vulnerabilities.

  • Knowing the drivers for change, both the external & internal influences.

  • Develop a Corporate Risk profile.

  • Implement a strong Governance and Controls infrastructure.

  • Monitor and maintain the Security and Risk profile to meet new challenges.

  • Take a corporate (holistic) approach to address the challenges. (One size does not fit all).



Modular Approach, covering the End To End Value Chain

Business Complexity

Governance & Control

Architecture Implementation Modules

Preventative & Monitoring Tools

Web Based Security / Infrastructure

Public Key Infrastructure (PKI)

Operational Procedures, Topologies/Designs


Diagram: Information Security Governance framework

  • Drivers for Change: New Technology, Legislation, Regulation, Changes in Business Model, Sophistication of Attacks.

  • Information Security Technical Architecture: Methodology, Best Practice & Guidelines, Information Security Policies (ISO 17799), Governance Manual.

  • Governance: Roles & Responsibilities, Security Reviews, Penetration Testing (External & Internal), Corporate Risk Profile (CORSICA/RMSAP) Basel II Requirements, Risk Assessments.

  • Audit & Review: Audit (External & Group), Data Classification, Dispensation Against Policy, Development Methodology.

  • Controls: Executive Reporting, Monitoring (Security Control Checklists), Corporate Security Profile, Outsourcing Guidelines.

  • Day to day Incident Management: Business as Usual, Monitoring and Tracking, Internet/E-mail/Telephony, Support (Member Banks).

  • Research: Investigation, Legislative Awareness, Technology and Product review, Client Alignment (Third Party Reviews).

  • Security Awareness: Your Responsibilities Booklet, Induction, Best Practice Handouts (AUP), Staff Handbook.

  • Continuity Governance: Business Continuity, Business Impact Analysis, Planning/Road Map.



Essentials; A Control Model, Key Requirements;

  • Understanding Business Complexity and Risk.

  • Strong Governance & Controls Infrastructure.

  • End-to-End Security Architecture.

  • Deployment of Strategic Preventative and Monitoring Tools.

  • Sound Controls supported by up-to-date Policies and Procedures.

  • Developing a Corporate Culture where Risk and Security awareness is an integral part of day-to-day activity.

  • Audit, Audit, Audit.


Diagram: Model Organisational Control Overview

External Drivers For Change

  • New Legislation and Regulation.

  • Changes To the Business Model.

  • Outsourcing.

  • New Ventures.

  • New Exposures (Sophistication of Attacks).

  • Failing to meet Performance Metrics.

  • Changes in Key Indicators (e.g. Complaints).

Operational Strategy

  • Target Business Model.

  • Target Operating Model.

  • Target Technical Model.

  • Target HR Model (Organisation & People).

  • Strategic Plan.

  • Budget Cycle.

  • Budget Review.

Risk Management

  • Business Management

  • Actuarial

  • Internal Audit

  • Compliance

  • IT Security

  • Business Continuity

  • Operational Risk

  • Finance

  • Legal

  • Policies & Procedures

Internal Drivers

  • Risk Appetite.

  • Corporate Risk Profile.

  • Risk Management Methodology.

  • Risk Management Committee.

  • Legal Department.

  • Performance Metrics.

  • Contracts.

  • Service Level Agreements.

Change Control Process / Internal Governance

  • Executive Co

  • Board

  • Asset Management.

  • Quality Assurance.

  • Change Capital Adequacy.

  • Change Management.

  • Release Management.

  • Change Reporting.

  • Development Methodology.

  • Remedial Action Plan.

  • Corporate Risk Log.

  • Monitoring.

  • Risk Reporting.

External Governance

  • Shareholders.

  • FSA Reviews.

  • External Auditors.

  • Peer Reviews.

  • SAS 70 FRAG 21.

  • Technical Reviews (Consultants’ Pen Tests).



Operational Risk; Summary

  • The control environment of organisations should be based on four key elements;

  • Commitment from senior management and all employees to a control ethic based on competence and integrity.

  • Identification and evaluation of risks and control objectives.

  • Control and information procedures that identify and capture relevant and reliable data to monitor risks within pre-determined limits.

  • Formal procedures for monitoring, reporting, escalation and remedial follow-up actions.



Operational Risk.

Operational Risk is not just about Capital Requirements.

IT’S A LOT MORE THAN THAT!



A Last Thought!

“Life is a balance between Risks and Benefits.”

RB



Thank you.

Questions ?

David Gibbs MSc.
