Professional Risk Managers’ International Association (PRMIA) / International Swaps & Derivatives Association (ISDA)

Who Needs Operational Risk?

David Gibbs MSc; Head of Operational Risk BFP

19th April 2005

A Moment of Indulgence
  • David J Gibbs.
  • David Gibbs MSc is responsible for the Risk & Governance of Barclays Financial Planning. Formerly Information Security Manager within BACS Ltd, one of the largest Clearing Houses in Europe, he has 20 years’ experience within major companies in the financial sector, including Head of Information Security & Business Continuity for International Financial Data Services UK Ltd (an organisation jointly owned by State Street Bank and DST) and Head of Operational Risk & IT Security for Barclays Investment Management. He has developed and implemented Enterprise Security Infrastructures in the Bank Assurance and Investment Banking environment. These have been supported by Security Architectures and associated policies based on ISO 17799, together with Governance and Controls manuals and practices in compliance with Regulation and Legislation.
  • The challenges of embracing the e-commerce / e-enabled world must be faced, as “Complacency is not an Option.”
  • Risk Management is one of the key ingredients in binding together a business. Its importance to us should not be underestimated.
  • Great Disasters happen, not because people run risks, but because they don’t understand the risks.
  • Organisations are exposed to a wide range of Risks, and the nature of those risks means that, should they arise, they may give rise to unexpected losses in finance, reputation and brand value.
  • A sound system of internal control must be implemented. Since profits are, in part, the reward for successful risk taking in business, a robust Governance Framework is implemented to help manage and control risk appropriately, rather than to eliminate it.
Why implement a Governance Framework?

  • Asian Financial Crisis of 1997: Korea & Japan.
  • History of Corporate Fraud:
  • Maxwell, Marconi, Enron, WorldCom.
  • Parmalat: actual debt $18 billion (8 times what the company claimed when it went bust in December 2003).
  • National Australia Bank: unauthorised trading by four currency option dealers could have cost the Bank as much as A$600 million.
  • Adecco: arguably the world’s biggest recruitment agency; stock market value halved after warnings that its 2003 figures would be delayed due to accounting irregularities.
  • Management Incompetence:
  • Equitable Life, Royal Dutch / Shell.
  • Collateral Damage:
  • Citigroup’s $9.8 billion litigation reserve for WorldCom and Enron.
Key Failures, financial;
  • Were not cynical!
  • Reflected systemic weaknesses.
  • Increasingly had worldwide impact.
  • Knock-on effect on pension funds and pension assets.
Operational Risk Example??
  • It’s difficult to find anyone with the appropriate accountability.
  • The auditors cannot provide assurance on the legality and regularity of the controls in 95% of the organisation.
  • No double-entry accounting systems.
  • Computer systems for financial transactions lacked cohesiveness, security and traceability.

[Slide diagram; layout not recoverable. Labels as they appear: Brand Value; Shareholder Value; Business Risk; Encourages Confidence; Company Integrity. Risks To The Organization / Understanding the Business Complexity: Compliance, Credit, Environment, Legal, Market, Product, Taxation; Risk Appetite, Corporate Risk Profile; Operational Risk. Risk Framework: Audit & Compliance; Approved Functions; Governance & Control; Management Information; Roles & Responsibilities; Incident Management; Project & Change Control. Operational Risk (FSA Key Controls): Complaints Handling; Data Protection; Information Security Infrastructure; Long Tail Risk; Succession Planning; Mission Critical Processes; Training & Competence; Money Laundering (KYC); Business Continuity Planning. Target Operational: Business Model; Operating Model; Technical Model; HR Model; Business Strategic Plan; Budget Cycle; New Ventures. Service Level Agreements; Quality Assurance; Retail Price Index; Asset Management; Return On Investment; Key Performance Indicators; Key Risk Indicators.]

Information Systems

“We have entered a new paradigm in e-business. The same benefits of low cost and high speed we enjoyed in the 90s are now being exploited by organised crime.

The cost to commit fraud is low and the pay-back can be massive. We must protect the consumer and preserve trust and integrity in the on-line marketplace.”

[Chart: Attack Sophistication v Intruder Knowledge. Attack labels as they appear on the chart: “stealth” / advanced scanning techniques; packet spoofing; DDOS attacks; www attacks; back doors; disabling audits; exploiting known vulnerabilities; password cracking; self-replicating code; password guessing.]

Information Security Current Picture & Challenges
  • Emerging Technologies.
  • Fraud, Identity Theft, 419 Scams.
  • Sophistication of Attacks (Phishing), Tools and on-line help.
  • Money Laundering.
  • Deliberate Damage (Human Error!!).
  • Distributed Denial Of Service (DDOS) attacks.
  • Viruses?
  • More focused Regulation and Legislation.
  • Terrorists / Disasters?
Emerging Technologies.
  • Wireless technologies
  • 3G Mobile
  • Increased bandwidth

Fraud, Identity Theft, 419 Scams.
  • Government figures: financial fraud in the UK equates to £800 per minute.
  • Card fraud over the past 5 years has increased by 30% year on year; APACS figures quoted UK card fraud of £402.4 million for 2003.
  • 419 scams are reported to account for one fifth of some West African countries’ revenue.
  • ATM envelope, ATM investment, and Salami scams.
  • Currently over 40,000 people are subject to identity theft, the fastest growing fraud.

Sophistication of Attacks (Phishing), Tools and on-line help.
  • In October 2003 Halifax Bank (UK) took the unprecedented step of closing down its online banking service, affecting 1.5 million customers.
  • APACS reported that in the region of 2,000 UK online account holders were taken in by phishing attacks in 2004, with losses in the region of £4.5m in total.
  • 4%-5% of account holders respond.
Money Laundering.
  • Not only UK banks but globally Money Laundering is rife.
  • The Home Office believes that around £18 billion is laundered through the UK every year.
  • It is estimated that Worldwide, between £??? and £??? billion is Laundered
Anti Money Laundering Challenges?
  • Alignment of Small Businesses to comply with the Money Laundering Legislation.
  • Accepting the corporate responsibility to fight crime.
  • Robustness of controls in large Financial Organisations.
  • Presence of underground Banking (Hawala & Hundi): arguably “One of the safest methods for Money Launderers to transfer money”.
  • Getting the balance between the privacy of individuals’ rights and the need to protect our society against criminals and terrorists.
  • Identity Theft
Deliberate Damage (Human Error).
  • Downsizing & Outsourcing: people feel unwanted.
  • Over 60% of incidents are caused internally.
  • Thorn UK: stressed-out computer man is jailed over £500k sabotage.
  • Daily Mail: man arrested 6 hours before the deadline to crash the newspaper’s systems. Demand for £600k; could have cost the Newspaper £13.9m.
  • Arab Emirates: hacker shut down the entire country’s Internet network. Claim for compensation in the region of £650k.
  • Root Key, where did it go?
Distributed Denial Of Service (DDOS) attacks.
  • DDOS attacks have recently emerged as one of the most newsworthy, if not the greatest, weaknesses of the Internet.
  • DDOS attacks swamp their victims’ Internet connectivity and by doing so render useless any on-site security barriers.
  • (Even when on-site solutions are effective in preventing any actual breach of the security wall provided by Firewalls and Intrusion Detection Systems.)
Denial of Service (Business) Attacks.

The controller machine never connects directly to the zombie machines; additional protection is provided by the use of encrypted/obfuscated communication channels between the controller and the handlers. Similar levels of protection are applied between the handler and the zombie agent. This gives the controller a safe location from which to launch attacks on targets, without the victims being able to determine where the attacker is located.

Case Studies;
  • Yahoo: the site was taken down for several hours during 2000 by exploiting a weakness in the router software, generating lots of traffic by attack amplification. The attacker compromised a large number of systems on the Internet.
  • WorldPay: the online payment provider suffered from the effects of a sustained DDOS attack during November 2003. The attack, which limited the available bandwidth for genuine users, lasted for 3 days.
  • WorldPay were also “hit” early in 2004, when there was an outage for several hours.
  • Online Gambling Sites: are being targeted by organised criminals, who are blackmailing organisations with the threat of DDOS attacks if they refuse to pay the money requested.
  • Hackers have created over 70,000 viruses.
  • 1 in 12 e-mails contain a virus.
  • 1 in 4 e-mails are Spam.
  • February/March 2004: estimated that more than 72 million working days have been lost worldwide because of viruses.
  • Variants of the MyDoom, Bagle & Netsky bugs are costing billions of pounds (Melissa alone caused over £80 million worldwide).
  • Estimated that Netsky has caused more than £20 million in losses worldwide this year alone.
More Focused Governance Legislation and Regulation
  • UK Combined Cadbury & Greenbury Code 1998.
  • UK Turnbull Report 1999.
  • FSA
  • Basel II
  • Organisation for Economic Co-operation & Development (OECD) Principles of Corporate Governance (1999/2004)
  • Sarbanes-Oxley (2002) made Corporate Governance a legal requirement
  • HIPAA, Gramm-Leach-Bliley, Patriot Act.
  • UK & EU Directives.
Terrorists & Disasters
  • Nine / Eleven: world wake-up call and “watershed” for us all.
  • Baltic Exchange Bomb, London
  • Docklands Bomb
  • Twin Towers
  • Bali Night Club Bombing
  • Madrid, March 11th: personal impact & £24b loss.
  • Russia (School)

Where Next???

Terrorists & Disasters

Terrorism: every 3 months since Nine / Eleven a small / medium size bombing has occurred.

  • Since 9 / 11 over 100 plots have been disrupted.
  • In the last week of March 2004 an associated group of Al K were prevented from delivering 20 tons of chemicals in the Middle East. The target was the American Embassy and the Palace (80,000 people could have been maimed / killed).
  • The gravity of terrorism was always in the Middle East.
  • In Asia there are 30 / 40 Islamic terrorist groups.
  • The lifeblood of terrorist attacks is money, most of which is transferred through traditional banking systems.
  • Source: Professor Rohan Gunaratna
Meeting the Challenges;
  • There is a need to fully understand an organisation’s risks and vulnerabilities.
  • Knowing the drivers for change, both the external & internal influences.
  • Develop a Corporate Risk profile.
  • Implement a strong Governance and Controls infrastructure.
  • Monitor and maintain the Security and Risk profile to meet new challenges.
  • Take a corporate (holistic) approach to address the challenges. (One size does not fit all).
Modular Approach, covering the End To End Value Chain

[Slide diagram; layout not recoverable. Labels as they appear: Business Complexity; Governance & Control; Architecture Implementation Modules; Preventative & Monitoring Tools; Web Based Security / Infrastructure; Public Key Infrastructure (PKI); Operational Procedures, Topologies/Designs. Drivers for Information Security: Changes in Business Model; Sophistication of Attacks. Technical Architecture: Best Practice & Information Security (ISO 17799). Roles & Responsibilities; Security Reviews; Penetration Testing (External & Internal); Corporate Risk Profile (CORSICA/RMSAP) Basel II Requirements; Risk Assessments; Audit & Review (External & Group); Data Classification; Dispensation Against Policy; Development Methodology; Executive Reporting (Security Control Checklists); Corporate Security Profile; Outsourcing Guidelines. Day to day Business as Usual: Monitoring and Tracking (Member Banks); Legislative Awareness; Technology and Product review; Client Alignment (Third Party Reviews); Your Responsibilities Booklet; Best Practice Handouts (AUP); Staff Handbook. Business Continuity: Business Impact Analysis; Planning/Road Map.]

Essentials; A Control Model, Key Requirements;
  • Understanding Business Complexity and Risk.
  • Strong Governance & Controls Infrastructure.
  • End-to-End Security Architecture.
  • Deployment of Strategic Preventative and Monitoring Tools.
  • Sound Controls supported by up-to-date Policies and Procedures.
  • Developing a Corporate Culture where Risk and Security awareness is an integral part of the day-to-day activity.
  • Audit, Audit, Audit.

Model Organisational Control Overview;

[Slide diagram; the headings and lists below are recovered in the order they appear, so the assignment of items to headings is approximate.]

External Drivers For Change / Operational Strategy / Internal Drivers
  • New Legislation and Regulation.
  • Changes To the Business Model.
  • Outsourcing.
  • New Ventures.
  • New Exposures (Sophistication of Attacks).
  • Failing to meet Performance Metrics.
  • Changes in Key Indicators (e.g. Complaints).
  • Target Business Model.
  • Target Operating Model.
  • Target Technical Model.
  • Target HR Model (Organisation & People).
  • Strategic Plan.
  • Budget Cycle.
  • Budget Review.

Risk Management
  • Business Management
  • Actuarial
  • Internal Audit
  • Compliance
  • IT Security
  • Business Continuity
  • Operational Risk
  • Finance
  • Legal
  • Policies & Procedures
  • Risk Appetite.
  • Corporate Risk Profile.
  • Risk Management Methodology.
  • Risk Management Committee.
  • Legal Department.
  • Performance Metrics.
  • Contracts.
  • Service Level Agreements.

Change Control Process / Internal Governance
  • Executive Co
  • Board
  • Asset Management.
  • Quality Assurance.
  • Change Capital Adequacy.
  • Change Management.
  • Release Management.
  • Change Reporting.
  • Development Methodology
  • Remedial Action Plan.
  • Corporate Risk Log.
  • Monitoring.
  • Risk Reporting.

External Governance
  • Shareholders
  • FSA Reviews.
  • External Auditors.
  • Peer Reviews.
  • SAS 70 FRAG 21.
  • Technical Reviews (Consultants’ Pen Tests).

Operational Risk; Summary
  • The control environment of organisations should be based on four key elements:
  • Commitment from senior management and all employees to a control ethic based on competence and integrity.
  • Identification and evaluation of risks and control objectives.
  • Control and information procedures that identify and capture relevant and reliable data to monitor risks within pre-determined limits.
  • Formal procedures for monitoring, reporting, escalation and remedial follow up actions.
Operational Risk.

Operational Risk is not just about Capital Requirements.


A Last Thought!

“Life is a balance between Risks and Benefits.”


Thank you.

Questions ?

David Gibbs MSc.