Professional Risk Managers’ International Association (PRMIA) / International Swaps & Derivatives Association (ISDA)
Who Needs Operational Risk?
David Gibbs MSc, Head of Operational Risk BFP
19th April 2005

A Moment of Indulgence
• David J Gibbs.
• David Gibbs MSc is responsible for the Risk & Governance of Barclays Financial Planning. Formerly Information Security Manager within BACS Ltd, one of the largest Clearing Houses in Europe. He has 20 years’ experience within major companies in the financial sector, including Head of Information Security & Business Continuity for International Financial Data Services UK Ltd (an organisation jointly owned by State Street Bank and DST) and Head of Operational Risk & IT Security for Barclays Investment Management. He has developed and implemented Enterprise Security Infrastructures in the Bank Assurance and Investment Banking environment. These have been supported by Security Architectures and associated policies based on ISO 17799, together with Governance and Controls manuals and practices in compliance with Regulation and Legislation.
• The challenges of embracing the e-commerce / e-enabled world must be faced, as “Complacency is not an Option.”
Statement!
• Risk Management is one of the key ingredients in binding together a business. Its importance to us should not be underestimated.
• Great disasters happen not because people run risks, but because they don’t understand the risks.

Introduction
• Organisations are exposed to a wide range of risks, and the nature of those risks means that, if they arise, they may give rise to unexpected losses in finance, reputation and brand value.
• A sound system of internal control must be implemented. Since profits are, in part, the reward for successful risk taking in business, a robust Governance Framework is implemented to help manage and control risk appropriately, rather than to eliminate it.
Why implement a Governance Framework?
• (i) Asian Financial Crisis of 1997: Korea & Japan.
• (ii) History of Corporate Fraud:
• Maxwell, Marconi, Enron, WorldCom.
• Parmalat: actual debt $18 billion (8 times what the company claimed when it went bust in December 2003).
• National Australia Bank (unauthorised trading by four currency option dealers could have cost the Bank as much as A$600 million).
• Adecco (arguably the world’s biggest recruitment agency; stock market value halved after warnings that its 2003 figures would be delayed due to accounting irregularities).
• (iii) Management Incompetence:
• Equitable Life, Royal Dutch / Shell.
• (iv) Collateral Damage:
• Citigroup’s $9.8 billion litigation reserve for WorldCom and Enron.

Key Failures (financial)
• Were not cynical!
• Reflected systemic weaknesses.
• Increasingly had worldwide impact.
• Knock-on effect on pension funds and pension assets.

Operational Risk Example??
• It’s difficult to find anyone with the appropriate accountability.
• The auditors cannot provide assurance on the legality and regularity of the controls in 95% of the organisation.
• No double-entry accounting systems.
• Computer systems for financial transactions lacked cohesiveness, security and traceability.
[Diagram: Risks To The Organization]
• Business Risk: Brand Value, Shareholder Value, Encourages Confidence, Company Integrity.
• Understanding the Business Complexity: Compliance, Credit, Environment, Legal, Market, Product, Taxation, Risk Appetite, Corporate Risk Profile.
• Operational Risk / Risk Framework: Audit & Compliance, Approved Functions, Governance & Control, Management Information, Roles & Responsibilities, Incident Management, Project & Change Control.
• Operational Risk (FSA Key Controls): Complaints Handling, Data Protection, Information Security, Infrastructure, Long Tail Risk, Succession Planning, Mission Critical Processes, Training & Competence, Money Laundering (KYC), Business Continuity Planning.
• Target Operational Strategy: Business Model, Operating Model, Technical Model, HR Model.
• Business Strategic Plan: Budget Cycle, New Ventures.
• Performance Metrics: Contracts, Service Level Agreements, Quality Assurance, Retail Price Index, Asset Management, Return On Investment, Key Performance Indicators, Key Risk Indicators, Complaints.
Information Systems
“We have entered a new paradigm in e-business. The same benefits of low cost and high speed we enjoyed in the 90s are now being exploited by organised crime. The cost to commit fraud is low and the pay-back can be massive. We must protect the consumer and preserve trust and the integrity in the on-line marketplace.”

[Chart: Attack Sophistication v Intruder Knowledge. Vertical axis: Attack Sophistication (Low to High); Intruder Knowledge falls over the same period. Horizontal axis: 1980, 1985, 1990, 1995, 2000. Labelled points, roughly in order of appearance: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, burglaries, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, www attacks, DoS, “stealth” / advanced scanning techniques, DDOS attacks, Tools, Attackers.]
Information Security: Current Picture & Challenges
• Emerging Technologies.
• Fraud, Identity Theft, 419 Scams.
• Sophistication of Attacks (PHISHING), Tools and on-line help.
• Money Laundering.
• Deliberate Damage (Human Error!!).
• Distributed Denial Of Service (DDOS) attacks.
• Viruses?
• More focused Regulation and Legislation.
• Terrorists / Disasters?

Emerging Technologies
• Wireless technologies.
• 3G Mobile.
• Increased bandwidth.

Fraud, Identity Theft, 419 Scams
• Government figures put financial fraud in the UK at £800 per minute.
• Card fraud over the past 5 years has increased by 30% year on year; APACS figures put UK card fraud at £402.4 million for 2003.
• 419 fraud is reported to equal one fifth of some West African countries’ revenue.
• ATM envelope, ATM investment, and Salami scams.
• Currently over 40,000 people are subject to identity theft, the fastest growing fraud.

Sophistication of Attacks (PHISHING), Tools and on-line help
• October 2003: Halifax Bank (UK) took the unprecedented step of closing down its online banking service, affecting 1.5 million customers.
• APACS reported that in the region of 2,000 UK online account holders were taken in by phishing attacks in 2004, with losses in the region of £4.5m in total.
• 4%-5% of account holders respond.

Money Laundering
• Not only UK banks but globally, Money Laundering is rife.
• The Home Office believes that around £18 billion is laundered through the UK every year.
• It is estimated that worldwide, between £??? and £??? billion is laundered.

Anti Money Laundering Challenges?
• Alignment of small businesses to comply with the Money Laundering Legislation.
• Accepting the corporate responsibility to fight crime.
• Robustness of controls in large financial organisations.
• Presence of underground banking (Hawala & Hundi), arguably “One of the safest methods for Money Launderers to transfer money”.
• Getting the balance between the privacy of individuals’ rights versus the need to protect our society against criminals and terrorists.
• Identity Theft.
Deliberate Damage (Human Error)
• Downsizing & Outsourcing: people feel unwanted.
• Over 60% of incidents are caused internally.
• Thorn UK: stressed-out computer man is jailed over £500k sabotage.
• Daily Mail: man arrested 6 hours before the deadline to crash the newspaper’s systems. Demand for £600k; could have cost the newspaper £13.9m.
• Arab Emirates: hacker shut down the entire country’s Internet network. Claim for compensation in the region of £650k.
• Root Key, where did it go?

Distributed Denial Of Service (DDOS) attacks
• DDOS attacks have recently emerged as one of the most newsworthy, if not the greatest, weaknesses of the Internet.
• DDOS attacks swamp their victims’ Internet connectivity and by doing so render useless any on-site security barriers.
• (Even when on-site solutions are effective in preventing any actual breach of the security wall provided by Firewalls and Intrusion Detection Systems.)

Denial of Service (Business) Attacks
The controller machine never connects directly to the zombie machines; additional protection is provided by the use of encrypted/obfuscated communication channels between the controller and the handlers. Similar levels of protection are applied between the handler and the zombie agent. This gives the controller a safe location from which to launch attacks on targets, without the victims being able to determine where the attacker is located.

Case Studies
• Yahoo: the site was taken down for several hours during 2000 by exploiting a weakness in the router software, generating large volumes of traffic by attack amplification. The attacker compromised a large number of systems on the Internet.
• WorldPay: the online payment provider suffered from the effects of a sustained DDOS attack during November 2003. The attack, which limited the available bandwidth for genuine users, lasted for 3 days.
• WorldPay were also “hit” early in 2004, when there was an outage for several hours.
• Online Gambling Sites: are being targeted by organised criminals, who are blackmailing organisations with the threat of DDOS attacks if they refuse to pay the money requested.

Viruses
• Hackers have created over 70,000 viruses.
• 1 in 12 e-mails contain a virus.
• 1 in 4 e-mails are spam.
• February / March 2004: estimated that more than 72 million working days have been lost worldwide because of viruses.
• Variants of MyDoom, Bagle & Netsky bugs are costing billions of pounds (Melissa alone caused over £80 million worldwide).
• Estimate that Netsky has caused more than £20 million in losses worldwide this year alone.
More Focused Governance Legislation and Regulation
• UK Combined Code (Cadbury & Greenbury) 1998.
• UK Turnbull Report 1999.
• FSA.
• Basel II.
• Organisation for Economic Co-operation & Development (OECD) Principles of Corporate Governance (1999/2004).
• Sarbanes-Oxley (2002) made Corporate Governance a legal requirement.
• HIPAA, Gramm-Leach-Bliley, Patriot Act.
• UK & EU Directives.

Terrorists & Disasters
• Nine / Eleven: world wake-up call and “watershed” for us all.
• Baltic Exchange Bomb.
• London Docklands Bomb.
• Twin Towers.
• Bali Night Club Bombing.
• Madrid, March 11th.
• Personal Impact & £24b loss.
• Russia (School).
• Jakarta.
• Where Next???????

Terrorists & Disasters
• Terrorism: every 3 months from Nine / Eleven a small / medium size bombing has occurred.
• Since 9 / 11 over 100 plots have been disrupted.
• In the last week of March 2004 an associated group of Al K were prevented from delivering 20 tons of chemicals in the Middle East. The target was the American Embassy and the Palace (80,000 people could have been maimed / killed).
• The gravity of terrorism was always in the Middle East.
• In Asia there are 30 / 40 Islamist terrorist groups.
• The lifeblood of terrorist attacks is money, most of which is transferred through traditional banking systems.
• Source: Professor Rohan Gunaratna.
Meeting the Challenges
• There is a need to fully understand an organisation’s risks and vulnerabilities.
• Knowing the drivers for change, both the external & internal influences.
• Develop a Corporate Risk Profile.
• Implement a strong Governance and Controls infrastructure.
• Monitor and maintain the Security and Risk Profile to meet new challenges.
• Take a corporate (holistic) approach to address the challenges (one size does not fit all).

[Diagram: Modular Approach, covering the End-to-End Value Chain]
• Business Complexity.
• Governance & Control Architecture.
• Implementation Modules.
• Preventative & Monitoring Tools.
• Web Based Security / Infrastructure.
• Public Key Infrastructure (PKI).
• Operational Procedures, Topologies / Designs.

[Diagram: Drivers for Change and Information Security Governance]
• Drivers for Change: New Technology, Legislation, Regulation, Changes in Business Model, Sophistication of Attacks.
• Information Security Governance: Information Security Technical Architecture, Methodology, Best Practice & Guidelines, Information Security Policies (ISO 17799), Governance Manual, Governance Roles & Responsibilities.
• Security Reviews: Penetration Testing (External & Internal), Corporate Risk Profile (CORSICA/RMSAP), Basel II Requirements, Risk Assessments.
• Audit & Review: Audit (External & Group), Data Classification, Dispensation Against Policy, Development Methodology Controls, Executive Reporting, Monitoring (Security Control Checklists), Corporate Security Profile, Outsourcing Guidelines.
• Day to day: Incident Management, Business as Usual Monitoring and Tracking, Internet / E-mail / Telephony, Support (Member Banks).
• Research: Investigation, Legislative Awareness, Technology and Product Review, Client Alignment (Third Party Reviews).
• Security Awareness: Your Responsibilities Booklet, Induction, Best Practice Handouts (AUP), Staff Handbook.
• Continuity Governance: Business Continuity, Business Impact Analysis, Planning / Road Map.
Essentials: A Control Model, Key Requirements
• Understanding Business Complexity and Risk.
• Strong Governance & Controls Infrastructure.
• End-to-End Security Architecture.
• Deployment of Strategic Preventative and Monitoring Tools.
• Sound Controls supported by up-to-date Policies and Procedures.
• Developing a Corporate Culture where Risk and Security awareness is an integral part of the day-to-day activity.
• Audit, Audit, Audit.

[Diagram: Model Organisational Control Overview]
• External Drivers For Change: New Legislation and Regulation; Changes to the Business Model; Outsourcing; New Ventures; New Exposures (Sophistication of Attacks); Failing to meet Performance Metrics; Changes in Key Indicators (e.g. Complaints).
• Operational Strategy: Target Business Model; Target Operating Model; Target Technical Model; Target HR Model (Organisation & People); Strategic Plan; Budget Cycle; Budget Review.
• Risk Management: Business Management; Actuarial; Internal Audit; Compliance; IT Security; Business Continuity; Operational Risk; Finance; Legal; Policies & Procedures.
• Internal Drivers: Risk Appetite; Corporate Risk Profile; Risk Management Methodology; Risk Management Committee; Legal Department; Performance Metrics; Contracts; Service Level Agreements.
• Change Control Process.
• Internal Governance: Executive Co; Board; Asset Management; Quality Assurance; Change Capital Adequacy; Change Management; Release Management; Change Reporting; Development Methodology; Remedial Action Plan; Corporate Risk Log; Monitoring; Risk Reporting.
• External Governance: Shareholders; FSA Reviews; External Auditors; Peer Reviews; SAS 70 / FRAG 21; Technical Reviews (Consultants’ Pen Tests).

Operational Risk: Summary
• The control environment of organisations should be based on four key elements:
• Commitment from senior management and all employees to a control ethic based on competence and integrity.
• Identification and evaluation of risks and control objectives.
• Control and information procedures that identify and capture relevant and reliable data to monitor risks within pre-determined limits.
• Formal procedures for monitoring, reporting, escalation and remedial follow-up actions.

Operational Risk
Operational Risk is not just about Capital Requirements. IT’S A LOT MORE THAN THAT!
A Last Thought! “Life is a balance between Risks and Benefits.” RB
Thank you. Questions ? David Gibbs MSc.