Operational Risk and Information Security
From the Editors of ITSC
Basel II, which financial institutions need to comply with by the end of 2006, proposes methodologies for banks to calculate more accurately the capital provisions they should make against credit, commercial, and operational risk. In the words of the Basel Committee on Banking Supervision, "an improved capital adequacy framework is intended to foster a strong emphasis on risk management and to encourage ongoing improvements in banks' risk assessment capabilities."
Risk, of course, is not new to banking. Indeed, it may be said to underlie the entire banking business. Banks have succeeded by assessing and managing credit risk for centuries. What is new, however, is that Basel II explicitly factors operational risk into the calculation of total capital requirements. And it does so with a very important twist: The more effective a bank's operational risk management effort is, the less money it needs to set aside in reserve. That's a powerful, bottom-line incentive to correctly handle operational risk management.
Basel II defines operational risk as "the risk of loss resulting from inadequate or failed internal processes, people or systems, or from external events." One need look no further than recent virus and worm infections to see examples of the operational impacts of failed or insufficient information security controls. And those impacts were relatively mild compared to what they could have been. This positions information security controls as one of the foundation stones of operational risk management.
Basel II proposes three techniques for calculating the amount of capital that a bank must place in reserve as a buffer against operational risk:
Basic Indicator Approach
Like the earlier Basel I Accord of 1988, Basel II allows a bank to use a single indicator (such as 20 percent of its average annual gross income) to determine its capital charge. There are no qualifying criteria associated with this approach, and little change to current practices is called for. In general, only small banks are expected to use this basic approach.
Standardized Approach
A bank that follows this approach must calculate a capital requirement using a risk indicator (such as annual average assets or gross income) for each one of its business lines. The savings in reserve charges, compared with the Basic Indicator Approach's across-the-board 20 percent figure, could be large. (And the incentive for banks to move from the Basic Indicator Approach to the Standardized Approach couldn't be clearer.) As a condition for using this approach, banks must meet the following criteria:
- Demonstrate that an operational risk management system is in place.
- Systematically track relevant operational risk data including material losses by business line.
- Regularly report operational risk exposures, including material operational losses, to business unit management, senior management, and the board of directors.
- Have a process in place for ensuring compliance with a documented set of internal policies, controls, and procedures concerning the operational risk management system.
- Subject their operational risk management processes and assessment systems to validation and regular independent review.
Advanced Measurement Approaches (AMA)
Of the three approaches available for calculating operational risk, the AMA is likely to have the most appeal because of its flexibility and the amount of self-discipline it provides. In the words of the Basel Committee, "in the AMA, banks may use their own method for assessing their exposure to operational risk, so long as it is sufficiently comprehensive and systematic." As Aberdeen Group has observed, "Moving beyond the averaging of the other methods, the bank is allowed to collect the history of its losses, analyze it, and use multiple risk factors to derive a probability of loss."
Use of the AMA is subject to supervisory approval, and banks need to classify transaction incidents according to their impact on business. Recognizing the rapid evolution in operational risk management practices, however, the Basel Committee has stated it "is prepared to provide banks with an unprecedented amount of flexibility to develop an approach to calculate operational risk capital that they believe is consistent with their mix of activities and underlying risks."
In general, banks must first integrate an internal risk measurement methodology directly into their day-to-day operational procedures and major decision-making processes. But the bottom line here is clear: With the AMA, banks can use their own internal loss data to demonstrate to regulators that they should qualify for reduced capital reserves. While many of the details surrounding the AMA are still being worked out, you can count on this to be an area of paramount interest to upper management.
Information security and operational risk
Information security is underappreciated as an operational risk management tool. At the same time, Basel II represents a real opportunity for information security to help financial institutions reduce their operational risk -- and thereby positively impact their bottom line.
Information is critical to the operation of every financial institution.
- If the confidentiality of sensitive or private information is compromised, lawsuits or regulatory sanctions may result in penalties, and violated trust may result in customer flight.
- If the integrity of critical information is corrupted, errors in processing may occur with similar negative consequences.
- If critical information is not available where and when it is needed, important processes may fail completely with similar results.
In all three of the above areas of compromise, recovery costs alone can be major, while the business impacts can range from the annoying to the catastrophic. Managing the security of financial information, particularly when it's in electronic form, must therefore be a central goal in the management of operational risk.
In the context of the Standardized Approach for calculating capital requirements, the bar is set high with respect to the information security program. As we have seen, the bank must demonstrate that a system of information protection controls is in place; systematically track operational losses by business line (and presumably by root cause); and have a process in place for ensuring compliance with a documented set of internal policies, controls, and procedures concerning intended information security controls.
While these are non-trivial challenges for any institution not already doing them, the degree of risk mitigation (and therefore loss reduction) from such a formal, well-organized information security program will be significant.
Arguably the biggest challenge to the information security profession comes under the banner of the AMA. Quantifying all the important dimensions of information risk management is today a largely unsolved problem. But if it can be done, then such a quantitative model will form the basis for highly confident prioritization of security spending on a risk-adjusted basis. Further, it will support very systematic and precise information risk management, which is exactly what Basel II seeks to reward with the lowest capital reserve requirements. That's strong motivation, indeed, to develop such a model.
Creating a 'risk culture'
Central to Basel II compliance -- and to a bank's ability to ultimately drive down its capital requirements -- is the need to create what can be called a "risk culture," one that recognizes there are many consequences for failing to handle information correctly. To this end, the Basel Committee has issued a set of 10 principles aimed at helping financial institutions develop "an appropriate risk management environment."
Fortunately for financial institutions, these principles weren't created in a vacuum. There are clear points of reference between them and international standards and guidelines already in place. Indeed, many of Basel II's operational risk principles can be met through use of the international standard on information security management systems (ISO/IEC 17799), published in December 2000, and the Organization for Economic Cooperation and Development's (OECD) Guidelines on Information Security, published in August 2002.
By assiduously promoting and documenting a risk culture, information security will also help financial institutions navigate today's increasingly volatile environment, in which new and highly complex products proliferate, e-banking transactions are on the rise, and globally integrated systems are in demand. In this environment, banks will face a choice: they must either set aside a large capital reserve associated with operational risk or else demonstrate their ability to measure, monitor, quantify, and mitigate risk themselves. Basel II is unambiguous here: institutions are expected to develop a framework that measures and quantifies operational risk for regulatory capital purposes. And that measurement must include information risk elements as explicit variables.
Moreover, as a wide range of recent legislation shows -- from the Gramm-Leach-Bliley Act to California's Security Breach Information Act to the Sarbanes-Oxley Act -- risk management is steadily gaining in importance, and many industry observers expect that it will become a legal or accounting standards requirement in most countries. It should also be noted here that Basel II doesn't require companies to start from scratch; rather, they can leverage the good work that they have already done with regard to these other regulations.
What this all means for information security professionals is: be prepared. Information security controls are a fundamental part of that risk management process.
Conclusion
While implementation of Basel II is several years away, financial institutions need to proactively plan for it now. According to Gartner, "no matter what the New Accord's final form, institutions that establish responsive, integrated risk management capabilities will achieve a lower cost of capital than less-savvy competitors through increased customer retention, reduction in working capital, and improved credit ratings."
In many ways, Basel II is a wake-up call to financial institutions to come face to face with risk on an enterprise-wide basis. Those that take control of that risk through sound information security controls stand a good chance of significantly reducing their capital reserves -- and prospering in the volatile years ahead.