Could you please explain how IT risk fits into operational risk?
There are a few ways to answer this question really. Regulatory-wise, information technology risk is at the very heart of Operational Risk: IT or “system” is a core component of the Basel definition of Operational Risk and is also captured under the Basel event-type categories.
But what is more important is that IT is a main source of operational risks and one of the main root causes not just of operational losses but also of credit and market losses in many cases. At a time when Banking is turning to cloud computing, digitisation and mobile channels for serving customers, IT is becoming the number one risk to include in your operational risk register and taxonomy.
Operational risk management, when implemented correctly, provides a well-defined and all-rounded set of governance processes and tools for managing risks of an operational nature; those same tools should apply to managing IT risk. It would be a mistake to try to create separate tools and taxonomies to deal with IT risk as a distinct and isolated risk area. Reuse of the operational risk framework is a common sense approach that Banks should take when managing their IT risks. What operational risk management functions need to ensure, then, is that they have sufficient skills and expertise to understand information technology risks and keep track of risk resulting from emerging technologies.
Managing IT risks is sometimes confused with the management of information security risks. What is fundamental to understand is that the IT risk landscape is more than that; it also includes the business risk of using IT. For example, the use of IT or the lack thereof (i.e. lack of automation) is directly related to ineffective business processes and inefficiency in customer service, which is an often neglected but fundamental component of operational risk management. Other key risks directly affecting the business value derived from IT or adversely affecting the achievement of business objectives include: project delivery failures, misalignment between business objectives and IT expenditure, obsolete or inflexible systems, problems with IT service delivery, insufficient IT recovery mechanisms, non-compliance with IT regulatory requirements and mismanagement of IT vendor relationships.
 
Please define the three lines of defence model and the importance of each line.
The three lines of defence is a very basic and powerful statement of good risk governance, risk ownership, accountability and independence. It’s about engaging the front-line people, the business owners, to also take ownership of their risks, while also identifying the need to have a separate risk management function and an independent audit function. Basic principles really, yet applying them is not such an easy task, especially as far as the 1st and 2nd lines go.
Interpretation and implementation of the three lines of defence will vary between financial institutions, and this is acknowledged by the Basel Committee in its 2011 “Principles for the Sound Management of Operational Risk”. For example, does the Financial Control, Procurement, Legal or Organisation department sit within the 1st or the 2nd line of defence? Do people who carry out reconciliations or valuations form part of the 2nd line of defence?
We should try and simplify things really: the 1st line of defence is in my view everyone in the organisation other than control functions, i.e. risk management, information security and compliance, and of course internal audit. The 1st line is “the business” and I am including here the front-line people, the people in the back office and operations, but also the people who design the processes, as well as those who build and deploy the systems. These are the people who are primarily responsible for managing risks since they are the ones directly involved with the processes, systems and data that generate those risks or that are affected by the risks. They should be able to comprehend the business impact of risks better than anyone else and, since they are also the experts regarding their systems, processes and data, they are best placed to suggest and design effective mitigating controls.
The 3rd line of defence is of course the audit function, whose independence is its most important characteristic. This is the function that reviews how well the 1st and 2nd lines are applying good risk management principles and also independently verifies the maturity of controls.
I left the 2nd line of defence for last because in my view this is where the challenge of implementing the model well lies. The risk people need to design the appropriate tools to enable practical application of the concepts by the business people, whose priorities are inherently elsewhere. They need to convince business people and the executive management of the importance of good governance and act as the moderator when things derail. At the same time, they have a huge challenge – often viewed as one of the fundamental problems of the three lines of defence model – to engage with the 1st line of defence but not to the degree of being too embedded with the business or doing too much for them. That would bear the risk (no pun intended) of crossing the line of independence and starting to adopt views that are typically those of the risk taking units. On the other hand, risk people should not be too far removed from the 1st line and too close to the 3rd line, because that would limit their value.
 
How can the defence model increase/optimise risk culture within an organisation?
We need to be careful to acknowledge that the three lines of defence model is just that: a model; we shouldn’t spend too much time formalizing the duties of each line, specifying what function goes where, making it too prescriptive and drawing fancy organisational diagrams. We shouldn’t, for example, attempt to build an army of people at the first line of defence to carry out risk identification and mitigation, or separate those who do reconciliations or value securities from the rest of the department personnel who naturally sit in the 1st line. If we do that we are missing the point and are just creating another meaningless layer of defence, with the end result that we end up having too many layers (not just three!).
We need to also acknowledge that the first line, i.e. the business, will always have a fundamental/inherent conflict in that they are typically rewarded for taking risks and making profit, not managing the risks. But then again good risk management is not about eliminating the very risks that drive profit but rather finding ways to balance and manage them. Once we accept that, we can capitalize on it and make sure that through the three lines of defence concept we embed the right culture so that risk management becomes part of the everyday tasks of everyone in the organisation.
At the end of the day the business must understand that we are talking about their processes, their systems, their customer data and their enterprise information – the very ones that drive their business and profits. They should be the first to worry that the risks they are facing are disproportionate to the profits they are making, and they thus need to own the risk. They are after all – or they need to be – the ones who should sign the cheques to pay for the losses and to fix things. This is at the heart of the lines of defence model and the key driver to change the risk culture of the organisation.
One of the key aspects of success that’s often neglected is to engage senior management and make them both pay attention and properly understand the use of tools that support the three lines of defence model, such as the risk control self-assessments (RCSAs), incident recording and analysis, and KRI monitoring.
 
What are the elements to consider when evaluating and responding to cyber risks? 
According to an increasing number of analysts and industry reports, this is the one type of IT risk that could cause a bank to fail. While that view might not be shared by all practitioners, cyber risk is acknowledged as a major threat to Banking institutions. It is clear to me that cyber risk is one of the key risks, alongside conduct-related risks, that should be part of the operational risk adverse scenario analysis captured under a financial institution’s ICAAP.
Banks need to consider how to build a multi-level defence model against cyber risks in order to effectively manage them; technical / infrastructure perimeter controls are just not enough. Cyber criminals are targeting human vulnerabilities maybe more so than they are targeting technical ones and, although millions are being spent on technology controls, often very little is spent on awareness training and cultural changes. In fact, when talking about cyber risk, we should not just think of hacking of the Bank’s computer systems; human error, lapses of judgement or misguided employees could often be the single biggest cause of cyber security breaches. A strong continuous education and awareness program would be a key element to consider when assessing your response to cyber risks.
Application of your already established operational risk management frameworks is also key to ensuring a consistent approach to addressing cyber risks, and within that scope strong collaboration between operational risk management and information security people is also warranted; for example, traditional operational risk tools such as the RCSA could be leveraged to become CRCSAs (cyber risk control self-assessments) in order to dig deeper into the business vulnerabilities with a focus on cyber risk and identify their likelihood and potential impacts.
Talking about the impact of cyber attacks, a common challenge faced by financial institutions is the lack of incident response plans and appropriate response structures, or the fact that such mechanisms are untested, to respond to and contain the damage of a successful cyber attack. Banks need a flexible and tested incident and crisis management plan to react quickly to cyber incidents. Such plans, as well as the banks’ overall business continuity plans, need to become simpler and shorter to enable their rapid implementation if needed. Otherwise they just become bibles that take space on shelves and collect dust. As part of these response plans organisations need to maintain appropriate communications plans to manage reputational risks and inform their customers swiftly and with transparency; this could often be the factor that separates a successful from an unsuccessful response to an incident.
Technology controls should also focus on containment and not just prevention; if an attacker does get in, how do we keep them from digging deeper through our systems to obtain more information? 
The nature and potential scale of a cyber risk impact is leading many institutions to establish appropriate risk transfer mechanisms in the form of a cyber liability insurance that would complement their existing bankers’ blanket bond, computer crime, civil liability and D&O insurance policies. Cyber insurance usually covers the cost of post-breach response of the institution such as IT forensics, legal costs, data restoration, public relations and customer notifications. 
Linked to the three lines of defence model, this is a practical example of where you want your front line units involved to take ownership and accountability. Know your Customer, Know your Supplier & Know your Collaborators controls are key against cyber fraud attacks as well, and need to be enhanced so that the Banks actually know who they are dealing with and not just tick the boxes.
Finally, you need your Board of Directors to understand IT and Cyber risks, ask the right questions and set the appropriate direction and priority.
 
What would you like to achieve by attending the 4th Edition IT Risk Management in the Financial Sector?
This is a good opportunity to discuss practical approaches and methods for understanding and managing the ever demanding area of IT risk. We are living in the era of fintech, cloud computing, big data, agile computing, banking channel digitization and mobile banking; in the era of PSD2 with all its changes pointing to a very different and very challenging digital banking model. This is probably the first time in the history of banking when regulatory guidance is lagging behind new technological trends that financial institutions are eager or pushed to deploy in order to stay competitive.
It is thus not just “nice to have”, but rather it is required to follow trends on managing IT risk and on how to best integrate IT risk management into your existing risk management practices. I am looking forward to the insights that industry leaders have to share on this.

 

As cyber risk is ever-evolving and ever-changing, this is a major issue: the technologies and the defence barriers that allow for the transition to safer and more secure networks need to be revised. By integrating new technologies with the correct risk measures, the task of decoding the regulations set by prudential authorities should be simpler and will enable institutions to decide which defences suit them best. In a world where technology is fast paced and is becoming the central hub of all institutions and industries, implementing robust risk management strategies and frameworks enables financial institutions to understand what the controls are and what the best way to execute them is.
 
Ahead of the 4th Edition IT Risk Management in the Financial Sector, we spoke with Dr. Nicodemos Damianou, Manager of Group Operational Risk and Data Governance at the Bank of Cyprus about the relationship between IT Risk and Operational Risk, the three lines of defence model and cyber risks.
 

 

Key Topics:
  • Build a robust risk management model for IT risk in line with the best in the industry
  • Understand what the latest expectations and requirements are from regulators across Europe
  • Manage the technology risk stemming from major change projects within financial institutions
  • Gain awareness of the latest cyber risk threats and what can be done to prevent these

 

About the conference:

This marcus evans event will provide IT risk professionals with the information on the models being used by their peers to best manage IT risk and ensure forward looking risk management methodologies, in addition to spotlighting current challenges like cyber risk and increased regulatory engagement. The 4th Edition IT Risk Management in the Financial Sector will take place from the 20th to 21st of February 2017 at the Hilton Canary Wharf, London, United Kingdom.

 

Copyright © 2016 Marcus Evans. All rights reserved.

Previous Attendees Include
  • Aldemore
  • Bank of England
  • Barclays
  • BlackRock
  • Citi
  • Commerzbank AG
  • Credit Suisse
  • Danske Bank
  • European Commission
  • FCA
  • Financial Conduct Authority
  • Nordea
  • PWC
  • State Street
  • The Goldman Sachs Group
  • UniCredit S.P.A.

About the speaker:

Nicodemos Damianou works for the Bank of Cyprus as Manager of Group Operational Risk and Data Governance, where he is responsible for developing and maintaining the operational risk management framework and establishing the tools and mechanisms needed to enable effective management of operational risks across the business units of the organisation. He is also responsible for maintaining the framework for managing fraud risks, maintaining the business resiliency and insurance mitigation capabilities of the Bank, and managing reputational and conduct risks. He leads the data governance practice of the Bank, ensuring that the bank units manage their data and cater for their data quality within established governance processes. Nicodemos has extensive experience with internal control systems, including 12 years of combined experience in internal audit and information technology audit, and has a strong background in information security. He holds an ScB from Brown University, Providence RI (USA), a PhD in the area of information security management from Imperial College London and an MBA from the University of Cyprus. He is certified in risk and information systems control (CRISC) and is a member of ISACA.

 

CYBER RISKS & BEST PRACTICES OF DEFENCE INTEGRATION

An interview with the Manager of Group Operational Risk and Data Governance at the Bank of Cyprus

Nicodemos Damianou, Manager of Group Operational Risk and Data Governance, Bank of Cyprus

Expert Speaker Panel includes:
  • Russell Day, EMEA Head of IT Audit, Goldman Sachs
  • Thomas Lawson, Global Head of Information Risk Management, Barclays Wealth
  • Amy-Anne Lea, Head of EMEA Operations and Technology Risk, Citi
  • Johan Kestens, CIO, ING
  • Nassos Oikonomopoulos, Head of EMEA IT Risk and Compliance Advisory, State Street
  • Priyesh Prasad, Director, IT Risk Management, BNY Mellon
  • Nicodemos Damianou, Manager Operational Risk and Data Governance, Bank of Cyprus
  • Luis Bernardi, Senior IT Audit Manager, Willis Gras Savoye France

Learn from practical case studies:
  • Goldman Sachs discuss the importance of the third line of defence and what integration means for IT Risk management
  • ING reconsider the option of outsourcing as well as the impacts on data protection
  • HSBC and State Street establish the importance of different methods of integrating first and second lines of defence
  • Barclays Wealth assess how banks can operate the same way globally and correctly without local restraints

 
