© Copyright IBM Corporation 2004 June 2004 Copyright © IBM Corp. 2006 IBM Banking Industry The transition to active and predictive enterprise-wide risk

© Copyright IBM Corporation 2004June 2004

Copyright © IBM Corp. 2006

IBM Banking Industry

The transition to active and predictive enterprise-wide risk management, monitoring & control

Jonathan Rosenoer

© Copyright IBM Corporation 20052

Where there is no risk, there is no reward



Realized risk• ATM software error inflates 800 customer balances by sum of $763.9B• $4M sell order executed as $4B: all but $622M orders are cancelled; Dow falls 2%• Los Angeles County pension fund loses $1.2B over 20 yrs due to programming error• $125 million Mars orbiter lost because an engineering team used English units of measurement instead of metric system for key

spacecraft operation

• Half of Norway’s banks driven offline after organization running computer services wipes out data warehouse instead of initializing 280 new disks

• 22-state EFT/ATM network disabled when tropical storm floods main and backup power systems

• 28 hour mainframe failure causes bank to borrow $20B to manage sale of securities, at an interest cost of $4M• Volkswagen loses $260M due to computer-based foreign exchange fraud

• U.S. Treasury issues $160 million in securities to online purchaser before realizing he had no funds. The transaction was reversed and purchaser arrested after attempting to steal $1.3 billion more five days later.

• High tech crime team gains access to Sumitomo, London, computer systems and attempts to electronically transfer €317M to ten bank accounts around the world. Police subsequently warned financial institutions to be on alert for key-loggers.

• India BPO call center employees obtained PINs from 4 New York Citigroup account holders and used SWIFT to transfer more than $350K to their own accounts

• Vendor of computer database of 19 billion public records, including Social Security numbers and credit reports, discloses that personal data on about 145,000 people may have been stolen.

• Bank loses back-up tapes containing information on the customers and accounts of the U.S. government's SmartPay charge card program, which has more than 2.1 million members and annual transactions totaling more than $21 billion.

“Mathematically chaos is associated with a nonlinear relationship between inputs and outputs. Software is worse than chaotic; the output is not just nonlinear, it can actually be a discontinuous function because it is built on logic gates.”


Risk can have severe impacts if not properly managedCitigroup (3/2005)

- Federal Reserve bars major acquisitions until compliance problems are resolved.Adecco (1/2004)

- Shares close down 35% following announcement of "material weaknesses in internal controls in the company's North American operations"

Parmalat (12/2003)- Parmalat files for bankruptcy after Bank of America verifies forgery of a document purporting to

certify that €3.9bn of securities and cash were held in a company account. The company had a market value of €1.8bn before the crisis broke.

Food company (9/1999)- Reported 19% drop in 3rd quarter net earnings due to “computer problems” result in one day 8%

drop in stock price “Analysts didn't fully trust [company]'s ability to deliver [product] until the following fall, when

things had long been back to normal.” Leading e-auction site (6/1999)

- 22 hour site outage causes loss of $4 million in fees and $5 billion drop in market capitalizationWest coast bank (1996)

- Following hostile takeover of another bank, “[c]ustomers left in droves amid computer and processing snafus that included misplaced deposits.” News reports and analysts call merger a bust, and acquirer is acquired.

Review of 100 companies that disclosed internal control problems in 2004 shows most saw their stock prices fall around 5-10% immediately afterward.

Wall St.J., Nov. 3, 2004

Review of 100 companies that disclosed internal control problems in 2004 shows most saw their stock prices fall around 5-10% immediately afterward.

Wall St.J., Nov. 3, 2004

Poorly-governed firms have lower operating performance, lower valuations, and pay out less cash to their shareholders, while better-governed firms have higher operating performance, higher valuations, and pay out more cash to their shareholders.

Georgia State U., Corporate Governance and Firm Performance, Dec. 7, 2004

Poorly-governed firms have lower operating performance, lower valuations, and pay out less cash to their shareholders, while better-governed firms have higher operating performance, higher valuations, and pay out more cash to their shareholders.

Georgia State U., Corporate Governance and Firm Performance, Dec. 7, 2004


After 120 days, the decline in shareholder value ballooned to 12x the financial loss


Agenda

Risk and business Transitioning through risk-based supervision to ERM Operational Risk quantification and modeling Creating a Risk Early Warning / Command Control system


Industrial Age regulation has rusted and given way

Static focus Highly prescriptive and rules-based Compliance siloed; risks stand alone Compliance functions typically low level

and dispersed throughout organizations Focus on discrete violations and

correction Government relied upon to prevent and

absorb major risks

Inflexible and unable to keep up with increasing complexity driven by new technologies

Capital ratios less meaningful Incentives to “game the system” Unable to ensure safety and

soundness Interdependencies not adequately

assessed Lack of transparency / linkage

between standard core bank and external market impacts on core operations (e.g., asset backed securities, Credit Default Obligations)

Highly labor intensive and slow Metrics, data and accepted standards

lacking

Traditional systems failed to prevent Barings, BCCI, Enron, LTCM, Parmalat & WorldComTraditional systems failed to prevent Barings, BCCI, Enron, LTCM, Parmalat & WorldCom

Traditional Regulatory Regimes Shortcomings


Regulators are raising the bar with Risk Based Supervision

“A deluge of holistic regulatory mandates, including the USA PATRIOT Act, Basel II, and Sarbanes-Oxley, has reinforced the profile of [Enterprise Risk Management] and compliance both internally with financial services executives and externally with regulators, shareholders, auditors, customers, and solution providers.

In addition, a flurry of new accounting standards introduced by the Financial Accounting Standards Board (FASB) and other accounting bodies in Europe and the rest of the world are triggering major headaches in financial services firms’ financial control and IT departments.

What makes these regulatory mandates so complex is not just the necessary technology investment that must logically occur but also that they demand a transformation of the risk and compliance culture.

The holistic requirements of these new regulations demand involvement across many different business lines and product dimensions, which most firms aren’t organizationally or culturally set up to do.”

V. Garcia, The Avant-Garde of Enterprise Risk Management in Financial Services: From Vision to Value, TowerGroup, Aug. 2004

“Large banks assume varied and complex risks that warrant a risk-oriented supervisory approach. Under this approach, examiners do not attempt to restrict risk-taking but rather determine whether banks identify, understand, and control the risks they assume.”

Large Bank Supervision, Comptroller’s Handbook (May 2001)

“Large banks assume varied and complex risks that warrant a risk-oriented supervisory approach. Under this approach, examiners do not attempt to restrict risk-taking but rather determine whether banks identify, understand, and control the risks they assume.”

Large Bank Supervision, Comptroller’s Handbook (May 2001)


Information technology is a core regulatory focus

“Prior to the 1990s, the predominant threats to computer security of financial institutions (besides errors and omissions) were physical and environmental, including insider attacks, fire and water damage, theft, and physical damage. …

Recent advances in computer hardware, software, and communications technologies have made these infrastructures highly automated and capable. While technological advances have promoted greater efficiency and improved service, they have also made these infrastructures potentially more vulnerable to disruption or incapacitation by a wide range of physical or computer-based (cyber) threats. The infrastructures are much more interdependent than in the past, with the result that the debilitation or destruction of one could have cascading destructive effects on others. Electronic transactions within the financial services infrastructure underpin the entire national economy, as well as the operations of the other infrastructure sectors.”

OCC 99-9 (March 9, 1999)


The result: an interlocking system of risk management

Control evaluation

(SOX)

Operational Risk(Basel II)

Security

Outsourcing

Privacy

Business Continuity Planning

Active risk assessment & management


SOX: ensure strong internal controls and improve disclosure

Section 302: CEO and CFO personally certify accuracy of financial statements and efficacy of internal disclosure controls

Section 404: Annual assessment of effectiveness of internal controls in financial reporting and attestation from external auditors that controls are effective

Section 409: Disclosure of material events: public companies obliged to disclose "on a rapid and current basis such additional information concerning material changes in the financial condition or operations of the issuer”

Related: - Federal Deposit Insurance Corporation Improvement Act (FDICIA)

FDICIA 112 requires that management report annually on the quality of internal controls and that the outside auditors attest to that control evaluation.

Sec. 39 of the FDI Act: “An institution should have internal controls and information systems that are appropriate to the size of the institution and the nature, scope and risk of its activities….” (12 CFR Part 208 App. D-1)

- COBIT: Control Objectives for Information and related Technology- COSO Enterprise Risk Management Framework

Sarbanes-Oxley (SOX)

"What were the underlying deficiencies in the internal control processes of these companies [Enron, Worldcom, and HealthSouth] that rendered their governance practices ineffective?"

FRB Governor Susan Schmidt Bies, May 7, 2003

"What were the underlying deficiencies in the internal control processes of these companies [Enron, Worldcom, and HealthSouth] that rendered their governance practices ineffective?"

FRB Governor Susan Schmidt Bies, May 7, 2003


The leading market response provides no metrics, benchmarks, best practices, KRIs, predictive power, or active risk assessment or management capabilities

Control Activities

Policies/procedures that ensure management directives are carried out.

Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.

Monitoring

Assessment of a control system’s performance over time.

Combination of ongoing and separate evaluation.

Management and supervisory activities.

Internal audit activities.

Control Environment

Sets tone of organization- influencing control awareness of its people.

Factors include integrity, ethical values, competence, authority, responsibility.

Foundation for all components of control.

Information and Communication

Pertinent information identified, captured and communicated in a timely manner.

Access to internal and externally generated information.

Flow of information that allows for successful control actions from instructions on responsibilities to summary of findings for

management action.

Risk Assessment

Risk assessment is the identification and analysis of relevant risks to achieving the entity’s objectives-forming the basis for determining control activities.

All five components must be in place for a control to be effective.

“[T]he COSO approach to risk assessment will tell you your risk is very high in areas where you have no risk, and will also tell you that you have moderate risk in the very area your risk is of the highest order. Simply stated, COSO produces both false positives and false negatives.”

A. Samad-Khan, “Why COSO is flawed,” Operational Risk, Jan. 2005

The COSO Framework


SOX: the path to ERM is under construction

Source: COSO Enterprise Risk Management Framework Exposure Draft


OpRisk: assess and manage

Basel II / ANPR 7/03- Pillar 1: minimum regulatory capital charge for Operational Risk- Pillar 2: under supervisory review process, covered bank to establish systems to identify, measure, monitor and control the risks it faces

and maintain capital accordingly Advanced Measurement Approach

- Collect historical internal loss data (minimum 5yr. period)- Report loss data to regulators, including data on:

Internal fraud- Unauthorized activity- Theft & fraud

Clients, products and business practices- Money laundering

External fraud- Systems security

Hacking damage Theft of information

Business disruption & system failure Execution, delivery & process management

- Transaction capture, execution & maintenance- Vendors and suppliers

Outsourcing Vendor disputes

Related: - Supervised Investment Bank Holding Companies (Proposed Rule)

Risk reports (monthly and other) to be filed with SEC- OCC 98-3 Technology Risk Management

When contemplating and implementing uses of technology, bank management should engage in a rigorous analytic process to identify and quantify risks, to the extent possible, and to establish risk controls to manage risk exposures.

- EU CAD3 is a new Capital Adequacy Directive, CAD3, that will overwrite the existing rules and to extend the Basel scope to all credit institutions and investment firms.

OpRisk


Business Continuity Planning: process orientation

FFIEC, Business Continuity Planning Booklet (3/03)- Financial institutions encouraged to adopt a process-oriented approach to business continuity planning that

involves: 1. Business impact analysis (BIA); 2. Risk assessment; 3. Risk management; and 4. Risk monitoring.

Interagency White Paper on Sound Practices to Strengthen the Resilience of the U. S. Financial System (April 11, 2003)- Geographic diversity

“The agencies expect that, as technology and business processes supporting back-up arrangements continue to improve and become increasingly cost effective, firms will take advantage of these developments to increase the geographic diversification of their back-up sites.

“Core clearing and settlement organizations should continue their accelerated efforts to develop, approve, and implement plans that substantially achieve the sound practices by the end of 2004.”- “Plans should provide for back-up facilities that are well outside of the current synchronous range that can meet the within-

the-business-day recovery targets.”- Recovery time objectives

Core clearing and settlement organizations to recover and resume within the business day- Overall goal of 2 hours after the event

Firms that play a significant role in financial markets to recover within the business day- Overall goal of 4 hours after the event

Related- NASD Rule 3500 Series: requires members to establish emergency preparedness plans and procedures

BCP


Outsourcing: equivalent controls

FFIEC, Outsourcing Technology Services (IT Examination Handbook June 2004) - Management is responsible for managing risk in all outsourcing relationships- Outsourced relationships should be subject to the same risk management, security, privacy, and other policies that would

be expected if the financial institution were conducting the activities in-house.- Management should consider SLAs to address the following issues:

Availability and timeliness of services; Confidentiality and integrity of data; Change control; Security standards compliance, including vulnerability and penetration management; Business continuity compliance; and Help desk support.

- To help ensure financial institutions operate in a safe and sound manner, the services performed by technology service providers are subject to regulation and examination.

The federal financial regulators have the statutory authority to supervise all of the activities and records of the financial institution whether performed or maintained by the institution or by a third party on or off of the premises of the financial institution.

FFIEC, Supervision of Technology Service Providers (IT Examination Handbook March 2003)- Examiners should consider the following factors in evaluating the quality of transaction/operational risk:

The quality of the Technology Service Provider (TSP) policies; The adequacy of the TSP’s control and operational processes; The extent of the TSP’s technical and managerial expertise; Directorate oversight; and The timeliness and completeness of management information systems that are used to measure performance, make

decisions about risk, and assess the effectiveness of processes

Outsourcing


Outsourcing: equivalent controls, cont.

Bank Service Company Act, Section 7(c)(2)- Any FDIC-supervised institution that has services performed by a third party "shall notify such agency of the

existence of the service relationship within 30 days after the making of such service contract or the performance of the service, whichever occurs first."

Related: - Basel Comm. (Joint Forum), Outsourcing in Financial Services, February 2005- FDIC, Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks,

June 2004- Committee of European Banking Supervisors, Consultation Paper on High Level Principles on Outsourcing, CP

02, April 2004- Monetary Authority of Singapore, Public Consultation: Guidelines on Outsourcing, P002 - 2004, March 2004- OCC Bulletin 2002-16, Bank Use of Foreign-Based Third-Party Service Providers (May 2002)- §25a (2) of the KWG (German Banking Act) and associated circular 11/2001

Outsourcing


Security: AML and Anti-Terrorist Financing

Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (US PATRIOT) Act of 2001. - Adoption of regulations setting forth minimum standards for “financial institutions” regarding the

identification and verification of customers in connection with the opening of accounts. (Section 326)

- The establishment of anti-money laundering programs by “financial institutions” by April 24, 2002, unless exempted by the Secretary of the Treasury. At a minimum, these programs are to include: 1. The development of internal policies, procedures and controls; 2. The designation of a compliance officer; 3. An ongoing employee training program; and 4. An independent audit function to test programs. (Section 352)

- Regulations requiring SEC-registered brokers and dealers to submit suspicious activity reports. (Section 356(a)).

Related: - Money Laundering Control Act and the Bank Secrecy Act (BSA) - 1996 Antiterrorism and Effective Death Penalty Act- Executive Order 13224

Security


Security: General

12 CFR part 21- Within 30 days after the opening of a new bank, the Bank's board of directors shall designate a security officer

OCC Alert 2000-1, Internet Security: Distributed Denial of Service Attacks- Management can reduce a bank’s risk exposure by adopting and regularly reviewing its risk assessment plan,

risk mitigation controls, intrusion response policies and procedures, and testing processes. OCC Bulletin 2000-14, Infrastructure Risks – Intrusion Threats

- The OCC encourages management to participate in information-sharing mechanisms as part of an effort to detect and respond to intrusions and vulnerabilities.

- National banks are required to report intrusions and other computer crimes to the OCC and law enforcement by filing a Suspicious Activity Report (SAR) form and submitting it to the Financial Crimes Enforcement Network (FinCEN), in accordance with 12 USC 21.11.

- The first step in managing the risks of intrusions is to assess the effects that intrusions could have on the institution. Effects may include direct dollar loss, damaged reputation, improper disclosure, lawsuits, or regulatory sanctions.

OCC 99-9, Infrastructure Threats from Cyber-Terrorists- Any intrusion, attempted intrusion, or suspicious activity should be immediately reported to a central source

(compliance officer, auditor, etc.) for disposition regarding the action the bank should take, and whether a Suspicious Activity Report should be filed.

Related: - OCC Bulletin 98-38, Technology Risk Management: PC Banking- FFIEC, E-Banking (IT Examination Handbook August 2003)- ISO 17799; NIST 800-30; British Standard BS7799-2

Security


Privacy

GLBA- § 501(a): Each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and

to protect the security and confidentiality of those customers' nonpublic personal information

Interagency Safeguards for Protecting Customer Information (21 CFR part 30 et al, Implementing GLBA):- A financial institution is required to take appropriate steps to protect customer information provided to a service provider.- When outsourcing is used, the financial institution continues to bear responsibility for safeguarding customer

information

Federal Banking Agencies (FBAs) guidelines implementing § 501(b) (12 CFR 364.101, App. B ¶ III.D.)- Each financial institution shall:

(1) exercise appropriate due diligence in selecting service providers; (2) require them by contract to implement appropriate measures designed to meet the objectives of the Guidelines; and (3) where indicated based upon the institution's risk assessment, monitor the service providers to confirm that they implement the

procedures required by the Guidelines.

Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks (FDIC)- "For each form of offshoring (captive, joint venture, direct third party, and indirect third party) nothing precludes the

offshore transfer of customer data by a financial institution or one of its service providers.“

Related:- California Security Breach Law (aka Bill 1386)

Notify CA resident of any security breach, or use encryption

- Fair and Accurate Credit Transactions Act of 2003

Privacy


What is needed:

Governance: commitment and oversight Organization, management and accountability Threat analysis, risk assessment and control evaluation Process mapping KRI identification Workflow Risk data management Common risk language Risk quantification Transparency Active risk monitoring and management Change management Record retention Testing and improvement Business continuity (vs. disaster recovery) Education and training Compliance reporting New technology for improved controls Risk management maturity process

“A unified view of risk is needed.”


“A unified view of risk is needed.”



Resiliency

The ability of an enterprise to sense and respondsense and respond

to any internal or external adverse, fast changing or unexpected condition, as well as opportunities,

in order to maintain continuous business operations,

be a more trusted partner, and enable growth.


Why hasn’t this been done before?

$1

$10

$100

$1,000

1994 1996 1998 2000 2002 20040.1

1

10

100

Aggregate Cost ($/GB) Aggregate Avg. Capacity (GB)

Source: IDB PLD2004.3Q.1

Increased connectivityData can be routed across heterogeneous applications and platforms

Source: IDB PLD2004.3Q.1

Increased storage capacityEvent and audit records can be collected for analysis

Increased computing powerProcessing power is no longer a barrier


Monitoring mortgage processing for transaction health (not simply IT performance issues), business impact, and applying best solutions

Business Process

IT Systems Topology

Customer

Loan Processing

Credit Approval

Property Appraisals

Loan Underwriting

Save Loan in Database and create Customer record in

Siebel

Send Processing Results to user

Get Loan Status and options

Retrieve Property Appraisal

Retrieve Credit Report

Place Loan in QueueGet Loan from

Queue

Submit Loan Application

Select loan program

Process Loan Underwriting

Approval

Save Selected Loan in Database

Determine Applicant Payment History

Determine Credit Risk

Illustration


Monitoring mortgage processing for transaction health (not simply IT performance issues), business impact, and applying best solutions

Impacted Impacted Business AreaBusiness Area

Channel SLA Channel SLA Impact Impact

AnalysisAnalysisProfit/Loss Profit/Loss Inventory Inventory

ImpactImpact

Magnitude of Magnitude of ImpactImpact

Customer Customer Impact AnalysisImpact Analysis

Advanced Business Transaction Monitoring software feeds runtime event data on in-flight transactions to analysis/correlation system and policy-based rules engine, which invokes best practice solution, autonomics, and other proactive failure management (e.g., prioritizing and redirecting high value transactions)

Illustration


Thank You!

ibm.com/industries/financialservices

Global Risk OfficerGlobal Banking Risk & Compliance Solutions ExecutiveJonathan Rosenoer – 415.762.2798 - [email protected]

IBM Financial Services Sector

Documents

© Copyright IBM Corporation 2004 June 2004 Copyright © IBM Corp. 2006 IBM Banking Industry The transition to active and predictive enterprise-wide risk