IT Operational Risks - Basel II


8/2/2019 IT Operational Risks - Basel II

1/10

Date: College of Agricultural Banking, RBI, PUNE

Programme on Designing Information Systems for Business & Basel II

June 18-21, 2007

    IT Risk Management for Basel II

V G Sekar, DGM & Member of Faculty

    CAB, RBI


Operational Risk: An intro

Basel II definition of Operational Risk: the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.

The definition includes legal risk, but excludes strategic and reputational risk.

To assess the amount of operational risk, banks may use one of three alternative approaches: BIA (Basic Indicator Approach), STA (Standardised Approach) or AMA (Advanced Measurement Approach).


Operational Risk Management Framework

Framework components:
- Risk Strategy
- Organisational Structure
- Reporting
- Information Technology

Building Blocks:
- Definitions
- Loss Data
- Risk Assessment
- Key Risk Indicators
- Mitigation
- Capital Modelling


IT-related Risks Identified by Basel II

IT risks:
- Potential to transform risks from manual processing errors to system failure risks
- Growth of e-commerce brings with it potential risks
- Viability issues of new or newly integrated systems
- Need for continual maintenance of high-grade internal controls and back-up systems


Operational Risk Events



Guiding Principles for IT Risk Management under Basel II

Basel II principle: There is a need for an operational risk management framework.
IT guidance: IT is a critical component of operational risk.

Basel II principle: Identify and assess operational risk.
IT guidance: IT risk assessment results should be integrated with other risk assessments and incorporated into the GRC framework.

Basel II principle: Regularly monitor operational risk profiles and material exposure to losses.
IT guidance: IT should identify acceptable limits of risk and develop metrics to measure performance against these profiles.

Basel II principle: Develop policies, processes and procedures for managing operational risk.
IT guidance: IT should use GRC frameworks (e.g., COSO) to integrate IT-specific risk within the overall corporate risk management process.

Basel II principle: The operational risk management framework is subject to effective and comprehensive internal audit.
IT guidance: The internal IT audit function should be adequately skilled and staffed in line with the IT risk profile.


Guiding Principles for IT Risk Management under Basel II (contd.)

Basel II principle: Have policies, processes and procedures to control and/or mitigate material operational risks.
IT guidance: IT risk policy and subsidiary procedures.

Basel II principle: Have contingency and business continuity plans.
IT guidance: IT continuity plans and incident response management.

Basel II principle: Conduct regular independent evaluation of a bank's policies, procedures and practices related to operational risk.
IT guidance: IT should document the IT risk profile for the supervisory review process and external audit of IT-related risk management.

Basel II principle: Provide sufficient public disclosure.
IT guidance: IT should identify all relevant risks that constitute a material operational risk in the sense of disclosure as defined by senior management, escalate where necessary to appropriate stakeholders and take corrective action.


Acknowledgements & Further References

    www.bis.org

    www.isaca.org

    www.coso.org

    www.kriex.org


THANK YOU