HEWLETT-PACKARD
Looking at the content of loss databases (historical or current) presents some other problems. There may be too much data, and there may be many events that relate to a single root cause.
Too much data is no better than no data; it is just a different problem. With too much data, prioritising and gaining management and operational attention can be hard if not impossible. With no data, there is a false sense of well-being. Data should only be collected when triggers indicate that a risk is out of bounds. To do this, the whole operational risk management system needs to be designed correctly (which, if it were, would mean the problem would not arise in the first place).
Event correlation with large amounts of data is a headache, but it is often true that many events come from a single root cause; the trick is finding it.
What is the answer?
It has been estimated that the 20 largest banks in the U.S. had operational risk losses in 2001 of US$ 2.5 billion, and that barely twenty percent of banks could be considered as having their operations under tight control. The losses from security breaches are similarly high in spite of huge spending on mitigation solutions: the average annual loss admitted by companies voluntarily responding to the Computer Security Institute review of 2003 is nearly one million dollars.
Given this parlous state of operational risk management and the losses arising from it, and the focus we need to place on the IT infrastructure, it seems that this problem cannot be solved by a single action. Indeed, it will never be solved completely to the point of zero operational loss. All we can do is reduce the complexity of the equation by reducing the number of variables requiring management attention.
We need to recap on the reason for Basel 2: capital adequacy leading to trust. Part of the trust issue is due diligence and part is external trust. There will be banks that have higher capital adequacy than required but that still can't be trusted. The regulator and business partners are looking for the objective and subjective elements that inspire trust. Having a good loss database might not convince the regulator or business partners that operations are under control if, for example, the business continuity plan can't be demonstrated. Inspiring trust is the key issue.
CONTACT INFORMATION
Contact Name: Mr. Alexander de Lange, Mr. Stuart Hotchkiss
E-mail: [email protected], [email protected]
Website: www.hp.com
FEDERATION OF EURO-ASIAN STOCK EXCHANGES YEARBOOK 2003/2004
PAGE 12
Reducing operational complexity would be nice, but it is not an easy or short-term objective; inspiring trust by being able to demonstrate control is. There are control frameworks such as ISO 17799 (best practice for security), BS 7799 Part 2 (security management, including operations) and COBIT (Control Objectives for Information and related Technology) that can provide an objective, externally verifiable and comparable means of demonstrating that some of the elements of operations are under control. Complying with these not only reduces the number of non-controlled variables; it also instils a culture in employees and management that can itself provide benefits.
If we look at directors' responsibilities in more detail, a good starting point is to use the basic principles of operational control and to ask what would convince the regulator that compliance exists. BIS have published a number of reports setting out the principles and best practices of operational risk management. If we look specifically at one applied to e-banking:

Principle 1: The board should establish effective management oversight over the risks associated with banking activities, including the specific accountability, policies and controls to manage these risks.
How can we demonstrate to a regulator that this requirement is met? It can't be met objectively, since the requirement is made subjective by the word 'effective'. If it were shown to the regulator that best efforts had been made to comply with an industry-standard control framework, this would help. If not, then specific things could be shown; for example, show that: