HEWLETT-PACKARD
• Operational risk assessment workshops and mitigation strategies for IT risks have been held with all stakeholders concerned
• Security awareness and training has been done for senior operational management
• Organisational risk analysis has taken place
• Policy development has been done and is in place
• For major risks, there are mitigation plans, key risk indicators and auditable proof that the plans have worked
• Show that the Business Continuity plan is up to date and worked at the last rehearsal
• Security architecture and IT architecture development work has been done and signed off by the Board
• Security audit of existing and proposed solutions is regularly executed
• Demonstrate use of ITSM (IT Service Management) for data centre processes
For each principle of operational risk management, there are actions that management can use to prove best effort and compliance.
The most basic point to demonstrate is that operational risk assessment is done, and done regularly, and that for each important risk (defined as those risks for which the bank has no appetite) a mitigation plan is in place, key risk indicators are known, accepted and tracked, and demonstrable proof is kept of the success of the mitigation plans.

In this process, it is clear that for the overwhelming majority of operational risk there is no quantitative data, either for the impact or for the probability of occurrence. The only method that can be used is a qualitative judgement method. The best way to do this is to involve many stakeholders in the judgement process – this not only provides many points of view but also can solve the problem of risk appetite. As an example of this problem, if a person is asked whether they accept a risk, they usually refuse – it is only when they are persuaded that the damage is minor that they might accept. For this reason, involving business and senior management in the risk qualification process is critical.
CONCLUSION
Whilst the accords propose that full operational risk management be implemented, there appears to be a greater focus on the loss database area than on the organisational and root cause issues, to the point that presentation of a good loss database would seem to be enough to persuade the regulator. If there is to be any comparability between compliance in different organisations under different regulators, it is important to separate operational risk mitigation and control from compliance to Basel 2 for capital adequacy reporting. The actions required for each are different (though they overlap) and the people required for each are different. Having two separate teams to address each issue is probably a good idea.
Complying with the requirements of Basel 2 for the purposes of convincing the regulatory authorities that capital adequacy provisions are met places more focus on:
• Gathering data and refining its quality
• Managing the data volume (less is more…)
• Assessing the indicators
• Calculating capital adequacy as a percentage of the sum of the risks for a period
• Gaining regulator agreement on the figure
• Storing data in a secure and available way
• Refining operations to ensure that data is captured in the future
• Reporting internally and externally
whereas controlling operational risk should focus mainly on:
• Identifying risks
• Prioritizing risks
• Determining impacts quantitatively and qualitatively
• Determining probabilities
• Putting mitigation plans in place
• Putting controls in place
• Tracking and auditing controls
• Performing regular risk re-assessments and change control
• Reporting directly or indirectly via certification
It would seem to make sense that the accords be very prescriptive on the control side rather than advising subjective compliance to principles. The Basel Accords should be used as an opportunity for a fundamental reassessment of the whole operational infrastructure and control framework; otherwise the statistics for operational losses will continue to worsen.
HP’s suggestion to banks is to avoid an either/or decision about the way forward. Now that the momentum is there to view operational risk as an important parameter of business success, banks should not stop with a formalized documentation of their current risk situation, but use this opportunity and also mitigate the identified risks in a proactive way. HP’s portfolio of services and solutions is created to accompany banks on both routes – Basel 2 compliance and mastering operational risk.
by Stuart Hotchkiss, Lead Security Consultant FSI, HPS Consulting & Integration
contribution by Alexander de Lange, HP Director International Sales-Capital Markets-CEEMEA.
FEDERATION OF EURO-ASIAN STOCK EXCHANGES YEARBOOK 2003/2004