Cyber risk fheili.mohammad

Mohammad Fheili – [email protected]: A Qualitative Assessment of Risks in Electronic Banking… The Cyber Challenge!

Upload: mohammad-fheili

Post on 15-Apr-2017

Category: Technology



Page 1: Cyber risk fheili.mohammad

Mohammad Fheili – [email protected]

A Qualitative Assessment of Risks in Electronic Banking…

The Cyber Challenge!

Page 2: Cyber risk fheili.mohammad

Mohammad Fheili: “Over 30 years of Experience in Banking. [email protected] (961) 3 337175. Risk & Capacity Building Specialist. Trainer in Risk & Compliance. University Lecturer: Economics, Risk, and Banking Operations. Currently serves in the capacity of an Executive (AGM) at JTB Bank in Lebanon. Served as:

• An Economist at ABL,
• Senior Manager at BankMed,
• Senior Manager & Chief Risk Officer at Group Fransabank.

Mohammad received his college education (undergraduate & graduate) at Louisiana State University (LSU), and has been teaching Economics and Finance for over 25 continuous years at reputable universities in the USA (LSU) and Lebanon (LAU).

Finally, Mohammad published over 25 articles, of those many are in refereed Journals (e.g., Journal of Money Laundering & Control; Journal of Operational Risk; Journal of Law & Economics; etc.) and Bulletins.”

Page 3: Cyber risk fheili.mohammad

If You’re Convinced that we have been evolving in that fashion, then the extreme majority of anticipated and undertaken projects are about “AUTOMATION”, or IT in General. Hence the Increasing Demand for Certain Skills. The Absence of Such Technical Skills reflects Negatively on the Success of the Majority of Undertaken Projects, and introduces an element of Risk in Planned Projects.

Page 4: Cyber risk fheili.mohammad

Banking (& Business Transactions) … got complicated

Human Induced Complexity

Page 5: Cyber risk fheili.mohammad

Human Induced Complexity in the Game: Instant Replay!

Page 6: Cyber risk fheili.mohammad

Traditional Banking: People Come First

Modern Banking: Data Come First

The Age of Instant Interconnectivity… a human induced complexity in Banking

Page 7: Cyber risk fheili.mohammad

Survey Says!


Page 9: Cyber risk fheili.mohammad

Disruptive Technological Change

Mobile Internet: Increasingly inexpensive and capable mobile computing devices and Internet connectivity.

Automation of Knowledge Work: Intelligent software systems that can perform knowledge work tasks involving unstructured commands and subtle judgments.

Internet of Things: Networks of low-cost sensors and actuators for data collection, monitoring, decision making, and process optimization.

Cloud Technology: Use of computer hardware and software resources delivered over a network or the Internet, often as a service.

Advanced Robotics: Increasingly capable robots with enhanced senses, dexterity, and intelligence used to automate tasks or augment humans.

Autonomous Vehicles: Vehicles that can navigate and operate with reduced or no human intervention.

Page 10: Cyber risk fheili.mohammad

SmartPhone 2016

Super Computer 1975

Page 11: Cyber risk fheili.mohammad

Disruptive Technological Change … Continues

Next Generation Genomics: Fast, low-cost gene sequencing, advanced big data analytics, and synthetic biology (“writing” DNA).

Energy Storage: Devices or systems that store energy for later use, including batteries.

3D Printing: Additive manufacturing techniques to create objects by printing layers of material based on digital models.

Advanced Materials: Materials designed to have superior characteristics (e.g., strength, weight, conductivity) or functionality.

Advanced Oil & Gas Exploration & Recovery: Exploration and recovery techniques that make extraction of unconventional oil & gas economical.

Renewable Energy: Generation of electricity from renewable sources with reduced harmful climate impact.


Page 17: Cyber risk fheili.mohammad

Rising Cyber-Risks

Page 18: Cyber risk fheili.mohammad

In 2015, 38% more security incidents were detected than in 2014.

Theft of “hard” intellectual property increased 56% in 2015.

While staff remains the most cited source of compromise, incidents attributed to business partners climbed 22%.

Source: Global State of Information Security Survey, March 2016

Page 19: Cyber risk fheili.mohammad

Sources of Security Incidents (2014 vs. 2015)

Current Employees: 35% (2014), 34% (2015)

Former Employees: 30% (2014), 29% (2015)

Current Service Providers/Consultants/Contractors: 18% (2014), 22% (2015)

Former Service Providers/Consultants/Contractors: 15% (2014), 19% (2015)

Suppliers / Partners: 13% (2014), 16% (2015)

Source: Global State of Information Security Survey, March 2016

Page 20: Cyber risk fheili.mohammad

Implicate the Employee Or Eradicate the Business

Page 21: Cyber risk fheili.mohammad

The NOT so visible Argument that we often forget

Knowledge: Formal + Self-Acquired

Skills: Technical + Soft

Abilities: To Perform & Excel And Grow

(Knowledge + Skills) × (Attitude) = Abilities

Human Capital Accumulation = ∑ Abilities

Page 22: Cyber risk fheili.mohammad

Skill Marketability

Loyalty To The Organization

Loyalty To One’s Profession

Skill Marketability Reflects Favorably On The Career And The Salary Of The Individual

Loyalty To The Organization May Help The Individual Sustain A Company-Specific Employment

Loyalty To One’s Profession Exerts The Necessary Pressure On Knowledge And Skill Build-Up (Benefiting Both The Individual & The Organization)

Page 23: Cyber risk fheili.mohammad

Enterprise Service: General Ledger; Clients & Settlement; P & L; Risk Reporting.

Core Analytical Engine: Valuation Models; Pricing Models; Exposure Measurements; Risk Models; Asset-Liability Management Models; Regulatory Models; Predictive Models; Business Strategy Analysis; Other Models.

Model Risk Management (A, B, C, D: Interface Between Two Modules).

These Risks could Exist Inside each Module and in the Interface between Two or More Modules.

Page 24: Cyber risk fheili.mohammad

Model Risk Management

The Financial Models & Model Risk Management (MRM)

Page 25: Cyber risk fheili.mohammad

Sources of Operational Risks (Ref: Basel II)

PEOPLE
Primary: Employee Fraud / Malice (Criminal)
Secondary: Unauthorized activity / Employee misdeed (Willful); Employment Law; Workforce disruption; Loss or lack of key personnel

PROCESSES
Primary: Payment / settlement / delivery risk
Secondary: Documentation or contract risk; Valuation / Pricing; Internal / External reporting and compliance; Project risk / Change management; Selling Risks

SYSTEMS
Primary: Technology investment risk
Secondary: System development and implementation; Systems failures; Systems security breach; Systems capacity

EXTERNAL
Primary: Legal / Regulatory Risk / Public Liability
Secondary: Criminal Activities; Out-sourcing / Supplier Risk; In-sourcing Risks; Disaster and Infrastructural utilities Failures; Political and Government Risks

Page 26: Cyber risk fheili.mohammad

have led to:

• Increased Usage of Impersonal Electronic Services: Low Cost Electronic Services; Widespread and Diffused Customer Base. This, in turn, led to: Lower Customer Intimacy; Reduced Switching Costs Between Different Banks (Customers these days are constantly shopping for the better deal); Increased Chances of Fraud and Credit Risk; Increased the Demand for Transparency.

• Less Time to Know and Influence Customers. Research shows that Customer Interest peaks and falls rapidly, especially in response to a Promotional Event. This makes it absolutely necessary for banks to optimally leverage all available customer touch points so as to be able to influence the customer (e.g., You find ads and offers on ATM receipts).

Page 27: Cyber risk fheili.mohammad

Information Technology at the forefront of Operational Risk: But ….!

The Introduction of any form of technology in a given production process, or the mere modification of an existing IT environment, necessitates a number of changes which spill over on Branch Performance: Staff Skills, Workflows, Policies & Procedures, and a host of other changes.

In today’s technologically intense production processes, information technology (IT) risks cannot be considered independently of other types of risks, since they reflect on our ability to serve and satisfy our clients.

Recognizing these challenges and acknowledging that the Branch has a role to play in managing this risk will put management one step ahead. Because processes are Technology dependent, Accurate, Complete and timely data collection has changed from being mostly qualitative to overwhelmingly quantitative; the Types/Nature of Mistakes committed by Branch Employees are Different; etc.

Page 28: Cyber risk fheili.mohammad

The Devil Is In The Details

• Pay Attention

Page 29: Cyber risk fheili.mohammad

All Organizations need to take Risks to achieve their Goals.

The Prevailing Risk Culture within an Organization can make it significantly Better or Worse at Managing these Risks.

Risk Culture significantly affects the organizational capability to take strategic risk decisions and deliver on Performance Promises.

It’s never been about the presence of a Risk Culture nor the absence of!

Risk is there; like it or not!

How Do You Do Things (& Think) Around Here?

There are MANY Risks but ONE Risk Culture!

Page 30: Cyber risk fheili.mohammad

Where Should We Go To Look For Risk Culture?

Board of Directors?

Staff: Every Day Fire Fighters?

Page 31: Cyber risk fheili.mohammad

Then We Should Go Look For Risk Culture In The Man In The Mirror . . .

Every individual comes to an organization with his/her own personal Perception of Risk.

Every individual comes with his/her own Inventory of Moral Values, and these have a great influence over the decisions they make on a day-to-day basis.

Page 32: Cyber risk fheili.mohammad

People vary in all sorts of ways and this includes their predisposition toward Risk. Two specific Traits:

1. The extent to which people are either spontaneous and challenge convention, or organized, systematic and compliant.

2. The extent to which people may be cautious, pessimistic and anxious, or optimistic, resilient and fearless.

Organizations need to pay attention to the ethical profile of those working in their business. Every individual comes with their own inventory of moral values and these have a great influence over the decisions they make on a day-to-day basis.

Three ethical consciences, significantly influencing individuals’ Decision Making:

1. Ethic of Obedience (Rule Compliance, Spirit of the Law, etc.)
2. Ethic of Care (Empathy, Concern, Respect, etc.)
3. Ethic of Reason (Wisdom, Experience, Prudence, etc.)

Page 33: Cyber risk fheili.mohammad

Risk Culture: Personal Predisposition of Risk; Personal Ethics; Behavior; Organizational Culture.

Individual values, beliefs and attitudes toward risk contribute to and are affected by the wider overall culture of the organization. It is useful to consider Organizational culture in relation to two key dimensions:

1. Sociability: People Focus (based on how well staff get on socially)
2. Solidarity: Task Focus (based on goal orientation and team performance)

Page 34: Cyber risk fheili.mohammad

Risk Management Is Everybody’s Business

Staff (Identification): Registration of Incidents and Monitoring of the Internal Control Environment.

Business Unit (Assessment & Follow Up): Acceptance or Mitigation of Identified Risks; Follow Up on Decided Actions.

Senior Management (Oversight & Control).

Reporting: Reports to Enable Senior Management Appraisal.

Problems with Risk Culture are frequently found at the root of organizational scandals and collapses.

It Starts Here: Every individual comes to an organization with his/her own personal perception of Risks.

Page 35: Cyber risk fheili.mohammad

Risk Management & Associated Culture

The Chief Risk Officer

Your Risk Culture Can Be Characterized as: Participative Risk Management or Autocratic Risk Management

Page 36: Cyber risk fheili.mohammad

Participative Risk Management

Full and Consistent Communication & Coordination with all Business Units

Involve Everyone

Culture is subject to cycles which can self-reinforce in either virtuous, or vicious, circles.

Page 37: Cyber risk fheili.mohammad

Autocratic Risk Management

I Know what to do, and I will do it all alone. My way or the highway!

Involve Everyone

Culture is subject to cycles which can self-reinforce in either virtuous, or vicious, circles.

Page 38: Cyber risk fheili.mohammad

The Fallacy . . .

Figure: Ambiguity, Uncertainty and Ignorance plotted against two axes, “Increasing Our Understanding of Potential Outcomes” (horizontal) and “Increasing Evidence on Probability of Occurrence” (vertical).

A Bank is expected to collect ALL needed data to move closer to Risk Management and Away from: Ambiguity, Ignorance, and Uncertainty.

Page 39: Cyber risk fheili.mohammad

Brilliant Surgery! Well Done! Shame the patient died.

Outcomes

For Fear of AML Violation Penalty (i.e., Outcome), the FI decides not to serve the client (i.e., Decision), sparing itself the pain of Enhanced Due Diligence.

Page 40: Cyber risk fheili.mohammad

Level Of Maturity in AML Compliance

Figure: Nature & Extent of Efforts Deployed, rising across three levels: DD (Due Diligence), EDD (Enhanced Due Diligence), RBA (Risk-Based Approach to AML Compliance).

Enhancing Compliance Capabilities … AML Cost; Skills Needs; Know-How; AML Analytics.

Those Enhanced AML Compliance Steps are a clear indication of a desire, on the part of the FI, to continue serving the Client. Otherwise, the FI would engage in Derisking.

Enhanced AML Compliance requires the Use of Technology: Quantification/Data-Rich vs. Judgment/Opinion-Rich. Increased reliance on Technology means Less Human Intervention and increased exposure to Technology Failures: Different Sets of Skills are required. Reliance on Technology may Reduce Frequency But Increase Impact.

Being Pragmatic About Compliance? Culture-Driven.

Page 41: Cyber risk fheili.mohammad

Risk Management is a Decision & a Choice.

Compliance With Regulatory Guidelines & Rules:

• Pillar 1 is More Attractive.
• Standardized Approach in Credit & Market Risks.
• Basic Indicator Approach in Operational Risk.
• Advanced Approaches … No Way!
• ICAAP only if Required by Regulator; and the bare minimum.
• RCSA Marginalized.
• IFRS 9 ……… a nightmare!

Risk Management as a Decision & a Choice:

• Pillar 2 is at the top of Risk Management Priorities.
• Advanced Approaches are Effectively Explored.
• ICAAP required by Management as a Desired Self-Assessment Tool.
• RCSA is Essential.
• IFRS 9 is a welcomed wakeup call. Etc.

Risk Culture Failure: Regulatory Compliance is Competing with Risk Management

Page 42: Cyber risk fheili.mohammad

It’s been Pouring Regulatory Guidelines Ever since its inception . . .

Page 43: Cyber risk fheili.mohammad

Regulator’s Risk Culture: The Basel Accord with a history of Incomplete Implementation. The Signal it Sends has much to do with Regulatory Risk Culture.

Basel I (1986 proposed; 1988 effective): Credit Risk.

Basel 1 ½ (Amendments): Total Risks = Credit Plus Market Risks; Internal Models Emerged; Later on, Tier 3 Capital.

Basel II (1999 proposed; 2007 effective): Credit Risk; Market Risk; Operational Risk.

Basel 2 ½ (Amendments): Enhanced Pillar 2, 3; Complex Securitization obtained higher Risk Weights; Trading Books.

Basel III (2009 proposed; Kick Off in 2011): Credit Risk; Market Risk; Operational Risk; Capital Quality; Additional Buffers; Liquidity: LCR, NSFR.

Basel 3 ½ (Amendments).

Basel IV (2017 Anticipated Or Not; Kick Off in 20??): Capital Requirements; Liquidity Requirements; Disclosure Requirements; National Divergences; Risk Sensitivity; Use of Internal Models in Decision Making.

Crises marked along the timeline: Tequila Crisis; Asian Market Crisis; Shadow Banking Crisis.

Page 44: Cyber risk fheili.mohammad

Coping With a Rapidly Changing Banking Environment

What’s @Risk? Risk Culture is!

Your Life Begins At the End Of Your Comfort Zone

Page 45: Cyber risk fheili.mohammad

Risk Culture Framework: Beware of the Weak End of the Continuum!

Each dimension runs from a High Risk end to a Low Risk end:

Communication: Poor / Good
Tolerance: Unclear / Clear
Level Of Insight: Lack of Insight / Good Insight
Openness: Fear of Bad News / Reward Honesty
Confidence: Over Confidence / Confident But Careful
Challenge: No Challenge / Constructive Challenge
Level of Care: Indifference / Diligence
Speed of Response: Slow / Fast
Cooperation: Gaming / Coordinating
Adherence to Rules: Beat the System / Play By The Rules

Themes: Transparency of Risk; Acknowledgement of Risk; Responsiveness To Risk; Respect For Risk.

Page 46: Cyber risk fheili.mohammad

Risk Management of Today has been Contaminated by the Complexity of Regulations. … Where in Many Jurisdictions Risk Management should be as Simplistic as the Environment it Operates in.
