ISACA’S IT Audit, Information Security
& Risk Insights Africa 2014
MAY, 2014
MANAGING IT RISKS IN THE BANKING
INDUSTRY
Emmanuel Ofori Boateng,
Dep. Head, IT, Ecobank Ghana
OVERVIEW
- HISTORY OF RISK MANAGEMENT
- OVERVIEW OF IT RISKS IN BANKS
- REMEDIES
HISTORY OF RISK MANAGEMENT
• The study of risk management began after WWII.
• It had to do with market insurance to protect individuals and companies from various losses associated with accidents.
• The use of derivatives as risk management instruments began in the 1970s.
• International risk regulation and the management of operational risk began in the 1990s.
HISTORY OF RISK MANAGEMENT
• Concomitantly, governance of risk management became essential and integrated risk management was introduced.
• In the wake of financial scandals and bankruptcies resulting from poor risk management (Enron), the Sarbanes-Oxley Act was introduced in 2002.
• However, these regulations, governance rules and risk management methods failed to prevent the financial crisis that began in 2007 (Lehman Brothers).
RISKS IN BANKS
• MARKET RISKS
• CREDIT RISKS
• OPERATIONAL RISKS
OPERATIONAL RISK
• The main characteristic of operational risk is that, unlike market and credit risks, which mainly involve risks associated with trading or lending, everyone in the financial organization can be a source of operational risk.
IT RISKS CLASSIFICATION
• IT risks can be classified according to their impact on the organization, as follows:
1. Security risk
2. Availability risk
3. Performance risk
4. Compliance risk
IT RISKS CLASSIFICATION
• SECURITY RISK – the risk that information will be altered, accessed, or used by unauthorized parties.
IT RISK CLASSIFICATION
• AVAILABILITY RISK – that
information or applications will be
inaccessible due to system failure or
natural disaster, including any
recovery period.
IT RISK CLASSIFICATION
• PERFORMANCE RISK – that
underperformance of systems,
applications, or personnel, or IT as
a whole will diminish business
productivity or value.
IT RISK CLASSIFICATION
• COMPLIANCE RISK – the risk that information handling or processing will fail to meet regulatory, IT or business policy requirements. Usually it involves penalties, fines, or loss of reputation from failure to comply with laws or regulations.
IT RISKS
• IT GOVERNANCE
• CYBERSECURITY (cyberterrorism, data loss)
• CARD FRAUD
• BIG DATA SECURITY & PRIVACY
• INTERNET BANKING
• HACKING
• VIRUSES
• OUTSOURCING
IT RISK
• Unauthorized Access: user/developer access was not approved for a particular level of access or action. Example control: ensure privileged access is appropriately restricted and approved.
• Excessive Access: user/developer access level is beyond the scope of the job role and responsibility. Example control: ensure the principle of least privilege is in place, i.e. people only have access to the information and transactions needed to perform their job and scope of responsibility.
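The two access risks above are what an entitlement review tests for. The following script is an added example (not code from the presentation or from Ecobank) of such a review: it compares every grant in a constructed IAM access listing against a role baseline to find excessive access, and checks every privileged entitlement against an approval register to find unauthorized access. All role names, entitlements, users and ticket references are constructed for illustration; a role with no baseline at all is treated as having no approved access, so all of its grants are reported rather than silently passed.

```python
"""Constructed entitlement-review example: grants vs. role baseline (least
privilege) and privileged grants vs. approval register (authorized access)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Hypothetical role baseline: the entitlements each job role may hold.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "teller": {"core:view_account", "core:post_deposit", "core:post_withdrawal"},
    "developer": {"git:push", "uat:deploy"},
    "dba": {"db:read_prod", "db:admin_prod"},
}

# Hypothetical privileged entitlements: each grant needs a recorded approval,
# even when the role baseline allows it.
PRIVILEGED: Set[str] = {"db:admin_prod", "prod:deploy", "core:override_limit"}


@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    entitlement: str


# Constructed access listing, as an IAM export might produce it.
GRANTS: List[Grant] = [
    Grant("ama", "teller", "core:view_account"),
    Grant("ama", "teller", "core:post_deposit"),
    Grant("ama", "teller", "core:override_limit"),   # beyond role, privileged, no approval
    Grant("kofi", "developer", "git:push"),
    Grant("kofi", "developer", "prod:deploy"),        # beyond role, but approved below
    Grant("yaw", "dba", "db:admin_prod"),             # within role, privileged, approved
    Grant("yaw", "dba", "db:read_prod"),
    Grant("esi", "contractor", "core:view_account"),  # role has no baseline at all
]

# Constructed approval register: (user, entitlement) -> approval reference.
APPROVALS: Dict[Tuple[str, str], str] = {
    ("kofi", "prod:deploy"): "CHG-2014-0117",
    ("yaw", "db:admin_prod"): "PAR-2014-0042",
}


def excessive_access(grants, baseline):
    """Grants that exceed the role baseline (least-privilege violations).
    A role absent from the baseline has no approved entitlements, so every
    grant held under it is reported."""
    return sorted(
        (g.user, g.role, g.entitlement)
        for g in grants
        if g.entitlement not in baseline.get(g.role, set())
    )


def unapproved_privileged(grants, privileged, approvals):
    """Privileged grants with no approval record (unauthorized access)."""
    return sorted(
        (g.user, g.entitlement)
        for g in grants
        if g.entitlement in privileged and (g.user, g.entitlement) not in approvals
    )


def review(grants=GRANTS, baseline=ROLE_BASELINE,
           privileged=PRIVILEGED, approvals=APPROVALS):
    """Run both checks over one access listing and return the findings."""
    return {
        "excessive": excessive_access(grants, baseline),
        "unapproved_privileged": unapproved_privileged(grants, privileged, approvals),
    }


if __name__ == "__main__":
    for finding, rows in review().items():
        print(finding)
        for row in rows:
            print("  ", row)
```

Run against a real export, the two lists are the working papers for the review: the first goes to line managers to confirm or revoke, the second to whoever owns privileged-access approval. Note that a grant can appear in both lists (ama's override entitlement does), which is the usual shape of a finding where a privileged right was added outside the joiner/mover/leaver process.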
IT RISKS
• Unauthorized Changes: a program change was not approved before the move to production.
• Lack of control around the acquisition and implementation of new applications and the maintenance of existing applications.
• Lack of control around the acquisition, installation, configuration, integration, and maintenance of the IT infrastructure.
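The unauthorized-change risk is tested by reconciling what actually reached production against the change register. The script below is an added example (not code from the presentation or from Ecobank) of that reconciliation over a constructed deployment log and a constructed change register: every move to production must cite a change record, the record must exist, it must have been approved, the approval must predate the deployment, and the approver must not be the person who deployed. Application names, versions, users, tickets and timestamps are all invented for illustration.

```python
"""Constructed change-control reconciliation: production deployments vs. the
change register, flagging moves to production that lack prior approval."""
from datetime import datetime
from typing import Dict, List, Tuple

# Hypothetical change register: ticket -> approval details (None = not approved).
CHANGE_REGISTER: Dict[str, dict] = {
    "CHG-0101": {"approved_at": "2014-05-02T09:00", "approver": "cab"},
    "CHG-0102": {"approved_at": "2014-05-06T14:30", "approver": "kofi"},
    "CHG-0103": {"approved_at": None, "approver": None},
    "CHG-0104": {"approved_at": "2014-05-08T09:00", "approver": "cab"},
}

# Constructed deployment log, one line per move to production:
# timestamp  application  version  deployed_by  change_ref ('-' = none cited)
DEPLOY_LOG = """\
2014-05-03T10:15 corebank 4.2.1 kofi CHG-0101
2014-05-04T22:40 ebanking 7.0.0 ama  CHG-0103
2014-05-06T15:10 ebanking 7.0.1 kofi CHG-0102
2014-05-07T08:05 cards    2.9.9 yaw  -
2014-05-07T20:00 treasury 1.4.0 esi  CHG-0104
"""


def parse_deploy_log(text: str) -> List[dict]:
    """Parse the whitespace-separated log into one dict per deployment."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, app, version, who, ref = line.split()
        rows.append({"ts": ts, "app": app, "version": version,
                     "by": who, "ref": None if ref == "-" else ref})
    return rows


def reconcile(deploys: List[dict], register: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """Return (application, version, finding) for each deployment that fails
    the 'approved before move to production' control. A clean deployment
    produces no entry."""
    findings = []
    for d in deploys:
        ref = d["ref"]
        if ref is None:
            findings.append((d["app"], d["version"], "no change record cited"))
            continue
        change = register.get(ref)
        if change is None:
            findings.append((d["app"], d["version"], f"{ref} not in change register"))
            continue
        if change["approved_at"] is None:
            findings.append((d["app"], d["version"], f"{ref} not approved"))
            continue
        # Approval must precede the deployment, not merely exist.
        if datetime.fromisoformat(change["approved_at"]) > datetime.fromisoformat(d["ts"]):
            findings.append((d["app"], d["version"], f"{ref} approved after deployment"))
            continue
        # Segregation of duties: the implementer may not approve their own change.
        if change["approver"] == d["by"]:
            findings.append((d["app"], d["version"], f"{ref} approved by the implementer"))
    return findings


def run(log: str = DEPLOY_LOG, register: Dict[str, dict] = CHANGE_REGISTER):
    """Reconcile the constructed log against the constructed register."""
    return reconcile(parse_deploy_log(log), register)


if __name__ == "__main__":
    for app, version, finding in run():
        print(f"{app} {version}: {finding}")
```

Only the first deployment passes. The source of the deployment log matters: it should come from the production hosts or the deployment tool, not from the same register the deployments are being reconciled against, otherwise a change made outside the process leaves no trace for this check to find.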
MITIGATING I.T. RISK
• ROLE OF BOARD OF DIRECTORS
AND MANAGEMENT
• The Federal Financial Institutions Examination Council (FFIEC) directs senior management and the board of directors to manage IT risks, including information security, business continuity and disaster recovery.
MITIGATING IT RISKS
• AUDITS AND OTHER INDEPENDENT REVIEWS
MITIGATING IT RISKS
• LEGAL FRAMEWORK
• EDUCATION
MITIGATING IT RISKS
• USING STANDARDS, FRAMEWORKS etc.
• COBIT (ISACA): Control Objectives for Information and related Technology; COBIT 4.1 focuses on four key domains: Plan & Organize, Acquire & Implement, Deliver & Support, and Monitor & Evaluate.
MITIGATING IT RISKS
• ITIL (INFORMATION TECHNOLOGY INFRASTRUCTURE LIBRARY): framework for IT Service Management practices such as Change Management, Incident Management, Problem Management, Configuration Management and Service Level Management.
MITIGATING IT RISKS
• CMMI (Software Engineering Institute): Capability Maturity Model Integration for the software development lifecycle.
• ISO/IEC 20000: framework and certification for IT service management.
• ISO/IEC 27001: framework and certification for information security management.
• Risk IT (ISACA): IT-related business risk, organized in the domains of Risk Governance, Risk Evaluation and Risk Response.
MITIGATING IT RISKS
• VENDOR MANAGEMENT RISKS
AND CONTROLS
CONCLUSION
• In the years to come, banks will face two major drivers that will expose them to deeper IT risks:
• GLOBALIZATION AND INTERNET-RELATED TECHNOLOGIES
• THANK YOU
• QUESTIONS?