
4/15/2021

BANKING RISK MANAGEMENT DI ERA 4.0


Dr. Embun Prowanta, MM, CFP, CSA, CRP.



http://embunpro.com embunprow



“Learn from other people's experience;
the risk is far lower than learning from your own” #empro

“The greatest risk in life is being trapped
in routine (the comfort zone)” #empro


Opportunity for Digitalization in Banking



An Enterprise-Wide Approach to Digital Risk Management

Digital Risk Management

Primary Risk Category / Description / Example Digital Risks

Preventable (Operational) Risks
Description: Internal risks that derive from the day-to-day operations of an organisation.
Example digital risks:
• Hardware and software system failures
• Internal breaches of procedure
• Loss of data
• Online bullying

Strategic Risks
Description: Risks that are taken for a strategic return (profit, market share, etc.) or which may significantly affect the achievement of an organisation’s strategic objectives.
Example digital risks:
• Hardware and software systems development (e.g. the failed implementation of a new system)
• Regulatory breaches (e.g. data protection)
• Reputation risks (e.g. stemming from loss of data)

External Risks
Description: Risks from the external environment (political, economic, social, etc.).
Example digital risks:
• External hacking and denial of service attacks
• Theft of data


Benefit of Highly Digitized Banks

Robotics and automation

Reduced credit losses

Reduced operation losses

Lower capital reserves

Risk IT efficiency

Revenue increase


The relationship between Banking 4.0 and Infrastructure


POJK No. 12 /POJK.03/2018

On the Provision of Digital Banking Services by Commercial Banks

“The provision of digital banking services may increase risk, particularly operational, strategic and reputational risk, so banks need to strengthen their application of risk management in the effective use of information technology.”

• Banks may provide Electronic Banking Services or Digital Banking Services.
• Banks that provide Electronic Banking Services or Digital Banking Services must apply risk management and the prudential principle, and must comply with the provisions of this OJK Regulation.

Readiness to apply risk management, in particular security controls, to ensure that the principles of confidentiality, integrity, authentication, non-repudiation and availability are met.

Electronic Banking Services include, among others, Automated Teller Machine (ATM), Cash Deposit Machine (CDM), phone banking, Short Message Service (SMS) banking, Electronic Data Capture (EDC), Point of Sales (POS), internet banking and mobile banking.


Control and Security

POJK No. 12 /POJK.03/2018

Control and security of customer data and transactions in Electronic Banking Services:

a. confidentiality;
b. integrity;
c. availability;
d. authentication;
e. non-repudiation;
f. authorization control in systems, databases and applications;
g. segregation of duties;
h. maintenance of audit trails.


Digital Bank Risk


A Road Map for Successful Digital Risk Transformations

1. Defining a vision for digital risk
• A view on the key activities risk will perform in the future, and in what way;
• The corresponding mandate and role of risk; and the metrics that will be used to determine success

2. Determining the opportunities for digitization
• Through a bottom-up assessment of risk processes, a plan for applying digital tools to the most promising activities, and a business case that estimates the total impact

3. Running a swarm of initiatives
• Meets the strategic goals and captures the defined opportunities, through a considered approach to governance and the operating model and new techniques such as the agile sprints


Governance, Risk, Compliance (GRC)


INTEGRATED GRC
GRC MAP


The Benefit of Integrated GRC


Higher Quality Information

Process Optimization

Better Capital Allocation

Improved Effectiveness

Protected Reputation

Reduced Costs


Who is Involved?
◇ The Role of the Governing Authority
◇ The Role of the Chief Financial Officer and Managers
◇ The Role of the Risk Executive and Managers
◇ The Role of the Compliance and Ethics Executive and Managers
◇ The Role of the Chief Information Executive and Managers
◇ The Role of the Human Resources Executive and Managers
◇ The Role of the Internal Audit Executive and Managers
◇ The Role of the Business Unit Operator and Managers


GRC Capability Model


LEARN. Examine and analyze context, culture, and stakeholders to learn what the organization needs to know to establish and support objectives and strategies.

ALIGN. Align performance, risk and compliance objectives, strategies, decision-making criteria, actions and controls with the context, culture and stakeholder requirements.

PERFORM. Address threats, opportunities, and requirements by encouraging desired conduct and events, and preventing what is undesired, through the application of proactive, detective, and responsive actions and controls.

REVIEW. Conduct activities to monitor and improve the design and operating effectiveness of all actions and controls, including their continued alignment to objectives and strategies.

GRC Capability Model Element View


GRC / IT Maturity Model


The Central Role of Technology in GRC Processes

• Technologies that address enhanced risk management, specific compliance concerns and overall support for strategic planning and decision-making can help businesses save money, save time, get clearer information and refine the analytics that matter.

• Technology professionals contribute to the GRC system through the establishment of an information architecture supported by the selection and integration of technology to enable effective and efficient GRC processes across the organization.


GRC Technology Assessment

1. Develop a Formal GRC Technology Assessment Policy
2. Create an Inventory of Existing GRC Technology
3. Align GRC Technology Assessment Goals and Objectives with IT Strategies and Organizational GRC Requirements
4. Implement a GRC Technology Assessment Methodology
5. Prioritize GRC Technology Needs for the Organization
6. Prepare a GRC Technology Plan
7. Obtain Management Approval and Initiate Execution of the GRC Technology Plan


WHAT IS CYBER SECURITY RISK ?

Cyber security risk refers to any cyber threat to your company’s information technology and, more importantly, to any data the technology stores, processes, or transmits.

Cyber security risk management is the process of identifying cyber risks and developing strategies to mitigate them.

There are only two types of companies:
“Those that have been hacked, and those that will be hacked.”
Robert S. Mueller, III, Director, FBI


Cyber Security Risk Management

Improving your cyber security risk management takes time and energy. But your efforts will not be in vain.

Benefits:
• Make more strategic decisions
• Boost profits
• Gain a competitive advantage
• Provide insights to the board of directors
• Reduce business liability
• Meet compliance standards
• Protect your brand

An effective cyber security risk assessment evaluates risks based on the probability that they will occur and outlines the impact they could have on your business. Only by understanding prioritized risks can you develop cost-effective ways to manage them and improve your cyber security controls and culture.

MOTIVES BEHIND CYBER ATTACKS


Sources of Cyber Risk

Internal threat
• Internal employees potentially have access to the full range of corporate information.
• A disgruntled or blackmailed employee may decide to reveal or sell information to third parties.

External attacks from third parties
• Hackers
• Activists
• Financial criminals (internal and external)
• Intellectual property thieves


CYBER RISK IN BANKING

Cyber Attack Risk

Data Governance and Privacy

Process Automation Risk

Dynamic Workforce Risk

Third-Party Risk

Business Resiliency Risks

Cloud-Related Risks

Compliance Risks


Cyber Risk & Mitigation


• The financial industry around the world is using innovative new technologies to improve services, automate work and drive costs down.
• The “cloud,” quantum computing, artificial intelligence, the Internet of Things, fintech and other tools facilitate the efficient electronic transmission of financial transactions between and among clients, vendors, institutions, and payment systems.

1. Understand the nature of the data which is at risk.
2. Value the data at risk.
3. Take action to manage the data at risk:
 - Protect the most valuable data
 - Manage the remaining risk through insurance and self-insurance.
 - Adopt a plan should a data breach occur

THE BANK’S CYBER SECURITY

The Bank focused on understanding cyber security impacts to financial stability

The Bank invested in the foundational elements of cyber security

The Bank prioritized protecting critical operations and assets

The Bank took a people-focused approach to security services

The Bank invested in key initiatives to increase resilience

Moving beyond protecting: ready to respond to and recover from an attack


Identification & Mitigation

People and Policy Risks / Potential Impact / Mitigations

Inadequate security policy.
Potential impact: Vulnerabilities are often introduced due to inadequate or lacking policies. Policies need to drive operating requirements and procedures.
Mitigation: Ensure that security policies adequately cover all aspects of maintaining a secure environment.

Inadequate privacy policy.
Potential impact: Insufficient privacy policies can lead to unwanted exposure of employee or customer/client personal information, leading to both business risk and security risk.
Mitigation: Ensure that the privacy policies adequately cover all aspects of safeguarding access to private information.

Inadequate security oversight by management.
Potential impact: A lack of clear senior management ownership of a security program makes it almost impossible to enforce the provisions of the program in the event of a policy being compromised or abused.
Mitigation: Ensure that a senior manager is assigned responsibility for the overall security program at your organization. Empower this individual to make decisions to refine and enforce the security policies.

Improper revocation of access.
Potential impact: Failure to ensure that employee access is revoked when no longer needed may result in unauthorized access.
Mitigation: Ensure that employees have access to resources and systems only as needed to perform their job function and only for the duration that this need exists. Revoke all access for terminated employees before notifying them of termination.
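A check a practitioner could run against the "improper revocation of access" row above, as an added example that is not from the slides: it reconciles a constructed HR roster with a constructed access export and flags accounts whose owner has left, whose time-boxed access has lapsed, or that have no HR owner at all. The field names, the check date and both data sets are assumptions.

```python
"""Access-revocation reconciliation (added example; not from the slides)."""
from datetime import date

# Constructed HR roster: employee id -> (status, termination date or None)
HR_ROSTER = {
    "e100": ("active", None),
    "e101": ("terminated", date(2021, 3, 31)),
    "e102": ("active", None),
}

# Constructed access export: (owner id, system, access expiry date or None)
ACCESS_EXPORT = [
    ("e100", "core-banking", None),
    ("e101", "core-banking", None),                # owner left, never revoked
    ("e102", "payments-admin", date(2021, 4, 1)),  # time-boxed grant has lapsed
    ("e999", "swift-gateway", None),               # no HR record: orphan account
]

# Assumed date on which the reconciliation is run
CHECK_DATE = date(2021, 4, 15)


def find_revocation_gaps(roster, access, today):
    """Return (owner, system, reason) for every access entry that should be revoked."""
    gaps = []
    for owner, system, expires in access:
        record = roster.get(owner)
        if record is None:
            # Account with no living HR owner: nobody is accountable for it.
            gaps.append((owner, system, "no HR record (orphan account)"))
            continue
        status, term_date = record
        if status == "terminated" and term_date is not None and term_date <= today:
            gaps.append((owner, system, f"owner terminated on {term_date.isoformat()}"))
        elif expires is not None and expires < today:
            gaps.append((owner, system, f"time-boxed access expired on {expires.isoformat()}"))
    return gaps


def run_check():
    """Reconcile the constructed data sets as of CHECK_DATE."""
    return find_revocation_gaps(HR_ROSTER, ACCESS_EXPORT, CHECK_DATE)


if __name__ == "__main__":
    for owner, system, reason in run_check():
        print(f"REVOKE {owner}@{system}: {reason}")
```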

Mitigation of Cyber Security


(Internal Plan)

IDENTIFY & MANAGE: Governance and risk management processes enable effective management.
PROTECT: Access to assets and systems is effectively managed and limited to authorized users and usage.
DETECT: Security configurations are consistently applied and monitored 24 x 7, and automated when appropriate.
RESPOND: Incident response actions are consistently handled.
RECOVER: Recovery from a cyber attack is exercised regularly and plans are continuously improved.


Mitigation of Cyber Security


(External Plan)

• STRENGTHEN FINANCIAL SYSTEM RESILIENCE
• MATURE CYBER SECURITY PRACTICES
• ENHANCE COLLABORATION & PARTNERSHIPS
• EVOLVE CYBER SECURITY OVERSIGHT
