BITS
April 2018
Risk Management – Introduction
Definition of Risk
Risk is an uncertain event that has both a probability of occurring and a severity of
consequences. Risk management means controlling that probability and that severity so that
the consequences of the event stay within acceptable limits.
Risk Management – The Risk Management Cycle
The cycle has four stages that repeat continuously:
Identify -> Analyze -> Mitigate -> Monitor -> (back to Identify)
Risk Management – Categorization of Risks
• Operational & Compliance Risk
• Reputational Risk
• Credit Risk (incl. Conduct Risk)
• Liquidity Risk
• Strategy Risk
• Market Risk
• Model Risk
Operational Risk – Definition
Operational Risk Categories
Basel provides the following seven operational risk event types, with examples of where and
how they might arise (five are reproduced here):
• Internal fraud: Losses due to acts of a type intended to defraud, misappropriate property or
  circumvent regulations, the law or company policy (excluding diversity/discrimination events),
  which involve at least one internal party
• External fraud: Losses due to acts of a type intended to defraud, misappropriate property or
  circumvent the law by a third party
• Employment practices and workplace safety: Losses arising from acts inconsistent with
  employment, health or safety laws or agreements, from payment of personal injury claims, or
  from diversity and discrimination events
• Clients, products & business practices: Losses arising from an unintentional or negligent
  failure to meet a professional obligation to specific clients (including fiduciary and
  suitability requirements), or from the nature or design of a product
• Damage to physical assets: Losses arising from loss of or damage to physical assets from
  natural disaster or other events
Top 10 Operational Risks – risk.net’s Financial Industry Survey, 2018 vs. 2017
Rank  2018                        2017
1     IT disruption               Cyber risk and data security
2     Data compromise             Regulation
3     Regulatory risk             Outsourcing
4     Theft and fraud             Geopolitical risk
5     Outsourcing                 Conduct risk
6     Mis-selling                 Organizational change
7     Talent risk (new in 2018)   IT failure
8     Organizational change       AML, CTF and sanctions compliance
9     Unauthorized trading        Fraud
10    Model risk                  Physical attack (terrorism)
AML = Anti-Money Laundering
CTF = Counter-Terrorism Financing
Sources: 2018 survey, 2017 survey; see also Top 10 OpRisk Losses of 2017
Case Studies – Operational Risk
Case Study Questions
Case Study – 1
At one point, Barings trader Nick Leeson held 20,000 futures contracts on the Nikkei worth over
$3 billion. A large part of the losses came from the downturn in the Nikkei after a major
earthquake in Japan triggered a broad-based sell-off within a week. The total loss to the
233-year-old Barings Bank was well over $1 billion and led to its eventual bankruptcy. Leeson
was charged with fraud and served a prison sentence in Singapore.
Case Study – 2
Forex scandal: Activities that resulted in banks being hit with record fines
Traders agreed not to buy or sell at certain times to protect each other’s trading
positions by withholding supply of or demand for currency and suppressing competition in the FX
market. Banks were believed to have insufficient controls in place to monitor these activities.
Q&A for OpRisk Section
Cybersecurity
What is cybersecurity?
Security threat landscape – Skyrocketing costs
How is data lost? – Human error vs malicious intent
Human error
• Accidental disclosure
• Lost or stolen device
• Improper disposal
Malicious intent
• Unauthorized access
• Sabotage
• Insider data theft
Two types of email attacks: Phishing vs spear-phishing – Quantity vs quality
Phishing (quantity): Attackers send emails to a large list of people (a "campaign") in the
hope that at least one recipient will click and provide sensitive information or enable the
launch of malware.
Spear-phishing (quality): Attackers research a specific individual and craft a message tailored
to that person's job, interests or contacts, so that a single, convincing email is far more
likely to be acted on.
Case Study – Cyber Security
Cyber Attack – In Perspective
WannaCry
Worldwide Ransomware Attack
WannaCry was a worldwide ransomware attack in May 2017 that infected hundreds of thousands of
computers in over 150 countries. The ransomware encrypted files on infected computers, and the
perpetrators then demanded payment in Bitcoin to unlock them. WannaCry is considered among the
worst cyber-attacks of its kind not only because of its widespread impact but also because of
the way it spread.
What worried the cybersecurity community most was that the malware propagated on its own, like
a worm, by exploiting a vulnerability in the SMBv1 file-sharing protocol of the Microsoft
Windows operating system, using exploit code that had been developed by the US National
Security Agency. This exploit, called EternalBlue, was stolen and leaked to the world by a
group calling itself "TheShadowBrokers" in April 2017. Microsoft had already released a patch
for the vulnerability in March 2017, roughly two months before the attack, yet many systems
had not been updated and were thus left open to the ransomware.
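The lesson of the paragraph above is that the exposure was a known, already patched weakness left unremediated. The following is an added example, not part of the original slides, of the check an administrator would run from an elevated PowerShell prompt to see whether a Windows host still exposes the SMBv1 protocol that EternalBlue targeted. The cmdlets are standard Windows cmdlets (SmbShare, DISM and NetTCPIP modules); the function name Test-Smb1Exposure is this example's own, and the feature and port details are assumed to match a Windows 10 / Server 2016 host.

```powershell
# Added example: check whether this Windows host still exposes SMBv1, the protocol
# the EternalBlue exploit targeted. Run from an elevated PowerShell prompt.
# Assumes Windows 10 / Server 2016 or later (Get-SmbServerConfiguration needs
# Windows 8 / Server 2012 or later; the SMB1Protocol optional feature exists on
# Windows 10 / Server 2016 and later).

function Test-Smb1Exposure {
    [CmdletBinding()]
    param()

    # Server-side setting: is the SMB1 protocol enabled on this host?
    $smbConfig = Get-SmbServerConfiguration
    $smb1ServerEnabled = [bool]$smbConfig.EnableSMB1Protocol

    # Is the SMB1 optional feature installed at all?
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $smb1FeatureInstalled = ($null -ne $feature) -and ($feature.State -eq 'Enabled')

    # Is TCP/445 listening? WannaCry spread host-to-host over this port.
    $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        Smb1ServerEnabled    = $smb1ServerEnabled
        Smb1FeatureInstalled = $smb1FeatureInstalled
        Port445Listening     = ($null -ne $listening)
        # Exposed if SMB1 is enabled either as a server setting or as an installed feature
        Exposed              = $smb1ServerEnabled -or $smb1FeatureInstalled
    }
}

$result = Test-Smb1Exposure
$result | Format-List

if ($result.Exposed) {
    Write-Warning "SMBv1 is still enabled on $($result.ComputerName). Disable it and confirm the March 2017 SMB security update is installed."
    # Remediation (uncomment to apply; a reboot may be required):
    # Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}
```

Disabling SMBv1 removes the attack surface even on hosts whose patch status is uncertain, which is why the check reports both the server setting and the installed feature rather than only one of them.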
Spear-Phishing
A simple Google search…
Professional profile
Good cyber hygiene:
• Email address and personal contact information not visible
• Job details not provided
Risky cyber hygiene:
• Title, company, position, job history, education, skills and location publicly visible
• Summary provides detail about education and experience
• Profile photo allows easy identification
Social profile
Good cyber hygiene:
• Social network profiles locked down
• Friends lists are hidden from strangers
Risky cyber hygiene:
• Professional and personal profile photos are the same
• Customer reviews on sites like Amazon hint at interests
• Published involvement in charitable causes
…can still allow attackers to connect the dots…
…to craft a spear-phishing email
Attackers do their research and look for interests and causes that appeal to the victim, to
raise the chance that the victim clicks.
Sample e-mail: a message addressed "Dear Latha," (the body of the sample is not reproduced
on this page)
Q&A
Thanks
References
https://www.bis.org/publ/bcbs195.pdf
https://www.risk.net/risk-management/5424761/top-10-operational-risks-for-2018
https://www.risk.net/risk-management/operational-risk/2480528/top-10-operational-risks-for-2017
https://www.finma.ch/en/news/2013/10/mm-rs-opr-risiken-banken-20130110/