
Operational Risk Management

BITS

April 2018
Risk Management – Introduction

Definition of Risk

An uncertain event associated with a probability of occurrence and an impact. The impact can be positive (opportunity, profit) or negative (threat, loss).

Definition of Risk Management

Controlling the probability and the severity of an uncertain event so that the
consequences of that event are within acceptable limits.

Risk Management – The Risk Management Cycle

[Diagram: the Risk Management cycle, a loop of four stages]
Identify → Analyze → Mitigate → Monitor → (back to) Identify

Risk Management – Categorization of Risks

[Diagram: risks grouped into three categories]
Categories: Management Risk, Chosen Risk, Consequential Risk
Risk types placed in the diagram: Operational & Compliance Risk (incl. Conduct Risk), Reputational Risk, Credit Risk, Liquidity Risk, Strategy Risk, Market Risk, Model Risk

Operational Risk – Definition

Definition of Operational Risk

Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. This definition includes legal risk, but excludes strategic and reputational risk. However, it is recognized that some operational risks can lead to subsequent reputation issues.

Operational Risk Categories

Basel provides the following seven operational risk event types, with examples of where and how they might arise.

Event-type category: Examples

Internal fraud: Losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy (excluding diversity/discrimination events), which involve at least one internal party.

External fraud: Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law by a third party.

Employment practices and workplace safety: Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity and discrimination events.

Clients, products & business practices: Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product.

Damage to physical assets: Losses arising from loss or damage to physical assets from natural disaster or other events.

Business disruption and system failures: Losses arising from disruption of business or system failures.

Execution, delivery and process management: Losses from failed transaction processing or process management, or from relations with trade counterparties and vendors.

Top 10 Operational Risks – risk.net’s Financial Industry Survey, 2018 vs. 2017

Rank  2018                    2017
 1    IT disruption           Cyber risk and data security
 2    Data compromise         Regulation
 3    Regulatory risk         Outsourcing
 4    Theft and fraud         Geopolitical risk
 5    Outsourcing             Conduct risk
 6    Mis-selling             Organizational change
 7    Talent risk (new)       IT failure
 8    Organizational change   AML, CTF and sanctions compliance
 9    Unauthorized trading    Fraud
10    Model risk              Physical attack (Terrorism)

(The year-on-year trend icons next to the 2018 entries did not survive extraction; "new" marks an entry that was not in the 2017 list.)

AML = Anti-Money Laundering
CTF = Counter-Terrorism Financing
Sources: 2018 survey, 2017 survey; see also Top 10 OpRisk Losses of 2017

Case Studies – Operational Risk
Case Study Questions

Both incidents went unnoticed / unquestioned for a relatively long period. What do you think went wrong internally?

What would you, as the CRO of a bank, do differently to:
a. Prevent such wrong-doing
b. Identify any similar issues

Case Study – 1

Barings Bank: the collapse that erased 232 years of history

One of the most famous rogue traders is Nick Leeson, who was a derivatives trader at the Singapore office of Britain's Barings Bank. Leeson incurred heavy losses through the unauthorized trading of large amounts of Nikkei futures and options. Leeson took large derivative positions on the Nikkei, which leveraged the amount of money at stake in the trades.

At one point Leeson had 20,000 futures contracts worth over $3 billion on the Nikkei. A large
chunk of the losses came from the downturn in the Nikkei after a major earthquake in Japan
caused a broad-based sell-off in the Nikkei within a week. Total loss to the 233-year-old Barings
Bank was well over $1 billion and led to its eventual bankruptcy. Leeson was charged with fraud
and served years in a Singapore prison.

Case Study – 2

Forex scandal: Activities that resulted in banks being hit with record fines

In 2015, 6 global banks were fined ~USD 10bn for rigging foreign exchange markets.

Between 2007 and 2013, euro-dollar traders at 6 global bulge bracket banks were found to have manipulated benchmark foreign exchange (FX) rates in spot markets, using exclusive chat rooms to exchange confidential information, such as the size and direction of the banks’ net orders, in a coded language just before the one-minute fixing period, in an effort to increase their profits.

Traders agreed not to buy or sell at certain times to protect each other’s trading
positions by withholding supply of or demand for currency and suppressing competition in the FX
market. Banks were believed to have insufficient controls in place to monitor these activities.

Q&A for OpRisk Section
Cybersecurity
What is cybersecurity?

CYBERSECURITY is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, security includes both cybersecurity and physical security.

Elements of cybersecurity (sidebar):
• Application security
• Information security
• Network security
• Disaster recovery / business continuity planning
• Operational security
• End-user education

Security threat landscape – Skyrocketing costs

Global annual cybercrime costs will grow from $3 trillion in 2015 to $6 trillion annually by 2021*.

In the next four years, costs from…
• Damage and destruction of data
• Stolen money
• Lost productivity
• Intellectual property theft
• Theft of personal and financial data
• Embezzlement
• Fraud
• Post-attack disruption to the normal course of business
• Forensic investigation
• Restoration and deletion of hacked data and systems
• Reputational harm
…are predicted to double as the attack surface grows a full order of magnitude larger than what it is today.

*Source: Cybersecurity Ventures

How is data lost? – Human error vs malicious intent

Human error
• Accidental disclosure
• Lost or stolen device
• Improper disposal

Malicious intent
• Unauthorized access
• Sabotage
• Insider data theft

Two types of email attacks: Phishing vs spear-phishing – quantity vs quality

Phishing (quantity): Attackers send emails to a large list of people (a “campaign”) in the hope that at least one person will click and provide sensitive information or enable the launch of malware.

Spear-phishing (quality): Attackers first determine what data they want to get and identify the people who can help them get it. Then they research the individuals and craft targeted emails to entice them to click.

Case Study – Cyber Security
Cyber Attack – In Perspective

WannaCry
Worldwide Ransomware Attack

WannaCry was a worldwide ransomware attack that targeted hundreds of thousands of computers in over 150 countries. The ransomware encrypted the hard drive contents of infected computers, and the WannaCry perpetrators then demanded payment in Bitcoin to unlock them. WannaCry is considered among the worst cyber-attacks of its kind not only because of its widespread impact but also because of how it worked. What worried the cybersecurity community the most was that the malware exploited a vulnerability in the Microsoft Windows operating system using code that had been developed by the US National Security Agency. This code, called EternalBlue, was stolen and leaked to the world by a group called “TheShadowBrokers”. Despite Microsoft having patched the zero-day vulnerability a few weeks before the WannaCry attack, several systems hadn’t been updated and were thus left open to the ransomware.

Spear-Phishing
A simple Google search…

Professional profiles

Good cyber hygiene
• Email address and personal contact information not visible
• Job details not provided

Risky cyber hygiene
• Title, company, position, job history, education, skills, location publicly visible
• Summary provides detail about education and experience
• Profile photo allows easy identification

Personal profiles

Good cyber hygiene
• Social network profiles locked down
• Friends lists are hidden from strangers

Risky cyber hygiene
• Professional and personal profile photos are the same
• Customer reviews on sites like Amazon hint at interests
• Published involvement in charitable causes

…can still allow attackers to connect the dots…

Professional profiles Personal profiles

Profile of Ms. XYZ (assembled from her professional and personal profiles)

Company: XYZ
Title: Global Training, Awareness and Communications Director
Industry: Banking
Location: London
School: Kingston University
Possible interests: Marketing, pets, social causes (civil rights and social action, disaster and humanitarian relief, education, environment, health, human rights, politics, social services)

…to craft a spear-phishing email

Attackers do their research and look for interests and causes to appeal to a victim’s potential to click.

Sample e-mail (annotated screenshot; only the fragments “XYZ,” and “Dear Latha,” survived extraction). The two red flags called out on it:
• Sender address looks official, but no-reply is a red flag.
• Link can lead to a fake Web site that captures personal information.
Q&A
Thanks
References

https://www.bis.org/publ/bcbs195.pdf

https://www.risk.net/risk-management/5424761/top-10-operational-risks-for-2018

https://www.risk.net/risk-management/operational-risk/2480528/top-10-operational-risks-for-2017

https://www.finma.ch/en/news/2013/10/mm-rs-opr-risiken-banken-20130110/
