
Page 1: A Model for Control Assessment for Credit Card Industry

A Model for Control Assessment for Credit Card Industry

By PR No.: 07030245017
Student Name: Mohammad Mohsin Khan
Specialisation: Systems (2007 – 2009)

Symbiosis Centre for Information Technology (a constituent member of SIU, established under section 3 of the UGC Act 1956 vide notification No. F.9-12/2001-U.3 of the Government of India)


Symbiosis Centre for Information Technology (A constituent Institute of Symbiosis International University, estd. Under Section 3 of UGC Act 1956)

MBA Batch 2007-09


Acknowledgement

I would like to thank Ms. Shaila Kagal (Director, SCIT) for giving me this opportunity to do Research & Development on “A Model for Control Assessment for Credit Card Industry”. I am highly indebted to Professor Manoj Hudnurkar, who has given me the opportunity to do the research on the topic “A Model for Control Assessment for Credit Card Industry”. In spite of the severe paucity of time, his valuable suggestions enabled me to fulfil the objectives of my project. He has shown immense patience and understanding in the face of testing difficulties and even kept my morale high. The periodic inputs by such experts were instrumental in expediting my work. His willingness to guide me at every turn spurred me on to put in my best efforts. I would also like to thank Mr. Chaitanya V.K (Business Advisory, Ernst & Young) and Mr. Anil Bhandari (Founder, Director ANB Consulting Pvt Co); without their help I would not be able to complete the research. I also extend my gratitude to all faculties of SCIT for their support. They provided me great help in understanding certain concepts. Their experience was of immense help to me.


Table of Contents

1. Chapter 1:- Introduction _________________________________ 4

1.1. Brief on Research Topic ........................................................................... 4

1.2. Summary of Abstract: .............................................................................. 4

1.3. Objective:.................................................................................................. 5

1.4. Methodology: ............................................................................................ 5

2. Chapter 2:- Literature Review _____________________________ 6

2.1. Risk Assessment: ...................................................................................... 6

2.2. Steps for Process for Assessing and Managing Risk in SCM: ................ 7

2.3. CORAS approach to risk assessment: ..................................................... 7

2.4. Committee of Sponsoring Organizations of the Treadway Commission

(COSO) Model for Enterprise Risk Management (ERM): ................................ 8

2.5. COSO based Process Assessment Model:................................................ 9

2.6. Failure Modes, Effects and Criticality Analysis (FMECA): ................. 10

3. Chapter 3: Analysis of Work Done ________________________ 12

3.1. Analysis of Work Done: ........................................ 12
Risk Identification Process: ....................................... 12
It consists of the risk management process which involves .......... 12
COSO ERM Framework: ................................................ 12
COSO based Process Assessment Model: ............................... 13
Fig 4. COSO based Process Assessment Model
Failure Modes, Effects and Criticality Analysis (FMECA): ........... 13
Failure Modes, Effects and Criticality Analysis (FMECA): ........... 14

3.2. The Model: .................................................... 15
Steps to Create the Model: ......................................... 15
Identification of Process and Activities: .......................... 15
Monitoring and Control Framework: .................................. 15
Classifying Risk: .................................................. 16
Classification of Risk: ............................................ 17
Classifying Impact Level: .......................................... 18
Construct the Hazard Totem Pole Chart (HTP): ....................... 20

3.3. Framework Pyramid (Proposed): .......................................................... 23

3.4. Possible applications in the industry ..................................................... 23

4. Chapter 4: Finding, Recommendations & Conclusion: ________ 24

4.1. Findings .................................................................................................. 24

4.2. Recommendation: .................................................................................. 25

4.3. Conclusion: ............................................................................................. 26

4.4. References: ............................................................................................. 27


1. Chapter 1:- Introduction

1.1. Brief on Research Topic

• A bank has varied processes under its Credit Card wing.

• A Control Assessment Plan provides proofs and evidence about these processes and functions to the external auditors, and also serves them as a guide to the processes, i.e. whether a process is critical and what the level of criticality of a process is.

• There is no standardization of the techniques to be followed when evaluating controls in the industry; every individual follows techniques as per his own convenience and understanding.

• This creates a gap in the understanding of a control, its severity, gap analysis, impact and also the point of impact.

• This creates a lot of confusion among stakeholders regarding the effectiveness of the controls applied to a process. As there is no model or standard technique to measure severity, different process owners assign their own severity level to a particular activity based on their individual understanding of the processes.

• This leads to a mismatch between risk and control, leading to improper control assessment.

• Due to this a model is needed which is not dependent on the individual or on his cognitive skills, wherein the risk is measured against certain parameters and the severity is adjudged on the basis of these parameters.

• The control is also measured against these parameters, and the model helps evaluate a standard Control Assessment Plan which generates the same result for a particular activity irrespective of the individual, in organizations belonging to the Credit Card domain.

1.2. Summary of Abstract:

There is no set of standard techniques for the evaluation of controls in the Credit Card industry; every individual follows techniques as per his own convenience and understanding. This creates a gap in the understanding of a control and its severity, gap analysis, impact and also the point of impact. This creates a lot of confusion among stakeholders regarding the effectiveness of the controls applied to a process, as different process owners have their own severity level for a particular activity, based on their individual understanding of the processes. This leads to a mismatch between risk and control, leading to improper control assessment. Due to this a model is needed which is not dependent on the individual or on his cognitive skills, wherein the risk is measured against certain parameters and the severity is adjudged on the basis of these parameters. The control is also measured against these parameters, and the model helps evaluate a standard Control Assessment Plan which generates the same result for a particular activity irrespective of the individual, in organizations belonging to the Services domain.


1.3. Objective: To prepare a model which achieves standardization of the methods and techniques to be followed for preparing a Control Assessment Plan as its output, independent of individual capabilities.

1.4. Methodology:

• Collecting data from secondary resources and analyzing it for trends in control assessment.
1. Collection of data about the various techniques used in the preparation of a Risk Management Plan.
2. Collecting details about the various models which are currently being applied in the industry.
3. Feasibility of the models as per the industry.
4. Application area in the industry.
5. The technical as well as business environments for application.
6. Advantages and disadvantages of these models.
7. Comparison of the models and the various techniques that could be amalgamated in this new model.
8. Preparation of the new model.
9. Possible application in the industry.

• Getting inputs from the Mentor and Guide regarding the progress and ascertaining the right direction.
1. Validation of data from the guide and mentor.
2. Charting out the course of preparation of the new model.
3. Validation of the models and how to go about the techniques.
4. Using the mentor's and guide's industrial as well as domain experience in model building.
5. Verifying the final model.

• Preparing a model for Control Assessment which can be used as a standard procedure to obtain similar output when preparing a Control Assessment Plan.


2. Chapter 2:- Literature Review

2.1. Risk Assessment:

• Risk assessment is a common first step in a risk management process. Risk assessment is the determination of the quantitative or qualitative value of risk related to a concrete situation and a recognized threat. Quantitative risk assessment requires the calculation of two components of the risk R: the magnitude of the potential loss L, and the probability p that the loss will occur.

R = L × p

Fig1. Risk assessment overview

• Risk assessment incorporates risk analysis and risk management, i.e., it combines systematic processes for risk identification and determination of their consequences, and for deciding how to deal with these risks. Many risk assessment methodologies exist, focussing on different types of risks or different areas of concern. The CORAS methodology builds on: HAZard and Operability study (HazOp); Fault Tree Analysis (FTA); Failure Mode and Effect Criticality Analysis (FMECA); Markov analysis (Markov); CCTA Risk Analysis and Management Methodology (CRAMM).

• All of the above-mentioned models may or may not be used for this research, and in due course new models can also be brought into purview; currently, the models being viewed as a benchmark for the creation of the new model for risk and control assessment for the credit card industry are as follows.


2.2. Steps for Process for Assessing and Managing Risk in SCM:

• Identify potential risk factors.
• Assess the severity of the consequences of the identified risk factors.
• Assess the likelihood of occurrence of the identified risk factors.
• Classify the identified risk factors.
• Determine the cost of implementing the risk response action plan.
• Determine the risk priority indices.
• Construct the hazard totem pole chart.

2.3. CORAS approach to risk assessment:

• CORAS focuses on the integration of viewpoint-oriented modelling in the risk assessment process. The integration of this state-of-the-art modelling technology in the risk assessment process, in the following referred to as model-based risk assessment, is motivated by several factors. Model-based risk assessment employs modelling technology for three main purposes:
a. Providing descriptions of the target of assessment at the right level of abstraction.
b. As a medium for communication and interaction between the different groups of stakeholders involved in a risk analysis.
c. To document results and the assumptions on which these results depend.

• CORAS framework.


2.4. Committee of Sponsoring Organizations of the Treadway Commission (COSO) Model for Enterprise Risk Management (ERM):

• COSO was formed in the year 1985 to sponsor the work of what became commonly referred to as the Treadway Commission. The COSO sponsors were (and remain) the American Accounting Association (AAA), Institute of Management Accountants (IMA), Institute of Internal Auditors (IIA), AICPA and the Financial Executives International (FEI).

• The Public Company Accounting Oversight Board (PCAOB) recommended the COSO model as a way to evaluate and report on internal controls. Thus, AS2 entrenched the COSO model as a tool that auditors, internal and external, needed to understand, especially in applying it to section 404 evaluations of internal controls.

• COSO defines internal controls as "a process, affected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in (1) the effectiveness and efficiency of operations, (2) the reliability of financial reporting and (3) the compliance of applicable laws and regulations." The COSO Model of Internal Controls uses five elements of internal control: control environment, risk assessment, information and communication, control activities, and monitoring.

• There are various important ERM frameworks, each of which describes an approach for identifying, analyzing, responding to, and monitoring risks and opportunities within the internal and external environment facing the enterprise. Management selects a risk response strategy for the specific risks identified and analyzed, which may include:
a. Avoidance: exiting the activities giving rise to the risk.
b. Reduction: taking action to reduce the likelihood or impact related to the risk.
c. Share or insure: transferring or sharing a portion of the risk, to reduce it.
d. Accept: no action is taken, due to a cost/benefit decision.

• The COSO ERM Framework has eight components and four objective categories. It is an expansion of the COSO Internal Control-Integrated Framework published in 1992 and amended in 1994. The eight components - additional components highlighted - are:
a. Internal Environment.
b. Objective Setting.
c. Event Identification.
d. Risk Assessment.
e. Risk Response.
f. Control Activities.
g. Monitoring.

• The four objective categories - additional categories highlighted - are:
a. Strategy - high-level goals, aligned with and supporting the organization's mission.
b. Operations - effective and efficient use of resources.
c. Financial Reporting - reliability of operational and financial reporting.
d. Compliance - compliance with applicable laws and regulations.


2.5. COSO based Process Assessment Model:

• The Process Assessment Model defines a two-dimensional model of process capability. In one dimension, the process dimension, the processes are defined and classified into process categories. In the other dimension, the capability dimension, a set of process attributes grouped into capability levels is defined. The process attributes provide the measurable characteristics of process capability.

Fig 2. COSO based Process Assessment Model

• The Process Assessment Model is based on the principle that the capability of a process can be assessed by demonstrating the achievement of process attributes on the basis of evidence related to assessment indicators.

• There are two types of assessment indicators: process capability (generic) indicators, which apply to capability levels 2 to 5, and process performance (specific) indicators, which apply exclusively to capability level 1.

• The process attributes in the capability dimension have a set of process capability indicators that provide an indication of the extent of achievement of the attribute in the instantiated process. These indicators concern significant activities, resources or results associated with the achievement of the attribute purpose by a process.

• The first three capability levels focus on the instance or activity view of the processes, while from level 3 onwards the attributes focus on the corporate entity view. This observation helps us to understand how the COSO Internal Control and ERM frameworks fit into this assessment model. The Internal Control framework's third dimension is the Unit/Activity, while in ERM the third dimension is the corporate structure.

Fig 3. Process Improvement and Organization Level (COSO ERM)

2.6. Failure Modes, Effects and Criticality Analysis (FMECA):

• It is designed to identify potential failure modes for a product or process, to assess the risk associated with those failure modes, to rank the issues in terms of importance and to identify and carry out corrective actions to address the most serious concerns.

• FMECA requires the identification of the following basic information:
a. Item(s).
b. Function(s).
c. Failure(s).
d. Effect(s) of Failure.
e. Cause(s) of Failure.
f. Current Control(s).
g. Recommended Action(s).
h. Plus other relevant details.

• The basic steps for performing an FMEA/FMECA analysis include:
a. Assemble the team.
b. Establish the ground rules.
c. Gather and review relevant information.
d. Identify the item(s) or process(es) to be analyzed.
e. Identify the function(s), failure(s), effect(s), cause(s) and control(s) for each item or process to be analyzed.
f. Evaluate the risk associated with the issues identified by the analysis.
g. Prioritize and assign corrective actions.
h. Perform corrective actions and re-evaluate risk.
i. Distribute, review and update the analysis, as appropriate.

• Risk Evaluation Methods: A typical FMEA incorporates some method to evaluate the risk associated with the potential problems identified through the analysis. The two most common methods are Risk Priority Numbers and Criticality Analysis.

• Risk Priority Numbers: To use the Risk Priority Number (RPN) method to assess risk, the analysis team must:
a. Rate the severity of each effect of failure.
b. Rate the likelihood of occurrence for each cause of failure.
c. Rate the likelihood of prior detection for each cause of failure (i.e. the likelihood of detecting the problem before it reaches the end user or customer).
d. Calculate the RPN by obtaining the product of the three ratings:

RPN = Severity × Occurrence × Detection

• Criticality Analysis (quantitative and qualitative): To use the quantitative criticality analysis method, the analysis team must:
a. Define the reliability/unreliability for each item, at a given operating time.
b. Identify the portion of the item’s unreliability that can be attributed to each potential failure mode.
c. Rate the probability of loss (or severity) that will result from each failure mode that may occur.
d. Calculate the criticality for each potential failure mode by obtaining the product of the three factors:

Mode Criticality = Item Unreliability × Mode Ratio of Unreliability × Probability of Loss

e. Calculate the criticality for each item by obtaining the sum of the criticalities for each failure mode that has been identified for the item.

Item Criticality = SUM of Mode Criticalities

To use the qualitative criticality analysis method to evaluate risk and prioritize corrective actions, the analysis team must:
a. Rate the severity of the potential effects of failure.
b. Rate the likelihood of occurrence for each potential failure mode.
c. Compare failure modes via a Criticality Matrix, which identifies severity on the horizontal axis and occurrence on the vertical axis.


3. Chapter 3: Analysis of Work Done

3.1. Analysis of Work Done:

Risk Identification Process:

Risk Assessment asks:
“What can go wrong?”
“What is the likelihood that something will go wrong?”
“What are the associated consequences?”

Risk Management asks:
“What can be done?”
“What are the available options and their associated tradeoffs?”
“What are the impacts of current decisions to future options?”

It consists of the risk management process, which involves:

a. Establishing Context: This includes an understanding of the current conditions in which the organization operates in its internal, external and risk management context.

b. Identifying Risks: This includes the documentation of the material threats to the organization’s achievement of its objectives and the representation of areas the organization may exploit for competitive advantage.

c. Analyzing/Quantifying Risks: This includes the calibration and, if possible, creation of probability distributions of outcomes for each material risk.

d. Integrating Risks: This includes the aggregation of all risk distributions, reflecting correlations and portfolio effects, and the formulation of the results in terms of impact on the organization’s key performance metrics.

e. Assessing/Prioritizing Risks: This includes the determination of the contribution of each risk to the aggregate risk profile, and appropriate prioritization.

f. Treating/Exploiting Risks: This includes the development of strategies for controlling and exploiting the various risks.

g. Monitoring and Reviewing: This includes the continual measurement and monitoring of the risk environment and the performance of the risk management strategies.

COSO ERM Framework:

• The COSO ERM Framework has eight components and four objective categories. The eight components are:
1. Internal Environment
2. Objective Setting
3. Event Identification
4. Risk Assessment
5. Risk Response
6. Control Activities
7. Information and Communication
8. Monitoring

• The four objective categories are:
1. Strategy - high-level goals, aligned with and supporting the organization's mission
2. Operations - effective and efficient use of resources
3. Financial Reporting - reliability of operational and financial reporting
4. Compliance - compliance with applicable laws and regulations.

COSO based Process Assessment Model:

• The Process Assessment Model defines a two-dimensional model of process capability. In one dimension, the process dimension, the processes are defined and classified into process categories.

• In the other dimension, the capability dimension, a set of process attributes grouped into capability levels is defined.

Fig 4. COSO based Process Assessment Model


Failure Modes, Effects and Criticality Analysis (FMECA):

• FMECA requires the identification of the following basic information:
1. Item(s)
2. Function(s)
3. Failure(s)
4. Effect(s) of Failure
5. Cause(s) of Failure
6. Current Control(s)
7. Recommended Action(s)
8. Plus other relevant details

• The basic steps for performing an FMEA/FMECA analysis include:
1. Assemble the team.
2. Establish the ground rules.
3. Gather and review relevant information.
4. Identify the item(s) or process(es) to be analyzed.
5. Identify the function(s), failure(s), effect(s), cause(s) and control(s) for each item or process to be analyzed.
6. Evaluate the risk associated with the issues identified by the analysis.
7. Prioritize and assign corrective actions.
8. Perform corrective actions and re-evaluate risk.
9. Distribute, review and update the analysis, as appropriate.


3.2. The Model:

Steps to Create the Model:

• Identification of the common steps in all the models mentioned above.
• The common steps are:
1. Identify potential risk factors.
2. Assess the severity of the consequences of the identified risk factors.
3. Assess the likelihood of occurrence of the identified risk factors.
4. Classify the identified risk factors.
5. Determine the cost of implementing the risk response action plan.
6. Determine the risk priority indices.
7. Construct the hazard totem pole chart.

Identification of Process and Activities:

• List down all the processes and their sub-processes.
• List down all the activities and their owners.
• List all the sub-activities and their WCGW (what could go wrong) scenarios.

E.g. (one row of the process/activity register):
S No: 1
Process: Credit
Sub Process: Credit
Activity: APPLICATION RECEIPT PROCESS
Activity Owner: Credit Team
Sub Activity: 1. The Sales team procures the applications from the following channels: existing KMB group company customers, open market, employee referral. 2. Different application forms are filled for each type of credit card.
WCGW/Risk: 1. Delay in collection of forms

Monitoring and Control Framework:


Classifying Risk:

• One technique is to identify the level of the processes, i.e. with respect to the COSO ERM Framework.

Fig 5. Depiction of various Levels of Improvement

• The probability of problem occurrence is derived from the extent of the process attribute gaps and from the capability level where they occur. Capability level gaps are categorized as follows:
1. None - No major or minor gaps
2. Slight - No gap at Level 1, and only minor gaps at higher levels
3. Significant - A minor gap at Level 1, or a single major gap above
4. Substantial - A major gap at Level 1, or more than one major gap above

• The process-related risk depends on both the probability of a problem arising from the identified gap and the potential consequence. In general the consequences depend on the capability levels where the gaps occur.

• The figure below depicts how high risk arises from a substantial gap at a lower capability level.


Classification of Risk:

• Different techniques to quantify risk:

1. The first set of factors is related to the threat agent involved. The goal here is to estimate the likelihood of a successful attack by this group of threat agents. Use the worst-case threat agent.
a. Skill level
b. Motive
c. Opportunity
d. Size

2. Vulnerability factors:
a. Ease of discovery
b. Ease of exploit
c. Awareness

3. Using FMECA to calculate COPQ (Cost of Poor Quality):

a. Step 1: Identify the potential causes of failures using the inputs from an input-output diagram and import them into the FMEA tool. Avoid any initial prioritization of inputs, such as through a cause-and-effect matrix, to ensure that all possible failure modes are included in the COPQ analysis. Include only controlled factors (inputs) in the analysis. This is important, as existing costs for uncontrolled factors cannot be calculated with confidence.

b. Step 2: After importing the inputs, review the list with the team to ensure all potential failures are identified. Include every possible failure even if the process has not experienced it. If there is a risk of failure, the team must identify it and include the potential cost of failure in the COPQ calculation.


c. Step 3: Perform the risk prioritization calculation for each individual potential failure mode by using the FMECA tool. Record the Risk Priority Number values as a calculation of severity, occurrence and detection scores as follows:

Risk Priority Number = Severity x Occurrence x Detection

d. Step 4: Using team inputs and any available estimation tools, calculate the average cost to resolve (ACR) for each potential cause of failure. The cost will be a multiple of estimated effort hours to resolve (EHR) and the average cost per effort hour (ACH). Note that the estimation in this step tends to have a 90- to 95-percent confidence level, which is an acceptable level for isolating the COPQ.

ACRi = EHRi x ACHi Where: ACRi = Average cost to resolve incident i EHRi = Effort hours to resolve incident i ACHi = Average cost per hour for incident i i = 1 to n (n being the total number of failures)

e. Step 5: Calculate the average effort cost required to resolve a random incident by using the weighted average of time to resolve the failure weighted by the risk priority of each failure.

Weighted Average Cost to Resolve (WACR) = [Sum of (RPNi x ACRi) / Sum of (RPNi)]

f. Step 6: Calculate the COPQ for the process by multiplying the random incident cost and the potential reduction in incidents (per year) as identified in the past process data.

COPQ = WACR x Reduction in Events Due to the Project
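The six-step COPQ calculation carried through in code, as an added example that is not part of the thesis; the failure modes, their scores, effort hours, hourly rates and the yearly reduction in events are constructed sample data.

```python
"""COPQ from the risk-weighted cost of failure modes (added example, not the thesis's code).

Steps 3-6 of the text: RPN = S x O x D, ACR_i = EHR_i x ACH_i,
WACR = sum(RPN_i * ACR_i) / sum(RPN_i), COPQ = WACR x reduction in events.
Failure modes, scores, hours and rates below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class FailureMode:
    name: str
    severity: int         # S
    occurrence: int       # O
    detection: int        # D
    effort_hours: float   # EHR_i, estimated effort hours to resolve
    cost_per_hour: float  # ACH_i, average cost per effort hour

    def rpn(self) -> int:
        """Risk Priority Number = Severity x Occurrence x Detection."""
        for score in (self.severity, self.occurrence, self.detection):
            if score < 1:
                raise ValueError(f"{self.name}: scores must be positive")
        return self.severity * self.occurrence * self.detection

    def acr(self) -> float:
        """Average cost to resolve this failure (ACR_i)."""
        return self.effort_hours * self.cost_per_hour


def wacr(modes):
    """Weighted average cost to resolve a random incident, weighted by RPN."""
    total_rpn = sum(m.rpn() for m in modes)
    if total_rpn == 0:
        raise ValueError("no failure modes to weight")
    return sum(m.rpn() * m.acr() for m in modes) / total_rpn


def copq(modes, reduction_in_events):
    """Cost of poor quality = WACR x reduction in events due to the project."""
    return wacr(modes) * reduction_in_events


# Constructed sample: controlled inputs of a card-embossing step (not from the thesis)
SAMPLE = [
    FailureMode("wrong PAN embossed", 9, 2, 3, 8.0, 40.0),
    FailureMode("PIN mailer mismatch", 8, 3, 4, 4.0, 40.0),
    FailureMode("plastic stock shortfall", 4, 5, 2, 2.0, 25.0),
]
SAMPLE_REDUCTION = 120  # constructed: incidents avoided per year
```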

Classifying Impact Level:

• There are two types of impact: Technical Impact and Business Impact

• Technical Impact:
a. Loss of confidentiality
b. Loss of integrity
c. Loss of availability
d. Loss of accountability

• Business Impact:
a. Financial
b. Reputation
c. Non-compliance
d. Privacy violation
e. Quality / Customer Service
f. Information security / Data loss
g. Delay in TAT / Deviation in SOP
h. Defective product


• Based on the above impacts, a score has been assigned to each business impact:

Classification                          Score
F   Financial                           5
Q   Quality / Customer Service          4
S   Information security / Data loss    3
D   Delay in TAT / Deviation in SOP     2
P   Defective product                   1

• Now we classify the probability of occurrence:

Classification   Score
L   Likely       3
U   Un-likely    2
R   Remote       1

• Now find out the Criticality Score:

Criticality Score = Probability Score * Impact Score

• Now we classify the Criticality:

Classification     Score
VH  Very High      12 - 15
H   High           9 - 11.9
M   Medium         5 - 8.9
L   Low            3 - 4.9
VL  Very Low       0 - 2.9

• Now, determine the Cost of Implementing the Risk Response Plan. Here the cost depends on company revenue, size and other parameters; the organization classifies the cost using the following parameters:

Cost Strategies    Implementation Cost*          Cost Index
Substantial Cost   More than $100000             4
High Cost          Between $10000 and $100000    3
Low Cost           Between $1000 and $10000      2
Trivial Cost       Less than $1000               1

*Dependent on company to classify the cost


Construct the Hazard Totem Pole Chart (HTP):

• HTP analysis provides a method for systematic analysis of risk.

• It is pyramidal in shape, with the most significant risk at the top (sharply pointed for immediate management attention) and less significant risk at the bottom.

• The risks at the top of the HTP represent catastrophic consequences that can be eliminated or contained for a small amount of money. As we go down the HTP chart the impact of the ranked risk diminishes.

• Since no firm can afford to eliminate all risk, one can find a level in the HTP chart below which management appears to accept the risk instead of implementing a risk response plan to remove it. This level is known as the "Cut off Level".

• Here we rate each risk with a three-number code, Risk (Impact Score, Probability Score, Cost Index). E.g. a risk with code (3,1,2) is (Info Security / Data loss, Remote, Low Cost).


Fig 6. HTP analysis of Risk

Based on the HTP we construct the Control Assessment Sheet; it should be merged with the Risk Assessment sheet. The template for the Sheet will be as follows (one column per item):

Activity | Activity Owner | Sub Activity | WCGW/Risk | Impact | Control Questions | Manual/IT | P/D | H/M/L | F/S/Q/D/P | IMPACT SCORE | L/U/R | PROBABILITY SCORE | CRITICALITY | Significant | Code

Hazard Code   Cumulative Preventive Cost ($)
(3,2,1)       5000
(3,3,3)       10000
(2,2,1)       70000
(2,2,1)       140000
(3,3,4)       170000
(2,4,4)       175000
(2,2,2)       200000
(2,2,2)       240000
(1,4,3)       260000
(3,1,3)       370000
(3,1,3)       380000
(4,4,1)       390000
Cut-Off Level
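The impact, probability, criticality and cost-index tables above, the three-number hazard code, and the HTP ranking with its cut-off level, carried through in code as an added example that is not part of the thesis; the sample risks, the budget and the tie-breaking rule when ranking are constructed assumptions.

```python
# Added example (not the thesis's own code): criticality scoring and HTP cut-off.
# Impact, probability, criticality and cost-index tables come from the text; the risks
# and budget are constructed and the ranking rule is this example's assumption.
IMPACT = {"F": 5, "Q": 4, "S": 3, "D": 2, "P": 1}  # F/S/Q/D/P impact score
PROBABILITY = {"L": 3, "U": 2, "R": 1}             # L/U/R probability score
CRITICALITY_BANDS = [(12, "VH"), (9, "H"), (5, "M"), (3, "L"), (0, "VL")]

def cost_index(implementation_cost):
    """Cost index 1-4; a cost exactly on a boundary goes to the higher band (assumption)."""
    if implementation_cost > 100_000:
        return 4  # Substantial Cost
    if implementation_cost >= 10_000:
        return 3  # High Cost
    if implementation_cost >= 1_000:
        return 2  # Low Cost
    return 1      # Trivial Cost

def criticality(impact_code, probability_code):
    """Criticality Score = Probability Score * Impact Score."""
    return PROBABILITY[probability_code] * IMPACT[impact_code]

def classify(score):
    """Map a criticality score to VH/H/M/L/VL by each band's lower bound."""
    return next(label for floor, label in CRITICALITY_BANDS if score >= floor)

def hazard_code(impact_code, probability_code, implementation_cost):
    """Three-number code (Impact Score, Probability Score, Cost Index)."""
    return (IMPACT[impact_code], PROBABILITY[probability_code], cost_index(implementation_cost))

def hazard_totem_pole(risks, budget):
    """Rank risks for the HTP (highest criticality first, cheaper response first on ties),
    accumulate preventive cost and flag the cut-off: rows within budget are treated,
    rows below the cut-off level are accepted. risks: (name, impact, probability, cost)."""
    ranked = sorted(risks, key=lambda r: (-criticality(r[1], r[2]), cost_index(r[3])))
    rows, cumulative = [], 0
    for name, imp, prob, cost in ranked:
        cumulative += cost
        rows.append({"risk": name, "code": hazard_code(imp, prob, cost),
                     "criticality": classify(criticality(imp, prob)),
                     "cumulative_cost": cumulative, "treated": cumulative <= budget})
    return rows

# Constructed sample risks from card post-issuance processes and a constructed budget.
SAMPLE_RISKS = [
    ("embossing file exposed to vendor staff", "S", "L", 8_000),
    ("statement mailed to wrong address", "Q", "U", 500),
    ("settlement file delayed past cut-off", "D", "L", 15_000),
    ("chargeback fee misposted", "F", "R", 120_000),
]
SAMPLE_BUDGET = 25_000
```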


• Then, based on the above sheet and the HTP analysis, we can prepare a checklist and an Audit Plan against which the Stake Owners can assess the process controls for effectiveness.

Fig 7. Framework process improvement based on above Control Framework Model


3.3. Framework Pyramid (Proposed):

• The Pyramid below will help the Organization to evolve and manage processes based on COSO ERM methodology.

3.4. Possible applications in the industry

• The framework with the techniques mentioned will be applicable to the Credit Card industry or Payment Card industry. The various processes where it could be applicable are:

a. Sales: Process deals with sales of the credit cards. It contains finalizing a vendor for sales & the alternate sales process.

b. Pre-Issuance: Process containing detailed steps to follow before issuing credit cards, e.g. procurement of plastic, embossing, ATM PIN generation.

c. Post-Issuance: Process to be followed once the credit card is issued to the customer. It contains the statement process, repayment process, interchange & settlement process, charge back, auto-debit, Zeroisation, cut-card & reconciliation.

d. Credit: The process of accepting applications for new credit cards, Screening, Scoring, Risk evaluation and setting credit limits is performed by the Credit function in coordination with the Risk team.

e. Products: Related to various products and add-on services offered by the respective bank.

f. Contact Management: Process of handling customer requests or complaints when he/she contacts Kotak Mahindra Bank.

g. Collections: As the name suggests, the process is all about collections: keeping track of collections, cycle date, interest calculation, late charges, etc.

Framework Pyramid (figure), levels 1 to 5 from the business unit (BU) up to the Group:
1. Mapping, Control Self-Assessment, Heat Maps
2. Local Efficiency Gains, Internal Losses, Forward-Looking
3. Aggregation, Models
4. Group-Wide Efficiencies, Appetites, Shifting Resources
5. Fixing Group-Wide Strategy, Industry Change

We should expect lots of small benefits; with really big but fewer benefits as we reach the top of the pyramid.


4. Chapter 4: Findings, Recommendations & Conclusion:

4.1. Findings

• Here there is a comparison among various techniques that are being used in the industry for various risk management activities; some of these techniques are implemented in various models.

• Some models have one or more techniques missing which are present in other models, thus making them not fully capable of handling various risks.

• Many models are missing the process improvement part as well as raising the level of the Organization and of the business units, i.e. from Level 1 to 5.

• The table below summarizes all those activities and shows the capability of the various models to support each activity.

• In all the models not all the factors are considered for Impact.

Columns: Risk Management Activities | General Risk Assessment | COSO ERM | COSO based PAM | FMECA | CORAS | Proposed Model*
(each ✓ marks one model that supports the activity)

Identify Context: ✓ ✓ ✓ ✓
Identify Risk: ✓ ✓ ✓ ✓ ✓ ✓
Analyze Risk: ✓ ✓ ✓ ✓ ✓ ✓
Severity of the Consequences*: ✓ ✓ ✓ ✓ ✓ ✓
Likelihood of Occurrence: ✓ ✓ ✓ ✓ ✓ ✓
Criticality Analysis: ✓ ✓ ✓ ✓ ✓ ✓
Cost of implementing risk response action plan: ✓ ✓
Risk priority indices: ✓ ✓
Heat Maps: ✓ ✓
Hazard Totem Pole chart:
Control Activities: ✓ ✓ ✓ ✓ ✓
Risk Assessment sheet: ✓
Audit Plan: ✓
Audit Checklist: ✓
Compliance: ✓
Monitoring: ✓ ✓ ✓ ✓
Review and Update: ✓ ✓ ✓ ✓
Communication among stakeholders: ✓ ✓ ✓
Documentation of assumptions and results: ✓ ✓ ✓
Process Improvement: ✓
Aggregation: ✓
Group and Business Unit Level Strategic Addition:

Table 1: Depiction of various models w.r.t. Risk Management Activities

*Not all factors are considered for Impact except for the proposed model


4.2. Recommendation:

• This proposed model cannot always cover and guarantee against all the risks that an organization faces, but it also tries to cover all the risks, whether inherent or not.

• Thus it acts as a risk mitigation plan which not only helps you avoid, mitigate or transfer risk but helps to improve your processes, which indirectly helps in raising the organizational level as well as the business units' level up to a certain limit.

• As it is a mixture of all the models that are generally being used, it therefore covers all the risk management activities.

• This model can also be used for other industries such as Manufacturing, Services, Hospitality, Automobiles etc.

• This model has a generic approach, thus it can be applied to any industry.

• As the model is not yet tested against cost for processes, this will be future work that has to be done, wherein the processes will be modelled in a modeller to analyze cost and then the same processes will be checked with our model to find the cost.

• These costs should be similar; otherwise there is a problem in the process or the model, so work still needs to be done in this area.

• This model will cover a wide area of Risk Assessment, Management and Control activities for the various industries mentioned:

1. Establishing Context.
2. Identify the item(s) or process(es) to be analyzed.
3. Identifying Risks.
4. Analyzing/Quantifying Risks.
5. Integrating Risks.
6. Assessing/Prioritizing Risks.
7. Treating/Exploiting Risks.
8. Monitoring and Reviewing.
9. Control Activities.
10. Information and Communication.
11. Monitoring.
12. Perform corrective actions and re-evaluate risk.
13. Distribute, review and update the analysis, as appropriate.
14. Strategy - high-level goals, aligned with and supporting the organization's mission.
15. Operations - effective and efficient use of resources.
16. Financial Reporting - reliability of operational and financial reporting.
17. Compliance - compliance with applicable laws and regulations.

• This model helps us to develop a Monitoring and Control Framework which helps us to improve our controls and processes; eliminating risk in turn reduces the controls needed.


4.3. Conclusion:

The model will help us to measure risk and activities, and it will help evaluate a standard Control Assessment Plan which will generate the same result for a particular activity irrespective of the individual, in organizations belonging to the Credit Card domain. The model will achieve a standardization of the method and techniques to be followed for preparing a Control Assessment plan as an output, independent of individual capabilities.

