ISACA’S IT Audit, Information Security & Risk Insights Africa 2014, MAY 2014. MANAGING IT RISKS IN THE BANKING INDUSTRY. Emmanuel Ofori Boateng, Dep. Head, IT, Ecobank Ghana


Page 1

ISACA’S IT Audit, Information Security & Risk Insights Africa 2014

MAY, 2014

MANAGING IT RISKS IN THE BANKING INDUSTRY

Emmanuel Ofori Boateng, Dep. Head, IT, Ecobank Ghana

Page 2

OVERVIEW

- HISTORY OF RISK MANAGEMENT

- OVERVIEW OF IT RISKS IN BANKS

- REMEDIES

Page 3

HISTORY OF RISK MANAGEMENT

• The study of risk management began after WWII.

• It had to do with market insurance to protect individuals and companies from various losses associated with accidents.

• The use of derivatives as risk management instruments began in the 1970s.

• International risk regulation and Operational Risks began in the 1990s.

Page 4

HISTORY OF RISK MANAGEMENT

• Concomitantly, governance of risk management became essential and integrated risk management was introduced.

• In the wake of financial scandals and bankruptcies resulting from poor risk management, the Sarbanes-Oxley regulation was introduced in 2002 (Enron).

• However, these regulations, governance rules and risk management methods failed to prevent the financial crisis that began in 2007 (Lehman Brothers).

Page 5

RISKS IN BANKS

• MARKET RISKS

• CREDIT RISKS

• OPERATIONAL RISKS

Page 6

OPERATIONAL RISK

• The main characteristic of operational risk is that, unlike market and credit risks, which mainly involve risks associated with trading or lending, everyone in the financial organization can be a source of operational risk.

Page 7

IT RISKS CLASSIFICATION

• IT risks can be classified according to their impact on the organization, as follows:

1. Security risk

2. Availability risk

3. Performance risk

4. Compliance risk

Page 8

IT RISKS CLASSIFICATION

• SECURITY RISK – the risk that information will be altered, accessed, or used by unauthorized parties.

Page 9

IT RISK CLASSIFICATION

• AVAILABILITY RISK – that information or applications will be inaccessible due to system failure or natural disaster, including any recovery period.

Page 10

IT RISK CLASSIFICATION

• PERFORMANCE RISK – that underperformance of systems, applications, or personnel, or IT as a whole, will diminish business productivity or value.

Page 11

IT RISK CLASSIFICATION

• COMPLIANCE RISK – that information handling or processing will fail to meet regulatory, IT or business policy requirements. Usually, it involves penalties, fines, or loss of reputation from failure to comply with laws or regulations.

Page 12

IT RISKS

• IT GOVERNANCE

• CYBERSECURITY (Cyberterrorism, Data loss)

• CARD FRAUD

• BIG DATA SECURITY & PRIVACY

• INTERNET BANKING

• HACKING

• VIRUSES

• OUTSOURCING

Page 13

IT RISK

• Unauthorized Access: User/Developer access was not approved for a particular level of access or action. Example: ensure privileged access is appropriately restricted.

• Excessive Access: User/Developer access level is beyond the scope of job role and responsibility. Example: ensure the Principle of Least Privilege is in place – people only have access to the information and transactions needed to perform their job and scope of responsibility.

Page 14

IT RISKS

• Unauthorized Changes: Program change was not approved before move to production.

• Lack of control around the acquisition and implementation of new applications and maintenance of existing applications.

• Lack of control around the acquisition, installation, configuration, integration, and maintenance of the IT infrastructure.
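The access risks on the previous slide (unauthorized privileged access, excessive access beyond the job role) and the change risk above (program changes moved to production without approval) are the kind of IT general controls an auditor tests by comparing records against a policy. The script below is an added example, not part of the original slides or of any bank's tooling: it runs a least-privilege access review against a role-to-entitlement matrix and a change-approval review over change records. The role matrix, the set of entitlements treated as privileged, the users and the change records are all constructed sample data; a real review would read them from the bank's identity and change-management systems.

```python
"""
Added example (not from the original slides): an IT general-controls review
over constructed sample data, covering two risks named in the presentation:
  - access review: privileged entitlements held without an approval record
    (unauthorized access) and entitlements outside the user's job role
    (excessive access, i.e. a least-privilege violation);
  - change review: program changes moved to production with no approval,
    self-approval, or approval recorded only after the deployment.
Every role, entitlement, user and change record below is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Set, Tuple

# Constructed role matrix: the entitlements each job role legitimately needs.
ROLE_ENTITLEMENTS = {
    "teller": {"view_account", "post_deposit", "post_withdrawal"},
    "branch_manager": {"view_account", "approve_override", "view_reports"},
    "developer": {"read_dev_db", "deploy_uat"},
    "dba": {"read_prod_db", "write_prod_db", "deploy_prod"},
}

# Constructed list of entitlements that count as privileged and therefore
# need an explicit, recorded approval in addition to fitting the role.
PRIVILEGED = {"write_prod_db", "deploy_prod", "approve_override"}


@dataclass
class User:
    uid: str
    role: str
    entitlements: Set[str]
    # privileged entitlements for which a signed-off approval record exists
    approved_privileged: Set[str] = field(default_factory=set)


@dataclass
class Change:
    change_id: str
    requester: str
    approver: Optional[str]      # None when no approval was ever recorded
    approved_at: Optional[str]   # ISO 8601 timestamp, or None
    deployed_at: str             # ISO 8601 timestamp of the move to production


def review_access(users: List[User]) -> List[Tuple[str, str, str]]:
    """Return findings as (uid, finding_type, entitlement) tuples.

    A privileged entitlement without an approval record is flagged as
    'unauthorized_privileged'; any entitlement outside the role matrix is
    flagged as 'excessive'. One entitlement can raise both findings.
    """
    findings = []
    for u in users:
        allowed = ROLE_ENTITLEMENTS.get(u.role, set())  # unknown role => nothing allowed
        for ent in sorted(u.entitlements):
            if ent in PRIVILEGED and ent not in u.approved_privileged:
                findings.append((u.uid, "unauthorized_privileged", ent))
            if ent not in allowed:
                findings.append((u.uid, "excessive", ent))
    return findings


def review_changes(changes: List[Change]) -> List[Tuple[str, str]]:
    """Return findings as (change_id, finding_type) tuples for changes that
    reached production without a valid, independent, prior approval."""
    findings = []
    for c in changes:
        if c.approver is None or c.approved_at is None:
            findings.append((c.change_id, "no_approval"))
        elif c.approver == c.requester:
            findings.append((c.change_id, "self_approved"))  # no segregation of duties
        elif datetime.fromisoformat(c.approved_at) > datetime.fromisoformat(c.deployed_at):
            findings.append((c.change_id, "approved_after_deploy"))
    return findings


# Constructed sample population for the review.
SAMPLE_USERS = [
    User("u1", "teller", {"view_account", "post_deposit", "post_withdrawal"}),
    User("u2", "developer", {"read_dev_db", "deploy_uat", "deploy_prod"}),
    User("u3", "branch_manager", {"view_account", "approve_override", "view_reports"},
         approved_privileged={"approve_override"}),
    User("u4", "dba", {"read_prod_db", "write_prod_db", "deploy_prod", "view_reports"},
         approved_privileged={"write_prod_db", "deploy_prod"}),
]

SAMPLE_CHANGES = [
    Change("CHG-1", "dev1", "mgr1", "2014-05-01T09:00:00", "2014-05-02T18:00:00"),
    Change("CHG-2", "dev2", None, None, "2014-05-03T18:00:00"),
    Change("CHG-3", "dev1", "dev1", "2014-05-04T09:00:00", "2014-05-04T18:00:00"),
    Change("CHG-4", "dev2", "mgr1", "2014-05-06T10:00:00", "2014-05-05T18:00:00"),
]

if __name__ == "__main__":
    for f in review_access(SAMPLE_USERS):
        print("ACCESS ", *f)
    for f in review_changes(SAMPLE_CHANGES):
        print("CHANGE ", *f)
```

On the sample data the access review flags the developer's production deployment right twice (it is privileged with no approval, and it is outside the developer role) and the DBA's reporting access once as excessive; the change review flags one unapproved change, one self-approved change and one approved only after it was already in production. Each finding maps directly to a control the slides name: restrict privileged access, enforce least privilege, and approve program changes before the move to production.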

Page 15

MITIGATING I.T. RISK

• ROLE OF BOARD OF DIRECTORS AND MANAGEMENT

• The Federal Financial Institutions Examination Council (FFIEC) directs senior management and the board of directors to manage IT risks, including information security, business continuity and disaster recovery.

Page 16

MITIGATING IT RISKS

• AUDITS AND OTHER INDEPENDENT REVIEWS

Page 17

MITIGATING IT RISKS

• LEGAL FRAMEWORK

• EDUCATION

Page 18

MITIGATING IT RISKS

• USING STANDARDS, FRAMEWORKS etc.

• COBIT (ISACA): Control Objectives for Information Technology, which focuses on four key domain areas: Plan & Organize, Acquire & Implement, Deliver & Support, and Monitor & Evaluate.

Page 19

MITIGATING IT RISKS

• ITIL (INFORMATION TECHNOLOGY INFRASTRUCTURE LIBRARY): framework for IT Service Management practices, such as Change Management, Incident Management, Problem Management, Configuration Management and Service Level Management.

Page 20

MITIGATING IT RISKS

• CMMi (Software Engineering Institute): Capability Maturity Model Integration for the Software Development Lifecycle.

• ISO20000: Framework and Certification for IT Service Management.

• ISO27001: Framework and Certification for Information Security.

• RiskIT (ISACA): IT-related business risk, focusing on Risk Evaluation, Risk Governance, and Risk Monitoring/Reporting.

Page 21

MITIGATING IT RISKS

• VENDOR MANAGEMENT RISKS AND CONTROLS

Page 22

CONCLUSION

• In years to come, banks will face two major drivers that will challenge them to take on deepened I.T. risks:

• GLOBALIZATION AND INTERNET-RELATED TECHNOLOGIES

Page 23

• THANK YOU

• QUESTIONS?