Operational Risk Management for IT infrastructure
IWI jour fixe – Daniel J. Hinz, [email protected]
Frankfurt/Main, November 23rd, 2004
This material was used during an oral presentation; it is not a complete record of the discussion.
AGENDA
• Definitions and research question
• Theoretical foundation and practical motivation
• Approach and validation
• Relevance: Practical application
• Next steps
DEFINITIONS
Risk: The measurable probability of the negative deviation of a target value from a reference value – [Jorion and Khoury 1996]
Operational Risk: The risk of loss resulting from inadequate or failed processes, people and systems or from external events – [Basel Committee on Banking Supervision 2003]
Systems risk / IT risk: Losses arising from disruption of business or system failures, e.g. hardware, software, telecommunications, utility outage/disruptions – [Basel Committee on Banking Supervision 2003]
IT infrastructure: The underlying technological components that constitute an organization's system architecture. The seven components of IT infrastructure are hardware, operating system, network, database, development environment, user interface and application. – e.g., [Gartner]
RISK TYPES
Root causes for unexpected change in value, by risk type:
• Market risk: interest rate, FX, and equity risk
• Credit risk: credit losses; changes in credit worthiness
• Business volume risk: changing business volume; changing margins*
• Strategic risk: wrong management decisions
• Reputational risk: loss of customer trust
• Operational risk (focus of this work): events not covered otherwise, such as fraud, catastrophe, processing errors
* Also variations in cost structure (fixed costs, expected losses)
OPERATIONAL RISK
Basel II definition: operational risk arises from internal sources (people, processes, systems) and from external events.
Main focus of this work: systems.
RESEARCH QUESTION
Main question: How can risks in financial institutions arising from IT infrastructure be effectively assessed and managed?
Sub questions – Assessment
• How to identify IT risks in a structured way
• How to estimate/calculate the potential loss (e.g., value-at-risk) for
  – Compliance with regulators
  – Calculation of business cases for mitigation measures
Sub questions – Management
• How to identify risk mitigation measures
• How to calculate the optimal mitigation effort from a cost-benefit perspective
• How to integrate IT risk management into a firm-wide operational risk management
STRUCTURE
Structure
• Introduction/Motivation
• Financial risk management domain
• IT mgmt theory
• DSS
• Causal modelling of IT risks
  – Development of classification model for operational risk
  – Identification of key risk drivers and dependencies
  – Modelling of Bayesian Belief Network
  – Validation
• Application for IT managers
  – Management of IT risks with BSCs
  – Risk mitigation strategies
• Outlook and further research
Peer review plan
• Presented at PACIS 2004 (together with Heiko Gewald)
• Submitted to ECIS 05: Identification process and tools (with cluster 2)
• Open: Modelling and validation
• Planned for Dec. 04 (with Stefan B.)
• Open
• Presenting at HICSS-38: Combination of IT mgmt and DSS theory
• Open: Combination of financial risk mgmt and IT mgmt theory (with AGSM)
Dates given on the slide: 04/05, 12/04, tbd, 02/05, 06/05
THEORETICAL FOUNDATION
Financial risk management domain
• Value-at-Risk
• Bayesian Belief Networks
• CAPM
• …
IT management theory
• IT Controlling
• Common Criteria*
• Data security (NRC**)
• ITIL
• …
Decision support systems (DSS)
• Data oriented
• Model oriented
• …
Combining financial risk management approaches (i.e. Bayesian Belief Networks) with IT management techniques (e.g., risk and threat assessment) to develop the IT part of an integrated decision support system
* "Common Criteria for Information Technology Security Evaluation" of the International Standards Organization (ISO) of 1999 (also known as "Common Criteria", CC, or ISO 15408)
** National Research Council
PRACTICAL MOTIVATION
Spectacular losses
• September 11
• Barings Bank
• …
BIS* Survey key results
• 89 banks from 19 countries
• 47,269 individual events
• Total losses of EUR 7.8 billion in 2001
• Average of 528 losses accounting for EUR 87 million p.a. for every participating bank
• Average loss of almost EUR 400,000 for operational losses from "business disruptions and system failures"
• Average loss of EUR 160,000 for all other event types
* Bank for International Settlements
Source: Basel Committee on Banking Supervision; The 2002 Loss Data Collection Exercise for Operational Risk, 2003.
DECISIONS TO BE SUPPORTED
Decisions are positioned on a frequency (low/high) vs. impact (low/high) matrix.
High impact, low frequency decisions (examples) – need for decision support
• IT outsourcing
• Contract renegotiation
• Big-bang ERP system replacement
• …
Low impact, high frequency decisions (examples)
• Installation of new SW releases
• Server replacement
• …
Source: Hinz, Daniel; High Severity Information Technology Risks in Finance, HICSS, 2005.
THE LOSS DISTRIBUTION APPROACH (backup slide)
[Figure: probability density of the annually aggregated loss. The body of the distribution holds the low impact, high frequency losses; the tail holds the high impact, low frequency losses. The mean of the distribution is the expected loss.]
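The loss distribution approach behind the figure, as an added worked example that is not part of the slides: each risk cell gets a Poisson event frequency per year and a lognormal severity per event, the annually aggregated loss is simulated by Monte Carlo, and the expected loss (the mean on the slide) and a value-at-risk quantile (the potential-loss figure named in the research question) are read off the simulated distribution. The two cells, their names and all parameters are constructed for the illustration; the analytic expected-loss check uses the standard compound-Poisson mean, lambda times the mean severity.

```python
"""Added illustration (not from the slides): the Loss Distribution Approach
(LDA) for IT-infrastructure risk, simulated with the standard library only.
Each risk cell has a Poisson event frequency per year and a lognormal severity
per event; the annually aggregated loss is the sum of all event losses in one
year.  All parameters below are constructed for the example."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskCell:
    name: str
    events_per_year: float   # Poisson rate lambda
    sev_mu: float            # lognormal parameters of one loss amount (EUR)
    sev_sigma: float


# Constructed parameters: one high-impact/low-frequency cell and one
# low-impact/high-frequency cell, matching the two regions on the slide.
EXAMPLE_CELLS = (
    RiskCell("business disruption / system failure", 0.5, math.log(400_000), 1.0),
    RiskCell("processing errors", 50.0, math.log(5_000), 0.8),
)


def poisson_count(rng, lam):
    """Number of Poisson(lam) events in one year, via exponential inter-arrival times."""
    n, t = 0, rng.expovariate(lam)
    while t < 1.0:
        n += 1
        t += rng.expovariate(lam)
    return n


def simulate_annual_losses(cells, years, seed=0):
    """Monte Carlo: one aggregated loss figure per simulated year."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        total = 0.0
        for c in cells:
            for _ in range(poisson_count(rng, c.events_per_year)):
                total += rng.lognormvariate(c.sev_mu, c.sev_sigma)
        losses.append(total)
    return losses


def expected_loss(losses):
    """Mean of the aggregate distribution (the 'Mean: Expected Loss' on the slide)."""
    return sum(losses) / len(losses)


def analytic_expected_loss(cells):
    """Closed form for the compound-Poisson mean: sum over cells of lambda * E[severity]."""
    return sum(c.events_per_year * math.exp(c.sev_mu + c.sev_sigma ** 2 / 2) for c in cells)


def value_at_risk(losses, confidence):
    """Empirical quantile of the aggregate loss, e.g. the one-year 99.9% figure."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, max(0, math.ceil(confidence * len(ordered)) - 1))
    return ordered[idx]


def unexpected_loss(losses, confidence):
    """Tail beyond the mean: VaR minus expected loss."""
    return value_at_risk(losses, confidence) - expected_loss(losses)


if __name__ == "__main__":
    losses = simulate_annual_losses(EXAMPLE_CELLS, years=10_000, seed=1)
    print(f"expected loss (simulated): EUR {expected_loss(losses):,.0f}")
    print(f"expected loss (analytic):  EUR {analytic_expected_loss(EXAMPLE_CELLS):,.0f}")
    for q in (0.95, 0.99, 0.999):
        print(f"VaR {q:.1%}: EUR {value_at_risk(losses, q):,.0f}")
```

The high-impact cell dominates the tail even though the processing-errors cell contributes about as much to the mean, which is why the slide separates the two regions: the expected loss is driven by the body, the capital figure by the tail.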
WHY CAUSAL MODELING
Low frequency, high impact decisions
• Need for analyses: ex-ante analyses necessary – potentially high impact, decisions mostly irreversible
• Requirements for DSS: model oriented DSS needed to provide decision criteria and design parameter
High frequency, low impact decisions
• Need for analyses: ex-post analyses sufficient – mostly small losses, decisions mostly reversible
• Requirements for DSS: data oriented DSS needed, e.g., operational value-at-risk, supported by expert judgement
Source: Hinz, Daniel; 2005; Alter, S. 1979; Power, D.J., 2004
CHANCES AND CHALLENGES OF CAUSAL MODELS
Assessment of causal networks
Chances
• Simulation of changes and corresponding effects possible
• Incorporating historical data
• Leveraging expert knowledge
• Creating transparency of dependencies/relationships
Challenges
• High complexity
  – Of causes
  – Of dependencies
• Difficult to keep model up-to-date
Implications for model
• Reduction to practically measurable number of indicators necessary
• Structured approach to derive cause and consequences (dependencies) necessary
Source: Gewald, H. and Hinz, D., A Framework for Classifying the Operational Risks of Outsourcing, PACIS 2004
CAUSAL DEPENDENCY OF RISK CAUSE AND IMPACT
Chain: Sources of Risk → Key Risk Driver (KRD) → Risk Indicator (RI) → Key Risk Indicator (KRI) → Impact Areas
Key Risk Driver (KRD) – Description: parameter for changes in OpRisk (e.g., staff skills, systems security, etc.). Analogy: accelerator and brakes
Risk Indicator (RI) – Description: measurement point to assess actual risk status of one single risk component. Analogy: speed sensors
Key Risk Indicator (KRI) – Description: top-level indicator, aggregated of multiple risk indicators. Analogy: tachometer
Source: Gewald, H. and Hinz, D., A Framework for Classifying the Operational Risks of Outsourcing, PACIS 2004
CLASSIFICATION MATRIX
Rows – Sources of Risk: People, Processes, Systems, External
Columns – Impact Areas: Costs, Quality, Time
Each cell of the matrix holds the Key Risk Drivers (KRD*) for that source/impact combination (KRD 1, KRD 2, …; KRD 6, KRD 7, …; KRD 11, KRD 12, …; KRD 16, KRD 17, …); each KRD is measured by Risk Indicators (RI); the impact area columns are aggregated into Key Risk Indicators (KRI**) (KRI 1, KRI 2, …; KRI 4, KRI 5, …; KRI 7, KRI 8, …)
Example: decreasing service quality – KRD (e.g. process errors), Risk Indicator (e.g. # failed transactions), KRI (e.g. process documentation)
* KRD = Key Risk Driver
** KRI = Key Risk Indicator
Source: Gewald, H. and Hinz, D., A Framework for Classifying the Operational Risks of Outsourcing, PACIS 2004
REPRESENTATION IN BAYESIAN BELIEF NETWORK
Three layers of nodes, linked by directed edges from drivers to indicators:
• Key Risk Drivers (KRDs), ~ 20: KRD 1, KRD 2, …, KRD x
• Risk Indicators (RIs), ~ 200: RI 1, RI 2, RI 3, …, RI y
• Key Risk Indicators (KRIs), ~ 10: KRI 1, KRI 2, …, KRI z
Source: Gewald, H. and Hinz, D., A Framework for Classifying the Operational Risks of Outsourcing, PACIS 2004
MODELLING IN HUGIN
[Figure: the Bayesian Belief Network modelled in the Hugin tool]
Source: Gewald, H. and Hinz, D., A Framework for Classifying the Operational Risks of Outsourcing, PACIS 2004
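The KRD → RI → KRI network of the two preceding slides, as an added worked example that is not part of the presentation or of the Hugin model it describes: a tiny discrete Bayesian Belief Network with two KRDs (staff skills, systems security, the examples given on the causal-dependency slide), two RIs (failed transactions, security incidents) and one KRI (decreasing service quality, the example from the classification matrix), with exact inference by enumeration written by hand rather than taken from Hugin. All node names, states and probabilities are constructed for the illustration. It shows the two uses the slides claim for causal models: simulating a change in a driver and reading off the effect on the KRI, and updating belief about a driver from an observed indicator.

```python
"""Added illustration (not from the slides): a small Bayesian Belief Network
in the KRD -> RI -> KRI layering of the presentation, with exact inference by
enumeration.  Node names and all probabilities are constructed; the real
model in the talk was built in Hugin with ~20 KRDs, ~200 RIs and ~10 KRIs."""
from itertools import product


class BayesNet:
    """Discrete Bayesian network: each node has states, parents and a CPT.

    cpt maps a tuple of parent states (in parent order) to {state: P(state | parents)}.
    """

    def __init__(self):
        self.nodes = {}   # name -> (states, parents, cpt)

    def add(self, name, states, parents, cpt):
        for key, dist in cpt.items():          # every CPT row must sum to 1
            assert abs(sum(dist.values()) - 1.0) < 1e-9, (name, key)
        self.nodes[name] = (tuple(states), tuple(parents), cpt)

    def joint(self, assignment):
        """P(assignment) = product over nodes of P(node | its parents)."""
        p = 1.0
        for name, (_, parents, cpt) in self.nodes.items():
            key = tuple(assignment[par] for par in parents)
            p *= cpt[key][assignment[name]]
        return p

    def query(self, var, evidence=None):
        """P(var | evidence) by summing the joint over every unobserved node.
        Exponential in the number of hidden nodes, which is fine for a handful."""
        evidence = dict(evidence or {})
        hidden = [n for n in self.nodes if n not in evidence]
        dist = {s: 0.0 for s in self.nodes[var][0]}
        for combo in product(*(self.nodes[h][0] for h in hidden)):
            a = dict(evidence)
            a.update(zip(hidden, combo))
            dist[a[var]] += self.joint(a)
        z = sum(dist.values())
        return {s: v / z for s, v in dist.items()}


def build_it_risk_network():
    net = BayesNet()
    # KRDs (root nodes): the levers management can move (accelerator and brakes).
    net.add("staff_skills", ["high", "low"], [], {(): {"high": 0.7, "low": 0.3}})
    net.add("systems_security", ["high", "low"], [], {(): {"high": 0.8, "low": 0.2}})
    # RIs: measurement points, each depending on one KRD (speed sensors).
    net.add("failed_transactions", ["low", "high"], ["staff_skills"],
            {("high",): {"low": 0.9, "high": 0.1},
             ("low",):  {"low": 0.4, "high": 0.6}})
    net.add("security_incidents", ["low", "high"], ["systems_security"],
            {("high",): {"low": 0.95, "high": 0.05},
             ("low",):  {"low": 0.6, "high": 0.4}})
    # KRI: top-level indicator aggregating several RIs (tachometer).
    net.add("service_quality_degraded", ["no", "yes"],
            ["failed_transactions", "security_incidents"],
            {("low", "low"):   {"no": 0.95, "yes": 0.05},
             ("low", "high"):  {"no": 0.7, "yes": 0.3},
             ("high", "low"):  {"no": 0.5, "yes": 0.5},
             ("high", "high"): {"no": 0.2, "yes": 0.8}})
    return net


def kri_probability(net, evidence=None):
    """P(KRI 'service_quality_degraded' = yes | evidence)."""
    return net.query("service_quality_degraded", evidence)["yes"]


def krd_sensitivity(net, krd):
    """What-if analysis: KRI probability for each state of one KRD."""
    return {s: kri_probability(net, {krd: s}) for s in net.nodes[krd][0]}


if __name__ == "__main__":
    net = build_it_risk_network()
    print("baseline P(KRI degraded) = %.4f" % kri_probability(net))
    print("per staff_skills state   =", krd_sensitivity(net, "staff_skills"))
    # Diagnostic direction: an RI reading updates belief about its KRD.
    print("P(staff_skills | failed_transactions=high) =",
          net.query("staff_skills", {"failed_transactions": "high"}))
```

Because the KRDs are root nodes, conditioning on a KRD state here is the same as intervening on it, so krd_sensitivity is a direct what-if for a mitigation measure (e.g. training that moves staff skills from low to high); the business case for that measure is the drop in KRI probability times the loss it protects against. In a network with dependencies between drivers the two would differ, and an intervention would have to cut the incoming edges of the driver before querying.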
INDICATIVE FEEDBACK
Talks conducted with
• Five operational risk managers/controllers in large banks
• Three subject matter experts in international consulting companies
Key outcomes
• Strong practical need for that kind of assessment, as currently employed methodologies do not fully reflect the operational risk in outsourcing.
• Usage of Bayesian Belief Networks has explicitly been favoured within all interviews, but none of the companies has yet developed a working model.
• Interest is huge to gain theoretically founded insights in the outsourcing decision from an operational risk point of view.
Open: Scientific validation
Source: Gewald, H. and Hinz, D., A Framework for Classifying the Operational Risks of Outsourcing, PACIS 2004
COCKPIT
[Figure: mock-up of a risk management cockpit with columns for KRD, RI, KRI and Risks, each carrying +/- status indicators; sample cell values shown include 20%, 4, 1,3 Mio EUR and 23 min]
ASSESSMENT OF IT RISK DRIVERS
Risk assessment methods
• Failure Mode and Effects Analysis (FMEA)
• Asset values and Business Impact Analysis
• Hazard and Operability (HAZOP)
• Attack Tree Analysis
• Event Tree Analysis
• Vulnerability Chains/Trees Analysis
• Fault Tree Analysis
• Operational profiles
• (Human) Behaviour Modelling
• Discrete Event Simulation
• …
Key findings
• No single method alone can accomplish all the necessary features for a complete and effective risk assessment
• A combination of two or more methods is recommended in order to perform a good work [Sample & Poynter 2001]
Next step: Identification of key risk drivers
Source: Pérez, Martinovic, Berbner, Hinz, Steinmetz; IT Risk Assessment – Methods and Applications; subm. ECIS 05