Recalculating Risk: The New Rules of Risk Management

New data management and risk analytics tools are giving banks such as ING, HSBC and Union Bank insight into enterprisewide risk exposures and a head start on Basel II rules.

Governments around the world are pondering new rules for banks in the wake of the global credit crisis. In the U.S., large banks face former Federal Reserve chairman Paul Volcker's campaign to shrink them and prevent them from proprietary trading, and the FDIC continues to shut down banks (15 in the month of January alone, on top of 140 in 2009). As a result, the pressure on bank risk executives and the technology they use has rarely been more intense. (Banks' desire to at least appear to be risk averse has gotten so strong that in early February a group of businessmen in Cambridge, England, announced that they were setting up a bank that would be called either Boring Bank of Cambridge or the Cambridge Boring Bank.)

"What we just went through in the past two years is nothing short of cataclysmic," notes Scott Baret, partner, governance, regulatory and risk strategies, Deloitte & Touche. "The main driver behind what happened is a lot of poor decision making because of systems that didn't support adequate risk management and didn't provide enough data about risk exposures. The regulators are on top of this issue with regard to data infrastructures and usage like you wouldn't believe."

On the technology front, while bank reform legislation meant to extract risk from the financial system is working its way through Congress (a bill is expected to pass in the summer or fall), U.S. banks are investing many of their risk technology dollars and efforts into meeting the Basel II standards that require banks to measure, monitor and allocate capital against market risk, credit risk and operational risk. At a summit this past September, all Group of 20 countries pledged to apply Basel II rules by 2011. European banks took to the new requirements more quickly than U.S. banks, but American banks are following close behind.

Observers say that although overall bank IT budgets are relatively flat, risk infrastructure is one area where banks are spending. "Risk spend and risk technology spend are definitely on the rise in the banking industry right now," says Luther Klein, head of Accenture's banking risk management team in North America. "We're seeing tremendous focus on enterprise risk capabilities, consolidation of platforms, enterprise risk platforms and risk analytics."

Klein explains that these technology investments are designed to drive better decision making, reduce cost and complexity, and integrate enterprise operations, with a particular focus on the improvement of operational risk and Basel II adherence. To comply with Basel II rules, banks are investing in risk data warehouses and tactical tools, he adds.

Operational risk -- defined by Basel II as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events -- is a relatively new way of looking at risk for U.S. banks, and many are just getting started, according to experts. "As banks start running their parallel processes for Basel II in the first or second quarter of this year, we'll see a lot more activity around operational risk," says Deloitte's Baret, who notes that banks also benefit from avoiding operational losses, such as errors in entering transactions.


Union Bank of California ($86 billion in assets), which upgraded its credit risk program in May 2009, recently built an operational risk governance structure that addresses the four major elements of operational risk: internal loss data, external loss data, business environment and internal control factors, and scenario analysis. Data from those four areas is aggregated and used to estimate how much capital must be set aside.

Union Bank won't necessarily be required to follow Basel II advanced measurement approaches (AMA) for regulatory capital, which are targeted at the largest international banks, but it is "aligned" with the set of rules, according to Greg Jones, the bank's VP of operational risk. "It's prudent risk management to have a model to estimate capital [requirements]," he says. "Capital adequacy is something that's very basic for banks. All banks should assess capital adequacy for all their areas of risk."
