05:10 PM
Connect Directly

Recalculating Risk: The New Rules of Risk Management

New data management and risk analytics tools are giving banks such as ING, HSBC and Union Bank insight into enterprisewide risk exposures and a head start on Basel II rules.

The San Francisco-based bank, Jones reports, is building a mathematical model for calculating this capital estimate using analytics software from SAS (Cary, N.C.). The SAS software has some elements of Basel II requirements and financial institution "range of practice" best practices built into it. (The Basel II Accord Implementation Group's Operational Risk Subgroup obtained its range of practice from members' supervisory work, benchmarking exercises, discussions with bank management and other sources.)

"It's very helpful; many banks reference the range of practice to see what others are doing in particular areas of the model," Jones notes, adding that the SAS software also has other built-in features, such as the ability to correlate risk across different event types, that developers otherwise would have to create from scratch.

The mathematically intense Value at Risk model is being developed in-house by six quantitative analysts at the bank. It will consider best-case and worst-case scenarios, according to Jones. "Our risk models are complex because it's more of a probabilistic model as opposed to a regression model," he explains.

Jones points out that an internal database feeds internal loss data into the model. The external loss data comes from the American Bankers Association. The results of the operational risk model will be fed into a broader risk model that looks at all the risk-weighted assets of the bank and considers credit and market risk as well as operational risk.

The biggest benefit to the bank of implementing this new model will be safety and soundness from a capital adequacy perspective, Jones asserts. "That's really what this is all about -- how much capital does a bank need to hold to absorb unanticipated losses. That's the primary goal -- whether it's market risk, credit risk or operational risk," he says, noting that the model also will help the bank reconsider its processes and controls and perhaps make risk management changes as a result.


For its part, Amsterdam-based ING (US$1.3 trillion in assets) currently is focused on controlling market risk, according to Valerie Benichou, project manager, market risk management and product control, ING Belgium. "Efficient market risk management is a top priority for ING," she says. "To be compliant with Basel II standards and rules, we need to improve our market risk control and link market and counterparty controls. We're making a lot of effort now and will do much in the future to be compliant with this standard."

Like many U.S. banks, ING plans to implement before the end of the year stress VAR models -- mathematical modeling of the bank's Value at Risk taking into account difficult market conditions such as those that existed during the subprime crisis. "The objective of stress VAR is to try to estimate the right level of capital to be sure that we'll have sufficient capital to face even a worst-case scenario in the markets," Benichou explains.

2 of 4
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.