A probabilistic approach to IT risk management in the Basel regulatory framework. A case study
| DOI | https://doi.org/10.1108/JFRC-06-2016-0050 |
| Published date | 08 May 2017 |
| Pages | 176-195 |
| Date | 08 May 2017 |
| Author | Semir Ibrahimovic,Ulrik Franke |
| Subject Matter | Accounting & Finance,Financial risk/company failure,Financial compliance/regulation |
A probabilistic approach to IT
risk management in the Basel
regulatory framework
A case study
Semir Ibrahimovic
Department for Management and Information Technologies,
School of Economics and Business in Sarajevo, Sarajevo,
Bosnia and Herzegovina, and
Ulrik Franke
Swedish Institute of Computer Science, Stockholm, Sweden
Abstract
Purpose –This paper aims to examine the connection between information system (IS) availability and
operational risk losses and the capital requirements. As most businesses today become increasingly
dependent on information technology (IT) services for continuous operations, IS availability is becoming more
important for most industries. However, the banking sector has particular sector-specic concerns that go
beyond the direct and indirect losses resulting from unavailability. According to the rst pillar of the Basel II
accord, IT outages in the banking sector lead to increased capital requirements and thus create an additional
regulatory cost, over and above the direct and indirect costs of an outage.
Design/methodology/approach –A Bayesian belief network (BBN) with nodes representing causal
factors has been used for identication of the factors with the greatest inuence on IS availability, thus helping
in investment decisions.
Findings –Using the BBN model for making IS availability-related decisions action (e.g. bringing a causal
factor up to the best practice level), organization, according to the presented mapping table, would have less
operational risk events related to IS availability. This would have direct impact by decreasing losses, related
to those events, as well as to decrease the capital requirements, prescribed by the Basel II accord, for covering
operational risk losses.
Practical implications –An institution using the proposed framework can use the mapping table to see
which measures for improving IS availability will have a direct impact on operational risk events, thus
improving operational risk management.
Originality/value –The authors mapped the factors causing unavailability of IS system to the
rudimentary IT risk management framework implied by the Basel II regulations and, thus, established an
otherwise absent link from the IT availability management to operational risk management according to the
Basel II framework.
Keywords Availability incidents, Basel regulatory framework, IT risk
Paper type Research paper
1. Introduction
Unavailability of information systems (ISs) can have large consequences for banks and their
clients. Every so often, institutions suffer signicant nancial losses because of the
JEL classication – M150, G210, G280, C110
U. Franke was supported by the Swedish Civil Contingencies Agency, MSB, agreement no. 2015-698.
The current issue and full text archive of this journal is available on Emerald Insight at:
www.emeraldinsight.com/1358-1988.htm
JFRC
25,2
176
Journalof Financial Regulation
andCompliance
Vol.25 No. 2, 2017
pp.176-195
©Emerald Publishing Limited
1358-1988
DOI 10.1108/JFRC-06-2016-0050
unavailability of ISs. In June 2012, because of system unavailability at NatWest Bank, a
subsidiary of the Royal Bank of Scotland, millions of customers could not access their
accounts all week. The bank suffered huge damage, and reserved 125 million pounds to cover
the direct damages (provisions for compensations). Bank of America has suffered
unavailable e-banking systems several times (February 2013 and May 2011). In July 2010,
DBS Bank in Singapore, having experienced a 10-hour outage in their core banking system,
received a mandate from the regulatory authorities to reserve US$180 million for operational
risks. In September 2010, the full online banking system of JP Morgan was inaccessible for
more than two days because of corruption in a database le, which had also been replicated
to the disaster recovery (DR) system. In a survey conducted by the Business Continuity
Institute in 2011 on a sample of 128 companies in the nancial sector in ve developed
countries, it was found that the main reason for concern regarding business continuity in
nancial institutions was system availability (Ibrahimovic and Bajgoric 2016). Furthermore,
there are also numerous indirect consequences of information technology (IT) system
outages such as poor customer satisfaction, bad publicity, plummeting stock price, legal
liabilities, worsened employee morale and an impact to external reputation (Marcus and
Stern, 2003).
However, the banking sector also has particular sector-specic concerns that go beyond
the direct and indirect losses resulting from unavailability. New Capital Accord, also known
as Basel II, is a set of recommendations issued by The Basel Committee on Banking
Supervision (from now on: the Committee) regulating the adequacy of banks’ capital in
relation to risk exposure. (Even though Basel II in parts has been superseded by Basel III,
Basel III did not change the assessment of operational risks.) Basel II provisions apply to
internationally active banks in G10 countries. The European Union adopted a Directive
(CAD3), rendering the provisions of the Accord compulsory for all banks in European Union
member countries from 2007. Basel II is based on three pillars, each dening a different area
and each logically following the previous one. The rst pillar regulates capital adequacy; the
second pillar denes the control of procedures and processes dened in the rst pillar; and
the third pillar deals with disclosure of the results. The rst pillar deals with calculation of
the minimum capital requirements for credit, operational and market risk (minimum
regulatory capital – MRC). The MRC is dened as a ratio of the bank’s total capital and the
sum of risk-weighted assets – RW, including the components related to the credit, market
and operational risk. Basel II denes operational risk as risk of loss caused by inadequate
internal processes, procedural errors, human errors, system errors or external events; and
identies three methodologies for determining operational risk. Also, the Basel Committee is
preparing a new methodology for calculating capital requirements for covering operational
risks (Basel Committee on Banking Supervision, 2015). To summarize, IT outages in the
banking sector lead to increased capital requirements and thus create an additional
regulatory cost, over and above the direct and indirect costs of an outage.
This connection between IS availability and operational risk losses and the capital
requirements is the primary motivation for this work. In the following sections, we map the
factors causing unavailability of ISs to the rudimentary IT risk management framework
implied by the Basel II regulations. We thus enable an otherwise absent link from the IT
availability management to operational risk management (ORM) according to the Basel II
framework. More precisely, better-informed decision-making is enabled by tracing the
impact of measures to improve IT availability on capital requirements.
The paper is structured as follows. The next section contrasts our contribution with some
related work. Section 3 introduces the Bayesian model of IT service unavailability that is
used to assess and evaluate best practices in IT management with respect to availability.
177
Basel
regulatory
framework
To continue reading
Request your trial