
Operational Risk Management for IT infrastructure

IWI jour fixe – Daniel J. Hinz, [email protected]

Frankfurt/Main, November 23rd, 2004

This material was used during an oral presentation; it is not a complete record of the discussion.

AGENDA

• Definitions and research question

• Theoretical foundation and practical motivation

• Approach and validation

• Relevance: Practical application

• Next steps


DEFINITIONS

Risk: The measurable probability of the negative deviation of a target value from a reference value – [Jorion and Khoury 1996]

Operational Risk: The risk of loss resulting from inadequate or failed processes, people and systems or from external events – [Basel Committee on Banking Supervision 2003]

Systems risk / IT risk: Losses arising from disruption of business or system failures, e.g. hardware, software, telecommunications, utility outage/disruptions – [Basel Committee on Banking Supervision 2003]

IT infrastructure: The underlying technological components that constitute an organization's system architecture. The seven components of IT infrastructure are hardware, operating system, network, database, development environment, user interface and application. – e.g., [Gartner]

RISK TYPES

Risks and the root causes for unexpected change in value:

• Market risk: interest rate, FX, and equity risk

• Credit risk: credit losses; changes in credit worthiness

• Business volume risk: changing business volume; changing margins*

• Strategic risk: wrong management decisions

• Reputational risk: loss of customer trust

• Operational risk (focus of this work): events not covered otherwise, such as fraud, catastrophe, processing errors

* Also variations in cost structure (fixed costs, expected losses)


OPERATIONAL RISK

Basel II definition: operational risk arises internally from people, processes and systems, or from external events. Main focus of this work: systems.


RESEARCH QUESTION

Main question: How can risks in financial institutions arising from IT infrastructure be effectively assessed and managed?

Sub questions – Assessment

• How to identify IT risks in a structured way

• How to estimate/calculate the potential loss (e.g., value-at-risk) for

– Compliance with regulators

– Calculation of business cases for mitigation measures

Sub questions – Management

• How to identify risk mitigation measures

• How to calculate the optimal mitigation effort from a cost-benefit perspective

• How to integrate IT risk management into a firm-wide operational risk management

STRUCTURE

Structure of the thesis

• Introduction/Motivation

• Financial risk management domain

• IT mgmt theory

• DSS

• Causal modelling of IT risks

– Development of classification model for operational risk

– Identification of key risk drivers and dependencies

– Modelling of Bayesian Belief Network

– Validation

• Application for IT managers

– Management of IT risks with BSCs

– Risk mitigation strategies

• Outlook and further research

Peer review plan

• Presented at PACIS 2004 (together with Heiko Gewald)

• Submitted to ECIS 05: Identification process and tools (with cluster 2)

• Open: Modelling and validation

• Planned for Dec. 04 (with Stefan B.)

• Open

• Presenting at HICSS-38: Combination of IT mgmt and DSS theory

• Open: Combination of financial risk mgmt and IT mgmt theory (with AGSM)

Target dates as given on the slide: 04/05, 12/04, tbd, 02/05, 06/05


THEORETICAL FOUNDATION

Financial risk management domain

• Value-at-Risk

• Bayesian Belief Networks

• CAPM

• …

IT management theory

• IT Controlling

• Common Criteria*

• Data security (NRC**)

• ITIL

• …

Decision support systems (DSS)

• Data oriented

• Model oriented

• …

Combining financial risk management approaches (i.e. Bayesian Belief Networks) with IT management techniques (e.g., risk and threat assessment) to develop the IT part of an integrated decision support system

* "Common Criteria for Information Technology Security Evaluation" of the International Standards Organization (ISO) of 1999 (also known as "Common Criteria", CC, or ISO 15408)

** National Research Council

PRACTICAL MOTIVATION

Spectacular losses

• September 11

• Barings Bank

• …

BIS* Survey key results

• 89 banks from 19 countries

• 47,269 individual events

• Total losses of EUR 7.8 billion in 2001

• Average of 528 losses accounting for EUR 87 million p.a. for every participating bank

• Average loss of almost EUR 400,000 for operational losses from "business disruptions and system failures"

• Average loss of EUR 160,000 for all other event types

* Bank for International Settlements

Source: Basel Committee on Banking Supervision; The 2002 Loss Data Collection Exercise for Operational Risk, 2003.


DECISIONS TO BE SUPPORTED

[Figure: 2×2 matrix of decisions by Frequency (low / high) and Impact (low / high)]

Examples

• High impact, low frequency decisions: IT outsourcing; contract renegotiation; big-bang ERP system replacement; …

• Low impact, high frequency decisions: installation of new SW releases; server replacement; …

Need for decision support

Source: Hinz, Daniel; High Severity Information Technology Risks in Finance, HICSS, 2005.

THE LOSS DISTRIBUTION APPROACH (backup slide)

[Figure: probability density of the annually aggregated loss. Marked regions: Low Impact, High Frequency; High Impact, Low Frequency. Marked point: Mean = Expected Loss.]
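The loss distribution approach sketched on that slide, worked through as an added example (not code from the slides or from the author's model). It assumes a Poisson event frequency, a single-event loss on a 10,000 EUR grid, and a constructed severity mix of many small and a few large losses; the annually aggregated loss is the compound sum of both, built exactly by convolution. From it the mean (expected loss), a 99.9 % operational value-at-risk, and the business case of a mitigation measure that halves the event frequency (the sub-questions on regulatory loss figures and mitigation business cases) can be read off directly.

```python
"""Loss Distribution Approach (LDA) for IT operational risk on a discrete grid.

Added example, not from the slides or the author's work. Assumptions:
  - yearly event count N ~ Poisson(lam)           (frequency)
  - single-event loss X on a grid of UNIT euros   (severity)
  - annually aggregated loss S = X_1 + ... + X_N  (compound distribution)
The distribution of S is built exactly by convolution, so the mean
(expected loss) and a high quantile (operational value-at-risk) can be
read off without Monte Carlo noise.
"""
from math import exp, factorial

UNIT = 10_000          # grid step in EUR (constructed assumption)


def poisson_pmf(lam, n_max):
    """P(N = n) for n = 0..n_max; the (tiny) mass beyond n_max is dropped."""
    return [exp(-lam) * lam ** n / factorial(n) for n in range(n_max + 1)]


def convolve(a, b):
    """Distribution of the sum of two independent grid-valued losses."""
    out = [0.0] * (len(a) + len(b) - 1)
    for i, pa in enumerate(a):
        if pa == 0.0:
            continue
        for j, pb in enumerate(b):
            if pb:
                out[i + j] += pa * pb
    return out


def aggregate_loss_distribution(lam, severity, n_max=40):
    """Exact distribution of S = X_1 + ... + X_N on the grid.

    severity[k] is P(X = k * UNIT). Returns total[k] = P(S = k * UNIT).
    """
    freq = poisson_pmf(lam, n_max)
    n_fold = [1.0]              # distribution of the sum of zero events
    total = [0.0]
    for p_n in freq:
        if len(total) < len(n_fold):
            total.extend([0.0] * (len(n_fold) - len(total)))
        for k, p in enumerate(n_fold):
            total[k] += p_n * p
        n_fold = convolve(n_fold, severity)   # one more event in the sum
    return total


def expected_loss(dist):
    """Mean of the aggregated loss in EUR (the 'expected loss' on the slide)."""
    return sum(k * UNIT * p for k, p in enumerate(dist))


def value_at_risk(dist, confidence):
    """Smallest grid loss v with P(S <= v) >= confidence (operational VaR)."""
    cum = 0.0
    for k, p in enumerate(dist):
        cum += p
        if cum >= confidence:
            return k * UNIT
    return (len(dist) - 1) * UNIT


def mitigation_business_case(lam_before, lam_after, severity, annual_cost):
    """Net annual benefit of a measure that lowers the event frequency.

    Reduction in expected loss minus the measure's cost; positive means the
    measure pays for itself on expected-loss grounds alone.
    """
    before = expected_loss(aggregate_loss_distribution(lam_before, severity))
    after = expected_loss(aggregate_loss_distribution(lam_after, severity))
    return before - after - annual_cost


# Constructed severity: 90 % of events cost 10k EUR (low impact, high
# frequency), 10 % cost 500k EUR (high impact, low frequency).
SEVERITY = [0.0] * 51
SEVERITY[1] = 0.9
SEVERITY[50] = 0.1
LAMBDA = 4.0           # four system-failure events per year (constructed)

if __name__ == "__main__":
    dist = aggregate_loss_distribution(LAMBDA, SEVERITY)
    print(f"expected loss: {expected_loss(dist):>12,.0f} EUR")
    print(f"99.9 % OpVaR:  {value_at_risk(dist, 0.999):>12,.0f} EUR")
    benefit = mitigation_business_case(LAMBDA, 2.0, SEVERITY, 100_000)
    print(f"net benefit of halving the frequency at 100k EUR/year: {benefit:>12,.0f} EUR")
```

The expected loss is simply the frequency times the mean severity (4 × 59,000 = 236,000 EUR), but the 99.9 % quantile is driven almost entirely by the rare 500k events, which is why the slide separates the high impact, low frequency tail from the body of the distribution: data-oriented estimates of the mean say little about it.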

WHY CAUSAL MODELING

High frequency, low impact

• Decisions: mostly small losses; decisions mostly reversible

• Need for analyses: ex-post analyses sufficient

• Requirements for DSS: data oriented DSS needed, e.g., operational value-at-risk, supported by expert judgement

Low frequency, high impact

• Decisions: potentially high impact; decisions mostly irreversible

• Need for analyses: ex-ante analyses necessary

• Requirements for DSS: model oriented DSS needed to provide decision criteria and design parameter

Source: Hinz, Daniel; 2005; Alter, S. 1979; Power, D.J., 2004

CHANCES AND CHALLENGES OF CAUSAL MODELS

Assessment of causal networks

Chances

• Simulation of changes and corresponding effects possible

• Incorporating historical data

• Leveraging expert knowledge

• Creating transparency of dependencies/relationships

Challenges

• High complexity

– Of causes

– Of dependencies

• Difficult to keep model up-to-date

Implications for model

• Reduction to practically measurable number of indicators necessary

• Structured approach to derive cause and consequences (dependencies) necessary

Source: Gewald, H. and Hinz, D., A Framework for Classifying the Operational Risks of Outsourcing, PACIS 2004

CAUSAL DEPENDENCY OF RISK CAUSE AND IMPACT

Chain: Sources of Risk → Risk → Impact Areas

Key Risk Driver (KRD)

– Description: Parameter for changes in OpRisk (e.g., staff skills, systems security, etc)

– Analogy: Accelerator and brakes

Risk Indicator (RI)

– Description: Measurement point to assess actual risk status of one single risk component

– Analogy: Speed sensors

Key Risk Indicator (KRI)

– Description: Top-level indicator, aggregated of multiple risk indicators

– Analogy: Tachometer

Source: Gewald, H. and Hinz, D., A Framework for Classifying the Operational Risks of Outsourcing, PACIS 2004

CLASSIFICATION MATRIX

[Figure: matrix of Sources of Risk (rows: External, Systems, Processes, People) against Impact Areas (columns: Costs, Quality, Time). Each source row carries its own group of key risk drivers (KRD* 1, KRD 2, …; KRD 6, KRD 7, …; KRD 11, KRD 12, …; KRD 16, KRD 17, …); each impact-area column carries its key risk indicators (KRI** 1, KRI 2, …; KRI 4, KRI 5, …; KRI 7, KRI 8, …); the cells hold the risk indicators (RI).]

Example: decreasing service quality

• KRD (e.g. process errors)

• Risk Indicator (e.g. # failed transactions)

• KRI (e.g. process documentation)

* KRD = Key Risk Driver

** KRI = Key Risk Indicator

Source: Gewald, H. and Hinz, D., A Framework for Classifying the Operational Risks of Outsourcing, PACIS 2004

REPRESENTATION IN BAYESIAN BELIEF NETWORK

[Figure: three-layer network. Key Risk Drivers (KRDs), ~ 20 (KRD 1, KRD 2, …, KRD x) → Risk Indicators (RIs), ~ 200 (RI 1, RI 2, RI 3, …, RI y) → Key Risk Indicators (KRIs), ~ 10 (KRI 1, KRI 2, …, KRI z)]

Source: Gewald, H. and Hinz, D., A Framework for Classifying the Operational Risks of Outsourcing, PACIS 2004

MODELLING IN HUGIN

Source: Gewald, H. and Hinz, D., A Framework for Classifying the Operational Risks of Outsourcing, PACIS 2004

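A minimal KRD → RI → KRI belief network in the spirit of the two preceding slides, as an added example (not the author's Hugin model and not code from the slides). All nodes are binary and the conditional probability tables are constructed; the two driver names follow the slide's examples (staff skills, systems security). Inference is exact enumeration over the joint distribution, which suffices for a handful of nodes and shows both uses the "chances" slide names: simulating a change of a driver and its effect on the top-level indicator, and diagnosing the likely driver once an indicator has deteriorated.

```python
"""Bayesian Belief Network over Key Risk Drivers (KRDs), Risk Indicators
(RIs) and Key Risk Indicators (KRIs).

Added example, not from the slides or the author's Hugin model. It assumes a
toy network with two KRDs, one RI and one KRI, all binary, with constructed
conditional probability tables. Inference is exact enumeration over the
joint distribution.
"""
from itertools import product

# node -> (parents, table); table maps a tuple of parent states to P(node=True)
NETWORK = {
    # KRDs (the "accelerator and brakes"): parameters management can change
    "skills_low":     ((), {(): 0.30}),          # staff skills inadequate
    "security_weak":  ((), {(): 0.20}),          # systems security weak
    # RI (the "speed sensor"): measurable state of one risk component
    "failed_tx_high": (("skills_low", "security_weak"), {
        (False, False): 0.05, (False, True): 0.40,
        (True, False):  0.30, (True, True):  0.80}),   # share of failed transactions high
    # KRI (the "tachometer"): top-level indicator aggregated from RIs
    "quality_drop":   (("failed_tx_high",), {(False,): 0.10, (True,): 0.70}),
}


def joint_probability(assignment):
    """P(all nodes take the given True/False states) via the chain rule."""
    p = 1.0
    for node, (parents, table) in NETWORK.items():
        p_true = table[tuple(assignment[par] for par in parents)]
        p *= p_true if assignment[node] else 1.0 - p_true
    return p


def query(target, evidence):
    """P(target = True | evidence) by summing the joint over consistent worlds."""
    nodes = list(NETWORK)
    numerator = denominator = 0.0
    for states in product((False, True), repeat=len(nodes)):
        world = dict(zip(nodes, states))
        if any(world[node] != state for node, state in evidence.items()):
            continue
        p = joint_probability(world)
        denominator += p
        if world[target]:
            numerator += p
    return numerator / denominator


def what_if_training(target="quality_drop"):
    """Top-down simulation: KRI probability before and after fixing staff skills."""
    return query(target, {}), query(target, {"skills_low": False})


def diagnose(observed_kri="quality_drop"):
    """Bottom-up: posterior of each KRD given the KRI has deteriorated."""
    return {krd: query(krd, {observed_kri: True})
            for krd in ("skills_low", "security_weak")}


if __name__ == "__main__":
    base, improved = what_if_training()
    print(f"P(quality drop): {base:.4f} -> {improved:.4f} after skills training")
    for krd, p in diagnose().items():
        print(f"P({krd} | quality drop observed) = {p:.4f}")
```

With these constructed tables the prior probability of a service-quality drop is 0.2224; conditioning on adequate staff skills lowers it to 0.172, and observing a drop raises the posterior of inadequate skills from 0.30 to about 0.46, which is the kind of "transparency of dependencies" the slides argue for. Enumeration is exponential in the node count, so a network with ~230 nodes as on the representation slide needs a proper inference engine such as the Hugin tool named on the next slide.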

INDICATIVE FEEDBACK

Talks conducted with

• Five operational risk managers/controllers in large banks

• Three subject matter experts in international consulting companies

Key outcomes

• Strong practical need for that kind of assessment, as currently employed methodologies do not fully reflect the operational risk in outsourcing.

• Usage of Bayesian Belief Networks has explicitly been favoured within all interviews, but none of the companies has yet developed a working model.

• Interest is huge to gain theoretically founded insights in the outsourcing decision from an operational risk point of view.

Open: Scientific validation

Source: Gewald, H. and Hinz, D., A Framework for Classifying the Operational Risks of Outsourcing, PACIS 2004


COCKPIT

[Mock-up of a risk management cockpit: panels for KRD, RI, KRI and Risks with +/- trend markers and sample indicator values (20%, 1,3 Mio EUR, 23 min, 4, …)]


ASSESSMENT OF IT RISK DRIVERS

Risk assessment methods

• Failure Mode and Effects Analysis (FMEA)

• Asset values and Business Impact Analysis

• Hazard and Operability (HAZOP)

• Attack Tree Analysis

• Event Tree Analysis

• Vulnerability Chains/Trees Analysis

• Fault Tree Analysis

• Operational profiles

• (Human) Behaviour Modelling

• Discrete Event Simulation

• …

Key findings

• No single method alone can accomplish all the necessary features for a complete and effective risk assessment

• A combination of two or more methods is recommended in order to perform good work [Sample & Poynter 2001]

Source: Pérez, Martinovic, Berbner, Hinz, Steinmetz; IT Risk Assessment – Methods and Applications; subm. ECIS 05

Next step: Identification of key risk drivers