Any ongoing enterprise faces business risks on multiple fronts. The Identification, Mitigation and Monitoring of Risks using a combination of People, Process and Technology is arried out by a process called Risk Management. Some examples of Risks are as follows.
Credit Risk: Credit Risk assesses credit worthiness of a customer/vendor/business. For an individual, Credit Risk would be the ability of the customer to service the loan and get an understanding of the net worth. For a corporate, Credit Risk would mean consolidation of risk across its various entities and subsidiaries, many of which could be based overseas.
IT Risk: IT systems are subject to multiple types of risk. External attacks target the IT network from outside the organization (viruses, data theft, Denial of Service, etc.), while internal attacks are more about compromising or by passing security controls (maker/checker).
Regulatory Risk: In today’s world, the cost of non-compliance with appropriate regulations, whether the organization is a Bank, Healthcare provider, etc. is prohibitive. Some organizations have been fined billions of dollars and hence, organizations are seeking to strengthen and tighten internal controls to ensure that Regulatory Risk is contained.
Addressing the entire gamut of risks is beyond the scope of this article and we will restrict ourselves to Financial Institutions and even within that Banks, which do business with Individuals and Corporates – Retail, Wholesale and Private Banks.
Some risks associated with Banks with their impact on People, Process and Technology are listed below.
The Maker/Checker principle dictates that a minimum of two employees, (typically the authorizer being a higher ranking officer with increased entitlements) is required to complete a financial transaction like Foreign Exchange deals, Money Market placements, Mortgages, etc (mortgages may need multiple levels of approval with different specialization). Teller based cash withdrawals and Payments are usually two tiered, with amounts below a specified amount not requiring dual authorization. The People part requires separation of responsibilities, the process part defines it as part of the Bank’s Standard Operating Procedure (SOP) and IT systems are required to enforce it. Maker/Checker applies to transactional systems.
Banks typically have an Internal Control Unit (ICU) which is responsible for Operational compliance with the Bank’s Standard Operating Procedure. ICU usually is an audit function, i.e. its function is not to prevent fraud but rather to detect it. Incidences of fraud detection may lead to higher enforcement or even changes to the SOP.
Internal Controls typically apply to the Bank’s operational systems.
Finance is usually externally audited through an accounting firm which is used to certify the company’s financial position.
Compliance with Regulations such as Basel
Banking and Capital Markets regulators are tightening their reporting norms. While this has been an ongoing process, it has become accelerated post the 2007-08 Mortgage/ Credit meltdown. As a consequence of this, the regulators have been levying fines ranging into billions of dollars. Given the high cost of non-compliance, Financial Institutions have formed units to handle external regulatory risks.
Another example of Regulatory requirements is various rules regarding payments, locally within the country as well as cross border payments.
IT systems need to be configurable and rule based in order to adapt to changing regulations, to detect and if possible prevent fraudulent fund transfers. Banks are getting better at identifying suspicious transactions and flagging them in near real-time. A more pattern based and machine learning based processing system can also detect related transactions. These are typically used for laundering drug money or for terrorist funding.
Another classic example of configurable systems is the change in ATM withdrawal limits as well as Bank deposit limits during the demonetization initiative in India. If systems were not configurable then the amount of effort required to change the various systems would have been far higher than was the case.
In conclusion, we can see that enterprises face risks on multiple fronts and having an appropriate Risk Management Framework is necessary to identify, manage and monitor Risks.