Beating IT Risks

varying degrees bearing responsibility for the direct financial losses and associated reputational damage.

Reports on the incident by independent reviewers and the regulator have been made public,94 and it is a fascinating case. The IT system ‘Horizon’, which was custom-built, allowed traders seemingly to manipulate at will the information on trades and exposures to conceal their true position.

Of course, on its own these system features would not have caused damage – but if we add unethical and fraudulent intent on behalf of the risk-takers to incompetence in the checkers and overseers and then whisk them together, the result is: A$360 million lost, four traders and their manager summarily dismissed. Collateral damage losses have also taken the chairman and the CEO (both resigned) and, following the appointment of a new CEO, a ‘clean sweep’ of executive ranks associated with the debacle: the head of corporate and institutional banking, the head of risk management and the head of global markets.

This case illustrates that IT controls are necessary but not sufficient in major bank trading desks, as in many other areas of business.

Let’s look at another worrying area: identity theft.

A lot of identity theft is occurring now – the US Federal Trade Commission estimated losses to business, including financial institutions of US$47.6 billion.95 To what extent should IT shoulder the blame? Surely ‘the systems’ should play a part in ‘stopping this’ or ‘picking this up’?

A friend of the authors had her identity stolen and used by the thief at Pizza Hut. She was offended the thief stole her identity and didn’t order from a top restaurant! The bogus transaction was mundane and wouldn’t have stuck out even if you were looking for it.

Perhaps more obvious was the counterfeit use of a new ‘gold’ credit card of the wife of one of the authors: three gold ingots purchased from three separate jewellers in Hong Kong in a morning.

Although fraudulent transactions are in many cases handled electronically, which system or systems are we suggesting should pick up the fraudulent transactions? For example, the merchant, the provider of authorization services, the credit bureau, the credit-card issuer, the international credit-card schemes, the banks and financial institutions processing transactions and managing customer accounts may all have a part to play in a solution.

If it isn’t possible for a human to distinguish between a real and a bogus transaction, let alone prevent a new customer credit account from being created based on fraudulent records, how can IT alone plug the gap?

94 In a break with the ‘sins of the past’ the National Australia Bank has opted for full disclosure and has made public all reports on their website.

95 The US$47.6 billion is comprised of an estimated US$14 billion from misuse of existing accounts (both credit card and non-credit card) and US$32.9 billion from new accounts and other frauds (US FTC, 2003).

It can’t. The design of the entire business system – encompassing people, process and technology – must contribute to cost effectively reducing risks to acceptable levels. Where business relies most heavily or entirely on IT to do the task, then most of the opportunity for improvement in risk management controls must come through IT.

In summary, a particular business risk can be looked at in various ways. Where useful, the risk should be compartmentalized, labelled and addressed in a specific way – either on the basis of cause, risk-event type or on business impact or consequence. Certainly we have argued extensively that IT risks require their share of special attention as ‘root causes’ you should be seeking to control.

However, any scheme to categorize or compartmentalize business risks should not create risk management silos. Our particular concern is that distinctions between IT vs. non-IT risk do not result in a suboptimal response.

Let’s now look at the key areas that IT can make a difference to the way your business manages risk.

Supporting risk-based management with IT

Whenever IT is the sinner there is also the opportunity for it to be the saint. When our IT controls fail us, we learn from our mistakes and turn again to IT for the answer: a smarter form of authentication, better encryption, smart cards, biometrics, real-time anomalous transaction reporting, etc.

Just as IT can be applied to yield results that were not previously possible in many fields so too in the field of risk management. In doing so, let’s not conceive of a search for an IT ‘silver bullet’. No one technology is the complete answer, even to today’s problems and issues, let alone tomorrow’s more challenging questions.

Next generation technology will certainly be incrementally improved from the last; however, the next generation of thieves, attackers and subversives will also be better equipped and better informed and the next generation of legislation, regulation and compliance more demanding and specific.

The wired organization (now going wireless)

If your organization is wired up – moving to Bill Gates’ vision of ‘Business at the Speed of Thought’ – then it is most probably highly reliant on IT, or else you all sit in the same room or share an extrasensory perception gift.

Rather than traditional end-of-month reports that may have been relied on to identify a dip in demand for a particular product, today’s systems might be producing daily or real-time equivalents. Perhaps management intervention has been bypassed altogether and the stock control systems automatically reschedule

are docile in their acceptance of their employer’s monitoring of their electronic information exchange and website usage. You keep a log of every email I send and receive? And every website I visit? And my telephone call records? And a transcript of my telephone calls with customers? Yep.

The Big Brother scenario is with us, and the employer – while needing to navigate the laws in all jurisdictions to ensure compliance is maintained – has the tools in hand to perform this with ease.97

Fortunately, merely the knowledge of the level of surveillance is sufficient to stop most from infringing. For those who trip up, the evidence is at hand.

There is a catch here. Every private email between your executive team is also indelibly etched onto the corporate record and remains open to legal ‘discovery’ processes for years to come. Acting honourably remains the only long-term course for all.

Decision support, risk analytics and reporting

Advanced risk-return decision-making requires advanced IT support. Can you imagine manually calculating the riskiness of your credit portfolio? Data volumes are huge and the sophisticated models require precise calibration and consistent fine tuning.

Of course your quantitative analysts will turn to IT for the large-scale analysis of risks, as we always turn to IT when the going gets tough and a large number of inputs and mathematical complexity are involved.

The objective of all management information systems is to enable faster and better decision-making; in the case of risk management information, decisionmaking about known and potential risks. The ‘holy grail’ of risk management information systems: compatible and efficient IT systems for capturing, analysing and ultimately reporting risks of all types, knitted up across the entire business (Cuneo, 2003). The consumers of output from the risk management information system are both internal – across all layers of management – and external.

Automating risk information management can assist you to embed required practices into your organization by making ‘business as usual’ risk management activities efficient rather than onerous.98

97 Of course, surveillance can be surreptitious, unauthorized and evolving – refer, for example, to the exposures generated through use of instant messaging (Hancock, 2001) with vulnerabilities running well ahead of potential legal sanctions.

98 The Australian National Audit Office note that: ‘An important contribution to fraud prevention is to have a suitable management information system that assists in identifying systemic issues or control weaknesses and helps to manage cases of fraud expeditiously once they have occurred . . . Of particular concern to the ANAO was that approximately 43 per cent of agencies that had reported having experienced fraud in the previous two years also advised that they did not have any form of fraud control MIS’ (ANAO, 2003c, p. 15).

Ignorance wasn’t bliss, but not knowing was a convenient excuse. With more knowledge comes the obligation to act. If a risk is identified and reported and the required action obvious, the executive who does not act will be later found to be guilty – certainly of incompetence and maybe worse.

As with any application, the risk information management systems may fail – refer to Chapter 8 for further exploration of defects and their impact. In such a case your risk decisioning may be flawed, and systematically so.

The dependence of IT risk management on broader enterprise competencies

Finally we consider how IT risk management relies on advanced levels of competence in other functions of your organization, in particular human resource management, strategy and planning, legal, financial management and physical security. The key question here: Despite best efforts in managing IT risk, what other management capabilities that we rely on might let us down?

Human resource management

People’s performance has a strong bearing on IT risks, from the top-notch IT project manager who drives hard to meet a deadline to the diligent systems administrator who checks the integrity of the nightly back-up tapes.

Recruitment When people are brought in carry out an IT role – either as employees or contractors – they need to be ‘processed’ by HR. We are looking beyond simple payroll form-checking and security card dispensing. Thorough background reference checks can assist you mitigate the downstream threat of insider attacks or other malicious acts.

Performance management Once people are working for you, the system should identify and allow you to weed out underperformers and provide appropriate incentives and encouragement for high performers. We are looking for a balanced regime that rewards both risk-taking and risk-minimizing behaviours. We would have expected destructive effects at National Australia Bank to have been lower if traders’ personal bonuses had been risk-adjusted.

Retention A high rate of staff turnover can result in a rapid dilution of your knowledge base and dramatically impact productivity. In particular, if significant systems expertise is lost suddenly from a specialized development team, the ability to make changes confidently and without introducing defects is impaired.

Training and development Sufficient investment is required to maintain the basic competencies, including those required for operating and administering the company’s IT and conforming with standard operating procedures and policies.

Strategy and planning

Setting direction for IT starts with setting direction for the business as a whole. What objectives are important for the company? There should be only one IT strategy. This will define the criteria for selecting the right mix of projects amongst other things – both the business initiatives and the counterpart IT projects.

Is a ten-year deal with a major IT service provider desirable? Potentially not, if divestment of one or more business units is on the cards.

Should we stick with our current vendor’s technology or is another viable candidate emerging that we should consider?

A business-IT dialogue should differentiate between at least three different planning horizons:

•Short-term: Over the next six to 12 months, what are the top priorities for IT? This indicates where today’s limited IT resources need to be allocated and focused now and what they will be doing next. Milestones should be agreed for each month.

•Medium-term: Over the next one to two years, what are the emerging business requirements for IT? This indicates where IT capability needs to develop, perhaps where resources need to be shifted and external expertise bought in. Milestones should be agreed for each quarter.

•Longer term: Beyond two years, what is the direction for the business and IT? This indicates where investment will be allocated and which of today’s services may be in the ‘sunset phase’ and no longer relevant. Milestones should be agreed for each year through to five years out. Beyond this timeframe is challenging.

The IT function serves many parts of the business that may not be completely aligned in their thinking. A process for dealing with ambiguity, disagreement and ‘multiple business strategies’ may be required – involving the CEO as arbiter if required.

Finally, in many companies, plans can be quite fluid. The cost of ‘churning’ IT projects (stopping one and starting another in its place) beyond ‘concept and feasibility’ can be enormous. It is most important, therefore, that greater precision over the short-term plan is agreed and tight ‘change control’ placed over the six-month committed program of work.

Legal

The main areas of potential IT risk for the legal function to support lie in third party contracts for IT services.

With a solid contractual framework in place, most vendor and outsource service provider relationships operate mainly on ‘scope of work’ and service

level agreement schedules. However, when the going gets rough everyone turns to the contract. The provisions you will rely on must be enforceable.

When IT is required to play a key part in achieving legal compliance, the experts in the respective fields – for example, privacy – will need to articulate the requirements and confirm the adequacy of proposed solutions. This will require their close involvement in the IT project.

Financial management

If there are lackadaisical controls over project spend and ‘blowouts’ in IT projects go undetected, then the resultant wastage cannot be entirely blamed on those who spent it (in IT) but also on the business unit that channelled the money in and the bean-counters who should have been watching more closely.

It is necessary to place financial controls over the dollars spent in IT in line with the controls over money spent in other parts of the business, in two main particular areas:

•Budgeting – estimating and agreeing the amount to be spent on IT activities – and how this will be cross-charged to the business units; and

•Tracking – capturing and allocating actual spend against the defined budget categories, identifying and reconciling variances.

Physical security

While considerations of physical security have been touched on in Chapter 6 and Chapter 9, we view this as a related but distinct area of competence, apart from IT management.

Every employee, including the janitor, will play a part in securing your company’s premises. While IT and information assets are not the only items of value, they are commonly the target of theft or misuse. It is important for all of your sites to raise awareness and promote practices that reduce this loss.

What to look out for? Social engineering and ‘tailgating’ are practised as art forms. The prescription is quite simple: allow and encourage your staff to be ‘rude’ and simply don’t let people whom they don’t recognize into the building.

Sites that house corporate application and data servers must be subject to even greater procedure: identity checking, sign-in, escorting and monitoring of visitors. On these sites it is a matter of not letting anyone in without absolute and explicit authorization.

And here we conclude our brief review of the five key areas of organizational competence that your IT risk management efforts will rely upon: human resource management, strategy and planning, legal, financial management and physical security.

In conclusion

We hope that as a business manager at risk from IT failure you will benefit from our ideas and we wish you well on your journey. Again, bon voyage! For your colleagues who may not get it, can we prompt you with a quote from Dr Seuss (Seuss, 2003):

I’m sorry to say so but, sadly, it’s true

that Bang-ups and Hang-ups can happen to you.

Appendix 1: Review checklists

These review questions are to be supplemented by specific issues relating to the project, organization or technology. They complement the project risk health check at the end of Chapter 4. Merely answering ‘yes’ is not enough; these assertions need to be well supported.

Key review questions to answer: Completion of concept and feasibility stage

Business rationale

•Are targeted business benefits clearly articulated?

•Is the approach for realizing the benefits understood and planned?

•Is there clear alignment with organization objectives?

•Are business and user requirements defined?

•Do executive sponsors and user representatives agree the concept?

Solution and delivery options

•Has there been exploration of various solution options?

•Do solution options exist that are technically feasible?

•Do vendors and internal / external service providers have pre-existing products and service capability that will meet the requirement?

•Are delivery timeframes acceptable?

•Is the technical complexity of the solution understood?

•Are non-functional requirements defined?

•Can the solution achieve compliance with technology architectures and standards and fit within the existing technical environment?

Commercial value

•Is there a sufficiently robust quantification of business benefits being sought?

•Is the range of estimates of project cost comprehensive?