  • Number of slides: 18

ARMReN Seminar, Thursday, 13 September 2007

Balancing Access and Privacy: Using Risk Management to Walk the Tightrope

Dr. Victoria Lemieux
13 September, 2007
ARMRen research workshop on Access and Impact
Liverpool University, Foresight Centre

©Vicki Lemieux 2007

Free flow of information: A competitive imperative

  • Global investment banking relies on the free flow of information across borders and institutions
    – Trading
    – Fund transfers
    – Global mergers & acquisitions
    – Asset management
    – Other business activities executed on a global scale

Credit Suisse: A Case in Point

  • Credit Suisse is a leading global bank headquartered in Zurich
  • It is focussed on serving its clients in three business lines: investment banking, private banking and asset management
  • For the second quarter of 2007, net income totalled CHF 3.2 billion, and the bank had CHF 1,629 billion worth of assets under management
  • Total staff worldwide is 45,000
  • Credit Suisse operates in approximately 50 countries globally

The Legal and Regulatory Landscape & Climate

  • Federal Information Security Management Act
  • Data Protection Act
  • Bank for International Settlements (Basel II)
  • EBK/Swiss Banking Secrecy
  • Gramm Leach Bliley
  • Japanese Financial Services Agency
  • California SB 1386
  • Patriot Act
  • Sarbanes Oxley
  • Financial Services Authority
  • Federal Financial Institution Examiners Council
  • International Standards Organisation
  • Monetary Authority of Singapore

Data Privacy Regulation: A Growth Market

  • Almost every country in which Credit Suisse now operates has some form of data privacy/data protection legislation or regulation
  • Data privacy legislation/regulation is on the rise
    – Growing public concern about data security
    – Recent examples: Facebook, Monster, Wikipedia, J.P. Morgan Chase, Nationwide, Bank of America

Information Management Compliance – What Could be Easier?

Achieving information management compliance boils down to three simple steps:

  1. Identify relevant laws and regulations
  2. Identify records to which laws/regulations apply
  3. Ensure records are created & handled in accordance with applicable laws/regulations

It's not as easy as it seems!

Which Records?

  • IM
  • Email
  • Web Content
  • Rich Media

Which Devices?

Which Solutions

Information ECM EDRMS Document Content Digital Rights Management Centralised Device Management Data Storage Solutions Knowledge Records Encryption

Challenge/Response

  • How the RM community support financial services firms in meeting the IM compliance challenge:
    – Support a risk-based approach

What is risk management?

Risk Management is an ongoing process used to:

  • Identify potential risks associated with business activity
  • Identify the potential impact and severity associated with the risk
  • Identify strategies and activities that can be implemented to mitigate or eliminate the risk
  • Assign responsibilities and track progress of risk management activities

Why is risk management important?

  • Rise of the 'Risk Society'
  • Rise of accountability frameworks (e.g., SOX, COSO) in which risk management figures prominently
  • Rise of RIM-related threats
  • Compliance complexity
  • Risk management as an appraisal tool

How Risk Management can help Strike the Right Balance

  • Identify the risks.
    – Lack of clarity re: application of law to different records
    – Absence of controls for particular devices
    – Technical weaknesses in recordkeeping solutions
  • Categorize the risks.
  • Rank the risks.
  • Accept or look for ways to mitigate the risks
  • Develop risk mitigation action plan
  • Track and monitor plan

Identifying risks

  • Risk assessment
    – Business context + business functions/activities

[Figure labels: Business Context, Threats, Business Activities, Risk, Vulnerabilities]

Categorizing risk

  • Operating Risks: Those risks associated with business process and technical operations and the challenges of providing service delivery globally – including Loyalty Risk addressing any staff related exposure. Legal Risk addressing any risks around non-compliance with legal/regulatory requirements, or risk of litigation
  • Technology Risks: Those risks associated with the ability to control future technology direction and to use technology to provide a competitive edge.
  • Financial Risks: Those risks that have an adverse effect on the financial condition of the company or the achievement of Credit Suisse's sourcing objectives.
  • Business Risks: Those risks that have an adverse effect on Credit Suisse's business operations or competitive position in the marketplace – including Reputation Risk.

Ranking risk

  • Probability is the likelihood that a risk will occur
  • Impact is the consequences of a given risk once it occurs
  • Risk management entails estimating probability and impact
  • The measurement of probability and impact can be qualitative, quantitative, or a combination of the two
  • It is important to assess the inter-dependency of risks as well as assessing each risk independently

Risk treatment options

  • Avoid
  • Accept
  • Transfer
  • Reduce

Risk mitigation

  • Mitigation Plans reduce the level of risk. Risks are mitigated either by stabilizing or limiting the impact of the underlying assumption or desensitizing the outcome.
  • Similar techniques can be used to identify risk mitigation strategies as can be used to identify risks

[Figure: risk grid with cells numbered 1 to 9; axes: Impact, Probability; labels: Risk, Action Required to Desensitize, Action Required to Stabilize]

Tracking and monitoring

  • Measure that risk treatment strategies have had the intended results
  • Monitor risks over time to detect increases or decreases in their ranking
  • Monitor that procedures and information gathered during the risk identification, risk measurement and risk treatment phases were accurate and complete
  • Identify where improved knowledge would have helped to reach better decisions
  • Identify lessons to be learned from the risk management process
  • Assess whether risk management processes are adequate and being fully implemented.