Question - New Risk Methodology (European Banking Authority)

Our beloved European Union guidelines to assess risk management for financial institutions:

Thanks @sge and company for the lovely reading you sent over … I’m enjoying the reading a lot … not. The important piece here is that they tell you quite clearly how they want you to do risk management; it is not “generic guidelines” as put by ISO and other standards.

General Provisions Chapter

This document contains Guidelines issued pursuant to Article 16 of Regulation (EU) No 1093/2010. In accordance with Article 16(3) of Regulation (EU) No 1093/2010, competent authorities and financial institutions must make every effort to comply with the Guidelines.

These Guidelines build on existing references to ICT risk in the SREP Guidelines and also feed into the SREP methodology more generally

Competent authorities should perform the assessment of ICT risk and the governance arrangement and ICT strategy as part of the SREP process following the minimum engagement model and proportionality criteria specified in Title 2 of the EBA SREP Guidelines … the depth, detail and intensity of the ICT assessment should be proportionate to the size … the frequency of the ICT risk assessment would depend on the minimum engagement model

These Guidelines are aimed at addressing risks arising to market integrity and the viability of institutions from ICT. The Guidelines do not therefore explicitly address ICT risks arising to consumers, although the EBA would expect that beneficial effects will materialise indirectly, as a result of the comprehensive assessment of ICT risks as set out in the Guidelines.

Like the EBA SREP Guidelines, these Guidelines do not specify whether onsite or offsite inspections are most appropriate to conduct the assessments contained within these Guidelines

According to Article 16(3) of Regulation (EU) No 1093/2010, competent authorities must notify the EBA as to whether they comply or intend to comply with these Guidelines, or otherwise with reasons for non-compliance. Notifications will be published on the EBA website, in line with Article 16(3).

2.4 ICT Risk […]

With specific regard to b), competent authorities should assess whether the independent control and internal audit functions, as detailed in paragraphs 104 (a), 104 (d), 105 (a) and 105 (c) of the EBA SREP Guidelines, are appropriate to ensure a sufficient level of independence between the ICT and the control and audit functions, given the size and ICT risk profile of the institution

In assessing the institution’s institution-wide risk management and internal controls, as provided by Title 5 of the EBA SREP Guidelines, competent authorities should consider whether the institution’s risk management and internal control framework adequately safeguards the institution’s ICT systems […] the risk appetite and the ICAAP cover the ICT risks, as part of the broader operational risk category, for the definition of the overall risk strategy and determination of internal capital;

Title 3 Assessment of institutions’ ICT risks exposures and controls

Competent authorities should first identify the material inherent ICT risks to which the institution is or might be exposed, followed by an assessment of the effectiveness of the institution’s ICT risks’ management framework, procedures and controls to mitigate these risks.

As part of the process to identify the ICT risks with a potential significant prudential impact on the institution, competent authorities should review documentation from the institution and form an opinion on which ICT systems and services are critical for the adequate functioning, availability, continuity and security of the institution’s essential activities

To this end, competent authorities should review the methodology and processes applied by the institution to identify the ICT systems and services that are critical, taking into consideration that some ICT systems and services may be considered critical by the institution from a business continuity and availability perspective, a security (e.g. fraud prevention) and/or a confidentiality perspective (e.g. confidential data).

  • they support the core business operations and distribution channels (e.g. ATMs, internet and mobile banking) of the institution
  • they support essential governance processes and corporate functions, including risk management (e.g. risk management and treasury management systems);
  • they fall under special legal or regulatory requirements (if any) that impose heightened availability, resilience, confidentiality or security requirements (e.g. data protection legislation);
  • they process or store confidential or sensitive data to which unauthorised access could significantly impact the institution’s reputation, financial results or the soundness and continuity of its business
  • they provide base line functionalities that are vital for the adequate functioning of the institution

Taking into account the performed reviews of the institution’s ICT risk profile and critical ICT systems and services above, competent authorities should form an opinion on the material ICT risks that, in their supervisory judgement, can have a significant prudential impact on the institution’s critical ICT system and services

When assessing the potential impact of ICT risks on the critical ICT systems and services of an institution,
competent authorities should consider

  • The financial impact, including (but not limited to) loss of funds or assets, potential customer compensation, legal and remediation costs, contractual damages, lost revenue
  • The potential for business disruption, considering (but not limited to) the criticality of the financial services affected; the number of customers and/or branches and employees potentially affected;
  • The potential reputational impact on the institution based on the criticality of the banking service or operational activity affected (e.g. theft of customer data); the external profile/visibility of the ICT systems and services affected (e.g. mobile or on-line banking systems, point of sale, ATMs or payment systems);
  • The regulatory impact, including the potential for public censure by the regulator, fines or even variation of permissions
  • The strategic impact on the institution, for example if strategic product or business plans are compromised or stolen

Competent authorities should then map the identified ICT risks that are considered material into the
following ICT risk categories for which additional risk descriptions and examples are provided in the
Annex. Competent authorities should reflect on the ICT risks in the Annex as part of the assessment
under Title 3

To assess the institution’s residual ICT risk exposure, competent authorities should review how the
institution identifies, monitors, assesses and mitigates the material risks identified by the competent
authorities in the assessment above

  • Internal audit coverage and findings; and
  • ICT risk controls that are specific for the identified material ICT risk

The ICT risk control framework is audited with the required quality, depth and frequency and commensurate with the size, activities and the ICT risk profile of the institution; the audit plan includes audits on the critical ICT risks identified by the institution; the important ICT audit findings, including agreed actions, are reported to the
management body; and ICT audit findings, including agreed actions, are followed up and progress reports periodically reviewed by the senior management and/or the audit committee

For this assessment, competent authorities should, in particular, take into account whether the framework […] a comprehensive analysis of dependencies between the critical business processes and supporting systems […] tests ICT availability and continuity solutions, against a range of realistic scenarios including cyberattacks, fail-over tests and tests of back-ups for critical software and data which […]

The information provided shows that all Member States have, for the assessment of ICT risk, mechanisms and measures in certain forms. However, there are also variations in the current level of practices across Member States in relation to future implementation of the Guidelines. 0 (not implemented), 1 (partially implemented), 2 (mostly implemented), 3 (fully implemented).

OK, we will be updating the Risk modules to adjust things a little bit towards meeting the requirements of the EBA.

The risk matrix we have today depends on two things:

  • having two “types” of classifications
  • defining thresholds (each combination of x and y values and their respective colour and name)

Now for this EBA thing we need to be able to define more than two “types” of classifications; since a 2D matrix has two axes and nothing more, we need to create more than one matrix to accommodate this problem.

The way we will do this is by:

1- letting the user define more than one classification type (nothing to be done here, as this is already possible)
2- creating a new Settings / Calculation Method (see “Calculation Method” below)
3- adjusting Settings / Risk Appetite settings (see “Risk Appetite”)
4- adjusting risk forms (see “Risk Forms”)
5- adjusting filters (see “Filters”)
6- adjusting report charts

Calculation Method

We need a new calculation method called “European Banking Authority” (for now, I’m sure this will change) where the user is allowed to choose one type of risk classification as “Likelihood” and more than one type of classification as “Impact”.

Note: the one selected under “Likelihood” should not be allowed on the dropdown of “Impacts”

It is really similar UX to what we have on magerit (but the calculation is totally different, which is why we cannot re-use it); just the dropdowns are upside down and impact is a multiple-select dropdown.

Note: once this is selected and edited and saved, risk recalculations must take place

Risk Appetite

The idea is that now, with this risk calculation, eramba will be able to create more than one matrix. For example, if the user had defined:

Likelihood Classification Type: Tesla
Impact Classification Types: Price, Speed, Brand

Then we should be able to provide three matrices: Tesla x Price, Tesla x Speed and Tesla x Brand … and each matrix has its own threshold definitions … so the current threshold UX must be “upgraded” when the risk calculation to be used is defined as this new type.

We need to limit which calculation types can use which appetite types, the following table shows the possibilities:

(image: table of which calculation types can use which appetite types, not reproduced here)

Based on which calculation was selected, you enable or disable one tab or the other entirely. If no calculation was chosen, you disable both. The disabled tab needs a red warning message: “The Risk calculation selected (Settings / Risk Calculation) is not compatible with this Risk appetite option”

Once the above is done, remember that the threshold tab must be adjusted ONLY if the ECB calculation is chosen, because multiple matrices will be created out of this calculation type. You will need two adjustments:

  1. The “Default Threshold” will need to be created as many times as “Impacts” have been defined on the calculation setting of ECB; make sure you show as an additional string the one the user is adjusting.

  2. The “Add Threshold” frame needs to be adjusted: on the top dropdown the user selects the “Likelihood” and on the second one it selects the “Impact” (Price, Speed, Brand). Change the labels so it is obvious to the user what they are doing.

Risk Forms

If this risk calculation is used then the risk form will need to be updated, since the user now needs to define the likelihood for each type of impact:

So following our example the UX needs to accommodate all these new classification types and three thresholds and three risk scores

This presents a change as we typically always have a unique risk score, now we can have multiple (as many “impacts” are defined). This is why this change is a bit of a pain in the ass.

Filters

The filters we need to adjust must be dynamically created, as opposed to what we have today; these are the three fields which are relevant here (one for risk analysis and one for risk treatment):

They show today the following data:

Well, now we need to show:

This is because the user needs separate columns on the filters so they can play with them as they wish.

Reporting

When we create item or section reports we need charts that reflect these three types (as per our example, but remember they can be 2, 5 or 10), so these charts must be created as many times as needed:

Same goes for this, with a pair of lines for each likelihood x impact combination.

All other charts remain the same. How we want to do this, whether by making a new “chart type” or adjusting the current one to automatically transform itself based on the settings … well … I don’t care, it’s your decision.
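To make the data model in the post concrete (one “Likelihood” type, several “Impact” types, one threshold matrix per likelihood x impact pair, one score per impact on every risk, and per-matrix chart counts), here is an added Python illustration. It is not eramba’s code; the class names, the 1..3 scales, the threshold cells, the sample risks and the score formula (likelihood multiplied by impact) are constructed assumptions, since the post does not define the calculation itself.

```python
"""Multi-matrix risk scoring as sketched in the post: one likelihood classification
type, several impact classification types, one threshold matrix per pair.
Added example, not eramba's code; all names, scales and formulas are assumptions."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Cell = Tuple[int, int]     # (likelihood value, impact value) on the classification scales
Label = Tuple[str, str]    # (threshold name, colour)


@dataclass
class CalculationMethod:
    """Settings / Calculation Method: one likelihood type, one or more impact types."""
    likelihood: str
    impacts: List[str]

    def __post_init__(self) -> None:
        # Rule from the post: the type chosen as likelihood must not also be an impact.
        if self.likelihood in self.impacts:
            raise ValueError(f"{self.likelihood!r} cannot be both likelihood and impact")
        if not self.impacts or len(set(self.impacts)) != len(self.impacts):
            raise ValueError("impacts must be a non-empty list without duplicates")

    def matrix_names(self) -> List[str]:
        # One matrix per impact ("Tesla x Price"); the same names become filter columns.
        return [f"{self.likelihood} x {impact}" for impact in self.impacts]


@dataclass
class ThresholdMatrix:
    """Risk appetite thresholds for a single likelihood x impact matrix."""
    likelihood: str
    impact: str
    default: Label                                          # the "Default Threshold"
    cells: Dict[Cell, Label] = field(default_factory=dict)  # "Add Threshold" entries per cell

    def classify(self, l: int, i: int) -> Label:
        return self.cells.get((l, i), self.default)


class RiskAppetite:
    """Holds exactly as many matrices as the calculation method has impacts."""

    def __init__(self, method: CalculationMethod, matrices: List[ThresholdMatrix]) -> None:
        self.method = method
        self.matrices = {m.impact: m for m in matrices}
        missing = set(method.impacts) - set(self.matrices)
        wrong = {m.impact for m in matrices if m.likelihood != method.likelihood}
        if missing or wrong:
            raise ValueError(f"matrices missing for {missing}, wrong likelihood for {wrong}")


def score_risk(appetite: RiskAppetite, form: Dict[str, Cell]) -> Dict[str, dict]:
    """Risk form: the user enters (likelihood, impact) values for every impact type.
    Returns one entry per matrix with the score (assumed: likelihood * impact) and threshold."""
    method = appetite.method
    if set(form) != set(method.impacts):
        raise ValueError(f"form must cover exactly the impacts {method.impacts}")
    result = {}
    for impact, (l, i) in form.items():
        name, colour = appetite.matrices[impact].classify(l, i)
        result[f"{method.likelihood} x {impact}"] = {
            "likelihood": l, "impact": i, "score": l * i, "threshold": name, "colour": colour}
    return result


def chart_counts(appetite: RiskAppetite, risks: Dict[str, Dict[str, Cell]]) -> Dict[str, Counter]:
    """Report data: per matrix, how many risks land in each threshold (one heat map each)."""
    counts = {name: Counter() for name in appetite.method.matrix_names()}
    for form in risks.values():
        for matrix, scored in score_risk(appetite, form).items():
            counts[matrix][scored["threshold"]] += 1
    return counts


# Constructed sample data following the post's Tesla / Price / Speed / Brand example.
METHOD = CalculationMethod("Tesla", ["Price", "Speed", "Brand"])


def _matrix(impact: str, high: List[Cell], low: List[Cell]) -> ThresholdMatrix:
    cells = {c: ("High", "red") for c in high}
    cells.update({c: ("Low", "green") for c in low})
    return ThresholdMatrix("Tesla", impact, ("Medium", "amber"), cells)


APPETITE = RiskAppetite(METHOD, [
    _matrix("Price", [(3, 3), (2, 3), (3, 2)], [(1, 1), (1, 2), (2, 1)]),
    _matrix("Speed", [(3, 3)], [(1, 1)]),                          # tolerant appetite for Speed
    _matrix("Brand", [(3, 3), (2, 3), (3, 2), (2, 2)], [(1, 1)]),  # strict appetite for Brand
])

RISKS = {  # constructed risk forms: per impact type a (likelihood, impact) pair
    "R1": {"Price": (3, 3), "Speed": (3, 3), "Brand": (1, 1)},
    "R2": {"Price": (1, 2), "Speed": (2, 3), "Brand": (2, 2)},
}

if __name__ == "__main__":
    for rid, form in RISKS.items():
        print(rid, score_risk(APPETITE, form))
    print(chart_counts(APPETITE, RISKS))
```

The point of keeping the matrices in a dict keyed by impact is that the risk form, the filter columns and the report charts all iterate over `method.impacts`, so adding a fourth impact type changes nothing except the settings; validation in `CalculationMethod` and `RiskAppetite` is where the two consistency rules from the post (likelihood excluded from impacts, one matrix per impact) are enforced.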

Hi Esteban,

Most of it looks good.

I have some questions about some things I don’t understand.

Risk Appetite:

  • “The section above, in my view, I don’t see why it is a “user defined setting”; it should be automatically defined (and user disabled) based on the Calculation Method settings as explained above … so we need two dropdowns there (disabled), one called “likelihood” and the other “impact”, with the options pre-defined as on the Calculation method. This same fix in my view should be used on the current threshold UX but taking the settings from the calculation type “eramba” and “eramba multiplication”.”

Do you mean that the classification types will be pre-defined (from the EBA Guidelines) and that we won’t be able to make additional classification types ourselves? Because we really need to be able to make our own too.

Reporting:

  • All other charts remain the same. How we want to do this, if making a new “chart type” or adjusting the current one to automatically transform itself based on the settings … well…i dont care is your decision.

A risk matrix (heat map) for each classification type (impact) will be fine with us. Just like the one you have already.