According to IBM a consistent way to manage all types of risk is the key to success for financial services organizations. To support this IBM will be rolling out their Smarter Risk offering during Q1 2014. Failure to properly manage risk has been alleged to be the cause of the financial crisis and, to force financial services organizations to better manage risk, the regulators around the world are introducing tougher rules.
The underlying causes of the damaging financial crisis can be traced back to the management of risk. Financial services organizations need to hold capital to protect against the various forms of risk. The more capital they have to hold to cover existing risks the less the opportunity to use that capital in other ways. So fully understanding the risks faced is a key factor to organizational success.
According to Gillian Tett in her book Fool’s Gold – the roots of the financial crisis can be traced back to the Exxon Valdez disaster in 1993. To cover the billions of dollars needed for the clean-up Exxon requested a credit line from its bankers J.P. Morgan and Barclays. The capital needed to cover this enormous credit line required the banks to set aside large amounts of capital. In order to release this capital J.P. Morgan found a way to sell the credit risk to the European Bank for Reconstruction and Development. This was one of the earliest credit default swaps and, while this particular one was perfectly understood by all parties, these types of derivatives evolved into things like synthetic collateralized debt obligations (CDOs) which were not properly understood and were to prove to be the undoing.
IBM believes that, in order to better manage risk, financial services organizations need to manage all forms of risk in a consistent way since they all contribute to the ultimate outcome for the business. These include financial risk, operational risk, fraud and financial crimes, as well as IT security. The approach they advise is to build trust through better and more timely intelligence, then to create value by taking a holistic view across all the different forms of risk. The measurement of risks is a complex process and involves many steps based on many sources of data. Often a problem that is detected at a lower level is not properly understood at a higher level or is lost in the noise. Incorrect priorities may be assigned to different kinds of risk or the relative value of different kinds of intelligence may be misjudged.
So how does this relate to IT security? Well security is about ensuring the confidentiality, integrity and availability of information. In this last week the UK bank RBS suffered a serious outage which led to its customers’ payment cards being declined over a period of several hours. The reasons for this have not been published but the reputational damage must be great since this is the latest in a series of externally visible IT problems suffered by the bank. IBM provided an example of how they had used a prototype Predictive Outage Analytics tool on a banking application. This banking application suffered 10 outages, each requiring over 40 minutes recovery time, over a period of 4 weeks. Analysing the system monitoring and performance data the IBM team were able to show that these outages could have been predicted well in advance and the costs and reputational damage could have been avoided if appropriate action had been taken sooner.
So in conclusion this is an interesting initiative from IBM. It is not the first time that IT companies have told their customers that they need to take a holistic view to manage risk and that IT risk is important to the business. However, as a consequence of the financial crisis, the financial services industry is now subject to a tightening screw of regulation around the management of risk. Under these circumstances, tools that can help these organizations to understand, explain and justify their treatment of risks are likely to be welcomed. This holistic approach to the management of risk is not limited to financial organizations and many other kinds of organization could also benefit. In particular, with the increasing dependence upon cloud computing and the impact of social and mobile on the business, the impact of IT risk has become a very real business issue and needs to be treated as such.