Cyber risk fheili.mohammad

Mohammad Fheili – fheilim@jtbbank.com
A Qualitative
Assessment
of Risks in Electronic
Banking…
The Cyber Challenge!

Mohammad Fheili
“Over 30 years of Experience in Banking.
mifheili@gmail.com (961) 3 337175
 Risk & Capacity Building Specialist.
 Trainer in Risk & Compliance
 University Lecturer: Economics, Risk, and Banking
Operations
 Currently serves in the capacity of an Executive (AGM) at
JTB Bank in Lebanon.
 Served as:
• An Economist at ABL,
• Senior Manager at BankMed
• Senior Manager & Chief Risk Officer at Group
Fransabank
 Mohammad received his college education
(undergraduate & graduate) at Louisiana State University
(LSU), and has been teaching Economics and Finance for
over 25 continuous years at reputable universities in the
USA (LSU) and Lebanon (LAU).
 Finally, Mohammad published over 25 articles, of those
many are in refereed Journals (e.g., Journal of Money
Laundering & Control; Journal of Operational Risk;
Journal of Law & Economics; etc.) and Bulletins.”

If You’re Convinced that we have been evolving in that fashion, then the extreme
majority of anticipated and undertaken projects is about “AUTOMATION”, or IT in
General.
Increasing Demands for Certain Skills. The Absence of
Such Technical Skills reflects Negatively on the Success of
the Majority of Undertaken Projects, and introduces an
element of Risk in Planned Projects..

Banking (& Business Transactions)…. got complicated

Human Induced
Complexity in
the Game:
Instant Replay!

People
Come
First
Data
Come First
The Age of Instant Interconnectivity…a human
induced complexity in Banking

Survey Says!

Mobile Internet
Automation of Knowledge
Work
Internet of Things
Cloud Technology
Advanced Robotics
Increasingly inexpensive and capable mobile computing devices
and Internet connectivity.
Intelligent software systems that can perform knowledge work
tasks involving unstructured command and subtle judgments.
Networks of low-cost sensors and actuators for data collection,
monitoring, decision making, and process optimization.
Use of computer hardware and software resources delivered over a
network or the Internet, often as a service.
Increasingly capable robots with enhanced senses, dexterity, and
intelligence used to automate tasks or augment humans.
Disruptive Technological Change
Autonomous Vehicles Vehicles that can navigate and operate with reduced or
no human intervention.

Next Generation Genomics
Energy Storage
3D Printing
Advanced Materials
Advanced Oil & Gas
Exploration & Recovery
Renewable Energy
Fast, low-cost gene sequencing, advanced big data
analytics, and synthetic biology (“writing” DNA)
Devices or systems that store energy for later use,
including batteries.
Additive manufacturing techniques to create objects by
printing layers of material based on digital models.
Materials designed to have superior characteristics (e.g.,
strength, weight, conductivity) or functionality.
Exploration and recovery techniques that make extraction
of unconventional oil & gas economical.
Generation of electricity from renewable sources with
reduced harmful climate impact..
Disruptive Technological Change… Continues

√
√

√
√
√

Rising Cyber-Risks

In 2015, 38% more security incidents were detected than
in 2014.
Theft of “hard” intellectual property increased 56% in
2015.
While staff remains the most cited source of
compromise, incidents attributed to business partners
climbed 22%.
Source: Global State of Information Security Survey, March 2016

Suppliers /
Partners
35% 34%
30% 29%
18%
22%
15%
19%
13%
16%
2015
2014Current
Employees
Former
Employees
Current Service
Providers/Consult
ants/Contractors
Former Service
Providers/Consult
ants/Contractors
Sources of Security Incidents
Source: Global State of Information Security Survey, March 2016

Implicate the Employee Or Eradicate the Business

Abilities
Knowledge
(Knowledge + Skills)X(Attitude)= Abilities
Formal + Self-
Acquired
To Perform & Excel
And Grow
Skills
Technical + Soft
Human Capital Accumulation = ∑Abilities
The NOT so visible
Argument that we
often forget

Skill Marketability
Loyalty To The
Organization
Loyalty To One’s
Profession
Skill Marketability Reflects
Favorably On The Career And
The Salary Of The Individual
Loyalty To The Organization
May Help The Individual
Sustain A Company-Specific
Employment
Loyalty To One’s Profession Exerts
The Necessary Pressure On
Knowledge And Skill Build-Up
(Benefiting Both The Individual &
The Organization)

General
Ledger
Clients &
Settlement
P & L
Risk
Reporting
Core
Analytical
Engine
ModelRiskManagement
Other Models
Predictive
Models
Regulatory
Models
Asset-Liability
Management
Models
Risk
Models
Business
Strategy
Analysis
Valuation
Models
Pricing
Models
Exposure
Measurements
B ACD
These Risks could
Exist Inside each
Module and in the
Interface between
Two or More
Modules
Interface Between
Two Modules

ModelRiskManagement
The Financial Models
& Model Risk
Management (MRM)

Sources of Operational Risks(Ref: Basel ii)
PRIMARY SECONDARY
PEOPLE
Employee Fraud / Malice (Criminal)
PROCESSES
Payment / settlement / delivery risk
SYSTEMS
Technology investment risk
EXTERNAL
Legal / Regulatory Risk / Public Liability
Unauthorized activity / Employee misdeed (Willful)
Employment Law
Workforce disruption
Loss or lack of key personnel
Documentation or contract risk
Valuation / Pricing
Internal / External reporting and compliance
Project risk / Change management
Selling Risks
System development and implementation
Systems failures
Systems security breach
Systems capacity
Criminal Activities
Out-sourcing / Supplier Risk
In-sourcing Risks
Disaster and Infrastructural utilities Failures
Political and Government Risks

have led to:
• Increased Usage of Impersonal Electronic Services: Low Cost
Electronic Services; Widespread and Diffused Customer Base. This, in
turn led to:
Lower Customer Intimacy.
Reduced Switching Costs Between Different Banks (Customers
these days are constantly shopping for the better deal)
Increased Chances of Fraud and Credit Risk
Increased the Demand for Transparency
• Less Time to Know and Influence Customers.
Research shows that Customer Interest peaks and falls rapidly
especially in response to a Promotional Event.
This makes it absolutely necessary for banks to optimally leverage
all available customer touch points so as to be able to influence
the customer (e.g., You find ads and offers on ATM receipts).

Information Technology at the forefront of Operational Risk:
But ….!
 The Introduction of any form of technology in a given production process or the mere
modification of an existing IT environment necessitates a number of changes which
spillover on Branch Performance: Staff Skills, Workflows, Policies & Procedures, and a
host of other changes.
 In today’s technologically intense production
processes, information technology (IT) risks cannot be
considered independently of other types of risks since
it reflects on our ability to serve and satisfy our clients.
 Recognizing these challenges and acknowledging that
the Branch has a role to play in managing this risk will
put management one step ahead. Because processes are
Technology dependent, Accurate, Complete and timely data collection has
changed from being mostly qualitative to overwhelmingly quantitative; Types/Nature
of Mistakes committed by Branch Employees are Different; etc.

The Devil Is In
The Details
• Pay Attention

 All Organizations need to take Risks to
achieve their Goals.
 The Prevailing Risk Culture within an
Organization can make it significantly
Better or Worse at Managing these Risks.
 Risk Culture significantly affects the
organizational capability to take strategic
risk decisions and deliver on
Performance Promises.
It’s never been about the
presence of a Risk Culture
nor the absence of!
Risk is there; like it or
not!
How Do You Do Things (&
Think) Around Here?
There are MANY Risks but ONE Risk Culture!

Where Should We Go To Look For Risk Culture?
Board of Directors? Staff: Every Day Fire Fighters?

Then We Should Go Look For Risk Culture In
Every individual comes to an
organization with his/er own
personal Perception of Risk.
Every individual comes with
his/er own Inventory of Moral
Values and these have a great
influence over the decisions
they make on day-to-day basis.
The Man In The
Mirror . . .

People vary in all sorts of ways and this includes their predisposition toward Risk. Two
specific Traits:
1. The extent to which people are either:
 spontaneous and challenge convention or
 organized, systematic and compliant.
2. The extent to which people may be:
 cautious, pessimistic and anxious, or
 optimistic, resilient and fearless.
Organizations need to pay attention to the ethical profile of those working in their
business.
Every individual comes with their own inventory of moral values and these have a great
influence over the decisions they make on day-to-day basis.
Three ethical consciences, significantly influencing individuals’ Decision Making:
1. Ethic of Obedience (Rule Compliance, Spirit of the Law, etc.)
2. Ethic of Care (Empathy, Concern, Respect, etc.)
3. Ethic of Reason (Wisdom, Experience, Prudence, etc.)

Risk Culture
Personal
Predisposition
of Risk
Personal Ethics
Behavior
Organizational
Culture
Individual values and beliefs and
attitudes toward risk contribute to
and are affected by the wider overall
culture of the organization.
It is useful to consider Organizational
culture in relation to two key
dimensions:
1. Sociability: People Focus (based on
how well staff get on socially)
2. Solidarity: Task Focus (based on
goal oriented and team
performance)

Risk Management Is Everybody’s Business
Staff Business Unit Senior
Management
Assessment &
Follow Up
Acceptance or Mitigation
of Identified Risks
Follow Up on Decided
Actions
Oversight &
Control
Reports to Enable Senior
Management Appraisal
Identification
Reporting
Registration of Incidents
and Monitoring of the
Internal Control
Environment
Problems with Risk Culture
are frequently found at the
root of organizational
scandals and collapses.
Every individual
comes to an
organization with
his/er own
personal
perception of
Risk
It Starts Here
Risks

Risk Management & Associated Culture
The Chief Risk
Officer
Your Risk Culture Can Be
Characterized as:
 Participative Risk Management
 Autocratic Risk Management

Participative
Risk
Management
Full and
Consistent
Communication
& Coordination
with all Business
Units
Involve Everyone
Culture is subject to cycles which
can self-reinforce in either
virtuous, or vicious, circles.

Autocratic
Risk
Management
I Know
what to
do, and I
will do it
all alone.
My way or
the
highway!
Involve Everyone
Culture is subject to cycles which
can self-reinforce in either
virtuous, or vicious, circles.

Increasing Our Understanding of
Potential Outcomes
IncreasingEvidenceonProbabilityof
occurrence
Ambiguity
Uncertainty
Ignorance
A Bank is expected to
collect ALL needed data
to move closer to Risk
Management and Away
from:
 Ambiguity,
 Ignorance, and
 Uncertainty.
The Fallacy . . .

Brilliant
Surgery!
Well Done!
Shame the
patient died.
Outcom
es
Fear of AML Violation Penalty (i.e., Outcome), the FI
decides not to serve the client (i.e., Decision) sparing itself
the pain of Enhanced Due Diligence.

Level Of Maturity in AML Compliance
Nature&ExtentofEffortsDeployed
DD
EDD
RBA
Due
Diligence
Enhanced Due
Diligence
Risk-Based Approach to AML
Compliance
Enhancing Compliance Capabilities …
AMLCost
SkillsNeeds
Know-How
AMLAnalytics
Those Enhanced AML Compliance Steps:
 Are clear indication of a desire, on the
part of the FI, to continue on serving
the Client.
 Otherwise, the FI would engage in
Derisking.
Enhance AML Compliance require:
 The Use of Technology:
Quantification/Data-Rich vs.
Judgment/Opinion-Rich
 Increase reliance on Technology: Less
Human Intervention;
 Increase exposure to Technology
Failures: Different Sets of Skills are
required.
 Reliance on Technology may Reduce
Frequency But Increase Impact.
Being Pragmatic About Compliance?

RiskManagement is a Decision & a Choice.
Compliance
With Regulatory Guidelines & Rules
 Pillar 1 is More
Attractive.
 Standardized Approach
in Credit & Market Risks
 Basic Indicator
Approach in
Operational Risk.
 Advanced Approaches
… No Way!
 ICAAP only if Required
by Regulator; and the
bare minimum.
 RCSA Marginalized.
 IFRS 9 ………a
nightmare!
 Pillar 2 is at the top
of Risk Management
Priorities.
 Advanced
Approaches are
Effectively Explored.
 ICAAP required by
Management as a
Desired Self-
Assessment Tool.
 RCSA is Essential.
 IFRS 9 is a welcomed
wakeup call.
 Etc.
Risk Culture Failure: Regulatory Compliance is Competing with
Risk Management

It’s been Pouring
Regulatory Guidelines Ever
since its inception . . .

Basel I
Basel II
Credit Risk
Credit Risk
Market Risk
Operational Risk
1986 proposed
1999 proposed
1988 effective
2007 effective
Basel III
Credit Risk
Market Risk
Operational Risk
Capital Quality
Additional Buffers
Liquidity: LCR, NSFR
2009 proposed
Kick Off in 2011
Amendments
Amendments
Basel 2 ½
Basel 1 ½
Amendments
Basel 3 ½
Basel IV
2017 Anticipated
Or Not
Kick Off in 20??
• Capital Requirements
• Liquidity Requirements
• Disclosure Requirements
• National Divergences
• Risk Sensitivity
• Use of Internal Models in
Decision Making
• Total Risks = Credit Plus
Market Risks
• Internal Models Emerged
• Later on, Tier 3 Capital
• Enhanced Pillar 2, 3
• Complex Securitization
obtained higher Risk Weights.
• Trading Books
Tequila
Crisis
Asian Market
Crisis
Shadow Banking
Crisis
Regulator’s Risk Culture
The Basel
Accord
with a
history of
Incomplete
Implement
The Signal it
Sends has much
to do with
Regulatory Risk
Culture.

Your Life Begins At the End Of
Your Comfort Zone
Coping With a Rapidly Changing Banking
Environment
Your Life Begins At the End Of
Your Comfort Zone

Poor
Unclear
Lack of Insight
Over Confidence
No Challenge
Fear of Bad News
Indifference
Slow
Gaming
Beat the System
Good
Clear
Good Insight
Confident But Careful
Constructive Challenge
Reward Honesty
Diligence
Fast
Coordinating
Play By The Rules
Communication
Tolerance
Level Of Insight
Openness
Confidence
Challenge
Level of Care
Speed of Response
Cooperation
Adherence to Rules
Transparency of
Risk
Acknowledgement
of Risk
Responsiveness
To Risk
Respect For Risk
High Risk Low Risk
RiskCultureFramework
Beware of the Weak End of the
Continuum!

Risk Management of Today has been Contaminated by the
Complexity of Regulations. … Where in Many Jurisdictions Risk
Management should be as Simplistic as the Environment it
Operates in.

Cyber risk fheili.mohammad

Recommended

Recommended

More Related Content

Similar to Cyber risk fheili.mohammad

Similar to Cyber risk fheili.mohammad (20)

More from Mohammad Ibrahim Fheili

More from Mohammad Ibrahim Fheili (16)

Recently uploaded

Recently uploaded (20)

Cyber risk fheili.mohammad