ERM and InformationRisks
July 2013
Advisory
1
© KPMG, a partnership established under Ghanaian law and a member firm of the KPMG network of independent member firms affiliated with KPMG International cooperative (“KPMG International”) a Swiss entity. All rights reserved.Printed in Ghana. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss entity.
Agenda
Introduction
ISACA’s Risk IT Management Framework
Information Quality Risk Management in Basel II
Managing IT Risk with the Balanced Scorecard
Questions
Introduction
© KPMG, a partnership established under Ghanaian law and a member firm of the KPMG network of independent member firms affiliated with KPMG International cooperative (“KPMG International”) a Swiss entity. All rights reserved.Printed in Ghana. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss entity.
3
ABCD
Purpose
An Enterprise Risk Management (ERM) systemessentially comprises of a governance componentand a risk management process
The relevance of information systems risks stemfrom firstly the quality of information the ERMsystem itself relies on, and secondly as componentof the enterprise-wide business risks in focus
The purpose of this presentation is to highlight thesedimensions of information systems risks in ERMframeworks notably ISACA’s Risk IT, Basel II andthe Balanced Scorecard
© KPMG, a partnership established under Ghanaian law and a member firm of the KPMG network of independent member firms affiliated with KPMG International cooperative (“KPMG International”) a Swiss entity. All rights reserved.Printed in Ghana. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss entity.
4
ABCD
What is Enterprise Risk Management (ERM)
“… a process, effected by anentity’s board of directors,management and otherpersonnel, applied in strategysetting and across theenterprise, designed to identifypotential events that may affectthe entity, and manage risk tobe within its risk appetite, toprovide reasonable assuranceregarding the achievement ofentity objectives.”
- COSO ERM Framework
5
© KPMG, a partnership established under Ghanaian law and a member firm of the KPMG network of independent member firms affiliated with KPMG International cooperative (“KPMG International”) a Swiss entity. All rights reserved.Printed in Ghana. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss entity.
Characteristics of an ERM System
Has a primary objective to prioritize andmanage risk across the enterprise
Establishes ownership for risk
Has an oversight over ownership for risk
Seeks assurance over the enterprise riskmanagement processes
6
© KPMG, a partnership established under Ghanaian law and a member firm of the KPMG network of independent member firms affiliated with KPMG International cooperative (“KPMG International”) a Swiss entity. All rights reserved.Printed in Ghana. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss entity.
ERM Benefits
ISACA’s Risk ITManagement Framework
8
© KPMG, a partnership established under Ghanaian law and a member firm of the KPMG network of independent member firms affiliated with KPMG International cooperative (“KPMG International”) a Swiss entity. All rights reserved.Printed in Ghana. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss entity.
The Underlying Principle
Risk IT framework is based on theprinciples of Enterprise Risk Management(ERM) standards/frameworks such asCOSO ERM and AS/NZS 4360
© KPMG, a partnership established under Ghanaian law and a member firm of the KPMG network of independent member firms affiliated with KPMG International cooperative (“KPMG International”) a Swiss entity. All rights reserved.Printed in Ghana. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss entity.
9
ABCD
System Risks as Part of Business Risk
ISACA’s Risk IT Framework defines IT Risk as
“the business risk associated with the use, ownership,
operation, involvement, influence and adoption of IT
within an enterprise”
10
© KPMG, a partnership established under Ghanaian law and a member firm of the KPMG network of independent member firms affiliated with KPMG International cooperative (“KPMG International”) a Swiss entity. All rights reserved.Printed in Ghana. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss entity.
IT Risks in Enterprise Risk Management
11
© KPMG, a partnership established under Ghanaian law and a member firm of the KPMG network of independent member firms affiliated with KPMG International cooperative (“KPMG International”) a Swiss entity. All rights reserved.Printed in Ghana. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss entity.
The Risk IT Framework
Information Quality RiskManagement in Basel II
13
© KPMG, a partnership established under Ghanaian law and a member firm of the KPMG network of independent member firms affiliated with KPMG International cooperative (“KPMG International”) a Swiss entity. All rights reserved.Printed in Ghana. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss entity.
Objecives
Introduce a risk sensitive framework to robustly quantify the bank’srisk profile
Introduce incentives for banks to adopt improved risk managementpractices
Refine regulatory capital charges
Align regulatory capital with economic capital
Maintain absolute levels of capital in the banking system whilerecognising the relative levels of risk across institutions
14
© KPMG, a partnership established under Ghanaian law and a member firm of the KPMG network of independent member firms affiliated with KPMG International cooperative (“KPMG International”) a Swiss entity. All rights reserved.Printed in Ghana. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss entity.
Overview of the Basel II Accord Cont’d
PILLAR I
Minimum Capital Requirements
PILLAR II
Supervisory Review
PILLAR III
MarketDisclosure
Methodology
Measurement
Capital AdequacyRatio
Standardised
FoundationInternal Ratings
AdvancedInternal Ratings
Standardised
AdvancedMeasurementApproaches
Basic Indicator
Standardised
Internal Models
Min. Capital forCredit Risk
Min. CapitalforOperationalRisk
Min. Capitalfor MarketRisk
MINIMUM CAPITAL REQUIREMENTS
Total Reg. Capital less deductions = Capital Ratio (min 8%)
Min. Capital Requirements x 12.5
+
+
=
Risk Mgmt &Reporting
Capital Mgmt
ProductPricing
StrategicPlanning
PerformanceMeasures
Credit Risk
Bankingbook’sInterest raterisk
OperationalRisk
Market Risk
Corporatestructure &organisation
Board ofDirectorsrole
Publicdisclosure &transparency
Use Test
Stress Test
InternalGovernance
DISCLOSURE TO STAKEHOLDERS
+
+
REGULATOR CAPITAL ADD-ON
=
Othermaterialrisks
LiquidityRisk
Internalcontrol
Capitalassessment(ICAAP)
15
© KPMG, a partnership established under Ghanaian law and a member firm of the KPMG network of independent member firms affiliated with KPMG International cooperative (“KPMG International”) a Swiss entity. All rights reserved.Printed in Ghana. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss entity.
Enterprise Risk Management in Basel II
16
© KPMG, a partnership established under Ghanaian law and a member firm of the KPMG network of independent member firms affiliated with KPMG International cooperative (“KPMG International”) a Swiss entity. All rights reserved.Printed in Ghana. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss entity.
Information Risks to the ERM Process of Basel II
Pillar I
•Trustworthinessof riskinformationused incalculatingCapitalRequirement
Pillar II
•Poorinformation forRiskGovernance
Pillar II
•Accuracy ofRisk reports toExternal Stakeholders
17
© KPMG, a partnership established under Ghanaian law and a member firm of the KPMG network of independent member firms affiliated with KPMG International cooperative (“KPMG International”) a Swiss entity. All rights reserved.Printed in Ghana. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss entity.
Approach to Achieving Information Quality
Managing IT Risk withthe Balanced Scorecard -
19
© KPMG, a partnership established under Ghanaian law and a member firm of the KPMG network of independent member firms affiliated with KPMG International cooperative (“KPMG International”) a Swiss entity. All rights reserved.Printed in Ghana. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss entity.
Overview
●The Balanced Scorecard (BSC) was first introduced in 1992 byDavid Norton and Robert Kaplan via an article in the HarvardBusiness Review
●The BSC is a management “system” that links strategic objectivesto performance measures, targets, and initiatives.
●The BSC measures organizational performance from fourperspectives: “Financial”, “Customers”, “Internal BusinessProcess”, and “Learning and Growth”
20
© KPMG, a partnership established under Ghanaian law and a member firm of the KPMG network of independent member firms affiliated with KPMG International cooperative (“KPMG International”) a Swiss entity. All rights reserved.Printed in Ghana. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss entity.
The Traditional Balanced Scorecard
21
© KPMG, a partnership established under Ghanaian law and a member firm of the KPMG network of independent member firms affiliated with KPMG International cooperative (“KPMG International”) a Swiss entity. All rights reserved.Printed in Ghana. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss entity.
Moving toward the IT Balanced Scorecard (IT BSC)
22
© KPMG, a partnership established under Ghanaian law and a member firm of the KPMG network of independent member firms affiliated with KPMG International cooperative (“KPMG International”) a Swiss entity. All rights reserved.Printed in Ghana. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss entity.
Using the IT BSC to Manage Risk Across the Enterprise
IT RiskGovernance
Focus
The Corporate Contributionperspective evaluates IT risks fromthe viewpoint of executivemanagement, the Board of Directorsand the shareholders.
The Customer Orientationperspective evaluates IT risks fromthe viewpoint of business users (ourcustomers) and, by extension, thecustomers of the business units
The Future Orientation perspectiveevaluates IT Risks from theviewpoint of the IT organizationitself: process owners, practitionersand support professionals
The Operational Excellenceperspective evaluates IT Risks fromthe viewpoint of IT management(process owners and servicedelivery managers) and the audit andregulatory bodies
Corporate Contribution
Future Orientation
Customer Orientation
Operational Excellence
23
© KPMG, a partnership established under Ghanaian law and a member firm of the KPMG network of independent member firms affiliated with KPMG International cooperative (“KPMG International”) a Swiss entity. All rights reserved.Printed in Ghana. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss entity.
Extrapolate IT Risk Management from IT Governance
IT GovernanceGoals
IT RiskManagement
24
© KPMG, a partnership established under Ghanaian law and a member firm of the KPMG network of independent member firms affiliated with KPMG International cooperative (“KPMG International”) a Swiss entity. All rights reserved.Printed in Ghana. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss entity.
Methodology for IT Risk Management
IdentifyBSC Goals
Map ITObjectives
IdentifyRisks
AssessRisks
FinalizeRiskControls
ImplementControls
Review withMetrics
25
© KPMG, a partnership established under Ghanaian law and a member firm of the KPMG network of independent member firms affiliated with KPMG International cooperative (“KPMG International”) a Swiss entity. All rights reserved.Printed in Ghana. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss entity.
QUESTIONS?
Thank you
Andy Akoto, Partner
IT Advisory
© 2013 KPMG, a Partnership established underGhanaian Law and a member firm of the KPMGnetwork of independent member firms affiliated withKPMG International Cooperative (KPMGInternational), a Swiss entity. All rights reserved
The KPMG name, logo and ‘cutting throughcomplexity’ are registered trademarks or trademarksof KPMG International Cooperative (KPMGInternational)