
IS Risks and Operational Risk Management in Banks
Description
Due to the fact that business processes in the banking industry rely heavily on information systems (IS), the emerging demand for operational risk management calls specifically for a contribution from the IS discipline. An empirical study with the Top 100 German banks was conducted, which yielded data from 43 face-to-face interviews all over Germany. Managers from both the IS/IT department as well as from the risk management department participated in the interviews.
Three key perspectives of IS risk management have been investigated. First, evidence was provided that existing approaches from the IS discipline cannot sufficiently contribute to a sound IS risk management. In the second key perspective, current operational risk management activities in the German banking industry were explored. Finally, the third key perspective reveals banks' requirements for a sound management of IS risks as operational risks.
This research can provide significant value both to academia and practitioners. Several suggestions are developed that may help banks on their way to implement the recommendations of the Basel Committee on Banking Supervision by 2007. Further, this thesis represents a first step towards an IS risk management approach that supports the complete risk management process and covers all four categories of IS risks as operational risks during the entire system life cycle. Insights from the results may be transferred to other industries with a high dependency on IS, such as the insurance industry, which is subject to Solvency II.
The author:
Elke Wolf graduated from the University of Cologne with a Master's of Economics in 1997. After the faculty-wide project VIRTUS from 1998 to 1999, she joined the Department of Information Systems and Information Management, headed by Prof. Dr. Dietrich Seibt. Here, she worked as a research and teaching assistant until 2004. From 2000 to 2002 she was also in charge of the EU-funded project MobiCom as the leader of the Cologne team. After the retirement of Prof. Seibt, she was offered the opportunity of an academic career at the University of Auckland, New Zealand, where she has been working since February 2004. She completed her doctoral degree at the Faculty of Economics, Business Administration and Social Sciences of the University of Cologne in January 2005.
Content
2 - Acknowledgements
3 - Contents
4 - List of Figures
5 - List of Tables
6 - List of abbreviations
7 - 1 The problem of risk management for information systems in the banking industry
7.1 - 1.1 Business drivers for operational risk management
7.2 - 1.2 Research questions
7.3 - 1.3 Objectives
7.4 - 1.4 Relevance for the research field of information systems
7.5 - 1.5 Structure of the thesis
8 - 2 Core concepts and review of current research - IS risks in the context of banks' business processes
8.1 - 2.1 Business processes of banks under changing conditions
8.2 - 2.2 Risk, IS risks, and operational risk
8.3 - 2.3 Risk management
8.4 - 2.4 Review of current research
8.5 - 2.5 Basic research theses
9 - 3 Three key perspectives of investigation
9.1 - 3.1 Exploring the field - Mobile banking
9.2 - 3.2 Methodological aspects of key perspective 1 - Risk management profiles of existing approaches
9.3 - 3.3 Methodological aspects of key perspective 2 - Current risk management procedures and tools
9.4 - 3.4 Methodological aspects of key perspective 3 - Requirements specifications
10 - 4 Results of the study - The demand for new developments in the field of IS risk management
10.1 - 4.1 Key perspective 1 - Risk management profiles of existing approaches
10.2 - 4.2 Key perspective 2 - Current risk management procedures and tools
10.3 - 4.3 Key perspective 3 - Requirement specifications for future developments
10.4 - 4.4 Revision of the research theses
11 - 5 Interpretation of the results - Suggestions for new developments and future research
11.1 - 5.1 Suggestions for new developments
11.2 - 5.2 Areas of future research
11.3 - 5.3 Conclusions
12 - Bibliography
13 - Appendix
13.1 - Appendix A
13.2 - Appendix B
13.3 - Appendix C
13.4 - Appendix D
13.5 - Appendix E
13.6 - Appendix F
13.7 - Appendix G
13.8 - Appendix H
13.9 - Appendix I
13.10 - Appendix J
13.11 - Appendix K
Following the introduction to the research problem in Chapter 1, Chapter 2 has provided a clarification of the basic terminology, derived from the research questions. In particular, business processes of banks and related current developments have been discussed, the core terms of risks, IS risks and operational risks have been defined and explained in their contexts. Operational risk as an expression from a banking perspective comprises IS risks in all of its four categories, i.e. personnel, process, system, and external risks. Further, the concept of risk management, its origins and its implications from a banking perspective as well as from an IS perspective have been discussed. The legal foundations of risk management in the banking industry, especially the frame within which banks need to act, as it is recommended in the Basel Capital Accord, are explained with regard to some implications for IS risk management.
Four main IS research areas, in which risks are commonly considered, have been identified, i.e. project management, outsourcing, system development, and security management. Current IS research dealing with IS risks in these areas has been reviewed and important aspects have been summarised. Finally, basic research theses are derived from the literature review as well as from the discussions about the Basel Capital Accord. Each of these theses is investigated from one of the three key perspectives.
This research is strongly based on the postulate of changing conditions. Therefore, some empirical evidence of these changing conditions is provided. An exploratory study on mobile banking has been conducted that may illustrate the changing conditions and the risks that are implied when integrating new technology into business processes. Thus, this example in Section 3.1 strengthens the basis of this research and prepares the ground for new developments. The literature review in Chapter 2 has indicated that there is no approach that covers all risk categories, all parts of the risk management process, and the complete system life cycle. These apparent shortcomings are analysed in more depth, i.e. to what extent can existing approaches contribute to the management of IS risks. This further strengthens the approach of this research and is described in Section 3.2.
The discussion of risk management and the literature review have indicated what banks are supposed to do from a regulatory point of view. However, an empirical investigation is needed in order to reveal what is the common risk management practice in banks. This part is described in Section 3.3. Since the largest banks are expected to have the scope for being most innovative and therefore most indicative of common practice, the empirical investigation addresses the top 100 banks (according to their total assets) in Germany. Finally, one of the biggest challenges may be to find out why banks are doing risk management in a particular way and what their essential requirements are for an approach that aims at an actual management of IS risks, on the one hand, and could also be useful as one of the Advanced Measurement Approaches, on the other. The objectives of this investigation are different from key perspective 2, inasmuch as it focusses on the scope for improvements rather than on the status quo. Therefore, it is covered in Section 3.4.
System requirements
File format: PDF
Copy-Protection: Adobe-DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Install the free reader Adobe Digital Editions prior to download (see eBook Help).
- Tablet/smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook before downloading (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (only limited: Kindle).
The file format PDF always displays a book page identically on any hardware. This makes PDF suitable for complex layouts such as those used in textbooks and reference books (images, tables, columns, footnotes). Unfortunately, on the small screens of e-readers or smartphones, PDFs are rather annoying, requiring too much scrolling.
This eBook uses Adobe-DRM, a "hard" copy protection. If the necessary requirements are not met, unfortunately you will not be able to open the eBook. You will therefore need to prepare your reading hardware before downloading.
Please note: We strongly recommend that you authorise using your personal Adobe ID after installation of any reading software.
For more information, see our eBook Help page.