GREP-BLOG

Wednesday, 23 April 2014

Risk Management: Finding agreement on risk and controls

One of the primary activities of a risk management professional is to have conversations with organisation stakeholders to understand risks and what needs to be done to manage these risks.

These conversations can involve trying to reach agreement on the existence of risks and then on the risk management activity required. Recognising a risk and working out what to do about it requires, at times, considerable effort that could otherwise go into delivering mission-critical projects and the business-as-usual activity against which stakeholders' performance is measured. Why would a stakeholder spend time on activities they are not measured against?

As a risk management professional, you need to answer this "Why?" question in a compelling way. To do so you need to understand the organisation's objectives, and then couch your risk analysis and your articulation of the risk and its impact in terms of how they affect those objectives. The objectives may be top-level objectives of the organisation as a whole or lower-level objectives of a single department; which you select depends on your stakeholder, and you should identify an objective as close as possible to them. This is easier if you have a mandatory policy framework, approved at the highest levels, that all staff must comply with, and harder where this doesn't exist or is still evolving. If a mandatory policy exists it will generally have an objective that everyone must support. If it doesn't exist or is evolving, you need to state what the objective is and link it to the stakeholder's objective in a clear, compelling and self-evident way. This is where good risk articulation is important, and where the understanding that risk is the effect of uncertainty on objectives comes into play.

With this understood, the conversation needs to be preceded by your own understanding of the relevant objectives and by articulating a baseline risk that makes very clear what the effect on those objectives might be; as far as possible, quantify this with relevant facts such as estimated loss or the frequency with which similar risks have materialised in the organisation or industry. This helps to paint the picture for the stakeholder.

One thing to remember is not to be wedded to your initial risk articulation. Your conversations with stakeholders will provide valuable insights that need to be incorporated into your risk analysis and the associated risk articulation. Your stakeholders will also likely have pragmatic and valuable suggestions for controlling the risks they deal with day to day, and you need to consider these seriously. One of the biggest causes of disagreement I have seen is risk professionals swooping in with theoretical notions of risk and controls without considering what is already done on the ground to address risks, or suggesting best-practice controls without considering pragmatism and sizing.

You need to work side by side with your stakeholders to understand their objectives and how these tie into the objective of the organisation to manage risks. You need to understand their business and how they may already be managing their risks and try to leverage this where feasible. And finally, keep the conversations going to identify any gaps as they arise and opportunities to make risk management more efficient and effective, alongside your stakeholders.

Failing all of the above, if you find yourself dealing with an intransigent stakeholder, sometimes the best way to advance is to escalate your case and follow the same approach with the next level up. If you have the support of a broader risk management function then use this also as good working relationships may already exist at your management's level.

Friday, 18 April 2014

Review of Wealth of Nations - Part 1

Title: Wealth of Nations (Wordsworth Classics of World Literature)
Author: Adam Smith
Pages: 1008 pages
Publisher: Wordsworth Editions Ltd.; Classic World Literature edition (5 July 2012)
Language: English
ISBN-10: 1840226889
ISBN-13: 978-1840226881

The Wealth of Nations is composed of five books each with a number of chapters. I figured I'd share what I've learned from my reading of the book as I go. So here it is for the first 7 chapters which set the scene before some of the more detailed text.


Overall, Smith has a fairly easy turn of phrase and the language used in the book is not archaic even though it was published in the 1700s. It is easy enough to follow and dwells on the fundamentals to ensure that the reader has fully grasped these prior to moving on in the book. I thought I'd try to summarise what each chapter is trying to say in this review to give an idea of how Smith has developed this work.

Book 1 - Introduction and Chapter 1:

Smith establishes labour as the fundamental basis of national economic output (commodities). He advises that national economic output will be regulated by a) the way in which labour is applied, and b) the level of employment. Smith highlights how specialisation and the division of labour have enabled the production of many of the commodities of life (such as glazed windows) which no one person could have produced for themselves within their lifetime to the same standard.

Book 1 - Chapter 2:

Smith recognises people's "almost constant occasion for the help of his brethren". He recognises that people's ability to "truck, barter and exchange" goods and services to satisfy their needs and wants enables the division of labour described in the first chapter to be useful to those specialising in the production of one sort of good or service.

Book 1 - Chapter 3:

Smith draws the conclusion that the division of labour is limited by the extent of the market for goods and services. He highlights that denser population centres will give rise to greater specialisation and division of labour than less dense centres. For example, the market for nails for building work in a dense population centre is greater in that centre and would give rise to specialised nail-makers mass producing nails. In a remote rural region with very low population density and difficulty or prohibitive expense in importing mass produced nails, making nails may be done by a blacksmith who also makes all manner of other metal objects (less specialisation and division of labour).

Book 1 - Chapter 4: 

This chapter looks at money and how it evolved as a way to usefully and conveniently facilitate trade. It describes how trade was initially facilitated through the exchange of weights of precious metals such as gold and silver for goods and services. Smith goes on to describe how the uniform goodness of precious metals was attested by stamping a quality mark on them, which gave rise to coinage. Smith also recognises that coinage was debased at the expense of national subjects by sovereign states and princes gradually reducing the amount of gold and silver in the coin over time in order to create more money from the skimmed precious metal. This chapter introduces the concept of "value in exchange" and outlines how the "real" value of exchanged commodities is composed.

Book 1 - Chapter 5:

Smith expands upon the concept of "real" value and compares it to "nominal" value. Real value is that which is given up to produce a commodity, and nominal value is the money price of that commodity. These values are not always the same, with a tendency for a commodity whose nominal value is under or over its real value to move towards the real value. This chapter revisits the topic of the value of money in terms of the quantity of gold and silver in coins. Interestingly, he suggests that government regulation making silver and gold legal tender, except for small change, would stop the "discreditable" conduct of banks in counting out pennies to depositors calling for their deposits in a bank run. He adds that this regulation would require banks to hold more cash in reserve, which would be a considerable security to the banks' creditors (including depositors). This suggestion of government regulation and reserve requirements is a feature of the banking system today.

Book 1 - Chapter 6:

In this chapter Smith breaks down the price of any good or service into one or more of three parts:
    - The wages of labour
    - The profits of stock
    - The rent of land

A common thread in all of this, as outlined in the introduction to his book, is that stock cannot turn a profit and rent cannot be provided without labour. Another interesting observation Smith makes in this chapter is his likening of the charging of rent by landlords who annexed the commons to "reaping where they never sowed".

Book 1 - Chapter 7:

This chapter essentially introduces the basic economic concepts of demand, supply and equilibrium price. It also talks about the spectrum from perfect competition through oligopoly to monopoly and the effect of this on the price charged versus the "natural" price. An insightful quote from this chapter is:

"The exclusive privileges of corporations, statutes of apprenticeship, and all those laws which restrain, in particular employments, the competition to a smaller number than might otherwise go into them, have the same tendency, though in a less degree. They are a sort of enlarged monopolies, and may frequently, for ages together, and in whole classes of employments, keep up the market price of particular commodities above the natural price, and maintain both the wages of the labour and the profits of the stock employed about them somewhat above their natural rate.

Such enhancements of the market price may last as long as the regulations of policy which give occasion to them."

My conclusion ... so far

My main takeaways from this are that Smith has done a good job of linking economic prosperity to "useful" employment of labour. He also logically and systematically creates a basis for his economic principles from the empirical evidence available to him at the time and from his own experience. He makes it clear that the economic principles are subject to reality and may not always hold depending on other factors. Importantly, Smith recognises the importance of society and of everyone contributing what they are able in order to progress it. Through induction and a couple of statements Smith also recognises the role of regulation in the economy to ensure it operates in the best interests of society (e.g. reserve requirements and anti-trust / monopoly regulation). There are two ways to read the interesting quote from Chapter 7 reproduced above. One is to infer that the exclusive privileges relate to preferential treatment of certain corporations by governments and sovereigns, such as the East India Company; the other is more general and relates to the privileges enjoyed by corporations as such, namely limited liability and a barrier to entry into this structure that favours those with greater resources over those without.

Overall, my own reading of the text has changed the way in which I have thought of Adam Smith. I see in the words of the author and the ideas espoused, someone trying to create a model by which to better understand economics. The economics espoused in this text is that based on hard work (labour) being the prime mover in economic performance with the real value of things being that which is given up by those who perform the labour. He does include stock and land as secondary elements but these can only be utilised through labour. Sounds to me so far that true capitalism is based on "useful labour" rather than playing around with the money supply or having hoards of unused stock and land.

More to come in Part 2 (just need to finish reading more chapters).


Friday, 11 April 2014

Money : whence it came, where it went: A review

Title: Money : whence it came, where it went
Author: John Kenneth Galbraith
Pages: 335 pages
Publisher: Bantam (1976)
Language: English
ISBN-10: 0553026887
ISBN-13: 978-0553026887

Review

In terms of content, Galbraith has done a good job of providing a fairly representative round-up of the early days of money and the various ways in which it was managed or abused. He then continues into a more US-focused history of money and looks at the effectiveness of monetary policy in dealing with periods of recession. He provides a very candid account of his own role, and that of his contemporaries and near contemporaries, in economic policy making. He concludes with six points which essentially set out the failings of monetary policy as the sole lever in the economy and highlight the importance of combining monetary policy with fiscal policy to effect the desired outcomes. Galbraith makes the point that monetary policy may make more money available through banks by reducing official interest rates and loosening reserve requirements, but fiscal policy is needed to encourage people to actually use the extra money made available.

In terms of style, Galbraith uses a conversational style with amusing anecdotes and opinions interspersed. Sometimes, though, you find yourself backtracking to pick up some of his points because of the sidelines and witty quips. Overall, not impenetrable.

I would recommend reading this book. The textbooks I used while studying various economics subjects lack the same colour and courage in discussing the subject matter and for the most part take monetary policy as gospel. This book gives a more balanced view.

Wednesday, 26 March 2014

What is privileged access? - A definition of privileged access from review of US financial institution regulation and ISO 27002

Why is it important to understand what privileged access is? Some examples of what can happen when privileged access is not managed appropriately demonstrate that it is something that needs to be understood:

  • March 2002: It was reported that Roger Duronio brought down 2,000 business-critical servers at UBS, including trading servers, with a logic bomb, costing $3.1m in restoration costs plus unknown business losses during the downtime[i].
  • January 2008: It was reported that Jérôme Kerviel lost Société Générale €4.9bn in trades, purportedly using privileged access accumulated over his previous and then-current roles in the bank[ii].
  • January 2009: It was reported that Rajendrasinh B. Makwana almost brought down 4,000 critical servers at Fannie Mae with a logic bomb, planted using his privileged access, that could have cost the company “many millions of dollars”[iii].

The impacts of not understanding and appropriately controlling privileged access are therefore significant. The primary challenge in implementing privileged access policies and controls is the lack of a clear definition of what privileged access is.

Fortunately, US financial institution regulation and the International Organization for Standardization (ISO) provide a starting point.


US Financial Institutions Regulation

The Board of Governors of the Federal Reserve System (the Board) implements the Federal Reserve Act and other laws pertaining to banking and financial activities. The Board implements those laws, in part, through its regulations A through YY, which are codified in Title 12, Chapter II, of the Code of Federal Regulations (CFR)[iv].

Sections 6801 and 6805 of Title 15 of the United States Code (USC) apply the Gramm-Leach-Bliley Act of 1999 (GLBA) to financial institutions, including bank holding companies. Section 501(b) of the GLBA introduced the “Financial Institutions Safeguards” requirement, which requires financial institutions to implement administrative, technical and physical safeguards to ensure the confidentiality, security and integrity of customer information[v].

Further guidance on how to establish these safeguards is provided by CFR Regulation Y, Appendix F to Part 225, Interagency Guidelines Establishing Information Security Standards. These guidelines were developed by the member agencies of the Federal Financial Institutions Examination Council (FFIEC). The FFIEC publishes examination handbooks that apply to the examination of a financial institution's operations and all related data, and that serve as a supplement to the agencies' GLBA 501(b) expectations.

Page 19 of the FFIEC Information Security Examination Handbook defines privileged access as[vi]:

“the ability to override system or application controls”

A key point to note in this definition is the distinction between systems and applications. This distinction means that privileged access may exist at an application level as well as at the underlying infrastructure system level.

International Organization for Standardization

The FFIEC Information Security Examination Handbook definition is aligned to the international standard ISO 27002, Information technology - Security techniques - Code of practice for information security management (ISO 27002).

Specifically, page 61 of ISO 27002 defines privileged access rights as those[vii]:

“access rights which allow users to override system controls”

Where this definition differs from the FFIEC definition is that it refers to access rights, and these apply only to system controls rather than both system and application controls. This ISO guidance suggests that the FFIEC definition's “ability” is the ability conferred on a “user” by virtue of their “access rights”.

Additionally, page 62 of ISO 27002 defines system administration privileges as[viii]:

“any feature or facility of an information system that enables the user to override system or application controls”

The last part of this definition is identical to the FFIEC wording “override system or application controls”. This additional ISO guidance suggests that the FFIEC definition's “ability” is also the ability conferred on a “user” by virtue of “any feature or facility of an information system”. As with the FFIEC definition, the distinction between systems and applications means that privileged access may exist at the application level as well as at the underlying infrastructure level.

Finally, further guidance is available at page 56 of ISO 27002, which defines privileged operations as[ix]:

“use of privileged accounts, e.g. supervisor, root, administrator; system start-up and stop; [and] I/O device attachment/detachment”

While not a definition of privileged access, this does provide useful interpretation guidance on what is commonly considered to be the work of those with privileged access and, from this, what constitutes privileged access: in this case, operating system or database administrator accounts such as “root”, “administrator” and “supervisor”. By extension, access equivalent to that of these accounts would be considered privileged access. The definition also covers system start-up and stop and I/O device attachment/detachment, system-level operations generally performed via service or system accounts.


Conclusion - A Working Definition of Privileged Access

From these sources we can develop a working definition of privileged access that is aligned to US regulatory requirements and international standards.

From the FFIEC definition, the working definition needs to cover both applications and systems. Expanding the FFIEC definition's use of the term “ability” using the ISO guidance gives the following definition:

“Privileged access is the ability to override system or application controls, conferred on a user by virtue of their access rights or any feature or facility of an information system. This includes the ability to use system administration and service accounts.”

From this working definition we can better understand what ability is considered privileged, and that a user with this ability would be considered to have privileged access. Policy-making and controls based on this definition will ensure alignment with US regulators and international standards, hopefully resulting in better risk and control assessments to implement the administrative, technical and physical safeguards needed to ensure the confidentiality, security and integrity of customer information.
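As an added example (not code from the original post) that puts the working definition to use: a small Python inventory run over constructed /etc/passwd, /etc/group and sudoers fragments and a made-up application role table. It flags every principal able to override a system control (UID 0, admin group membership, a sudo rule) or an application control (an assumed override role), with the reason, so that application-level privilege such as a payments limit override is caught alongside root-equivalent OS access. All user names, role names and file contents are constructed; the sudoers parser handles plain user and %group specs with tags only, not aliases or includes.

```python
"""Privileged access inventory across system and application levels.

Added example, not code from the original post. Applies the working
definition above to constructed sample data; every name below is made up.
"""
import re
from typing import Dict, List, Tuple

# Constructed /etc/passwd. "toor" is a second UID 0 account, which a
# name-based review ("only root is privileged") would miss.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
svc_batch:x:1500:1500:batch scheduler:/opt/batch:/usr/sbin/nologin
"""
# Constructed /etc/group.
GROUP = """\
root:x:0:
wheel:x:10:alice
sudo:x:27:
users:x:100:alice,bob
"""
# Constructed sudoers fragment: user specs, a %group spec, and tags.
SUDOERS = """\
Defaults env_reset
root      ALL=(ALL:ALL) ALL
%wheel    ALL=(ALL:ALL) ALL
bob       ALL=(root) NOPASSWD: /usr/bin/systemctl restart batch
svc_batch ALL=(ALL) NOPASSWD: ALL
"""
# Constructed application role table. "carol" has no OS account at all:
# application-level privilege exists independently of system-level access.
APP_ROLES = {
    "alice": ["payments.viewer"],
    "bob": ["payments.viewer", "payments.limit_override"],
    "carol": ["app.admin"],
}
APP_OVERRIDE_ROLES = {"app.admin", "payments.limit_override"}  # assumed names
ADMIN_GROUPS = {"wheel", "sudo"}  # groups the sudoers fragment grants rights to

# principal  host=(runas) [tags:] commands
_SUDO_SPEC = re.compile(r"^(%?\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\))?\s*(.*)$")
_SUDO_TAGS = re.compile(r"^(?:(?:NO)?(?:PASSWD|EXEC|SETENV|LOG_INPUT|LOG_OUTPUT):\s*)+")


def parse_passwd(text: str) -> Dict[str, int]:
    """Map user name -> numeric UID."""
    users: Dict[str, int] = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid = line.split(":")[:3]
            users[name] = int(uid)
    return users


def parse_group(text: str) -> Dict[str, List[str]]:
    """Map group name -> list of supplementary members."""
    groups: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, _gid, members = line.split(":")
            groups[name] = [m for m in members.split(",") if m]
    return groups


def parse_sudoers(text: str) -> List[Tuple[str, str, str]]:
    """Return (principal, runas, command list) for each user/group spec."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = _SUDO_SPEC.match(line)
        if m:
            principal, _host, runas, cmds = m.groups()
            specs.append((principal, runas or "root", _SUDO_TAGS.sub("", cmds).strip()))
    return specs


def inventory_privileged(passwd: str, group: str, sudoers: str,
                         app_roles: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each privileged principal to the reasons it qualifies."""
    users, groups = parse_passwd(passwd), parse_group(group)
    found: Dict[str, set] = {}

    def flag(user: str, reason: str) -> None:
        found.setdefault(user, set()).add(reason)

    for user, uid in users.items():          # UID 0 overrides every control
        if uid == 0:
            flag(user, "system: UID 0")
    for g in ADMIN_GROUPS:                   # membership of a sudo-granting group
        for member in groups.get(g, []):
            flag(member, f"system: member of admin group {g}")
    for principal, runas, cmds in parse_sudoers(sudoers):  # sudo rules, %group expanded
        is_group = principal.startswith("%")
        targets = groups.get(principal[1:], []) if is_group else [principal]
        via = f" via {principal}" if is_group else ""
        for user in targets:
            if cmds == "ALL":
                flag(user, f"system: sudo ALL{via}")
            else:
                flag(user, f"system: sudo as {runas}: {cmds}{via}")
    for user, roles in app_roles.items():    # application-level override roles
        for role in roles:
            if role in APP_OVERRIDE_ROLES:
                flag(user, f"application: role {role}")
    return {user: sorted(reasons) for user, reasons in sorted(found.items())}


if __name__ == "__main__":
    for user, reasons in inventory_privileged(PASSWD, GROUP, SUDOERS, APP_ROLES).items():
        print(f"{user:10} {'; '.join(reasons)}")
```

Run as-is it lists six principals: root and toor (UID 0), alice (wheel and the %wheel sudo rule), svc_batch (unrestricted sudo), bob (a single restricted sudo command plus the application override role) and carol (application admin with no OS account). The restricted sudo entry is still listed, because the question the definition asks is whether the control can be overridden at all, not how widely.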


Endnotes

[i] Gaudin, S., Ex-UBS Systems Admin Sentenced To 97 Months In Jail, United States of America, 2006. Available at: http://www.informationweek.com/ex-ubs-systems-admin-sentenced-to-97-months-in-jail/d/d-id/1049873? (Accessed 6 March 2014).

[ii] Tarzy, B., Revoke legacy privileged accounts – or pay the consequences, United Kingdom, 2012. Available at: http://www.computing.co.uk/ctg/the-big-picture-blog/2157940/revoke-legacy-privileged-accounts-pay-consequences# (Accessed 6 March 2014).

[iii] Keizer, G., Ex-Fannie Mae engineer pleads innocent to server bomb charge, United States of America, 2009. Available at: http://www.computerworld.com/s/article/9127157/Ex_Fannie_Mae_engineer_pleads_innocent_to_server_bomb_charge (Accessed 6 March 2014).

[iv] Government Printing Office, Electronic Code of Federal Regulations, United States of America, 2012. Available at: http://www.ecfr.gov/cgi-bin/ECFR?page=browse (Accessed 6 March 2014).

[v] Government Printing Office, GRAMM–LEACH–BLILEY ACT, United States of America, 1999. Available at: http://www.gpo.gov/fdsys/pkg/PLAW-106publ102/pdf/PLAW-106publ102.pdf (Accessed 6 March 2014).

[vi] Federal Financial Institutions Examination Council, The FFIEC Information Security IT Examination Handbook, United States of America, 2006. Available at: http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_InformationSecurity.pdf (Accessed 6 March 2014).

[vii] International Organization for Standardization (ISO), ISO 27002:2005, Information technology - Security techniques - Code of practice for information security management, Switzerland, 2005.

[viii] Ibid.

[ix] Ibid.

PS: This is also published in the IT Risk Practitioner

Monday, 24 March 2014

Would Recommend Code::Blocks IDE for C++ Development

I normally use a Linux host for my development work (Eclipse and NetBeans) but today decided to look at Windows again. I was looking for a no-nonsense IDE with version control, syntax highlighting, and compiling and running of programs in one intuitive interface, and finally found one that fits the bill: Code::Blocks (home page at http://www.codeblocks.org). It installs easily and without any issues from a single downloaded binary (albeit 100MB in size; download the one at: http://sourceforge.net/projects/codeblocks/files/Binaries/13.12/Windows/codeblocks-13.12mingw-setup-TDM-GCC-481.exe) and can build and run C++ application code straight out of the box. I was very impressed. I didn't have to set up Cygwin or MinGW; the installer did this for me (i.e. MinGW and GCC were installed alongside the IDE).

It's looking good so far but we'll see how it goes when I start to exercise it a bit more.

Tuesday, 11 March 2014

Financial services systems change failures and how to control them

When it comes to systems change there have been a number of notable failures in the financial services industry:

January 2009: It was reported that IT systems engineer Rajendrasinh B. Makwana almost brought down 4,000 critical servers with a logic bomb, embedded in scripts he had developed, which could have cost Fannie Mae “many millions of dollars” and was only discovered by chance by another engineer[i].

January 2010: It was reported that an HSBC mainframe upgrade, part of the move to the One HSBC platform, shut down cash machines and online banking for HSBC customers[ii]. This was in addition to a similar outage in June 2009 and a further telephone banking outage in February 2008 due to “coding” changes[iii].

September 2010: It was reported that J.P. Morgan's online banking service was offline for 3 days due to third-party database software “corrupting the login process”, impacting 16 million customers[iv]. It was reported that J.P. Morgan appeared not to have a roll-back plan that would have let it recover while continuing business as normal[v].

June 2012: It was reported that the Royal Bank of Scotland was to pay £125 million in costs related to a glitch in the CA7 batch process scheduler, introduced during systems maintenance activity, that resulted in 12 million customer accounts being frozen for almost a week[vi].

August 2012: It was reported that Knight Capital Group lost $440 million in 30 minutes, and 62% of its stock price, due to a trading software glitch that generated erratic trades, buying high and selling low across nearly 150 stocks[vii]. The glitch resulted in 4 million additional trades in 550 million shares that would not otherwise have occurred[viii].

August 2013: It was reported that Goldman Sachs lost $100 million due to an automated trading system glitch that caused a number of incorrect options trades and disrupted US exchange trading in options on shares with ticker symbols starting with the letters H through L[ix]. The glitch caused automated trading systems to accidentally send indications of interest as real orders to be filled at the US exchanges. The cause was reported to be inadequate software testing[x].

September 2013: It was reported that Clydesdale Bank was fined £8.9 million by the Financial Conduct Authority for failing to inform customers of their rights after a software glitch caused the miscalculation of repayments on over 42,500 mortgages[xi].


Risk and associated controls

A good, actionable risk statement that captures these events is:

“Customer data leakage, corruption or system unavailability caused by defective or malicious system changes, resulting in financial losses of UK £100 million, customer churn of 6.4 percent[xii] and regulatory sanction by the Financial Conduct Authority and the Information Commissioner's Office.”

This risk statement is a lower-level risk that contributes to an organisational-level risk such as:

“Loss of market share caused by eroded customer confidence in the organisation's information security, resulting in a net revenue reduction of the order of hundreds of millions and a reduced bank share value from loss of market confidence in operational management.”

From the lower level risk statement we can then identify the risk causes that need to be controlled. In this case we need to control defective or malicious systems changes that might result in customer data leakage, corruption or systems unavailability.

To take these in turn, we would first need a change quality testing process to ensure that system changes are adequately tested, which may include activities such as code quality reviews and unit, functional, system, integration and regression testing. An additional step for business-supporting systems is user acceptance testing by the business, including tests of boundary conditions and invalid inputs at the system's data input interfaces.

We would then need a change control strategy that uses technical and administrative controls to restrict the ability to make changes to production or critical systems unless those changes are approved. Approval should not be a simple tick in the box; it should require appropriately senior stakeholder approval, with high-risk changes signed off at senior executive level within both the IT and business areas. Part of this sign-off should be that the approvers have assured themselves that the change has been adequately tested and is fit for purpose.

A further control is required to make these two controls work: technically enforced separation of duties, so that those making changes cannot implement them in the target environment.

In order to ensure these controls are adequately and effectively implemented, there need to be clearly articulated and enforceable policies, standards, procedures and guidelines in place. The policies and standards must be clear and unambiguous, have an owner, and describe the enforcement actions that will be taken if they are not complied with. These enforcement actions must then be applied in all cases of non-compliance. Where non-compliance is expected, it needs to be pre-approved by the policy owner, clearly highlighted to the system's senior stakeholders, and approved at the appropriate senior executive level within the technology and business areas involved in the change.
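As an added example (not code from the original post), the three controls above expressed as a gate that a change record must pass before the deploy step: required test evidence by risk rating, approval at the level the rating demands, and separation of duties between author, approver and deployer. A pre-approved deviation (the exception_ref field, an assumed name) can carry a change past missing test evidence only when the required executive approvals are present, and the gap is recorded against the reference rather than waived silently; separation-of-duties breaches and missing approvals are never waivable. The change records, role names and test stage names are constructed for the example.

```python
"""Change-control gate: test evidence, risk-based approval and separation
of duties, evaluated over a change record before it may reach production.
Added example, not code from the original post; change records, role names
and stage names are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Test evidence required before a change may proceed, by risk rating.
REQUIRED_TESTS = {
    "low": {"unit", "integration", "regression"},
    "high": {"code_review", "unit", "integration", "regression", "uat"},
}
# Approval roles required, by risk rating: high-risk changes need sign-off
# from both the IT and the business executive level.
REQUIRED_APPROVALS = {
    "low": {"it_manager"},
    "high": {"it_executive", "business_executive"},
}


@dataclass
class Change:
    change_id: str
    risk: str
    author: str                    # who built the change
    deployer: str                  # who will implement it in production
    tests_passed: Set[str]
    approvals: Dict[str, str]      # approver user -> role
    exception_ref: str = ""        # deviation pre-approved by the policy owner


def evaluate_change(change: Change) -> Tuple[bool, List[str]]:
    """Return (allowed, findings). Findings are kept even when allowed."""
    hard: List[str] = []       # never waivable
    waivable: List[str] = []   # may proceed only under a recorded deviation

    required_tests = REQUIRED_TESTS.get(change.risk)
    if required_tests is None:
        return False, [f"unknown risk rating {change.risk!r}"]
    missing = sorted(required_tests - change.tests_passed)
    if missing:
        waivable.append("missing test evidence: " + ", ".join(missing))

    present = set(change.approvals.values())
    for role in sorted(REQUIRED_APPROVALS[change.risk] - present):
        hard.append(f"missing approval from {role}")

    # Separation of duties: the author may neither approve nor implement
    # the change, and an approver may not be the one implementing it.
    if change.author in change.approvals:
        hard.append(f"{change.author} approved their own change")
    if change.deployer == change.author:
        hard.append(f"{change.author} would deploy their own change")
    elif change.deployer in change.approvals:
        hard.append(f"approver {change.deployer} would also deploy")

    if hard:
        return False, hard + waivable
    if waivable and not change.exception_ref:
        return False, waivable
    # Deviation pre-approved and executive approvals present: allow, but
    # record the gap against the reference so it is visible, not silent.
    return True, [f"deviation {change.exception_ref}: {w}" for w in waivable]


# Constructed sample changes.
SAMPLE_CHANGES = [
    Change("CHG-1", "low", "alice", "ops-deploy",
           {"unit", "integration", "regression"}, {"mallory": "it_manager"}),
    # Author approves and deploys their own high-risk change.
    Change("CHG-2", "high", "bob", "bob", set(REQUIRED_TESTS["high"]),
           {"bob": "it_executive", "carol": "business_executive"}),
    # UAT skipped under a deviation the policy owner pre-approved.
    Change("CHG-3", "high", "alice", "ops-deploy",
           {"code_review", "unit", "integration", "regression"},
           {"dave": "it_executive", "carol": "business_executive"},
           exception_ref="DEV-42"),
    # Same gap, no deviation: blocked.
    Change("CHG-4", "high", "alice", "ops-deploy",
           {"code_review", "unit", "integration", "regression"},
           {"dave": "it_executive", "carol": "business_executive"}),
]


def gate(changes: List[Change]) -> Dict[str, Tuple[bool, List[str]]]:
    """Evaluate every change; blocked ones never reach the deploy step."""
    return {c.change_id: evaluate_change(c) for c in changes}


if __name__ == "__main__":
    for cid, (allowed, findings) in gate(SAMPLE_CHANGES).items():
        print(cid, "ALLOW" if allowed else "BLOCK", findings)
```

The gate only has teeth if the deploy mechanism itself calls it and the author's credentials cannot reach production by another path; that is the technically enforced part of the separation of duties, and the script is the policy half of it.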


Endnotes

[i] Keizer, G., Ex-Fannie Mae engineer pleads innocent to server bomb charge, United States of America, January 2009. Available at: http://www.computerworld.com/s/article/9127157/Ex_Fannie_Mae_engineer_pleads_innocent_to_server_bomb_charge (Accessed 6 March 2014).
[ii] ComputerWeekly.com, HSBC mainframe outage causes major HSBC network crash, United States, January 2010. Available at: http://www.computerweekly.com/news/1280091797/HSBC-mainframe-outage-causes-major-HSBC-network-crash (Accessed 11 March 2014).
[iii] Ibid.
[v] Ibid.
[vi] Flinders, K., RBS computer problem costs £125m, United States, August 2012. Available at:
[vii] Philips, M., Knight Shows How to Lose $440 Million in 30 Minutes, United States, August 2012. Available at:
[viii] Ibid.
[ix] Holley, E., Goldman Sachs trading error is “a warning to all”, United States, August 2013. Available at:
[x] Ibid.
[xi] Nguyen, A., Clydesdale Bank fined £8.9m over mortgage system problem, United Kingdom, September 2013. Available at: http://www.computerworlduk.com/news/it-business/3470789/clydesdale-bank-fined-89m-over-mortgage-system-problem/ (Accessed 11 March 2014).
[xii] The figure of 6.4% customer churn comes from: Ponemon Institute, 2011 Cost of Data Breach Study: United Kingdom, United Kingdom, March 2012.

Saturday, 8 March 2014

Economics Reading List - Part 1

I have read these in the past to varying extents but am reading through them again to refresh my memory. Some very interesting reads.

Title: Wealth of Nations (Wordsworth Classics of World Literature)
Author: Adam Smith
Pages: 1008 pages
Publisher: Wordsworth Editions Ltd.; Classic World Literature edition (5 July 2012)
Language: English
ISBN-10: 1840226889
ISBN-13: 978-1840226881
Notes: This is the full five books (most versions of this are either abridged or only contain the first 3 books)

Title: The General Theory of Employment, Interest and Money by John Maynard Keynes AND Essays In Persuasion
Author: John Maynard Keynes
Pages: 542 pages
Publisher: CreateSpace Independent Publishing Platform (11 Aug 2009)
Language: English
ISBN-10: 144867302X
ISBN-13: 978-1448673025
Notes: This has the primary text and John Maynard Keynes' Essays in Persuasion in the one book

Title: The Affluent Society: Updated with a New Introduction by the Author
Author: John Kenneth Galbraith
Pages: 288 pages
Publisher: Penguin; 5th revised edition (5 Aug 1999)
Language: English
ISBN-10: 0140285199
ISBN-13: 978-0140285192
Notes: Galbraith has an amusing way of putting things in this book.

Title: Money : whence it came, where it went
Author: John Kenneth Galbraith
Pages: 335 pages
Publisher: Bantam (1976)
Language: English
ISBN-10: 0553026887
ISBN-13: 978-0553026887
Notes: Very interesting to understand the history of money.