Information Security

Establishing the operational risks of CIB Bank and creating the system managing such risks

As opposed to its predecessor (the Basel I agreement approved in 1988) the Basel II agreement likely to be approved in 2006 or 2007 focuses more heavily on the establishment and managing of operational risks faced by banks and other financial institutions. Partly as a result of this trend and partly to meet the requirements of foreign owners, the Bank’s management decided to launch a project to establish what operational risks CIB face in order to create a system to successfully manage such risks.

The task was completed through the following steps:
Identification and mapping of the Bank’s processes

• Defining the user level information technology requirements related to the various computer applications and services
• Defining the information technology specifics and features of the individual computer applications and services
• Defining the threat level of the individual computer applications and services
• Properly documenting the findings of the information technology risk analysis
• Establishing and evaluating the proper risk management steps in order to cease the identified information technology threats, problems, errors, deficiencies and risks
• Designing, establishing, installing, training and testing of the Bank’s information technology risk management system (methodology and advisory system)   

From the professional point of view the most challenging aspect of the work was that KÜRT had never before prepared a risk and business impact analysis of such a scale for a financial institution. The majority of the business and operations processes were conducted through information technology means, i.e. the Bank had a complex information technology system with a difficult structure. There were several bank applications with the functions of which KÜRT had not had experience before.  Consequently, an efficient and successful risk analysis required an approach completely different from the one used in the case of production companies or government institutions. As a further challenge, the project was initiated by the business side of CIB, however, due to the information technology focus of the entire project KÜRT had to pay special attention to the support of and communication to the Bank’s information technology department. 

As a further novelty, the Bank required two of their colleagues to be involved in the full risk analysis process so that they would be prepared to utilise KÜRT’s risk analysis methods on their own in the future.

Besides the above, the Bank had the well-defined requirement that KÜRT automate their entire risk analysis and management process to the highest possible extent, thereby making the design and introduction of an independent risk analysis and management software necessary, along with its upload of start-up data.

KÜRT’s advisors had gained a lot of valuable experience throughout the project and for the support of information technology risk analysis and management activities managed to develop an easy-to-use professional system with a continuously developable knowledge base, which met the international information technology security standard requirements.

From the Bank’s point of view the project was a major success. The risk analysis identified several long-existing but hidden regulatory and process management issues or deficiencies the solution or the proper management of which could significantly increase the security, reliability and availability  of the Bank’s information technology system. In the opinion of the Bank’s information technology head, the new system installed as a result of the project has a logical structure, is easy to use and fully covers the risk analysis process. The usage of the new system makes the application of the trained risk analysis methodology much more simple and efficient.

Print page

Top of the page

Back