Classifying IT risk
Identification, analysis, measurement and management of IT risk require specialized knowledge and skill. IT risk management has to be done in every organization, and each has its own unique IT risk profile. Technology risks have a deep impact on the finances, operations, regulatory standing and reputation of banks. IT risks can be classified according to their impact on the organization, as listed below:
1. Security risk- The risk that information will be altered, accessed, or used by unauthorized parties. Sources of security risk include external attacks, malicious code, physical destruction, inappropriate access, dissatisfied employees, and the variety of platforms and messaging types.
Potential impacts associated with them are corruption of information, external fraud, identity theft, theft of financial assets, damage to reputation and damage to assets.
2. Availability risk- The risk that information or applications will be inaccessible due to system failure or natural disaster, including the recovery period. Sources of availability risk are hardware failures, network outages, data center failures, force majeure etc. Potential impacts associated with them are abandoned transactions and lost sales, reduced level of customer, partner or employee confidence, interruption or delay of business critical processes, and reduced IT staff productivity.
3. Performance risk- The risk that underperformance of systems, applications, or personnel, or of IT as a whole, can diminish business productivity or value. Sources of performance risk are poor system architectures, network congestion, inefficient code, inadequate capacity etc. Potential impacts associated with them are reduced customer satisfaction and loyalty, interruption or delay of business critical processes, and lost IT productivity.
4. Compliance risk- The risk that information handling or processing fails to meet regulatory, IT or business policy requirements. Usually, it involves penalties, fines or loss of reputation from failure to comply with laws or regulations, or the consequences of non-compliance with IT policies. Sources of compliance risk are third-party compliance standards etc. Potential impacts associated with them are damage to reputation, breach of client confidentiality, and litigation.
Controls required for managing IT risks
An effective control mechanism is required for managing risks in IT areas. These controls are:
i. Preventive Controls: This is a control mechanism that stops or reduces errors and mistakes from occurring. A good layout of forms or screens to a large extent reduces the likelihood of mistakes happening while inputting the data.
ii. Detective Controls: They identify the errors after they are committed. This is done through what is known as validation protocols or programmes.
iii. Corrective Controls: These controls eliminate or reduce errors after identification of such data with errors or irregularities.
The basic purpose of these controls is to prevent the occurrence of errors or irregularities in the system. Secondly, if errors or irregularities occur in spite of such prevention, they need to be detected and eliminated or corrected.
In addition to the generic controls mentioned above, the controls that can be exercised in managing risks, classified by their nature, are as follows:
Physical Controls: These are the controls that restrict physical access to IT assets such as computers, servers, the computer room, media, documentation, data storage places, other hardware/components etc.
- The first restriction to be put in place is to ensure that only authorized persons are allowed access for repairs, maintenance, servicing, etc., through a prior log-in entry in a register, validated by proper authentication.
- Care should also be taken to see that such persons are not allowed access to stored data.
- Access to systems and software is to be restricted through PINs, passwords or biometric verification. Similarly, an access register/log should be maintained to record access to the system by various users.
- Clear segregation of machines should be done such that machines which are meant for operations are not used for developing or testing software and vice versa. Similarly, hard copies of various transactional reports should be kept under proper security and access to them should be given only to authorized persons/staff.
- Preventive checks of disaster prevention equipment such as fire alarms, fire extinguishers, smoke detectors, CCTV cameras, physical locking arrangements etc. should be done on a routine basis. Similarly, hardware servicing at periodical intervals should also be done, through AMCs (annual maintenance contracts), to prevent failures.
Internal Controls: These controls are built into computer systems for checking the accuracy and reliability of data. Indirectly they ensure operational efficiency and safeguard assets too. There are two types of internal controls. They are:
(i) Accounting controls
(ii) Administrative controls.
These controls also ensure adherence to the procedures and policies formulated by a bank.
Accounting controls form part of the software and can be seen in the form of:
- Dual Authorization and Controls
- Validation Checks in the System
- Numerical Sequencing
Administrative control flows through clearly spelt-out policies of responsibility and procedures. Controls can also be seen in activities such as:
- Validation/authorization of:
  - transactions relating to limits, authorizations on the bank’s software, passing of cheques and vouchers,
  - drawing powers, defective/incorrectly drawn cheques, stop payment orders, reactivation of dormant and inoperative accounts, standing instructions, money transfer transactions, etc.
  - pre-transaction verification of due dates, rates of interest, etc.
Operational Controls: These are embedded in the software itself to ensure data integrity and consistency as well as correct processing. Checksum verification is another example of an operational control, exercised during day-begin operations. The double-checking concept of an inputter and an authorizer for every system transaction should be introduced by banks to control operational risk.
Additionally, the following controls are available for banks to monitor the system and its operations by authorized personnel.
Audit Trail: Recording of all events that occur in a system in chronological order.
There are two types of audit trails: the Accounting Audit trail and the Operations Audit trail.
- The Accounting Audit trail maintains a chronological record of the processes that have taken place within the system involving data and information.
- The Operations Audit trail gives a chronological record of access to a terminal, user id, date, time of access, authorization record, etc., which are generated by the system itself. This provides evidence in case of any violations or unauthorized use.
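As an added illustration (not from the original text, and not any bank's actual software), the following hypothetical ledger shows how three of the controls described above look in code: dual authorization (the inputter cannot be the authorizer), numerical sequencing of vouchers with a validation check on the amount, and an operations audit trail that records user, terminal, action and time in chronological order. All names (Ledger, Transaction, voucher numbers, terminal ids) are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

class ControlViolation(Exception):
    """Raised when a preventive control blocks an action."""

@dataclass
class Transaction:
    voucher_no: int
    account: str
    amount: float
    inputter: str
    authorizer: Optional[str] = None

class Ledger:  # hypothetical, constructed for illustration only
    def __init__(self):
        self.pending = {}      # voucher_no -> Transaction awaiting authorization
        self.posted = []       # transactions authorized by a second user
        self.audit_trail = []  # (utc_time, user, terminal, action, voucher_no)
        self._next_voucher = 1

    def _log(self, user, terminal, action, voucher_no):
        # Operations audit trail: who, from which terminal, what, and when
        self.audit_trail.append((datetime.now(timezone.utc), user, terminal, action, voucher_no))

    def input_txn(self, voucher_no, account, amount, user, terminal):
        # Numerical sequencing: vouchers must arrive in order, no gaps or repeats
        if voucher_no != self._next_voucher:
            self._log(user, terminal, "REJECT_SEQUENCE", voucher_no)
            raise ControlViolation(f"expected voucher {self._next_voucher}, got {voucher_no}")
        # Validation check: a zero or negative amount is an input error
        if amount <= 0:
            self._log(user, terminal, "REJECT_AMOUNT", voucher_no)
            raise ControlViolation("amount must be positive")
        self.pending[voucher_no] = Transaction(voucher_no, account, amount, user)
        self._next_voucher += 1
        self._log(user, terminal, "INPUT", voucher_no)

    def authorize_txn(self, voucher_no, user, terminal):
        txn = self.pending.get(voucher_no)
        if txn is None:
            raise ControlViolation(f"voucher {voucher_no} is not pending")
        # Dual authorization: the inputter may never authorize their own entry
        if txn.inputter == user:
            self._log(user, terminal, "REJECT_SELF_AUTH", voucher_no)
            raise ControlViolation("inputter cannot authorize own transaction")
        txn.authorizer = user
        self.posted.append(self.pending.pop(voucher_no))
        self._log(user, terminal, "AUTHORIZE", voucher_no)
```

Rejected attempts are logged as well as successful ones, so the audit trail is the evidence the text refers to when a control is tripped.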
Data encryption: This is a control measure applied while transmitting data from one place to another using an encoding process. It is based on a fixed algorithm and uses a key word. At the receiving end the encrypted data is decoded. If the codes at both ends match, it indicates that the message has not been altered, and thus the integrity of the transmitted message is confirmed. If there is no match, an investigation is triggered. This process is also used for electronic funds transfers.