Automation risk isaca2017

Mohammad Fheili – fheilim@jtbbank.com
Information System Audit &
Control Association
I.S.A.C.A.
Education Committee Event
Wednesday 25th, 2017
Gefinor Rotana, Beirut – Lebanon
“ISACA was incorporated in 1969 by a small group of individuals who recognized a need for a centralized source of
information and guidance in the growing field of auditing controls for computer systems. Today, ISACA serves
140,000 professionals in 187 countries.”

Mohammad Fheili
“Over 30 years of Experience in Banking.
mifheili@gmail.com (961) 3 337175
 Risk & Capacity Building Specialist.
 Trainer in Risk, Compliance, and Capacity Building.
 University Lecturer: Economics, Risk, and Banking Operations
 Currently serves in the capacity of an Executive (AGM) at JTB Bank
in Lebanon.
 Served as:
• Senior Manager & Chief Risk Officer at Group Fransabank
• Senior Manager at BankMed
• Talent Development Advisor at ABL
• Economist at the Association of Banks in Lebanon [ABL]
 Mohammad received his college education (undergraduate &
graduate) at Louisiana State University (LSU), and has been
teaching Economics and Finance for over 25 continuous years at
reputable universities in the USA (LSU) and Lebanon (LAU).
 Finally, Mohammad published over 25 articles, of those many are in
refereed Journals (e.g., Journal of Money Laundering & Control;
Journal of Operational Risk; Journal of Law & Economics; etc.) and
Bulletins.”

QualitativeAssessment
ofRisksinElectronic
Banking&
Automation…

IntroductionIntroduction

And many more . . .
Did You Live The Experience? … Dream vs. Reality?!
Didn’t you dream of having Super Power? Haven’t You Wished You Can Fly?Avatar…!
PG 13 PG 13PG 134
PG 13 PG 13
Motion‐Picture rating of PG 13
advising parents that some
material in the film may be
unsuitable for children under 13.

And many more . . .
This Is Where Dreams Are Made!

Is He For Real?!
The Good Old Days …

We copied ‘Disney’s Mentality’ to ‘Banking’; and here
is what we have . . .
Super Power
Real

TheCyber[Pretend]Challenge
QualitativeAssessmentofRisksinElectronicBanking&Automation…

Are You Convinced that we have been evolving in that fashion?
IF YES, then the extreme majority of anticipated/undertaken projects is about
“Automation”, and/or IT Solutions….
RESULTING in:
1. Increasing Demands for IT skills,
2. Technical skills is favored over soft skills
3. Talent Development potentially biased
4. etc.
The Absence of Such Technical Skills will reflect Negatively on the success of the majority of
projects, and introduce an element of heightened Risks in the successful Completion of
Planned Projects…
Are There More!
4th Industrial Revolution:
which is characterized
by the fusion of
technologies blurring
the lines between the
physical, digital, and
biological spheres.

We Have Evolved Indeed…
1. Are We Better Off?
2. Has it Been An Evolution or a
Revolution?!
3. Has ‘IT’ Made Our Lives
Easier?
4. Disruptive Technologies!
5. ‘IT’ Has Induced Unbearable
Complexities!
Technology combined with increasing day-to-day necessities (is it? Or Desires?) is
the most significant driver of business change!

Compatible
Processing
Speed

My Phone
Smart Phone
 Features
 10s of Built‐In
Applications
 100s of
Applications
Available for
Download

My
Moment!
Mobile
Moment!

My Book
eBook

My Laptop
Slim & Super-Slim Laptop

What’s [Explicitly] Missing in
This Roadmap?!

InSportsInSports
Instant Replay

The NCAA
Playing Rules Oversight Panel has approved an experimental rule that will
allow the Big Ten and Mid‐American conferences to use instant replay on
certain plays within the restricted area arc during the 2016‐17 season.
The experimental rule, which will be in effect only during conference
play, can be used when an official believes that an incorrect call was
made on a restricted area ruling, or when a head coach makes an appeal
for a review.
If a coach appeals and the instant‐replay review determines the official’s
call was correct, the appealing coach’s team will be charged a timeout. If
the call is reversed on appeal, no timeout will be charged.
In the NBA
If referees confirm the shot was made in time (or have no
conclusive video to overturn their on‐court ruling), referees
also look to confirm:
• Whether the shot was a two‐ or three‐point attempt, or
• Whether the shooter committed a boundary line violation
or the ball touched an out‐of‐bounds area, such as the
stanchion, prior to entering the basket. If it did, the goal
would be disallowed.
If the shot was not made in time, referees will still try to
determine if any of the following occurred before the ball left
the shooter's hand and adjust the shot and game clocks
accordingly:
• The shooter stepped on a boundary line,
• The 24‐second clock expired,
• There was an 8‐second backcourt violation, or
• A player or players committed an unsportsmanlike act or
unnecessary contact.
Exception: Instant replay is not used in cases where the made
basket followed a throw‐in, free throw attempt or jump ball
started with 0.2 or 0.1 on the game clock because players can
only tip the ball in those situations according to the
Comments on the Rules, Section II L.
The NFL’s
instant replay debate has been a hot‐button issue since games were first
regularly televised in the late 1940s. Traditionalists, hesitant to interfere
with the purity of the game by removing human error, clashed with those
eager to embrace technology and all that it offered the game.
The NFL has come to embrace instant replay, but the process that led to
the state‐of‐the‐art system the league uses today was not always
seamless. The history of instant replay in professional football is filled
with stops and starts; missteps and controversy; and modifications and
improvements that continue to this day.
Instant replay’s history begins in earnest four decades ago — with a man
and a stopwatch.
Is there any evidence or reason why FIFA is so against adding instant
replay to soccer?
InstantReplay

Banking …. got complicated
ComplexityTechnology-Induced
Innovation that Displaces established Market Leaders, Technologies & Alliances
PLUS Creates a new Market or Industry & Value Networks!

Between
Humanizing “The Technology’ & Digitizing “The Human-Client!”
Technology Has Altered Our Existence

People
Come
First
Data
Come First
The Age of Instant Interconnectivity…
More About Technology‐Induced Complexity
Technology-induced complexity in Banking

have led to:
Increased Usage of Impersonal Electronic Services
• Low Cost Electronic Services;
• Widespread and Diffused Customer Base.
This, in turn led to:
Lower Customer Intimacy.
Reduced Switching Costs Between Different Banks (Customers these days are
constantly shopping for the better deal)
Increased Chances of Fraud and Credit Risk
Increased the Demand for Transparency
• Less Time to Know and Influence Customers.
Research shows that Customer Interest peaks and falls rapidly especially in
response to a Promotional Event.
This makes it absolutely necessary for banks to optimally leverage all
available customer touch points so as to be able to influence the customer
(e.g., You find ads and offers on ATM receipts).

 The Introduction of any form of technology in a given production process or
the mere modification of an existing IT environment necessitates a number of
changes which spillover on Bank Performance: Staff Skills, Workflows, Policies
& Procedures, and a host of other changes.
 In today’s technologically intense production processes, information
technology (IT) risks cannot be considered independently of other types of
risks since it reflects on our ability to serve and satisfy our clients.
 Because processes are Technology dependent, Accurate, Complete and timely
data collection has changed from being mostly qualitative to overwhelmingly
quantitative.
 Recognizing these challenges and acknowledging that the Employee has a
role to play in managing these risks will put management one step ahead.
Is not enough anymore!

MAXIMIZE PROFIT subject to:
RISK , REGULATORY, Compliance,
Reporting, Etc. Constraints
RISK .  . .
 Default
 Liquidity
 Maturity
 Others . . .
REGULATORY . . .
 Basel I
 Basel II
 Basel III
 Basel IV (In the making)
 TLAC Requirements
 Sanctions Rules
 USA_FATCA Requirements
 OECD_CRS (1st Reporting 2017)
 ISA 700, 701, 705, 706, and 720
 AML, Etc. . . .
Uses of Funds Sources of Funds
 Reserves
 Loans
 Securities
 Other
Investments
 Fixed Assets
 .  .  .
 All Types of
Deposits
 Borrowings
 Other
Sources
 Capital
 .  .  .
Off-Balance Sheet
With every
Dollar in Profit
a Bank Makes,
it MUST satisfy
all these
Regulatory
Constraints
first!
Legal Issues .  . .
From
Originate‐To‐
hold To
Originate‐To‐
Distribute
(Decompose &
Redistribute)
CRS: Common Reporting Standards, essentially inspired by FATCA, is a framework between governments to exchange information obtained from local financial institutions to
combat tax evasions.
TLAC: The Proposed Minimum Total Loss Absorbing capacity requirements for Globally Systemically Important Banks (G‐Sibs). It aims to boost G‐Sibs’ capital and leverage
ratios, ensuring these banks are equipped to continue critical functions without threatening financial market stability or requiring taxpayer support.
ISA: International Standard on Auditing.
Instead of to Off‐
Balance Sheet; now to
Unregulated Shadow
Banking with less
concerns over loan
monitoring & Follow up.
Deteriorated quality of Capital with the
Introduction of new instruments and Tier 3
The Banking Model…. got complicated and Banks are forced to Automate.

General
Ledger
Clients &
Settlement
P & L
Risk
Reporting
Core
Analytical
Engine
Other Models
Predictive
Models
Regulatory
Models
Asset‐Liability
Management
Models
Risk
Models
Business
Strategy
Analysis
Valuation
Models
Pricing
Models
Exposure
Measurements
B ACD
These Risks could
Exist Inside each
Module and in the
Interface between
Two or More
Modules
Interface
Between
Modules

Level Of Maturity in AML Compliance
Nature & Extent of Efforts Deployed
DD
EDD
RBA
Due
Diligence
Enhanced Due
Diligence
Risk‐Based Approach to AML
Compliance
Enhancing Compliance Capabilities …
AML Cost
Skills Needs
Know‐How
AML Analytics
AML Compliance require:
The Use of Technology:
Quantification/Data‐Rich vs.
Judgment/Opinion‐Rich
Increase exposure to Technology
Failures.
Different Sets of Skills are
required.
Reliance on Technology may
Reduce Frequency of Risk Events
But Increase Impact if and when
a Risk Event occur.

Increasing Our Understanding of Potential
Outcome (i.e., Business Impact of a Risk Event)
Increasing Evidence on Probability of
occurrence (…of a Risk Event)
Ambiguity
Uncertainty
Ignorance
Complexity makes it
difficult, if not impossible,
to understand the “Risk
Environment” and Changing
“Risk Characteristics”.
A Bank is expected to
collect ALL needed data to
move closer to Risk
Management and Away
from:
 Ambiguity,
 Ignorance, and
 Uncertainty.
Technology‐Induced Complexities give birth to an environment with
amplified risk characteristics

A Perspective …A Perspective …

Data acquisition Data analysis Data cable
Data domain Data element Data farming
Data governance Data integrity Data maintenance
Data management Data mining Data modeling
Data visualization Computer data processing Data publication
Data remanence Data set Data warehouse
Database Datasheet Environmental data rescue
Fieldwork Metadata Open data
Data Migration Data Conversion Data Cleansing
Data structure Raw Data Secondary Data
Etc …
Data …

• Client Information Profile
• Balances
• Interest Rates
• Commissions & Charges
• Maturity
• Payments
• Provisions
• Overdue Balances
• Outstanding Balances
 Formulas to Calculate Data
 Framework to Locate Data
 Framework to warehouse Data
 Framework for Compliance
 Calculation Engines
 Financial Statements
 Chart of Accounts
 Regulations
 Core (Raw) Data
 Calculated Data

It’s More about the People
Behind the Technology than
Technology itself!
Between “Innocence”
AND “Criminal”
Intentions
Behind every Risk Event!

Let’s Start with

The United States is dealing with a nasty
bird flu outbreak.
Sixteen states have reported cases of highly
pathogenic H5 ‘Avian Flu’ among flocks of
birds like turkeys and chickens as well as
wild birds.
Travel Back in Time to: May 13th, 2015

It’s May 2015, and you’re on
a Visit to the USA. You were
asked by a Dear Friend,
who’s a Zoo Keeper, to pick
One animal to take care of
alone for a day and inside a
25m2 room…
YOU CAN’T DECLINE!
Feel free:
 To ask any question. I’m
the Animal Keeper!
 To do what you deem
necessary to succeed.
You’re THE ZOO KEEPER

1
3
You were asked by a Zoo
Keeper to pick One
animal to take care of,
for a day, inside a 25m2
room; and alone?
Feel free:
 To ask any question.
I’m the Animal
Keeper!
 To do what you
deem necessary to
succeed.
2
4

Survey Says!

In 2015, 38% more security incidents were detected
than in 2014.
Theft of “hard” intellectual property increased 56%
in 2015.
Staff remain the most cited source of compromise
(Risks).
Risk Events attributed to business partners climbed
22%.
Source: Global State of Information Security Survey, March 2016

Suppliers /
Partners
35%
34%
30%
29%
18%
22%
15%
19%
13%
16%
2015
2014Current
Employees
Former
Employees
Current Service
Providers/Consultants
/Contractors
Former Service
Providers/Consultants
/Contractors
Sources of Risk Events
Source: Global State of Information Security Survey, March 2016
More About Security Compromised

Sources: EIU/SHRM Foundation Survey: “Managing Human Resources in a Changing World”

& Business Implications
12
Disruptive
12

Technological Innovations
are happening & Business
Environment is changing
MUCH FASTER than
Curriculums in Universities
are resulting in an alarming
gap between the skills
produced by educational
institutions and those
required by Business
Organizations.
Technological Innovations
are happening & Business
Environment is changing
MUCH FASTER than
Curriculums in Universities
are resulting in an alarming
gap between the skills
produced by educational
institutions and those
required by Business
Organizations.

Loyalty to one’s profession is gaining
over loyalty to the Organization

√
√
√

Rising Cyber-Risks
Beware…!

People, System, and Processes belong to the same Risk Family
PRIMARY SECONDARY
PEOPLE
Employee Fraud / Malice (Criminal)
PROCESSES
Payment / settlement / delivery risk
SYSTEMS
Technology investment risk
EXTERNAL
Legal / Regulatory Risk / Public Liability
Unauthorized activity / Employee misdeed (Willful)
Employment Law
Workforce disruption
Loss or lack of key personnel
Documentation or contract risk
Valuation / Pricing
Internal / External reporting and compliance
Project risk / Change management
Selling Risks
System development and implementation
Systems failures
Systems security breach
Systems capacity
Criminal Activities
Out-sourcing / Supplier Risk
In-sourcing Risks
Disaster and Infrastructural utilities Failures
Political and Government Risks
OperationalRisk

Implicate the Employee Or Eradicate the Business
It is about
People and
Culture

Combating Operational Risks
Rests in Your Risk Culture
…Keeping in mind that the absence of a well defined ‘Risk Culture’ is a
statement of ‘Risk Culture’ … Se Beware!

You start with the “Man in the Mirror”!
Every individual comes to
an organization with his/er
own personal Perception of
Risk.
Every individual comes
with his/er own Inventory
of Moral Values and these
have a great influence over
the decisions they make on
day‐to‐day basis.
The Man In The Mirror . . . The Man In The Mirror . . .

People vary in all sorts of ways and this includes their predisposition toward Risk.
Two specific Traits:
1. The extent to which people are either:
 spontaneous and challenge convention or
 organized, systematic and compliant.
2. The extent to which people may be:
 cautious, pessimistic and anxious, or
 optimistic, resilient and fearless.
Organizations need to pay attention to the ethical profile of those working in their
business because it significantly influence individual’s Decision Making:
 Ethic of Obedience (Rule Compliance, Spirit of the Law, etc.)
 Ethic of Care (Empathy, Concern, Respect, etc.)
 Ethic of Reason (Wisdom, Experience, Prudence, etc.)

Risk Culture
Personal
Predisposition
of Risk
Personal Ethics
Behavior
Organizational
Culture
Individual values and beliefs and
attitudes toward risk contribute to
and are affected by the wider overall
culture of the organization.
It is useful to consider Organizational
culture in relation to two key
dimensions:
1. Sociability: People Focus (based on
how well staff get on socially)
2. Solidarity: Task Focus (based on
goal oriented and team
performance)

Risk Management Is Everybody’s Business
Staff Business Unit Senior
Management
Assessment &
Follow Up
Acceptance or Mitigation
of Identified Risks
Follow Up on Decided
Actions
Oversight &
Control
Reports to Enable Senior
Management Appraisal
Identification
Reporting
Registration of Incidents
and Monitoring of the
Internal Control
Environment
Problems with Risk Culture
are frequently found at the
root of organizational
scandals and collapses.
Every individual
comes to an
organization with
his/er own
personal
perception of
Risk
It Starts Here
Risks Tracking … Finding The Trail

Participative
Risk Management
Full and Consistent
Communication & Coordination
with all Business Units
Autocratic
Risk Management
I Know what to
do, and I will do
it all alone. My
way or the
highway!

Poor
Unclear
Lack of Insight
Over Confidence
No Challenge
Fear of Bad News
Indifference
Slow
Gaming
Beat the System
Good
Clear
Good Insight
Confident But Careful
Constructive Challenge
Reward Honesty
Diligence
Fast
Coordinating
Play By The Rules
Communication
Tolerance
Level Of Insight
Openness
Confidence
Challenge
Level of Care
Speed of Response
Cooperation
Adherence to Rules
Transparency of
Risk
Acknowledgement
of Risk
Responsiveness
To Risk
Respect For Risk
High Risk Low Risk
Risk Culture Framework
Beware of the Weak End of the
Continuum!

What Drives Individual
Performance
And Shapes Risk Culture?

Abilities
Knowledge
(Knowledge + Skills)X(Attitude)= Abilities
Formal + Self-Acquired
To Perform & Excel And Grow
Skills
Technical + Soft
Human Capital Accumulation = ∑Abilities
The NOT so visible
Argument that we often
forget

Skill Marketability
Loyalty To The
Organization
Loyalty To One’s Profession
Skill Marketability Reflects Favorably On
The Career And The Salary Of The
Individual
Loyalty To The Organization May
Help The Individual Sustain A
Company‐Specific Employment
Loyalty To One’s Profession Exerts The
Necessary Pressure On Knowledge And
Skill Build‐Up (Benefiting Both The
Individual & The Organization)
It Makes You Punctual
It Makes You Knowledgeable

Talent Laundering
• Talent Versus Ethic
• Hard Work
• Abundance of Qualifications
overshadow the need to probe about
Ethics.
• Individuals with Bad Ethics seek
Employment only to feed their
criminal intentions.
• Talents tainted with Bad Ethics is only
after short term gains.
• Those who are loyal to their
profession hold the highest degrees of
Professional & Personal Ethics.

Final
Thoughts
Final
Thoughts

Brilliant
Surgery!
Well Done!
Shame the
patient died.
Outcomes

Risk Management of Today has been Contaminated & Disrupted by
the Complexity of Technologies and Technological Innovations.
… Risk Management ought to be as Simplistic as the Environment it
exists in.

Automation risk isaca2017

More Related Content

Viewers also liked (10)

Similar to Automation risk isaca2017 (20)

More from Mohammad Ibrahim Fheili (20)

Recently uploaded (20)

Automation risk isaca2017