Non-financial Risk Management in the Financial Industry


Non-financial Risk Management in the Financial Industry: summary and annotation


Managing environment, social and governance (ESG) risk, compliance risk and non-financial risk (NFR) has become increasingly critical for businesses in the financial services industry. Furthermore, expectations by regulators are ever more demanding, while monetary sanctions are being scaled up. Accordingly, ESG, Compliance and NFR risk management requires sophistication in various aspects of a risk management system.
This handbook analyses a major success factor necessary for meeting the requirements of modern risk management: an institution-specific target operating model (TOM) – integrating strategy, governance & organisation, risk management, data architecture and cultural elements to ensure maximum effectiveness. Also, institutions need to master the digital transformation for their business model to be sufficiently sustainable for the years to come. This book will offer ways on how to achieve just that.
The book has been written by senior ESG, Compliance and NFR experts from key markets in Europe, the U.S. and Asia. It gives practitioners the necessary guidance to master the challenges in today's global risk environment. Each chapter covers key regulatory requirements, major implementation challenges as well as both practical solutions and examples.

Non-financial Risk Management in the Financial Industry: read the online excerpt



The European Union defines this risk as the violation of “agreements between market operators that would restrict competition, and the abuse of dominance.” [67] According to the International Chamber of Commerce (ICC), the intention of antitrust laws is to guarantee the delivery of goods and services to consumers at a fair price in an ethical manner. Non-compliance may lead to significant penalties as well as serious reputational damage. [68] The Procurement Collusion Strike Force of the US Department of Justice counts bid rigging, price fixing and market allocation affecting government procurement at any level as antitrust violations. [69]

2.4.1.4.9 Balance sheet manipulation

Balance sheet manipulation, also called financial statement fraud, refers to the manipulation of an organisation’s financial statements. According to the ACFE, it usually involves overstating assets, revenues and profits as well as understating liabilities, expenses and losses. The most common schemes include fictitious revenues, timing differences, improper asset valuations, concealed liabilities and expenses, and improper disclosures. [70]

2.4.1.5 Information, Communication & Technology (ICT) and Cyber risk

ICT risk describes the general threats to IT and communication systems which can disrupt operations. The EBA defines this risk as

“risk of loss due to breach of confidentiality, failure of integrity of systems and data, inappropriateness or unavailability of systems and data or inability to change IT within a reasonable time and with reasonable costs when the environment or business requirements change (i.e., agility). This includes security risks resulting from inadequate or failed internal processes or external events including cyber-attacks or inadequate physical security.” [71]

The core of information security, IT security and cybersecurity lies in the protection of information and data, referred to as the protection of assets. Assets can be hardware as well as software: data and information, IT systems, products or processes. The US National Institute of Standards and Technology (NIST) defines information security as the protection of information and information systems from unauthorised access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity and availability.

The term ICT risk is mainly used in Europe, with the European Parliament proposing the following definition:

“ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems, including a malfunction, capacity overrun, failure, disruption, impairment, misuse, loss or other type of malicious or non-malicious event – which, if materialised, may compromise the security of the network and information systems, of any technology-dependent tool or process, of the operation and process’ running, or of the provision of services, thereby compromising the integrity or availability of data, software or any other component of ICT services and infrastructures, or causing a breach of confidentiality, a damage to physical ICT infrastructure or other adverse effects.” [72]

The EBA provides a general definition of ICT risk:

“‘ICT risk’ means the risk of loss due to breach of confidentiality, failure of integrity of systems and data, inappropriateness or unavailability of systems and data, or inability to change IT within a reasonable time and costs when the environment or business requirements change (i.e. agility).” [73]

Accordingly, any such policy “should ensure confidentiality, integrity and availability of a financial institution’s critical logical and physical assets, resources and sensitive data whether at rest, in transit or in use.” [74]

The EBA also provides a view on ICT and security risks from a payment perspective, stating that the

“term ‘ICT and security risks’ addresses the operational and security risks mandate of Article 95 of the revised Payments Services Directive (PSD2). This term recognises that the operational risks for payment services refer predominantly to ICT and security risks because of the electronic nature of payment services (over ICT systems).” [75]

The US National Institute of Standards and Technology (NIST) defines cyber risk as the “risk of depending on cyber resources, i.e. the risk of depending on a system or system elements which exist in or intermittently have a presence in cyberspace.” A more detailed definition of cyber risk, also provided by NIST, is the following:

“Risk of financial loss, operational disruption, or damage, from the failure of the digital technologies employed for informational and/or operational functions introduced to a manufacturing system via electronic means from the unauthorized access, use, disclosure, disruption, modification, or destruction of the manufacturing system.” [76]

The Canadian OSFI states that

“‘cyber risk’ or ‘cyber security risk’ is the risk of financial loss, operational disruption or reputational damage from the unauthorized access, malicious and non-malicious use, failure, disclosure, disruption, modification or destruction of an institution’s information technology systems and/or the data contained therein.” [77]

The APRA defines data risk as follows:

“Data risk encompasses the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events impacting on data. Consideration of data risk is relevant regardless of whether the data is in hard copy or soft copy form. Examples include: (a) fraud due to theft of data; (b) business disruption due to data corruption or unavailability; (c) execution delivery failure due to inaccurate data; and (d) breach of legal or compliance obligations resulting from disclosure of sensitive data.” [78]

Unlike most other risk categories, ICT and cyber risk can be broken down into several sub-categories, which are described in the following sections.

2.4.1.5.1 Data confidentiality risk

According to NIST, “data confidentiality deals with protecting against the disclosure of information by ensuring that the data is limited to those authorized or by representing the data in such a way that its semantics remain accessible only to those who possess some critical information.” [79] Based on this definition, we define data confidentiality risk as the risk of failing to protect information from access by unauthorised parties.

This spans all types of confidential data in a bank, from personal customer data and employee data to all data generated for internal operations and reporting.

2.4.1.5.2 Data availability risk

The EBA defines data availability risk as “the risk that performance and availability of ICT systems and data are adversely impacted, including the inability to timely recover the institution’s services, due to a failure of ICT hardware or software components, weaknesses in ICT system management, or any other event.” [80]

2.4.1.5.3 Data integrity risk

The ECB defines data integrity risk as

“the risk that data stored and processed by IT systems are incomplete, inaccurate or inconsistent across different IT systems, for example as a result of weak or absent IT controls during the different phases of the IT data life cycle (i.e. designing the data architecture, building the data model and/or data dictionaries, verifying data inputs, controlling data extractions, transfers and processing, including rendered data outputs), impairing the ability of an institution to provide services and produce (risk) management and financial information in a correct and timely manner.” [81]

