IS/IT RISK MANAGEMENT IN BANKING INDUSTRY
Vlasta Svatá, Martin Fleischmann *

Introduction
Headlines related to the financial crisis highlighted that significant risk failures persist despite the investments in the risk assessment and risk management disciplines. While isolated incidents of one-time governance failure are reduced, the long-term systemic failures are more than just an isolated anomaly. Various experts and professional organizations dealing with risk management have come to the conclusion that the failures may be caused by a mess in the risk information due to different risk assessments from different perspectives (McCuaig, 2008, s. 3; Ernst, 2009, s. 4). The credit crisis and the resulting regulatory pressure forced the chief operating officers and senior management of financial services firms to focus more on risk convergence: the assessment, mitigation and reporting of risk. The process of organizing these risk assessments to provide the organizations with a more holistic view of enterprise risk is fundamental to mastering risk assessment.
Before focusing on the different types of risk management frameworks, let us summarize the basics of risk assessment.
Risk assessment falls within the overall discipline of risk management. For most organizations, risk management is an evolving discipline that operates at disparate maturity levels across organizational functions such as internal audit, business operations, information technology and finance. Risk is defined as the uncertainty of an event occurring that could have an impact on the achievement of objectives. The definition of risk assessment then follows as the identification, evaluation and estimation of the levels of risk involved in a situation, their comparison against benchmarks or standards, and the determination of an acceptable level of risk (ISF, 2010).
Risk assessment should answer the following five questions (McCuaig, 2008, s. 3):
1. What can go wrong?
2. How can it go wrong?
3. What is the potential harm?

Different risk management frameworks take the specifics of the IT area into account differently. COSO ERM, AS/NZS 4360, ISO 31000 and BASEL II are typical examples of frameworks that pay no special attention to IT risk management. However, considering that Basel II is a very important standard for financial organizations, and that at the same time these institutions introduce governance principles into their management systems, there is a need to integrate both frameworks. In 2008, ISACA and ITGI introduced the document "Control Objectives for Basel II". It provides a framework for managing operational and information risk in the context of Basel II. It presents an outline of risk under Basel II, the links between operational risk and IT risk, and an approach to managing information risk. The document addresses three groups: information risk managers, IT practitioners and financial services experts. The executive summary states that financial services organizations using the framework presented are able to apply recognized IT control objectives and management processes to address the role of IT in operational risk.
On the other hand, focusing on the depth of IT coverage within risk management frameworks, we can point to frameworks such as ISO 2700x, ISF and CRAMM. They are examples of frameworks that cover IT risk management without any serious attempt to integrate it with business risk management. OCTAVE is the only framework that deals with organizational risk in addition to IT risk.

Completeness of risk management scope
Each enterprise has to deal with many different types of risk. Historically, the most serious is business risk. Business risk has its roots in many sources: credit, strategic, market, competitive, operational, etc. Growing integration, globalization, complexity and dependence on IT have resulted in the emergence of other important types of risk: compliance, financial and technology risk. Each risk management framework applies a different approach to risk categorization. Despite our previous considerations about the close relation between business and IT risk, it is quite common to think about these types of risk separately. In Figure 1

Another problem arises when we start to analyze the relationship between risk and control. All the current frameworks are based on the idea that there is a need to distinguish three main stages in risk management. The example below, taken from ISF (2010), represents them:
• Business Impact Assessment: assesses the potential level of business impact and determines the security requirements for protecting information in critical business applications;
• Threat and Vulnerability Assessment: determines the likelihood of particular threats exploiting vulnerabilities and causing business impact;
• Control Selection: evaluates and selects controls to mitigate the threats.
The final stage of the risk management process consists of "control selection" or, in other words, "risk treatment" (ISO, 2008). Both examples represent the final stage of any risk management process. The process should be understood as a cycle similar to the PDCA (plan-do-check-act) model. The typical characteristic of such a cycle is that it has no end or starting point. Therefore, risk management activities can start either with an analysis of the control system or with risk analysis. Again, different risk management frameworks handle this problem differently, and in practice many organizations struggle to find the proper balance between a risk-focused and a control-focused approach to risk assessment. For most organizations, especially financial ones, there is a bias towards control-focused risk assessment. The primary driver of this struggle is compliance with regulations such as Sarbanes-Oxley and BASEL II, which originally drove the increased need for risk assessment. The need for compliance, together with the need to audit the internal control system, forces organizations to focus on control-based risk assessment. Examples of such frameworks are COSO ERM, COBIT and ISO 27002. These frameworks primarily refer to risk as the risk of missing or broken controls. On the other hand, when risk-focused frameworks (e.g. AS/NZS 4360, ISO 27005 and ISF) refer to risk, they refer to one or several responses (reject, accept, transfer or mitigate the risk). As a result, risk assessment teams use the same terminology with completely different meanings.
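To make the two vocabularies concrete, the following added example (not from the paper, ISF or any of the frameworks named) walks a constructed register through the three ISF stages listed above and then reports it both ways: a per-risk response (accept, mitigate, transfer or reject) and a list of missing or broken controls. The rating scales, appetite thresholds and every sample application, threat and control are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Application:
    name: str
    business_impact: int  # Stage 1, BIA: 1 = minor ... 5 = severe (constructed scale)


@dataclass
class Threat:
    name: str
    likelihood: int  # Stage 2, TVA: 1 = rare ... 5 = almost certain, before any control


@dataclass
class Control:
    name: str
    likelihood_reduction: int  # points taken off likelihood when in place AND effective
    in_place: bool = True
    effective: bool = True


@dataclass
class Risk:
    application: Application
    threat: Threat
    controls: List[Control]

    def inherent_score(self) -> int:
        return self.application.business_impact * self.threat.likelihood

    def residual_likelihood(self) -> int:
        # Stage 3 credit: only controls that exist and work reduce the likelihood
        reduction = sum(c.likelihood_reduction for c in self.controls
                        if c.in_place and c.effective)
        return max(1, self.threat.likelihood - reduction)

    def residual_score(self) -> int:
        return self.application.business_impact * self.residual_likelihood()

    def weak_controls(self) -> List[Tuple[str, str]]:
        # Control-focused vocabulary: the same data read as missing or broken controls
        return [(c.name, "missing" if not c.in_place else "ineffective")
                for c in self.controls if not (c.in_place and c.effective)]


def risk_response(risk: Risk, appetite: int = 8, reject_threshold: int = 15) -> str:
    """Risk-focused vocabulary: one of the four responses (thresholds are constructed)."""
    score = risk.residual_score()
    if score <= appetite:
        return "accept"    # within appetite, nothing further to do
    if risk.weak_controls():
        return "mitigate"  # a selected control is missing or broken: fix it first
    if score >= reject_threshold:
        return "reject"    # controls exhausted and still intolerable: stop the activity
    return "transfer"      # e.g. insure it: the selected controls are already in place


def build_register() -> List[Risk]:
    """Constructed sample register for a fictitious bank."""
    ledger = Application("Core banking ledger", 5)
    portal = Application("Internet banking portal", 4)
    gateway = Application("Unsupported legacy trading gateway", 5)
    unauth = Threat("Unauthorised access", 4)
    outage = Threat("Application outage", 3)
    fire = Threat("Physical destruction of data centre", 2)
    rce = Threat("Remote compromise of unpatched software", 4)
    mfa = Control("Multi-factor authentication", 2)
    pam_review = Control("Privileged access review", 1, effective=False)
    failover = Control("Failover site", 2, in_place=False)
    return [Risk(ledger, unauth, [mfa, pam_review]),
            Risk(portal, outage, [failover]),
            Risk(portal, unauth, [mfa]),
            Risk(ledger, fire, []),
            Risk(gateway, rce, [])]


def risk_view(register: List[Risk]) -> List[Tuple[str, str, int, int, str]]:
    """What a risk-focused team reports: one response per risk."""
    return [(r.application.name, r.threat.name, r.inherent_score(),
             r.residual_score(), risk_response(r)) for r in register]


def control_view(register: List[Risk]) -> List[Tuple[str, str]]:
    """What a control-focused team reports: each deficient control once."""
    findings = {}
    for r in register:
        for name, status in r.weak_controls():
            findings.setdefault(name, status)
    return list(findings.items())


if __name__ == "__main__":
    reg = build_register()
    print(*risk_view(reg), *control_view(reg), sep="\n")
```

Note that the same register yields five risk responses in one view and only two findings in the other, which is the terminology mismatch the text describes.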
Different types of risk assessment frameworks are shown in Figure 2. Their positioning along the X axis (depth of coverage of IT) and the Y axis (completeness of risk management scope) can help us understand both their relevance to the IT/IS area and how commonly the phenomenon of risk is understood in the same way. To summarize Figure 2, there is a whole range of different frameworks dealing with risk assessment, but they are either too generic to be applicable to IS/IT risk management or, although they deal with IS/IT risk management, they narrow the area to IS/IT security risk management. The area named "GAP" identifies the space that is not well supported by the available frameworks; at the same time, however, it represents the key to more integrated IT/IS and business risk management.
Table 1, Examples of the most popular frameworks for risk assessment (at the end of the text), offers a complete overview of the risk assessment frameworks.
With regard to filling the gap shown in Figure 2, it is worth mentioning in particular the generally oriented initiative of the same organisations (ISACA and ITGI), meaningfully named Risk IT. In our opinion, the key contribution of this initiative is the fact that the framework connects business and IT risk management as closely as possible. This set of principles leads an enterprise to align its management of IT-related business risk with its overall risk management. As such, it tries to bridge the gap in the current array of risk management frameworks for IT: there is no known framework that both includes a holistic look at risk management and, at the same time, provides adequate depth and detail when covering IT. This might promote Risk IT as a unique tool offering coverage that is missing in COSO ERM, AS/NZS 4360 and the security-oriented IT risk management frameworks.
Risk IT complements ISACA's COBIT, which provides a comprehensive framework for the control and governance of business-driven, IT-based solutions and services.
• high-level: represents the same level of detail as COBIT (narrative description of the core characteristics for each level);
• detailed: built around the following attributes, each of which evolves through the levels:
  » awareness and communication;
  » responsibility and accountability;
  » goal setting and measurement;
  » policies, standards and procedures;
  » skills and expertise; and
  » tools and automation.
The Risk IT Practitioner Guide is divided into eight chapters and discusses topics such as defining a risk universe, how to define risk appetite, how to describe risk, how to develop relevant risk scenarios, how to respond to risk, and how COBIT and Val IT can assist in mitigating risk. The guide contains several templates, as well as a comprehensive list of generic IT risk scenarios (Steuperaert, 2009, s. 16).
Consider a typical financial institution where an enterprise risk management (ERM) approach has been established together with other frameworks (SOX, BASEL, ITIL, COBIT, ISO, etc.), but where IT risk management is treated and reported separately. There, the Risk IT process model can be used to start integrating IT risk management into the overall ERM system by assigning IT-related responsibilities to the roles defined in the Risk IT model and by implementing any additional process steps required, as described by Risk IT's Risk Governance (RG) domain. This introduction of the Risk IT framework can be applied by most enterprises that have an organized approach to risk management.

Specifics of IS/IT risk management in banking industry
It is becoming increasingly apparent that information systems and technologies significantly influence business processes in the banking industry. The value of IS/IT depends largely on the way IS/IT are implemented and related to banking activities. IS/IT as such represent an important factor in the competitiveness and commercial success of individual financial institutions.
IS/IT affect the banking business and its economic results in the following ways:
• the contribution of IS/IT to business productivity;
• the use of IS/IT as a tool for banking innovations; and
• IS/IT as a factor mitigating (or increasing) banking risk.
In accordance with the main focus of this article, we will hereafter highlight the relationship between IS/IT and risk. This role of IS/IT matters very much, since drawbacks in risk control might lead not only to financial losses and the failure of individual institutions or a threat to clients' deposits, but also to a negative impact on the whole economy, both nationally and globally.
From this point of view, we can observe two relationships between risk management and IS/IT:
• IS/IT support risk management in banks, e.g. databases enabling the recording and analysis of risk events, systems supporting models for risk quantification, credit scoring applications, etc.;
• IS/IT penetration into banking processes makes business activities dependent on IS/IT, which increases the significance of IS/IT risk management.
Risk management is an inseparable part of business on financial markets. The core of efficient and effective risk management lies in determining an optimal level of risk that is to be tolerated, whereas risks above this level are to be controlled. The ability to find the right balance between an inclination to risk and a tendency to eliminate it is the very way to reach stable economic results. Therefore, investment in risk management does not automatically mean a negative item in the profit and loss statement; it might (and should) significantly contribute to the profitability of a bank. A bank's economic result is thus the common denominator of business activity on the one hand and efficient risk management on the other.
With regard to the aforementioned dependency of business on IS/IT, and due to the advanced stage of their penetration into banking activities and products, the importance of IS/IT risk management is growing. This fact is reflected by banks themselves and obviously also by regulators. Leading regulators pay adequate attention to IS/IT in banks, and many of them, including the Czech National Bank, have published prudential rules and carried out systematic supervision in this area. Regulatory requirements on IS/IT in banks reflect the unique role of the banking industry in the national economy, the general principles of banking risk management and the importance of IS/IT in banking as such. Although this basis stresses the specifics mentioned above, IS/IT regulation complies with best practices and generally respected standards such as ISO 2700x, COBIT, ITIL, etc. Apart from these general standards on IS/IT, there are other relevant frameworks specific to banking, Basel II being the most important one. This framework has promoted operational risk to one of the three main banking risks, besides credit and market risk, thus also highlighting IS/IT risk as an integral part (a substantial subset) of operational risk. The Basel II definition of operational risk regards systems as one of four operational risk drivers; however, the coverage of IS/IT issues within Basel II is not deep. Although Basel II sets down only general principles and methods for quantifying the operational risk capital requirement, it establishes operational risk management as a separate risk discipline. However, no global operational standard, including guidance for the implementation of a bank's operational risk framework and particular operational risk management methods, has been established yet.
There have been some attempts to resolve this situation. An example is the RMA-KRI Framework methodology. This methodology is a product of the Risk Management Association, which in conjunction with RiskBusiness International Limited launched an initiative aimed at furthering the use of KRIs across the financial services industry. This followed the publication of several white papers by international rating agencies regarding the inclusion of operational risk effectiveness capabilities in an organisation's credit rating, as well as the publication of the then draft Basel II guidelines, which suggested that standardised indicators could be used to adjust an organisation's calculated capital reserve requirement under the Advanced Measurement Approach (IOR, 2010, page 37).
Another approach to how IT risk management is treated within the banking industry is the implementation of the so-called Operational Risk Management Framework (ORM). The main aim of this framework is to rethink the way risk is managed and integrate it with business processes. There is no "one-size-fits-all" approach to ORM. It is not merely Basel-compliant or COBIT-compliant; it should also provide the bank with mechanisms for improving its overall risk culture and behaviour towards operational risk management. The concept of the ORM Framework is often supported by specialized software, which is periodically evaluated using e.g. the Gartner Magic Quadrant (Gartner, 201

As concerns banks in the Czech Republic, the following paragraphs try to summarize trends regarding the application of the above-mentioned frameworks and their integration into banks' general risk management strategies. The overview is based on the author's long years of experience and knowledge in the field of the Czech National Bank's IS/IT banking supervision. It is necessary to mention that it is not a snapshot of a certain point in time, because the Czech National Bank performs IS/IT supervision in the form of on-site examinations, which require a few years to go through the whole banking sector. Therefore, it is not possible to get complete numbers of entities employing this or that framework. Although the following statement does not represent an exact survey, it can certainly illustrate the complexity of the situation.
The form of ORM is determined by the CNB regulation, which stipulates not only Basel II requirements on ORM, but also specific regulation on IS/IT risk management. These regulatory requirements are not understood as separate groups of principles. On the contrary, the CNB's regulation aims at the integration of IS/IT risk into the overall ORM. However, the regulation stipulates the requirements in the form of general principles. It neither stipulates detailed rules nor makes banks apply particular IS/IT risk management standards. This gives banks considerable room for their own way of complying with the regulations. As regards ORM as such, its form and sophistication are determined primarily by the chosen approach to calculating the capital requirement for operational risk, which leads to the use of different operational risk management tools. From this point of view, most Czech banks using or implementing Advanced Measurement Approaches (AMA), and several other banks, reflect the Basel II IT Control Objectives to some extent. This helps integrate their IS/IT risk management into their overall operational risk management frameworks. This linkage is more often initiated by IT people, since they are more familiar with ISACA's frameworks. Although the IT Control Objectives proved useful in banking practice, they do not fully cover the needs of IS/IT risk management. Therefore, most Czech banks use one or a combination of several IT-oriented risk management frameworks that have been adjusted and incorporated into their internal (in-house) methodologies. The ISO 2700n family is the leading IS/IT risk management framework among Czech banks. Its implementation reflects internal risk management processes, including parent company methodologies. On the contrary, CRAMM, which used to be relatively popular, is no longer used, as it proved to be too sophisticated and not flexible enough. Other IS/IT risk management frameworks are used only in isolated cases. Furthermore, ITIL is worth mentioning. Although it is not a framework primarily focused on IS/IT risk management, it reflects several security issues. Its significance lies in the fact that ITIL undoubtedly belongs among the most frequently used IT frameworks in the Czech banking sector.
Figure 4 gives a rough picture of how relevant each of the frameworks discussed above is to the banking industry.
The particular form of the methods thus remains vague, so the form of operational risk management differs from one bank to another, and its unification advances mostly through experience. This state yields many possible combinations and as such represents a great challenge for both banks and regulators. It makes the integration of IS/IT risk management into operational risk management frameworks more difficult. Operational risk is a specific type of risk in comparison with the traditional banking risks. While credit, market and liquidity risks are derived from financial portfolios, operational risk is primarily related to processes (transactions) and as such it is an implicit risk. Unlike credit and market risks, operational risk requires decentralization and the continuous involvement of business units.
Operational risk is defined as the risk of loss from inadequate or failed internal processes, people and systems, or from external events. According to the Basel II definition, it includes legal risk but excludes strategic and reputational risk.
The position of IS/IT risk within a bank's risk management framework should logically follow from this definition and from the fact that IS/IT risk forms a significant subset of operational risk, which is attributable in particular to the increasing IS/IT penetration of banking processes. As a large portion of the whole operational risk falls under IS/IT risk, it should theoretically be an integral part of the operational risk framework. However, practice still frequently differs from this assumption, for the following reasons. The first is a lingering barrier between IT and non-IT departments: IT managers prefer to deal with "their" problems on their own on the one hand, and business management does not seem to be interested in "technicalities" on the other. Such a situation preserves the differences between IT risk management and the management of other risks, including operational risk. It prevents us from looking for analogous features and upsets the convergence of risk management techniques. The other reason impeding the integration of IT risk management into the operational risk management framework is that the authors of modern and currently used operational risk frameworks ignored the existence and long track record of IT risk management techniques. They ironically overlook the fact that these techniques are not only elaborated but also implemented and functioning. However, things are slowly but surely looking up, as we can witness signs of convergence of the above-mentioned risk management approaches, e.g. by way of initiatives such as IT Control Objectives for Basel II (see Chapter 2.3). On the other hand, operational risk managers accept IS/IT as an important risk driver and mostly also understand its specifics. To some extent, they deal with the same issues as IT security managers. Examples include physical security, business continuity, third-party issues, incident management, etc. The advanced measurement approaches (AMA) require and lead to considering all operational risk drivers, including IS/IT. Moreover, the four basic elements of AMA (internal data, external data, scenario analyses, and business environment and internal control factors) highlight points of view analogous to those of the traditional IT security-oriented frameworks dealing with assets, threats, vulnerabilities, impacts and probability. Therefore, we can find a lot of similarities.
Another considerable problem is that all elements of operational risk (processes, people, systems and external events) are also present in, and relevant to, the management of the aforementioned financial risks. This causes difficulties in drawing an unambiguous line between operational risk and these risks, which is a hot and still intensively discussed issue.

Completeness of risk management scope and regulation in banking industry
A bank's risk management has to deal with two tasks:
1. to ensure compliance with regulatory requirements; and
2. to manage risks according to the risk appetite set down by executive management and stakeholders.
Ideally, there would be no difference between the aforementioned groups of requirements. However, such a state would apply only if both banks and regulators were perfect at risk quantification and at finding the adequate level of risk tolerance and effective measures to control risks above this level. In other words, regulation should ensure the stability of the banking sector without hobbling its business on the one hand; on the other hand, a bank's risk management should ensure not only adequate risk control but stable economic results as well.
However, the situation differs in the real world. Banks tend to be as profitable as possible. Return on Equity (ROE) is one of the most important indicators for their stakeholders. From their point of view, the highest ROE requires them to keep as little capital as possible, to focus on selling products as much as possible and to economize on expenses for non-business processes, including risk management. Such an approach might cause negative impacts ranging from losses to bankruptcy.
While banks stress the microeconomic point of view, regulators should take into consideration the risks in the entire banking sector, with regard to individual peer groups at most. Their main interest is the stability of the financial sector, and as such they are supposed to be conservative in order to restrain excessive risk appetite. Although regulators usually have information about the banking sector in question and as such can identify the main risks involved, they are not able to identify all potential risks and quantify them exactly. This makes the regulatory role very difficult. Regulation may at best reflect available information and take identified risks into account. However, in practice there are two other factors that affect the final form and content of regulatory requirements:
• As regulation addresses a number of institutions differing in size, range of activities, focus and organization, it has to fit all entities, so it sets down general principles rather than particular rules.
• The role of international regulatory standards is permanently increasing. This leads to the harmonization and codification of regulatory frameworks. We can illustrate this trend with the adoption of the Basel II framework into EU law, which narrows the space for individual national regulators.
This state has its pros and cons. Principle-based regulation gives banks a wide range of risk management approaches and does not force them to keep many restrictive rules. On the other hand, this makes obtaining assurance regarding compliance with regulation much more difficult. Another benefit consists in the fact that the current leading banking regulation offers a compact framework, including a list of risks to be managed and a specification of the methods, techniques and principles to be used.
Although this regulation implicitly assumes the necessity of managing IS/IT risk (as a subset of operational risk), IT risk is not mentioned as a risk discipline at all. Major regulators identified this important gap a long time ago. Therefore, they issued regulation on IS/IT in banks at the national level, and they have also been performing supervision focused on this area for a long time. The logical implication is that these national regulations are not unified and are integrated differently into the regulatory framework as such. In spite of that, we can find many similarities, not only concerning particular regulatory requirements but also with regard to the entire concept of IS/IT regulation. The reason is that advanced regulators are familiar with best practices and IS/IT (security) standards, are aware of how widely they are used in banks, see the benefits of their use for banks, and on that account tend to keep regulation in compliance with them. They predictably reflect especially those standards addressing regulatory objectives that are typically formulated in IT security-oriented standards.

Level of balance between risk-focused vs. control-focused approaches in banking industry
The key interest of supervisory authorities is assurance that the financial institutions in question carry out their business prudently. Prudent behaviour consists in being aware of taking risk, which requires the ability to:

Banking regulation typically deals with all the aforementioned risk management processes and combines both the risk-oriented and the control-oriented approach. This results from the fact that banks are under a regulatory obligation to quantify and allocate adequate capital to identified risks as well as to have controls in place in order to mitigate risks. Therefore, we can state that the regulatory requirements for each risk management process usually encompass both points of view: risks and controls. Risk monitoring, for example, includes not only obtaining information about risk exposure but also checking whether all the set controls are in place and effective.
Table 1 Examples of the most popular frameworks for risk assessment
(columns: Framework; Description; Users; Target Organizations)

• COSO ERM
  Issuer: Committee of Sponsoring Organizations of the Treadway Commission, www.coso.org/Publications/ERM/COSO_ERM
  Description: COSO issued Internal Control - Integrated Framework to help businesses and other entities assess and enhance their internal control systems. Recent years have seen heightened concern and focus on risk management. In 2001, COSO initiated a project, and engaged PricewaterhouseCoopers, to develop a framework that would be readily usable by management to evaluate and improve their organizations' enterprise risk management. COSO ERM views enterprise risk management as a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. It defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.
  Users: executive management; internal auditors
  Target organizations: all organizations that are to be compliant with strict internal control regulations: Sarbanes-Oxley Act for US SEC registrants and its affiliates,

• (framework name and issuer cut off in the source; URL fragment: au/)
  Description: The standard provides a generic guide to managing risk and specifies the elements of the risk management process. The standard does not propose a uniform risk management system; rather, it proposes that the design and implementation of the risk management system should be influenced by the varying needs of the organisation, its products and services, and the processes and specific practices employed.
  Users: management

• SPRINT
  Description: SPRINT is a relatively quick and easy-to-use methodology for assessing business impact and for analyzing information risk in important but not critical information systems.
  Users: management; operational; technical
  Target organizations: government agencies; large companies; commercial CIO; non-commercial CIO; specific sector: N/A

Conclusion
The current financial crisis may be regarded as an opportunity to correct certain aspects of financial systems, namely those that led to it. As the crisis proved to be very serious and has definitely not finished, its causes are being intensively discussed. They are often identified as shortcomings of risk management systems on the one hand and insufficient regulation on the other. Although this statement is not surprising and seems to be true, we doubt whether both of the aforementioned aspects have been sufficiently analysed. In this situation, in our opinion, financial institutions and regulatory bodies should have provided a deep and thorough analysis of the current risk management systems, their effectiveness and efficiency.
Anyway, with regard to the topic of this article, the risk management systems in the banking industry have failed in many cases due to inadequate corporate governance procedures rather than the inadequacy of the IT systems as such.On the other hand, the entire corporate governance includes IT governance as well since business and IT are communicating vessels.An attempt at explaining these mutual relationships has been made in this article.Generally speaking, the supervisory boards and senior managers failed in their responsibilities for implementation and control of risk management systems.They very often approved their risk management strategies in a formal way without establishing suitable metrics and monitoring lines assuring that a risk management system is implemented in accordance with the strategy, up to date, effi cient and effective.
In spite of that, the principal improvements in banking governance and risk management have not been signifi cant.The banks that have survived do not seem to refl ect the lesson much.This does not seem rational as we suppose that next time, they will not be able to rely on fi nancial assistance from the state in the same extent as during this crisis.On top of that, the banking industry's risk exposure has not been reduced.However, to be honest to banks' top managers, their role is not easy.This article introduced the risk management approaches, standards and regulations relevant for risk management in the banking industry with an emphasis on IS/IT risk management.Although the wide range of these frameworks seems to be an advantage, ironically it makes their effective use harder for a bank's management.The more approaches exist, the more complicated it is to choose the right ones especially when we take into account the above described differences between these frameworks regarding the completeness of risk management, depth of IT coverage, risk vs. control-focused orientation, and compliance with the regulation.
Banking regulation has generally been supposed to be the other cause of the crisis.
We have already noticed some activities in this field. The first example is the announcement of the Council of the European Union ("EU") that it has endorsed an agreement reached with the EU Parliament on 2 September 2010 on reforming the EU financial supervisory framework. Another example is the Basel Committee's agreement on the key design elements of the reform package. The preparation of the Basel III documents is an important part of this effort. The common aim of all these activities is to improve risk management and governance. However, we find these activities questionable as the establishment of the new EU supervisory body and the ongoing update of

, the different levels (scopes) of risk management are shown together with examples of risk management frameworks.

Figure 1. Different levels (scopes) of risk management

2.3 Level of balance between risk-focused vs. control-focused approaches

Figure 2. International risk management frameworks

Figure 4. IT risk management frameworks for banking industry

Figure 5. Elements of operational risk

• identify the risk;
• assess/measure the risk;
• monitor the risk;
• report about the risk; and
• control the risk (reject, accept, transfer or mitigate the risk).

Figure labels: Risk Governance; Business Objectives; Communication; Risk Response; Risk Evaluation
from Cobit, which includes a maturity model at the process level). For each Risk IT domain, two versions of maturity models are provided:

Basel II is an international standard published by the Basel Committee on Banking Supervision in June 2004. It gives recommendations for banking regulators with regard to capital standards and risk management in banks. Basel II sets down risk and capital management principles to ensure that a bank holds capital reserves appropriate to its risk exposure. It aims to make capital allocation more risk sensitive and gives a wider range of approaches for risk and capital adequacy quantification. Unlike Basel I, the Basel II framework includes operational risk in addition to credit and market risks. Basel II consists of three pillars: (i) minimum capital requirements, (ii) the supervisory review process and (iii) market discipline. The EU adopted the Basel II framework into the Capital Requirements Directive (CRD), which came into force on 1 January 2007. As a part of European law, it reflects the Basel II rules on capital measurement and capital standards.

IT Control Objectives for Basel II provides a framework for managing operational and information risk in the context of Basel II. It presents an outline of risk under Basel II, the links between operational risk and IT risk, and an approach for managing information risk. The executive summary states that financial services organizations using the framework presented are able to apply recognized IT control objectives and management processes to address the role of IT in operational risk.

Office of Government Commerce (OGC). A tool of the same name supports the method: CRAMM. The CRAMM method is rather difficult to use without the CRAMM tool. The first releases of CRAMM (method and tool) were based on the best practices of British government organizations. At present CRAMM is the UK government's preferred risk analysis method, but CRAMM is also used in many countries outside the UK. CRAMM is especially appropriate for large organizations, like government bodies and industry.