ARMReN Seminar
Thursday, 13 September 2007
Balancing Access and Privacy:
Using Risk Management to Walk the
Tightrope
Dr. Victoria Lemieux
13 September, 2007
ARMRen research workshop on Access and Impact
Liverpool University, Foresight Centre
©Vicki Lemieux 2007
Free flow of information: A
competitive imperative

Global investment banking relies on the
free flow of information across borders
and institutions
– Trading
– Fund transfers
– Global mergers & acquisitions
– Asset management
– Other business activities executed on a
global scale
©Vicki Lemieux 2007
Credit Suisse: A Case in Point





Credit Suisse is a leading global bank
headquartered in Zurich
It is focussed on serving its clients in three
business lines: investment banking, private
banking and asset management
For the second quarter of 2007, net income
totalled CHF 3.2 billion and had CHF 1,629
billion worth of assets under management
Total staff worldwide is 45,000
Credit Suisse operates in approximately 50
countries globally
©Vicki Lemieux 2007
The Legal and Regulatory
Landscape
&
Climate
Federal Information Security
Bank for International Settlements
Management Act
Data Protection Act
(Basel II)
EBK/
Swiss
Banking
Secrecy
Gramm
Leach
Bliley
Japanese
Financial
Services
Agency
California
SB1386
Patriot Act
Sarbanes
Oxley
Federal Financial Institution Examiners
Council
Financial Services
Authority
International Standards
Organisation
©Vicki Lemieux 2007
Monetary
Authority of
Singapore
Data Privacy Regulation: A
Growth Market


Almost every country in which Credit Suisse
now operates has some form of data
privacy/data protection legislation or
regulation
Data privacy legislation/regulation is on the
rise
– Growing public concern about data security
– Recent examples
*Facebook
*Monster
*Wikipedia
*J.P Morgan Chase
*Nationwide
*Bank of America
©Vicki Lemieux 2007
Information Management Compliance –
What Could be Easier?
Achieving information management compliance
boils down to three simple steps:
1. Identify relevant laws and regulations
2. Identify records to which
laws/regulations apply
3. Ensure records are created & handled
in accordance with applicable
laws/regulations
It’s not as easy as it seems!
©Vicki Lemieux 2007
Which Records?
IM
Email
Web
Content
Rich Media
©Vicki Lemieux 2007
Which Devices?
©Vicki Lemieux 2007
Which Solutions
Information
ECM
EDRMS
Document
Content
Digital Rights
Management
Centralised
Device Management
Data
Storage Solutions
Knowledge
Records
©Vicki Lemieux 2007
Encryption
Challenge/Response

How the RM community support
financial services firms in meeting the
IM compliance challenge:
Support a risk-based approach
©Vicki Lemieux 2007
What is risk management?
Risk Management is an ongoing process used to:




Identify potential risks associated with business activity
Identify the potential impact and severity associated with the risk
Identify strategies and activities that can implemented to
mitigate or eliminate the risk
Assign responsibilities and track progress of risk management
activities
•





Why is risk management important?
Rise of the ‘Risk Society’
Rise of accountability frameworks (e.g., SOX, COSO) in which
risk management figures prominently
Rise of RIM-related threats
Compliance complexity
Risk management as an appraisal tool
©Vicki Lemieux 2007
How Risk Management can
help Strike the Right Balance

Identify the risks.
– Lack of clarity re: application of law to different
records
– Absence of controls for particular devices
– Technical weaknesses in recordkeeping solutions





Categorize the risks.
Rank the risks.
Accept or look for ways to mitigate the risks
Develop risk mitigation action plan
Track and monitor plan
©Vicki Lemieux 2007
Identifying risks

Risk assessment
– Business context + business
functions/activities
Business Context
Threats
Business Activities
Risk
Vulnerabilities
©Vicki Lemieux 2007
Categorizing risk





Operating Risks:
Those risks associated with business process and technical operations
and the challenges of providing service delivery globally – including
Loyalty Risk addressing any staff related exposure.
Legal Risk addressing any risks around non-compliance with
legal/regulatory requirements, or risk of litigation
Technology Risks:
Those risks associated with the ability to control future technology
direction and to use technology to provide a competitive edge.
Financial Risks:
Those risks that have an adverse effect on the financial condition of the
company or the achievement of Credit Suisse’s sourcing objectives.
Business Risks:
Those risks that have an adverse effect on Credit Suisse’s business
operations or competitive position in the marketplace – including
Reputation Risk.
©Vicki Lemieux 2007
Ranking risk

Probability is the likelihood that a risk will occur

Impact is the consequences of a given risk once it occurs

Risk management entails estimating probability and impact

The measurement of probability and impact can be
qualitative, quantitative, or a combination of the two

It is important to assess the inter-dependency of risks as
well as assessing each risk independently
©Vicki Lemieux 2007
Risk treatment options
Avoid
 Accept
 Transfer
 Reduce

©Vicki Lemieux 2007
Risk mitigation
•theMitigation
Plans reduce
level of risk. Risks are
7
Impact
mitigated either by
stabilizing or limiting the
impact of the underlying
assumption or
desensitizing the outcome.
Action Required
to
Desensitize
•beSimilar
techniques can
used to identify risk
mitigation strategies as
can be used to identify
risks
8
9
Action Required
to Stabilize
4
5
6
1
2
3
Probability
©Vicki Lemieux 2007
Risk
Tracking and monitoring

Measure that risk treatment strategies have had the intended results

Monitor risks over time to detect increases or decreases in their ranking

Monitor that procedures and information gathered during the risk
identification, risk measurement and risk treatment phases were
accurate and complete

Identify where improved knowledge would have helped to reach better
decisions


Identify lessons to be learned from the risk management process
Assess whether risk management processes are adequate and being
fully implemented.
©Vicki Lemieux 2007