Page 116 - DMGT302_FUNDAMENTALS_OF_PROJECT_MANAGEMENT
Unit 6: Social Cost Benefit Analysis
When banks fail to provide adequate control over information technology, they can expect to
suffer operational damages from mass attacks launched against the Internet and the nation’s
critical infrastructure. On January 26, 2003, a “virus-like” worm attack against MS-SQL Server
2000 slowed Internet traffic worldwide and caused technical problems that brought down 13,000
ATM machines at Bank of America and at Canadian Imperial Bank of Commerce. While
these types of vulnerabilities often capture the negative attention of the public, they represent
only a small portion of the business risks financial institutions must control.
The Office of the Comptroller of the Currency (OCC) has identified four of the nine categories
in its risk framework to which technology-related products, services, delivery channels, and
processes are most frequently exposed:
1. Transaction risks: The risks to earnings or capital arising from problems with service or
product delivery, for example poorly configured or incompatible internal and external
systems and processes.
2. Strategic risks: The risks to earnings or capital arising from adverse business decisions or
improper implementation of those decisions.
3. Reputation: The risk to earnings or capital arising from negative public opinion.
4. Compliance: The risk to earnings or capital arising from violations of, or noncompliance
with, prescribed practices or ethical standards.
Failure to meet regulatory guidelines can result in severe penalties for financial
institutions. More recently the Office of Thrift Supervision (OTS) has grouped the
technology risks faced by financial institutions into three categories:
(a) Information Integrity risks: Information must be available, accurate, complete, valid
and secure.
(b) Business continuity risks: The institution’s ability to adequately prepare and execute
its responsibilities during a disaster.
(c) Vendor management risks: The risk that the service provider will not perform the
contract terms and conditions as specified, causing undesirable consequences for the
institution’s operations.
This reflects the growing requirement for financial institutions to provide Internet-based services,
utilize and oversee service providers, and prove due diligence, particularly on the part of the
Board of Directors and Officers, in protecting customer information and meeting other
regulatory requirements.
“Management can reduce a bank’s risk exposure by adopting and regularly reviewing its risk
assessment plan, risk mitigation controls, intrusion response policies and procedures, and testing
processes.”
Financial institutions are heavily reliant on external service providers for Web sites and other
core information systems. In addition, financial institutions have a strong business requirement
to analyze daily financial transactions in order to spot portfolio, lending, and financial market
trends, identify customer requirements, and improve services. This requires moving data from multiple
transaction-based systems to analytical database applications or data warehouses. MS-SQL
Server is often used by service providers because it is comparatively low in cost, is more easily
scaled with the introduction of Windows 2000 Data Center, and can be deployed rapidly. The market
share of this product among ISPs and ASPs is on the rise. Additionally, financial institutions may find
it more efficient to use MS-SQL Server internally to retain possession of certain business data
and make it easier to analyze legacy, historical or trend data, while contracting with an ASP to
run larger mainframe and multi-tier, integrated applications or Internet sites. The Data
Transformation Services (DTS) and other Back Office Products included with MS-SQL Server
make it very efficient for use in this manner.
LOVELY PROFESSIONAL UNIVERSITY 111