Firms must hone 'cyber risk appetite' to win war against hackers

13 June 2018

Cybercrime is a continuous threat for organisations, and protecting companies from highly motivated attackers is therefore a constant and ongoing process. New analysis explores how businesses can harden their most valuable assets in line with achievable risk appetites, through the formulation of a clear and implementable strategy.

In recent years, cybercrime has gone from being considered a buzzword for security experts to worry about to an all-pervading problem which businesses and public entities of all shapes and sizes must prepare for. The increasingly intrusive problem for companies and customers has been amplified by the implementation of the GDPR, which could sting organisations that fail to safeguard sensitive information with hefty fines. It is impossible to know exactly how much cybercrime actually costs businesses, as some cases have a tendency to go unnoticed for long periods of time, and some businesses do not reveal when they have been hacked – though that in itself is an offence. Estimates in 2016, however, put the figure at close to $280 billion.

As a result of a number of high profile breaches, companies around the world are now allocating significant resources to bolster their defences against the dark art of hacking. However, the current landscape means that while businesses are onto the issue, complacency among those who have taken such steps means that sophisticated criminals or state actors can – through a combination of determination, skill and luck – still work their way through the defences. To this end, a new Oliver Wyman report has explored key factors for setting a company risk appetite in the cybersecurity space.

Cyber risk appetite challenges

The focus of every organisation needs to be to mitigate, as far as possible, the risks of a cybersecurity breach. However, with cost a factor – and the current landscape being so porous – the firm proposes that some form of strategy for deciding which measures to adopt be set out under a so-called risk appetite policy. This puts the segment on a par with other forms of risk setting within the organisation, while also creating a set of targets across the organisation to meet in terms of battening down the hatches.

Setting out a risk appetite in the space has various challenges, which fall into four key areas. Quantification challenges: there is no agreed standard approach to quantifying cyber risks. Data challenges: there is little historic data from which to create risk maps, particularly as the nature of the risk can change rapidly. Communication challenges: technical detail can mean executives fail to see the wood for the trees, so the balance between detail and practice needs to be considered across various organisational levels. The embedded challenge: cyber risk is a multifaceted problem involving not just IT but people, processes and technology, which sometimes requires top-down statements to be broken into different steps for different parts of the organisation.

Poorly articulated cyber risk appetite statement

The paper offers examples of poorly structured risk appetite statements. Some statements are too broad and not tailored to the organisation, which can lead to different interpretations and may not provide clear and meaningful guidance for risk-based business decisions. Others are too specific and focused on details, leading to unintended behaviours and incentives, and also making it difficult to create lower-level statements, which may therefore be missed. Some are too focused on controls rather than risks, and so lack a clear statement of the risks faced by the organisation. Finally, statements can be too backward-looking and lagging, so that fast-changing situations on the ground are missed, and an organisation that has in the past been spared intrusion may gain a false sense of security.

According to the firm, the construction of a risk appetite policy should involve measurability at the bottom, supporting a tailored programme that reflects the organisation’s unique profile in terms of attractiveness and attack surfaces. It needs to take a forward-looking view of risks, as the landscape changes, while also offering actionable insights that support business decision-making and risk mitigation.

Building blocks for an effective, measurable, and actionable cyber risk appetite

The policy needs to be cascaded throughout the organisation on the basis of identified needs at the more granular level – with board oversight at the highest level. It needs to be strategic in terms of the boundaries for cyber risk-taking in the institution. Finally, the result needs to be risk focused, rather than just measuring performance.


An 8-step framework for banks to prepare for FRTB changes

02 April 2019

With FRTB expected to come into force in 2022, it is critical that banks implementing necessary changes remain on track for their compliance timelines. Whether a company is aiming for the mandatory Standardised Approach (SA) or the voluntary Internal Models Approach (IMA), the programs often represent a significant investment, requiring process, systems and cultural change. 

Drawing from its experience in helping banks meet the milestone set in their compliance timelines, Capco – a management and technology consultancy for the financial services industry – has developed an eight-point prioritisation framework for FRTB preparation and implementation. Natasha Leigh Giles, a Managing Principal at the consultancy, outlines the main dimensions of the framework: 

Prioritisation framework for FRTB

1. Front office operating model

For those who have already implemented the Volcker rule, the desks are well defined with monitoring and governance frameworks. However, for companies that have not been required to adhere to the U.S. regulation, there may be additional work involved in implementing desk-level controls as required under FRTB. The trading desk structure is especially important for banks planning to implement IMA, as this regime is applied at the desk level and requires that the full flow of the selected desk is able to pass the IMA requirements (including the modelability test for the risk factors). Key business decisions may be required if a desk trades complex products that are better aligned with SA treatment.

2. Product scope

In order to reach the IMA status, products are required to be supported with additional data sets including historical market and reference data as well as risk factor pricing evidence. The opportunity for 2019 lies in refining the assessment on the feasibility of each product type to ensure a clear scope is agreed for the IMA environment. If the challenges are too complex or costly to overcome, such as access to historical market data, availability of price verification for the risk factors or significant enhancements to support computational capacities, then these products should be scoped out of the IMA program as soon as possible in order to save time and effort on continuing analysis. 

3. Client & trading activities

There is no need to wait until the FRTB implementation timeframe to undertake a holistic review of client and trading profitability – including the capital impacts. For example, running training and awareness campaigns within the front office can help the traders to understand the impacts of their activities and encourage changes in the way that they trade. By considering this holistically as a business and operational change, it can help keep the focus and resources on the primary (profitable) business in preparation for the compliance deadline. 

4. Internal controls

Methodology, reporting, auditability, and process governance for internal controls also need to be monitored in detail. We recommend having clearly defined processes accompanied by effective training across front-to-back office. For some banks, it will be beneficial to audit existing capital adequacy processes to ensure that findings are highlighted in advance of the implementation timeline and the appropriate focus is achieved within senior management.

5. Data & metrics

Financial institutions need to consider their overarching governance and ongoing management for the data (including ownership, quality control, golden source storage solutions, etc.) and the ongoing control framework for ensuring the data remains accurate and relevant for capital adequacy modeling. If a data lineage exercise has not already been carried out, this is a great opportunity to deliver business benefit, even in 2019. By creating agreed definitions, preferred sources, ownership and workflows for managing data quality, the benefits of more accurate data can already be applied to existing capital calculation models.

Framework for FRTB

6. Model management & validation framework

In preparation for the FRTB regime, an opportunity for 2019 is to understand whether there are gaps or control concerns to manage immediately. Model enhancements across SA and IMA will need to be productionized for output accuracy and refinement; however, these need to be maintained alongside existing Basel 2.5 BAU models and other concurrent changes, e.g. the LIBOR transition. Business process optimization, testing environments and automation tools, documentation and model validation can all be reviewed for immediate benefits, preparing the process for a smooth implementation of the future FRTB models.

7. Technology platform & testing environments

With regard to technology planning, the opportunity in 2019 lies in gaining agreement on the front-to-back FRTB future state architecture, including the use of vendors as applicable. A disciplined focus on design and solution definition across all requirements provides a clear baseline for implementation planning and scheduling. Establishing a technology architecture which allows for FRTB data feeds, model enhancements, control definitions and accurate capital calculation outputs will provide the program with the essential data and metrics needed for decision making.

8. Leveraging synergies

Once a baseline plan has been established, it is possible to identify synergies across other programs – such as the SA-CCR (Standardized Approach for Counterparty Credit Risk) or the IMM (Internal Models Methodology) – that could deliver overlapping benefits at reduced effort. Understanding requirements, defining the future state architecture, and implementing the change in a complex environment requires a mix of strategic principles and program management. Therefore, we consider it an opportunity for 2019 to take a centralized approach for data lineage and requirements gathering as this would be beneficial for optimizing capital costs across both the market and credit risk environment.


By considering each topic strategically in 2019, benefits such as data quality enhancements, strengthened internal controls and flexible test environments will not only bring immediate business value, but also set a solid foundation for a comprehensive FRTB implementation in the years to come. 

For more information on Capco’s model and its approach to helping banks plan for FRTB, download the full whitepaper on the firm’s website.