
A Study On The Regulation Of China's Commercial Banks' Information Technology Risk

Posted on: 2012-12-02
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y Wang
Full Text: PDF
GTID: 1119330368478322
Subject: Finance

Abstract/Summary:
The rapid development of modern technology has changed the roadmap and operation of the financial industry, and information technology (IT) plays an increasingly important role in banking. From the front desk to senior management, and from electronic banking to management information systems, IT has become an integral part of the infrastructure that sustains banks' operations and greatly improves their efficiency, and has therefore become a key part of banks' core competitiveness. However, as IT systems are applied more widely, IT risk events occur frequently: according to BIS statistics (2002, 2003a), over 90% of risk events and over 50% of reported loss events are related to information technology. On the bank management side, banks run complex IT frameworks and equipment that integrate operating systems, application systems, databases, intranets and so on, and any deficiency in them, or force majeure, may affect the sound operation of the whole bank. On the supervisory side, IT risk has become a focus for supervisors worldwide, since IT is vital to banks' operations and its deficiencies may cause systemic risk and harm financial and economic stability. In China, banks' IT infrastructure is developing rapidly, but compared with traditional risk categories, IT risk management and supervision lag behind because of limited knowledge and less attention. Therefore, writing as a regulator, the author makes a systematic analysis of IT risk supervision in light of international principles and conducts special research on its core areas, so as to strengthen both the theory and the practice of IT risk supervision.

Part I of the thesis is basic theoretical analysis. Firstly, the thesis uses economic analysis to study the application of IT and finds that it reduces operating costs, improves information exchange and risk management, and has become an important tool for customer retention. The analysis also shows that IT has become an indispensable part of banks' infrastructure and has changed and extended the functions of banks. Secondly, the thesis establishes the theoretical and practical basis for IT risk supervision by studying the impact of IT risk on traditional financial theories, namely market failure theory, financial fragility theory and consumer protection theory. The basic theoretical analysis indicates that IT risk magnifies the externalities and financial fragility of commercial banks, sharpens internal information asymmetry and challenges traditional supervisory theory and practice. Supervisory guidelines should therefore draw on international practice to measure IT risk, construct a comprehensive rating system to assess the IT risk management capacity of commercial banks, and conduct special research on key areas of IT risk.

Part II answers the question of what kind of supervision is needed, from the perspective of international supervisory standards and practice, and works out principles for IT risk management on the basis of internationally accepted guidelines such as COBIT and the Basel principles for operational risk management. The thesis also gives a complete comparative analysis of international supervisory practice, covering supervisory philosophy, organizational structure, supervisory approaches and institutional arrangements.

Part III addresses the question of how to supervise, and studies IT risk measurement and supervision. Measuring IT risk has always been difficult for supervisors. Basel III treats IT risk as part of operational risk; drawing on Basel III, the thesis analyses IT risk measurement, studies value-at-risk (VaR) for the information security component of IT risk, and provides a complete measurement method with case studies, thereby laying a basis for a regulatory capital requirement for IT risk. For IT risk rating, the thesis builds an IT rating system modelled on the international URSIT standard (the FFIEC's Uniform Rating System for Information Technology). Firstly, the rating indicators follow the guidelines on IT risk supervision of commercial banks issued by the CBRC in 2009, so they both meet compliance requirements and are convenient for regulators. Secondly, examination questions are designed for every indicator, together with a comprehensive score card, so that supervisors can assess and rate banks through examination. Thirdly, the author assigns a weight to each indicator based on careful research and discussion with banks and supervisors. For the supervision of IT outsourcing, the thesis analyses the sources of IT outsourcing risk and studies international practice in supervising it. Since current supervision focuses on the bank's own risk management and does not cover the IT service provider, the thesis proposes extending supervision from banks to their IT service providers, and designs a pattern and procedures for supervising those providers. For business continuity supervision, the thesis discusses the development and drilling of commercial banks' business continuity plans and designs business continuity examination procedures for commercial banks, covering both management examination and technology examination, which is of some value in the absence of dedicated guidelines on business continuity.

Finally, the thesis takes into account current supervisory practice for IT risk and makes the following policy recommendations for strengthening IT risk supervision in the banking sector:
1) IT risk should be integrated into the bank's overall risk management, be assessed and rated separately, and be subject to a regulatory capital requirement;
2) supervision should be extended to cover technical service providers by giving regulators the necessary legal authority;
3) guidelines on business continuity should be issued to guide commercial banks in developing business continuity plans and conducting emergency drills;
4) more advanced techniques and instruments for supervising IT risk should be developed by establishing IT laboratories and strengthening research on new technology;
5) the IT risk expertise of regulatory authorities should be enhanced by cultivating and attracting IT risk experts and encouraging them to obtain professional qualifications such as CISA and CISSP.
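The abstract says Part III derives a VaR-based measurement for information security risk from the Basel operational-risk framework, but the thesis's own formula, parameters and case data are not reproduced on this page. The following block is an added illustration, not the author's method or data: it uses the standard Loss Distribution Approach (LDA) Monte Carlo from operational-risk practice, where the number of IT loss events in a year is assumed to be Poisson-distributed and the loss per event is assumed lognormal. The event rate, severity parameters and the 99.9% one-year confidence level are constructed for the example.

```python
"""Loss Distribution Approach (LDA) estimate of VaR for IT (information security) risk.

Added illustration, not the thesis's own method or data. Assumed (hypothetical)
model: the number of loss events per year is Poisson(lam) and the loss per
event is LogNormal(mu, sigma). All parameters are constructed for the example,
not observed loss data.
"""
import math
import random
from statistics import mean


def poisson_draw(lam: float, rng: random.Random) -> int:
    """Draw one Poisson(lam) count (Knuth's multiplication method).

    Fine for the moderate event rates used here; for lam >> 100 the exp(-lam)
    threshold underflows and a different sampler would be needed.
    """
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_losses(lam, mu, sigma, n_years, seed=2012):
    """Monte Carlo aggregate annual loss: sum of N lognormal severities, N ~ Poisson(lam)."""
    rng = random.Random(seed)  # fixed seed so the example is reproducible
    annual = []
    for _ in range(n_years):
        n_events = poisson_draw(lam, rng)
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return annual


def value_at_risk(losses, confidence):
    """Empirical VaR: the loss that at least `confidence` of the simulated years do not exceed."""
    ordered = sorted(losses)
    rank = math.ceil(confidence * len(ordered))  # 1-based order statistic
    return ordered[max(0, min(rank, len(ordered)) - 1)]


def it_risk_capital(lam=12.0, mu=math.log(50_000), sigma=1.2,
                    n_years=20_000, confidence=0.999, seed=2012):
    """Expected loss, VaR and unexpected loss (VaR - EL) for one simulated bank.

    In Basel operational-risk practice the capital charge is the one-year VaR at
    the chosen confidence (99.9%); where expected loss is already provisioned,
    only the unexpected loss needs to be capitalised.
    """
    losses = simulate_annual_losses(lam, mu, sigma, n_years, seed)
    expected = mean(losses)
    var = value_at_risk(losses, confidence)
    # Closed-form EL of the compound Poisson-lognormal model, kept as a sanity check
    # on the simulation: E[N] * E[X] = lam * exp(mu + sigma^2 / 2).
    analytic_expected = lam * math.exp(mu + sigma ** 2 / 2)
    return {
        "expected_loss": expected,
        "analytic_expected_loss": analytic_expected,
        "var": var,
        "unexpected_loss": var - expected,
    }


if __name__ == "__main__":
    for key, value in it_risk_capital().items():
        print(f"{key:>24}: {value:,.0f}")
```

The gap between the simulated and closed-form expected loss is a quick check that the sampler is correct; the ratio of VaR to expected loss shows how much of the capital need comes from the tail of the severity distribution rather than from the typical year, which is the part of IT risk that a rating score card alone cannot capture.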
Keywords/Search Tags: information technology risk, operational risk management, IT risk rating system, business continuity, outsourcing