
Research On IT Risk Identification & Risk Assessment Of Commercial Banks

Posted on: 2013-02-19
Degree: Doctor
Type: Dissertation
Country: China
Candidate: F Yang
GTID: 1229330374486922
Subject: Management science and engineering

Abstract/Summary:
Commercial banks apply information technology at a high level, and their businesses depend heavily on it. By the first half of 2011, the total financial assets operated by IT systems in domestic commercial banks had reached RMB 80 billion. In 2009, the financial business trades operated by commercial banks exceeded 400 million. Information technology is a "double-edged sword": it brings commercial banks not only business innovation and change, but also business operation risks and safety hazards. According to 2009 statistical data from the China Banking Regulatory Commission, service on important IT systems in various domestic banks was interrupted more than 3000 times in 2009. Information technology has become an important factor influencing the steady operation and information safety of domestic commercial banks, as well as the normal economic activities of clients and the public.

Assessing IT risks scientifically and precisely is important as well as difficult work in IT risk management. Effective and comprehensive IT risk recognition, together with the establishment of a scientific, reasonable and effective IT risk assessment index system, is the foundation of IT risk assessment.

The paper addresses three key issues in commercial bank IT risk assessment: (1) commercial bank IT risk recognition, (2) construction of a commercial bank IT risk assessment system, and (3) quantitative IT risk assessment of commercial banks. The exploratory and innovative research includes:

(1) IT risks are currently hard to recognize and their sources are wide-ranging; the factors of IT risk are complicated and uncertain. After studying commercial bank IT risk recognition methods, the paper applies scenario analysis and SWOT analysis to commercial bank IT risk recognition, and uses samples to describe the feasibility and effectiveness of this application. The research found that IT risks are difficult to recognize; the enterprise's IT application, management environment and business environment should be considered together, and multiple methods should be adopted in order to recognize IT risk factors effectively.

(2) Mind map tools are used to study the commercial bank "IT risk formation mechanism" and to construct an "IT risk factors relation model". The IT risk formation mechanism is taken as the starting point for studying the recognition and sources of commercial bank IT risks; the IT risks are classified and recognized from 8 aspects: IT governance, IT staff, information safety, application software, physical safety, network security, outsourcing service and system variation.

(3) Based on the studies of commercial bank IT risk recognition and classification, the construction of a commercial bank IT risk assessment index system is studied. Questionnaires are used as the research tool, and 15 commercial banks in a south-western province are the research targets. SPSS statistical software is used to quantitatively analyze key IT risk factors in order to construct a commercial bank IT risk quantitative assessment index system.

(4) Commercial bank IT risk quantitative assessment methods and their application are studied. The constructed commercial bank IT risk quantitative assessment index system is used to analyze one commercial bank. The IT risks of this commercial bank are quantitatively assessed using the cloud model and membership cloud gravity center (MCGC). The assessment model, methods, working approach and implementation process are then described.

In addition, the paper also studies related issues in commercial bank IT risk management:

(5) The paper summarizes the research literature related to risk and IT risk, results of theoretical studies, IT risk management standards and frameworks, industry practice guides, etc. The content and results of this research are analyzed and summarized comprehensively. The connotation and denotation of risk and IT risk are defined and analyzed. The paper analyzes the features of risks, as well as the differences between IT risk and other risks, laying a foundation for other related research.

(6) According to the COSO-based ERM integrated framework and IT life cycle theory, the paper gives the model and framework of an IT risk control baseline and discusses its constituents and construction methods from the perspective of commercial banks' IT risk management demands and the internal environmental factors of IT risk management. The IT risk control baseline model is applied to IT risk management in commercial banks, making it a strong tool in enterprise IT risk management.
Keywords/Search Tags: IT risk, IT risk management, IT risk identification, Indicator systems, IT risk assessment