
Study And Practice Of Information Technology Risk Assessment In Finance And Banking Industry

Posted on: 2015-07-13
Degree: Master
Type: Thesis
Country: China
Candidate: T Luo
GTID: 2309330467962316
Subject: Information security
Abstract/Summary:
The operation of large numbers of information systems in the finance and banking industry has drawn considerable attention to bank information technology risk. The notice of "twelfth five-year development planning for China financial industry information construction", published by the People's Bank of China in 2011, also reflects the importance attached to information construction in financial banking. However, as the financial and banking industry relies increasingly on information technology, information technology risk has brought many hidden dangers to bank business development. In recent years, frequent information security events in the financial and banking industry have caused heavy business losses. Information technology researchers therefore have to face the serious issue of identifying and avoiding risks.

The current risk assessment lacks a comprehensive assessment system and a unified quantification standard; the resulting uncertainty of the assessment scope and the lack of quantification lead to a large number of high-level risks being missed during identification. Therefore, this paper takes commercial banks, a typical representative of the financial and banking industry, as its research object and constructs a risk assessment model for bank information technology based on the division of risk domains. It then quantifies the risks of each point and domain by combining conformance analysis, asset-based valuation and weight valuation, and obtains the overall risk distribution. A model-based risk assessment system is developed, and a risk assessment of a provincial commercial bank is carried out to verify the feasibility of the model and system. Rapidly locating high-risk points helps allocate resources reasonably, improves the efficiency of disposal, and ultimately promotes classified control and supervision of risk. The main work of the paper is as follows:

1. The paper researches the current security circumstances, special security requirements and related standards of information technology in the financial and banking industry. By analyzing bank information technology risk and the current state of its assessment, the paper puts forward the basic idea of conducting the risk assessment in three aspects (management, business process and business system), and then identifies the assessment method of risk domain division and risk quantification.
2. The paper constructs a bank information technology risk assessment model based on the above three aspects. In accordance with "the commercial bank information technology risk management guidelines" and "the banking and financial institutions information technology risk supervision inspection manual on-site", the paper summarizes all possible risks of the management and business process domains, then establishes conformity result quantification rules to quantify risk points. For the business system domain, asset-based risk is quantified by using matrix judgment and multiplication methods. Finally, the paper obtains calculation results and ratings for risk points and risk domains by weight valuation.
3. The paper designs and implements a system suited to this risk assessment. The system's functions include inputting conformance-quantified risk points, calculating asset-based risk, and evaluating the overall risk level.
4. The paper takes a provincial commercial bank's actual business system as the object and carries out a complete bank risk assessment project. The practical example indicates the feasibility of the model and system.
Keywords/Search Tags:bank, information technology risk, risk domain, weight