Control of Risk Related with the Management of Customers Personal Data in Banks - Research Paper Example

Control of risk related with the management of customers’ personal data in banks. Use of risk management cycle for solving the specific problem. Table of contents 1. Introduction 3 2. Overview of disaster – description, characteristics 4 3. Risk management cycle in practice 4 3.1 Risk identification 6 3.2 Risk evaluation 6 3.3 Identification of responses 7 3.4 Select 7 3.5 Plan and Resource 8 3.6 Monitor and Report 9 4. Conclusion 9 References 11 1. Introduction Risk is part of all human activities. In the business sector risk is usually related with the interests of stakeholders. The appearance of risk cannot be excluded – in fact there is no mechanism or policy that can guarantee the elimination of risk in various social, scientific or business activities. However, it is necessary that measures are taken in advance for the limitation of risk - as possible – in order to minimize the damage from potential failures. At this point it should be noted that different approaches are used in theory in order to address the various aspects of risk; indicatively, risk theorists have referred to risk as an indication of ‘moral hazard or conflict of interest’ (Roy, 2008, 122); from another point of view, emphasis is given on the emergent character of risk (Guerden, 2003, 78) – in terms that if there is no appropriate plan of action the occurrence of a disaster can lead to severe damages. Current paper focuses on the examination of risk management in banks; a specific part of these businesses’ activities is examined – the management of personal data of customers. It is proved that the risk involved in the management of customers’ data in banks can be significant; however, with the implementation of appropriate policies this risk can be limited – the use of risk management cycle for the control of risk involved in the management of personal data of customers in banks has been proved to be the most appropriate solution for addressing the specific problem. Relevant literature is also used in order to highlight the various aspects of risk in the specific sector but also to evaluate the effectiveness of risk management cycle in relation with the specific business sector. 2. Overview of disaster – description, characteristics The management of data in banks is a demanding task; the management of personal data of customers – which is the issue under examination – often fails to meet all the standards set by the principles and rules governing the specific sector. The above failure is usually related with the high cost of systems required for the effective administration of the specific business activity; however, if appropriate risk management plans are implemented in advance the risk related with the management of data in banks is minimized. Quite often, personal data of customers are lost during the transactions developed in financial institutions – often the personal data of customers are lost even if no transaction takes place – i.e. while being stored in a bank’s database; therefore, the use of risk management cycle for assessing and addressing this risk is highly suggested – at the level that the plans developed are feasible – in terms of the resources required but also in terms of their common performance – referring to the effectiveness of similar plans used by firms operating in other industrial sectors. 3. Risk management cycle in practice The management of risk in the case under examination can be based on different theoretical and empirical frameworks; the choice of the most appropriate plan of action will be based on a series of criteria – like the business nature, the market trends, the volume of activities and so on. In any case, it would be important to understand the concept of risk – especially in relation with the business activities. In accordance with Sadgrove (2005) risk can be interpreted with reference to different actions or concepts, like the following ones:‘a) risk – the possibility that a hazard will cause loss or damage, b) risk assessment – defining what can go wrong, c) risk management – a discipline for dealing with uncertainty’ (Sadgrove, 2005, 5). Because of its multidimensional character, risk can be addressed by using different policies; the most common steps for assessing and facing risk are described by Reuvid (2005, 24):‘a) risk identification, b) risk management strategy, c) contingency planning, d) culture, training and awareness, e) exercising, maintenance and audit and f) implementation’. One of the most effective tools for managing risk – in all its aspects – is the risk management cycle – see Figure 1 below. The specific model guarantees the development of effective plans for managing risk – even if there is always chances for failure especially in business sectors with complex and demanding operational activities. Figure 1 – The risk management cycle (source: The Risk Management Guide, 2009) 3.1 Risk identification The development of business plans requires the identification of problems that are going to be addressed through these plans. In the case under examination, the identification of risk is mostly related with the identification of the aspects of the management of data in firms operating in the banking industry. In this context, when referring to risk in the management of data in banks, the following issues are likely to be examined: a) the risk of loss of personal data during the financial transactions, b) the risk of loss of personal data while being stored – i.e. failure in storing the personal data of customers, c) the risk related with the provision of personal data of customers in unauthorized organizations. At a next step, the risk in the management of personal data of customers – as described above – is going to be evaluated – so that appropriate solutions for minimizing this risk to be suggested. 3.2 Risk evaluation The evaluation of risk involved in various business activities can be based on different criteria – the nature of these activities but also the resources available are likely to be used in order to understand the actual framework of risk involved in a specific business activity. In theory also, different approaches have been used in order to evaluate the risk in various activities. In accordance with Febrian et al. (2006) ‘in measuring risk, practitioners have practiced one of the two extreme approaches for so long, i.e. historical simulation or risk metrics’; from a similar point of view, Bradford (2007) emphasized on the importance of the following criteria when having to evaluate the risk related with a specific activity: ‘balance, accuracy, security, integrity and communication are the key issues to be addressed’ (Bradford, 2007, 253). In the case under examination, the risk related with the management of personal data of customers can be characterized as: a) emergent – loss of data could lead to severe financial damages within a short period of time, b) important – in terms of its effects on a bank’s image in a particular market, c) demanding – referring to the resources required for the development of the relevant policies – not only in terms of the funds but also of the employees’ skills necessary for the success of any plan applied. 3.3 Identification of responses After evaluating the risk related with the management of personal data of customers in banks it is necessary to identify the measures/ plans available for minimizing – as possible – the specific risk. In this context, the following measures/ resources would be used in order to reduce risk related with the specific sector/ activity: a) upgrade of the firm’s IT systems – implementation of advanced security features, b) increase the control over the daily transactions – introduction of codes for accessing the customers’ data, c) by setting specific criteria for delegating the relevant tasks to employees the relevant risk would be decreased – for example, development of a specific team of employees that will handle the personal data of customers, d) study of relevant practices of competitors or of firms that operate in different industrial sectors. 3.4 Select The practices used for the limitation of risk involved in the specific business sector would be reviewed using specific criteria. In theory, different views seem to exist regarding the hierarchy of criteria employed in the choice of risk management plans that are going to be implemented in modern organizations. In accordance with a relevant view ‘risk management strategies should be developed with holistic, broad views of business operations, and tailored to accommodate the different types of exposure specific to an individual business or operation’ (Olson, 2005, 45); on the other hand, it is noted that when having to deal with risk in the financial services industry, the measures taken need to respond primarily to the needs of the specific sector. The specific view is supported by Gabbi (2004) who supports that ‘financial flows control systems must be adopted that can measure performance and liquidity risks consistent with the models often used for credit and market risks’ (Gabbi, 2004, 44). Under these terms, the selection of the plans that would be used for the limitation of risk related with the management of personal data of customers in banks should be based on the following criteria: a) ability of these plans to perform well in real time transactions, b) effectiveness in handling high volume of data, c) cost of plans chosen – both in the short term and the long term – i.e. cost not only of the implementation but also of the monitoring of the relevant schemes, d) potential needs for update/ upgrade. 3.5 Plan and Resource The development of plans related with the achievement of specific business goals has to follow specific rules: apart from existing legal and ethical principles – related with the initiative under development – there are also other issues that need to be taken into consideration: the market trends, the expected response of customers and the potential effects of a failure. In any case, it is important that the level of communication and cooperation in the internal organizational environment is high (Koskosas, 2008). The following tasks would be likely to be developed at the specific phase of the risk management cycle: a) design of a detailed plan of action – its phases should be clearly presented and justified, b) identification of the resources required – monetary and physical, c) identification of the expected benefits – as possible, d) examination of the effectiveness of similar plans in the particular market, e) development of alternative plans of action – in case of failures in the implementation of one or more parts of the initially chosen plan. 3.6 Monitor and Report One of the most important parts of business plans in various industrial sectors is the monitoring phase – it is the phase of a business plan, which refers to the control of the operational aspects of the specific plan, i.e. its performance in practice. Usually, the responses of customers to the specific policy are used as a criterion for characterizing this policy as effective (Xue et al., 2002, 253). The monitoring of the plan suggested for avoiding a potential disaster when handling the personal data of customers in banks would include the following steps/ activities: a) implementation of appropriate IT system – potential upgrade of existing IT systems, b) provision of necessary training to the bank’s employees, c) development of a team of employees that will work exclusively on the specific sector, d) regular reporting on the performance of the plan implemented; additional activities would be included in the specific phase if necessary – in accordance with the volume of work, the bank’s position in its market and the availability of resources. 4. Conclusion The success of business projects of various types is depended primarily on the commitment of the leader and the managers who are involved in the realization of these projects. The specific view is also supported by Brown (2006) who noted that ‘management’s commitment and involvement with IT development at the senior management level, the IT management level, and the project management level significantly enhances the probability of success’ (Brown, 2006, 140). The characteristics of the industry in which a firm operates is also likely to affect the structure and the performance of projects implemented in a particular business; in this context, the development of risk management plans in the banking industry should be based on specific criteria and rules – as explained above; however, the necessity of these plans in the particular industry could be evaluated using different criteria – other plans would be considered as having major importance for the specific sector; as noted by Cebenoyan et al. (2004, 19) ‘the benefits of advances in risk management in banking may be greater credit availability, rather than reduced risk in the banking system’. The hierarchy of needs in banks would be therefore evaluated taking into consideration the current market trends, the customer preferences and needs, the bank’s potential to provide funds and staff required for the development of specific projects and the conditions in the local and the international financial system. The use of the risk management cycle for avoiding the disaster related with the potential loss of customer personal data during banking activities proved that the above disaster could be avoided but only under the terms that specific guidelines are followed; potential failures could appear but their effects on the customers’ interests and rights would be limited. References Brown, W. (2006) IT governance, architectural competency, and the Vasa. Information Management & Computer Security, Vol 14, Issue 2, 140-154 Cebenoyan, A., Strahan, P. (2004) Risk management, capital structure and lending at banks. Journal of Banking and Finance, 28(1): 19-43 Febrian, E., Herwany, A. (2006) Volatility Model For Financial Market Risk Management : An Analysis on JSX Index Return Covariance Matrix. University of Padjadjaran, available from http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1150384 Gabbi, G. (2004) Measuring liquidity risk in a banking management framework. Managerial Finance, Vol 30, Issue 5, 44-58 Guerden, W. (2003) Opportunity Lost: Evaluating the Long-Term Implications of Technology Decisions. ABA Banking Journal, Vol 95, Issue 10, 78 Koskosas, I. (2008) Trust and Risk Communication in Setting Internet Banking Security Goals. Risk Management, 10: 56–75. Olson, E. (2005) Strategically managing risk in the information age: a holistic approach. Journal of Business Strategy, Vol 26, Issue 6, 45-54 Reuvid, J. (2005) Managing business risk: a practical guide to protecting your business. Kogan Page Publishers Roy, A. (2008) Organization Structure and Risk Taking in Banking. Risk Management, 10: 122–134 Sadgrove, K. (2005) The complete guide to business risk management. 2nd Edition. Gower Publishing, Ltd Xue, M., Harker, P. (2002) Customer Efficiency - Concept and Its Impact on E-Business Management. Journal of Service Research, Vol. 4, No. 4, 253-267 Online Sources The Risk Management Guide (2009), available at http://www.ruleworks.co.uk/riskguide/risk-cycle.htm Read More