To complicate matters, the distinctions between different types of risk factor are not yet clear. Different departments will need to understand how risks flow through the organisation: what the dependencies and correlations are. An electronic attack on a bank's IT systems might halt the bank's operations and damage its reputation. If that reputational impact (risk one), coupled with the disruption to operations (risk two), then affects the share price, a third risk category arises. How do you separate these out and measure each one?
This is not speculation: Basel II encourages an integrated risk management approach, under which information will need to be reported both as an aggregate measure and across different business functions. However, there is no point measuring performance unless parameters have been agreed which reflect the scope of the bank's different operations and the interdependence of its departments. Risk is now a matter for every department of the banking operation.
While Basel II embodies the banking community's ongoing commitment to improving its governance and operational procedures, it is clear that banks' IT departments will need to work very closely with colleagues in many disciplines to develop the systems needed to achieve compliance. IT Directors will need to show strong leadership, but they will also need understanding and backing from the boardroom to meet this vital requirement.
QinetiQ Trusted Information Management is a business security specialist.