Risk Management in the Financial World: The UBS Fine and the Role of PRINCE2 and OWASP

A Fine of Over 380 Million Dollars for UBS: The Consequences of Insufficient Risk Management Structures

UBS, one of the world's leading investment banks and financial services companies, has paid over 380 million dollars in fines in the USA and the UK on behalf of Credit Suisse, the competitor it recently acquired. The regulators cited insufficient risk management, insufficiently experienced staff, and the failure to remedy deficiencies that had already been identified.

This case is a prime example of why corporate governance structures matter. We have already published an article on this topic; it can be read at the following link.

It follows that taking preventive measures and complying with legal requirements is necessary to protect an institution from consequences of this kind.

Compliance with the supervisory IT requirements for banks (BAIT)

In 2017, BaFin (Germany's Federal Financial Supervisory Authority) issued a circular, the Supervisory Requirements for IT in Financial Institutions (BAIT), that defines specific IT requirements for banks. In its current form the catalog comprises 12 chapters, covering governance and organizational duties (IT strategy, IT governance, information risk management, identity and access management, outsourcing) as well as technical and operational measures (operational information security, IT operations, IT emergency management). The legal basis of BAIT is Section 25a of the German Banking Act (KWG), which obliges financial institutions to maintain a proper business organization, including appropriate risk management and internal control procedures.

Introduction to the project management method PRINCE2

PRINCE2 stands for "PRojects IN Controlled Environments." The method rests on 7 principles, 7 themes, and 7 processes. It divides a project into management stages, each ending in a decision point at which the project board reviews progress and the current risk position before authorizing the next stage; it is not tied to a specific delivery model, so it is often combined with a waterfall lifecycle but can also be used with agile delivery (PRINCE2 Agile). Risk is one of the seven themes and is treated as a continuous activity: risks are identified, assessed and documented from the start of the project and re-examined at every stage boundary. A risk register records every identified risk together with its assessment, the planned response, and a named risk owner who is accountable for managing it. As a result, the method is suitable for running a wide range of projects while keeping an overview of all their risks.

Assessing identified risks according to OWASP

OWASP stands for "Open Web Application Security Project" (since 2023 the "Open Worldwide Application Security Project"), a non-profit community of experts focused on application security. Its best-known publication is the OWASP Top 10, a list of the most critical categories of security risk in web applications. It is not published annually but revised every few years (editions appeared in 2013, 2017 and 2021). Companies should use it to check whether their own applications are exposed to these risk categories and to take countermeasures where they are. In addition, OWASP has developed a method for assessing and prioritizing individual risks, the OWASP Risk Rating Methodology: the likelihood of a risk is estimated from threat agent and vulnerability factors, its impact from technical and business factors, each factor is rated on a scale from 0 to 9, the ratings in each group are averaged, and the resulting likelihood and impact levels are combined into an overall severity (Note, Low, Medium, High or Critical). A detailed description and implementation can be found at the following link.
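To make the two sections above concrete, the following Python script is an added example (written for this article, not code from PRINCE2, OWASP or any bank): it keeps a small risk register in the spirit of PRINCE2 (each entry has a named owner) and scores every entry with the OWASP Risk Rating Methodology, averaging the likelihood and impact factors, mapping the averages to LOW/MEDIUM/HIGH, and reading the overall severity off the OWASP matrix. The three risks, their descriptions, owners and all ratings are constructed for illustration and are not taken from any real assessment.

```python
from dataclasses import dataclass

# OWASP Risk Rating Methodology: each factor is rated 0-9, and the factors in
# each group are averaged to give a likelihood score and an impact score.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",            # threat agent factors
    "ease_of_discovery", "ease_of_exploit",                    # vulnerability factors
    "awareness", "intrusion_detection",
)
IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",            # technical impact
    "loss_of_availability", "loss_of_accountability",
    "financial_damage", "reputation_damage",                   # business impact
    "non_compliance", "privacy_violation",
)

# OWASP overall severity matrix, indexed as SEVERITY[impact_level][likelihood_level].
SEVERITY = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Note": 0}


def level(score: float) -> str:
    """OWASP scale for an averaged score: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} is outside the 0-9 scale")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def average(factors: tuple, ratings: dict) -> float:
    """Average one factor group. A missing or out-of-range rating is an error
    rather than silently counted as zero, so a half-filled entry cannot look benign."""
    missing = [name for name in factors if name not in ratings]
    if missing:
        raise ValueError(f"missing ratings: {missing}")
    for name in factors:
        value = ratings[name]
        if not isinstance(value, int) or not 0 <= value <= 9:
            raise ValueError(f"{name}={value!r}: ratings must be integers from 0 to 9")
    return sum(ratings[name] for name in factors) / len(factors)


@dataclass
class Risk:
    """One risk register entry; the owner is mandatory, as PRINCE2 expects."""
    identifier: str
    description: str
    owner: str
    likelihood: dict
    impact: dict


def rate(risk: Risk) -> tuple:
    """Return (likelihood score, impact score, overall severity) for one entry."""
    likelihood = average(LIKELIHOOD_FACTORS, risk.likelihood)
    impact = average(IMPACT_FACTORS, risk.impact)
    return likelihood, impact, SEVERITY[level(impact)][level(likelihood)]


def prioritize(register: list) -> list:
    """Order the register by overall severity, then likelihood, then impact."""
    def key(risk):
        likelihood, impact, severity = rate(risk)
        return SEVERITY_RANK[severity], likelihood, impact
    return sorted(register, key=key, reverse=True)


# Constructed sample register: hypothetical risks with illustrative ratings.
SAMPLE_REGISTER = [
    Risk("R1", "SQL injection in the customer portal login form", "Application Security Lead",
         likelihood=dict(skill_level=3, motive=9, opportunity=9, size=9,
                         ease_of_discovery=7, ease_of_exploit=9, awareness=9, intrusion_detection=8),
         impact=dict(loss_of_confidentiality=7, loss_of_integrity=7, loss_of_availability=5,
                     loss_of_accountability=7, financial_damage=9, reputation_damage=9,
                     non_compliance=7, privacy_violation=9)),
    Risk("R2", "Verbose stack traces shown by an internal admin tool", "Platform Team",
         likelihood=dict(skill_level=5, motive=4, opportunity=4, size=2,
                         ease_of_discovery=3, ease_of_exploit=3, awareness=4, intrusion_detection=3),
         impact=dict(loss_of_confidentiality=2, loss_of_integrity=1, loss_of_availability=1,
                     loss_of_accountability=1, financial_damage=1, reputation_damage=1,
                     non_compliance=2, privacy_violation=3)),
    Risk("R3", "Unpatched batch server in payment settlement", "IT Operations",
         likelihood=dict(skill_level=6, motive=9, opportunity=4, size=6,
                         ease_of_discovery=3, ease_of_exploit=5, awareness=6, intrusion_detection=3),
         impact=dict(loss_of_confidentiality=6, loss_of_integrity=7, loss_of_availability=7,
                     loss_of_accountability=7, financial_damage=7, reputation_damage=5,
                     non_compliance=7, privacy_violation=5)),
]

if __name__ == "__main__":
    for risk in prioritize(SAMPLE_REGISTER):
        likelihood, impact, severity = rate(risk)
        print(f"{risk.identifier} {severity:<8} L={likelihood:.2f} I={impact:.2f} "
              f"owner={risk.owner}: {risk.description}")
```

Run as a script, it lists R1 (Critical), R3 (High) and R2 (Low) in that order. Two design choices matter in practice: the averages are computed on the full factor set, so an entry with a forgotten rating raises an error instead of being quietly under-scored, and the severity matrix is the OWASP one rather than a plain product of the two scores, which is why a high-impact risk with only medium likelihood still lands at "High".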

Conclusion

In summary, meeting legal requirements, conducting effective risk analyses, and making sustainable decisions remain demanding tasks. They can, however, be managed with suitable processes and appropriate IT support.

Striving for transparency, clear reporting, and independent decision-makers is one answer to this problem. Professional documentation, supported by suitable technical solutions, also contributes to achieving this goal.

We look forward to connecting with you on social media!