
A Model for Control Assessment for Credit Card Industry

By
PR No: - 07030245017
Student Name: - Mohammad Mohsin Khan
Specialisation: - Systems (2007 – 2009)

Symbiosis Centre for Information Technology


(a constituent member of SIU Established under section 3 of the UGC Act 1956
vide notification No. F.9-12/2001-U.3 of the Government of India)
Symbiosis Centre for Information Technology
(A constituent Institute of Symbiosis International University, estd. Under Section 3 of UGC Act 1956)
MBA Batch 2007-09

Acknowledgement
I would like to thank Ms. Shaila Kagal (Director, SCIT) for giving me this opportunity to do Research & Development on “A Model for Control Assessment for Credit Card Industry”.
I am highly indebted to Professor Manoj Hudnurkar, who has given me the opportunity to do the research on the topic “A Model for Control Assessment for Credit Card Industry”. In spite of the severe paucity of time, his valuable suggestions enabled me to fulfil the objectives of my project. He has shown immense patience and understanding in the face of testing difficulties and even kept my morale high. The periodic inputs by such experts were instrumental in expediting my work. His willingness to guide me at every turn spurred me on to put in my best efforts.

I would also like to thank Mr. Chaitanya V.K (Business Advisory, Ernst & Young) and Mr. Anil Bhandari (Founder, Director, ANB Consulting Pvt Co); without their help I would not have been able to complete the research.

I also extend my gratitude to all the faculty of SCIT for their support. They provided me great help in understanding certain concepts. Their experience was of immense help to me.


Table of Contents
1. Chapter 1:- Introduction _________________________________ 4
1.1. Brief on Research Topic ........................................................................... 4
1.2. Summary of Abstract:.............................................................................. 4
1.3. Objective:.................................................................................................. 5
1.4. Methodology: ............................................................................................ 5
2. Chapter 2:- Literature Review _____________________________ 6
2.1. Risk Assessment: ...................................................................................... 6
2.2. Steps for Process for Assessing and Managing Risk in SCM: ................ 7
2.3. CORAS approach to risk assessment: ..................................................... 7
2.4. Committee of Sponsoring Organizations of the Treadway Commission
(COSO) Model for Enterprise Risk Management (ERM): ................................ 8
2.5. COSO based Process Assessment Model:................................................ 9
2.6. Failure Modes, Effects and Criticality Analysis (FMECA): ................. 10
3. Chapter 3: Analysis of Work Done ________________________ 12
3.1. Analysis of Work Done: ................................................................................... 12
Risk Identification Process:............................................................................................. 12
It consist of the risk management process which involves ............................................. 12
COSO ERM Framework: ................................................................................................ 12
COSO based Process Assessment Model: ...................................................................... 13
Fig 4. COSO based Process Assessment Model ............................................................. 13
Failure Modes, Effects and Criticality Analysis (FMECA): ........................................... 14
3.2. The Model: .......................................................................................................... 15
Steps to Create the Model: .............................................................................................. 15
Identification of Process and Activities: ......................................................................... 15
Monitoring and Control Framework: .............................................................................. 15
Classifying Risk: ............................................................................................................. 16
Classification of Risk: ..................................................................................................... 17
Classifying Impact Level: ............................................................................................... 18
Construct the Hazard Totem Pole Chart (HTP): ............................................................. 20
3.3. Framework Pyramid (Proposed): .......................................................... 23
3.4. Possible applications in the industry ..................................................... 23
4. Chapter 4: Finding, Recommendations & Conclusion: ________ 24
4.1. Findings .................................................................................................. 24
4.2. Recommendation: .................................................................................. 25
4.3. Conclusion: ............................................................................................. 26
4.4. References: ............................................................................................. 27


1. Chapter 1:- Introduction


1.1. Brief on Research Topic
• A Bank has varied processes under its Credit Card wing.
• A Control Assessment Plan provides proof and evidence about these processes and functions to the external auditors, and also serves them as a guide to the processes, i.e. whether a process is critical and what its level of criticality is.
• There is no standardization of the techniques to be followed while evaluating controls in the industry; every individual follows techniques as per his convenience and understanding.
• This creates a gap in understanding of the control, its severity, gap analysis, impact and also the point of impact.
• This creates a lot of confusion among stakeholders regarding the effectiveness of controls applied to a process. As there is no model or standard technique to measure severity, different process owners have their own severity level for a particular activity, based on their individual understanding of the processes.
• This leads to a mismatch between risk and control, and hence to improper control assessment.
• Therefore a model is needed which is not dependent on the individual or on his cognitive skills, wherein the risk is measured against certain parameters and the severity is adjudged based on these parameters.
• The control is also measured against these parameters, and the model helps evaluate a standard Control Assessment Plan which generates the same result for a particular activity irrespective of the individual, in organizations belonging to the Credit Card domain.

1.2. Summary of Abstract:

There is no set of standard techniques for evaluating controls in the Credit Card industry; every individual follows techniques as per his convenience and understanding. This creates a gap in understanding of the control and its severity, gap analysis, impact and also the point of impact.
This creates a lot of confusion among stakeholders regarding the effectiveness of controls applied to a process, as different process owners have their own severity level for a particular activity, based on their individual understanding of the processes. This leads to a mismatch between risk and control, and hence to improper control assessment.
Therefore a model is needed which is not dependent on the individual or on his cognitive skills, wherein the risk is measured against certain parameters and the severity is adjudged based on these parameters.
The control is also measured against these parameters, and the model helps evaluate a standard Control Assessment Plan which generates the same result for a particular activity irrespective of the individual, in organizations belonging to the Services Domain.

1.3. Objective:
To prepare a model which achieves standardization of the methods and techniques to be followed for preparing a Control Assessment Plan as an output, independent of individual capabilities.

1.4. Methodology:
• Collecting data from secondary resources and analyzing it for trends relevant to control assessment:
1. Collection of data about the various techniques used in the preparation of a Risk Management Plan.
2. Collecting details about the various models which are currently being applied in the industry.
3. Feasibility of the models as per the industry.
4. Application area in the industry.
5. The technical as well as business environments for application.
6. Advantages and disadvantages of these models.
7. Comparison of the models and the various techniques that could be amalgamated in the new model.
8. Preparation of the new model.
9. Possible application in the industry.

• Getting inputs from the Mentor and Guide regarding the progress and ascertaining the right direction:
1. Validation of data by the guide and mentor.
2. Charting out the course of preparation of the new model.
3. Validation of the models and how to go about the techniques.
4. Using the mentor's and guide's industrial as well as domain experience in model building.
5. Verification of the final model.

• Preparing a model for Control Assessment which can be used as a standard procedure, so that preparing a Control Assessment Plan gives similar output irrespective of who prepares it.


2. Chapter 2:- Literature Review


2.1. Risk Assessment:
• Risk assessment is a common first step in a risk management process. Risk assessment is the determination of the quantitative or qualitative value of risk related to a concrete situation and a recognized threat. Quantitative risk assessment requires calculation of the two components of risk R: the magnitude of the potential loss L, and the probability p that the loss will occur.
R = L x p

Fig1. Risk assessment overview


• Risk assessment incorporates risk analysis and risk management, i.e., it combines systematic processes for risk identification, determination of their consequences, and how to deal with these risks. Many risk assessment methodologies exist, focusing on different types of risks or different areas of concern. The CORAS methodology builds on: HAZard and OPerability study (HazOp); Fault Tree Analysis (FTA); Failure Mode and Effect Criticality Analysis (FMECA); Markov analysis (Markov); CCTA Risk Analysis and Management Methodology (CRAMM).
• All of the above-mentioned models may or may not be used for this research, and in due course new models can also be brought into purview; but currently the models being viewed as benchmarks for the creation of a new model for risk and control assessment for the credit card industry are as follows.

2.2. Steps of the Process for Assessing and Managing Risk in SCM:
• Identify potential risk factors.
• Assess the severity of the consequences of the identified risk factors.
• Assess the likelihood of occurrence of the identified risk factors.
• Classify the identified risk factors.
• Determine the cost of implementing the risk response action plan.
• Determine the risk priority indices.
• Construct the hazard totem pole chart.

2.3. CORAS approach to risk assessment:

• CORAS focuses on the integration of viewpoint-oriented modelling in the risk assessment process. The integration of this state-of-the-art modelling technology in the risk assessment process, referred to in the following as model-based risk assessment, is motivated by several factors. Model-based risk assessment employs modelling technology for three main purposes:
a. Providing descriptions of the target of assessment at the right level of abstraction.
b. As a medium for communication and interaction between different groups of stakeholders involved in a risk analysis.
c. To document results and the assumptions on which these results depend.
• CORAS framework.

2.4. Committee of Sponsoring Organizations of the Treadway Commission (COSO) Model for Enterprise Risk Management (ERM):
• COSO was formed in the year 1985 to sponsor the work of what became commonly referred to as the Treadway Commission. COSO's sponsors were (and remain) the American Accounting Association (AAA), Institute of Management Accountants (IMA), Institute of Internal Auditors (IIA), AICPA and the Financial Executives International (FEI).
• The Public Company Accounting Oversight Board (PCAOB) recommended the COSO model as a way to evaluate and report on internal controls. Thus, AS2 entrenched the COSO model as a tool that auditors, internal and external, needed to understand, especially in applying it to Section 404 evaluations of internal controls.
• COSO defines internal control as "a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in (1) the effectiveness and efficiency of operations, (2) the reliability of financial reporting and (3) compliance with applicable laws and regulations." The COSO Model of Internal Controls uses five elements of internal control: control environment, risk assessment, information and communication, control activities, and monitoring.
• There are various important ERM frameworks, each of which describes an approach for identifying, analyzing, responding to, and monitoring risks and opportunities within the internal and external environment facing the enterprise. Management selects a risk response strategy for specific risks identified and analyzed, which may include:
a. Avoidance: exiting the activities giving rise to risk.
b. Reduction: taking action to reduce the likelihood or impact related to the risk.
c. Share or insure: transferring or sharing a portion of the risk, to reduce it.
d. Accept: no action is taken, due to a cost/benefit decision.
• The COSO ERM Framework has eight components and four objective categories. It is an expansion of the COSO Internal Control-Integrated Framework published in 1992 and amended in 1994. The eight components are:
a. Internal Environment.
b. Objective Setting.
c. Event Identification.
d. Risk Assessment.
e. Risk Response.
f. Control Activities.
g. Information and Communication.
h. Monitoring.
• The four objective categories are:
a. Strategy - high-level goals, aligned with and supporting the organization's mission.
b. Operations - effective and efficient use of resources.
c. Financial Reporting - reliability of operational and financial reporting.
d. Compliance - compliance with applicable laws and regulations.

2.5. COSO based Process Assessment Model:
• The Process Assessment Model defines a two-dimensional model of process capability. In one dimension, the process dimension, the processes are defined and classified into process categories. In the other dimension, the capability dimension, a set of process attributes grouped into capability levels is defined. The process attributes provide the measurable characteristics of process capability.

Fig 2. COSO based Process Assessment Model


• The Process Assessment Model is based on the principle that the capability of a process can be assessed by demonstrating the achievement of process attributes on the basis of evidence related to assessment indicators.
• There are two types of assessment indicators: process capability (generic) indicators, which apply to capability levels 2 to 5, and process performance (specific) indicators, which apply exclusively to capability level 1.
• The process attributes in the capability dimension have a set of process capability indicators that provide an indication of the extent of achievement of the attribute in the instantiated process. These indicators concern significant activities, resources or results associated with the achievement of the attribute purpose by a process.
• The first three capability levels focus on the instance or activity view of the processes, while from level 3 the attributes focus on the corporate entity view. This observation helps us to understand how the COSO Internal Control and ERM frameworks fit into this assessment model. The Internal Control framework's third dimension is the Unit/Activity, while in ERM the third dimension is the corporate structure.

Fig 3. Process Improvement and Organization Level (COSO ERM)

2.6. Failure Modes, Effects and Criticality Analysis (FMECA):

• FMECA is designed to identify potential failure modes for a product or process, to assess the risk associated with those failure modes, to rank the issues in terms of importance, and to identify and carry out corrective actions to address the most serious concerns.
• FMECA requires the identification of the following basic information:
a. Item(s).
b. Function(s).
c. Failure(s).
d. Effect(s) of Failure.
e. Cause(s) of Failure.
f. Current Control(s).
g. Recommended Action(s).
h. Plus other relevant details.
• The basic steps for performing an FMEA/FMECA analysis include:
a. Assemble the team.
b. Establish the ground rules.
c. Gather and review relevant information.
d. Identify the item(s) or process(es) to be analyzed.
e. Identify the function(s), failure(s), effect(s), cause(s) and control(s) for each item or process to be analyzed.
f. Evaluate the risk associated with the issues identified by the analysis.
g. Prioritize and assign corrective actions.
h. Perform corrective actions and re-evaluate risk.
i. Distribute, review and update the analysis, as appropriate.
• Risk Evaluation Methods: A typical FMEA incorporates some method to evaluate the risk associated with the potential problems identified through the analysis. The two most common methods are Risk Priority Numbers and Criticality Analysis.
• Risk Priority Numbers: To use the Risk Priority Number (RPN) method to assess risk, the analysis team must:
a. Rate the severity of each effect of failure.
b. Rate the likelihood of occurrence for each cause of failure.
c. Rate the likelihood of prior detection for each cause of failure (i.e. the likelihood of detecting the problem before it reaches the end user or customer).
d. Calculate the RPN by obtaining the product of the three ratings:
RPN = Severity x Occurrence x Detection
• Criticality Analysis (quantitative and qualitative): To use the quantitative criticality analysis method, the analysis team must:
a. Define the reliability/unreliability for each item, at a given operating time.
b. Identify the portion of the item's unreliability that can be attributed to each potential failure mode.
c. Rate the probability of loss (or severity) that will result from each failure mode that may occur.
d. Calculate the criticality for each potential failure mode by obtaining the product of the three factors:
Mode Criticality = Item Unreliability x Mode Ratio of Unreliability x Probability of Loss
e. Calculate the criticality for each item by obtaining the sum of the criticalities for each failure mode that has been identified for the item:
Item Criticality = SUM of Mode Criticalities
To use the qualitative criticality analysis method to evaluate risk and prioritize corrective actions, the analysis team must:
a. Rate the severity of the potential effects of failure.
b. Rate the likelihood of occurrence for each potential failure mode.
c. Compare failure modes via a Criticality Matrix, which identifies severity on the horizontal axis and occurrence on the vertical axis.
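Both FMECA risk evaluation methods described above (the RPN product, and quantitative criticality with item criticality as the sum of mode criticalities), worked through in Python on constructed data. This is an added example and not part of the report: the failure modes, ratings and unreliability figures are made up for a card application intake process, and the 1 to 10 rating scale for severity, occurrence and detection is an assumption, since the report does not fix one.

```python
"""FMECA risk evaluation: RPN method and quantitative criticality analysis.

Added example, not taken from the report. Failure modes, ratings and
unreliability figures are constructed for a card application intake process.
The 1..10 rating scale for severity/occurrence/detection is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    item: str            # the item or process step being analyzed
    mode: str            # how it fails
    severity: int        # effect of failure: 1 = negligible .. 10 = catastrophic
    occurrence: int      # likelihood of the cause: 1 = rare .. 10 = near certain
    detection: int       # chance it escapes prior detection: 1 = always caught .. 10 = never caught
    mode_ratio: float    # share of the item's unreliability attributable to this mode
    prob_of_loss: float  # probability that this mode, once it occurs, produces the loss


def _check_rating(name: str, value: int) -> None:
    # Ratings outside the scale silently distort the product, so reject them.
    if not 1 <= value <= 10:
        raise ValueError(f"{name} rating {value} is outside the 1..10 scale")


def rpn(fm: FailureMode) -> int:
    """RPN = Severity x Occurrence x Detection."""
    for name in ("severity", "occurrence", "detection"):
        _check_rating(name, getattr(fm, name))
    return fm.severity * fm.occurrence * fm.detection


def mode_criticality(fm: FailureMode, item_unreliability: float) -> float:
    """Mode Criticality = Item Unreliability x Mode Ratio of Unreliability x Probability of Loss."""
    return item_unreliability * fm.mode_ratio * fm.prob_of_loss


def item_criticality(modes, item_unreliability: float) -> float:
    """Item Criticality = SUM of Mode Criticalities for that item."""
    return sum(mode_criticality(fm, item_unreliability) for fm in modes)


def rank_by_rpn(modes):
    """Highest RPN first: the order in which corrective actions are assigned."""
    return sorted(modes, key=rpn, reverse=True)


# Constructed sample: two failure modes of the application receipt step and
# one of the KYC document check. Unreliability per item is likewise constructed.
SAMPLE_MODES = [
    FailureMode("Application receipt", "Form lost between sales channel and credit team",
                severity=6, occurrence=4, detection=5, mode_ratio=0.6, prob_of_loss=0.5),
    FailureMode("Application receipt", "Incomplete form accepted for processing",
                severity=4, occurrence=6, detection=3, mode_ratio=0.4, prob_of_loss=0.2),
    FailureMode("KYC document check", "Forged identity document not detected",
                severity=9, occurrence=2, detection=7, mode_ratio=1.0, prob_of_loss=0.9),
]
ITEM_UNRELIABILITY = {"Application receipt": 0.05, "KYC document check": 0.01}


def receipt_item_criticality() -> float:
    """Item criticality of the application receipt step over its two modes."""
    modes = [fm for fm in SAMPLE_MODES if fm.item == "Application receipt"]
    return item_criticality(modes, ITEM_UNRELIABILITY["Application receipt"])


if __name__ == "__main__":
    for fm in rank_by_rpn(SAMPLE_MODES):
        print(f"RPN {rpn(fm):4d}  {fm.item}: {fm.mode}")
    print(f"Item criticality, application receipt: {receipt_item_criticality():.4f}")
```

On this sample the forged-document mode ranks first by RPN (126) even though it occurs rarely, because it is both severe and hard to detect before the card is issued; the two receipt modes contribute 0.015 and 0.004 to an item criticality of 0.019.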


3. Chapter 3: Analysis of Work Done


3.1. Analysis of Work Done:
Risk Identification Process:

Risk Assessment                                          | Risk Management
"What can go wrong?"                                     | "What can be done?"
"What is the likelihood that something will go wrong?"   | "What are the available options and their associated tradeoffs?"
"What are the associated consequences?"                  | "What are the impacts of current decisions on future options?"

It consists of the risk management process, which involves:
a. Establishing Context: This includes an understanding of the current conditions in which the organization operates, in its internal, external and risk management context.
b. Identifying Risks: This includes the documentation of the material threats to the organization's achievement of its objectives and of the areas the organization may exploit for competitive advantage.
c. Analyzing/Quantifying Risks: This includes the calibration and, if possible, creation of probability distributions of outcomes for each material risk.
d. Integrating Risks: This includes the aggregation of all risk distributions, reflecting correlations and portfolio effects, and the formulation of the results in terms of impact on the organization's key performance metrics.
e. Assessing/Prioritizing Risks: This includes the determination of the contribution of each risk to the aggregate risk profile, and appropriate prioritization.
f. Treating/Exploiting Risks: This includes the development of strategies for controlling and exploiting the various risks.
g. Monitoring and Reviewing: This includes the continual measurement and monitoring of the risk environment and of the performance of the risk management strategies.

COSO ERM Framework:

• The COSO ERM Framework has eight components and four objective categories. The eight components are:
1. Internal Environment
2. Objective Setting
3. Event Identification
4. Risk Assessment
5. Risk Response
6. Control Activities
7. Information and Communication
8. Monitoring
• The four objective categories are:
1. Strategy - high-level goals, aligned with and supporting the organization's mission
2. Operations - effective and efficient use of resources
3. Financial Reporting - reliability of operational and financial reporting
4. Compliance - compliance with applicable laws and regulations.

COSO based Process Assessment Model:

• The Process Assessment Model defines a two-dimensional model of process capability. In one dimension, the process dimension, the processes are defined and classified into process categories.
• In the other dimension, the capability dimension, a set of process attributes grouped into capability levels is defined.

Fig 4. COSO based Process Assessment Model

Failure Modes, Effects and Criticality Analysis (FMECA):
• FMECA requires the identification of the following basic information:
1. Item(s)
2. Function(s)
3. Failure(s)
4. Effect(s) of Failure
5. Cause(s) of Failure
6. Current Control(s)
7. Recommended Action(s)
8. Plus other relevant details
• The basic steps for performing an FMEA/FMECA analysis include:
1. Assemble the team.
2. Establish the ground rules.
3. Gather and review relevant information.
4. Identify the item(s) or process(es) to be analyzed.
5. Identify the function(s), failure(s), effect(s), cause(s) and control(s) for each item or process to be analyzed.
6. Evaluate the risk associated with the issues identified by the analysis.
7. Prioritize and assign corrective actions.
8. Perform corrective actions and re-evaluate risk.
9. Distribute, review and update the analysis, as appropriate.

3.2. The Model:
Steps to Create the Model:
• Identification of the common steps in all the models mentioned above.
• The common steps are:
1. Identify potential risk factors.
2. Assess the severity of the consequences of the identified risk factors.
3. Assess the likelihood of occurrence of the identified risk factors.
4. Classify the identified risk factors.
5. Determine the cost of implementing the risk response action plan.
6. Determine the risk priority indices.
7. Construct the hazard totem pole chart.

Identification of Process and Activities:

• List down all the Processes and their Sub-Processes.
• List down all the Activities and their Owners.
• List all the Sub-Activities and their WCGW (what could go wrong) scenarios.

E.g. (one row of the activity listing, columns: S No, Process, Sub Process, Activity, Activity Owner, Sub Activity, WCGW/Risk):

S No: 1
Process: Credit
Sub Process: Credit
Activity: APPLICATION RECEIPT PROCESS
Activity Owner: Credit Team
Sub Activity:
  1. The Sales team procures the applications from the following channels: existing KMB group company customers; open market; employee referral.
  2. Different application forms are filled for each type of credit card.
WCGW/Risk:
  1. Delay in collection of forms.

Monitoring and Control Framework:

Classifying Risk:
• One technique is to identify the level of the processes, i.e. with respect to the COSO ERM Framework.

Fig 5. Depiction of various Levels of Improvement

• The probability of a problem occurring is derived from the extent of the process attribute gaps and from the capability level at which they occur. Capability level gaps are categorized as follows:
1. None - no major or minor gaps.
2. Slight - no gap at Level 1, and only minor gaps at higher levels.
3. Significant - a minor gap at Level 1, or a single major gap above.
4. Substantial - a major gap at Level 1, or more than one major gap above.
• The process-related risk depends on both the probability of a problem arising from the identified gap and the potential consequence. In general the consequences depend on the capability levels at which the gaps occur.
• The figure below depicts that high risk arises from a substantial gap at a lower capability level.


Classification of Risk:
• Different techniques to quantify risk:
1. The first set of factors relates to the threat agent involved. The goal here is to estimate the likelihood of a successful attack by this group of threat agents. Use the worst-case threat agent.
a. Skill level
b. Motive
c. Opportunity
d. Size
2. Vulnerability factors:
a. Ease of discovery
b. Ease of exploit
c. Awareness
3. Using FMECA to calculate COPQ (Cost of Poor Quality):
a. Step 1: Identify the potential causes of failure using the inputs from an input-output diagram and import them into the FMEA tool. Avoid any initial prioritization of inputs (such as through a cause-and-effect matrix), to ensure that all possible failure modes are included in the COPQ analysis. Include only controlled factors (inputs) in the analysis; this is important, as existing costs for uncontrolled factors cannot be calculated with confidence.
b. Step 2: After importing the inputs, review the list with the team to ensure all potential failures are identified. Include every possible failure even if the process has not experienced it. If there is a risk of failure, the team must identify it and include the potential cost of failure in the COPQ calculation.
c. Step 3: Perform the risk prioritization calculation for each individual potential failure mode using the FMECA tool. Record the Risk Priority Number values as the product of the severity, occurrence and detection scores:
Risk Priority Number = Severity x Occurrence x Detection
d. Step 4: Using team inputs and any available estimation tools, calculate the average cost to resolve (ACR) for each potential cause of failure. The cost is the product of the estimated effort hours to resolve (EHR) and the average cost per effort hour (ACH). Note that the estimate in this step tends to have a 90- to 95-percent confidence level, which is an acceptable level for isolating the COPQ.
ACR_i = EHR_i x ACH_i
where: ACR_i = average cost to resolve incident i
EHR_i = effort hours to resolve incident i
ACH_i = average cost per hour for incident i
i = 1 to n (n being the total number of failures)
e. Step 5: Calculate the average effort cost required to resolve a random incident as the weighted average of the cost to resolve each failure, weighted by the risk priority of that failure:
Weighted Average Cost to Resolve (WACR) = Sum of (RPN_i x ACR_i) / Sum of (RPN_i)
f. Step 6: Calculate the COPQ for the process by multiplying the random incident cost by the potential reduction in incidents (per year) as identified from past process data:
COPQ = WACR x Reduction in Events Due to the Project
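Steps 3 to 6 of the COPQ calculation above, carried through in Python. This is an added example, not the report's own code: the failure list, effort hours, hourly rates and the reduction-in-events figure are constructed for a card application process, and the 1 to 10 rating scale is assumed.

```python
"""COPQ (Cost of Poor Quality) from an FMECA, following steps 3 to 6 above.

Added example, not from the report. The failure list, hours, hourly rates and
the reduction-in-events figure are constructed; the 1..10 rating scale is assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Failure:
    cause: str
    severity: int    # 1..10
    occurrence: int  # 1..10
    detection: int   # 1..10
    ehr: float       # EHR_i: estimated effort hours to resolve one incident
    ach: float       # ACH_i: average cost per effort hour, in $


def rpn(f: Failure) -> int:
    """Step 3: Risk Priority Number = Severity x Occurrence x Detection."""
    return f.severity * f.occurrence * f.detection


def acr(f: Failure) -> float:
    """Step 4: ACR_i = EHR_i x ACH_i (average cost to resolve incident i)."""
    return f.ehr * f.ach


def wacr(failures) -> float:
    """Step 5: WACR = Sum(RPN_i x ACR_i) / Sum(RPN_i).

    The RPN weights mean a frequent, severe, hard-to-detect failure pulls the
    average towards its own resolution cost."""
    total_rpn = sum(rpn(f) for f in failures)
    if total_rpn == 0:
        # No failures (or every RPN zero): the weighted average is undefined.
        raise ValueError("WACR is undefined without failures carrying a non-zero RPN")
    return sum(rpn(f) * acr(f) for f in failures) / total_rpn


def copq(failures, reduction_in_events: float) -> float:
    """Step 6: COPQ = WACR x reduction in events (per year) expected from the project."""
    return wacr(failures) * reduction_in_events


# Constructed sample failures (the output of steps 1 and 2); all are controlled inputs.
SAMPLE_FAILURES = [
    Failure("Application form mis-keyed", severity=5, occurrence=4, detection=3, ehr=2.0, ach=50.0),
    Failure("Credit bureau response mis-read", severity=8, occurrence=2, detection=5, ehr=10.0, ach=60.0),
    Failure("Duplicate application created", severity=3, occurrence=5, detection=4, ehr=1.0, ach=40.0),
]
ASSUMED_REDUCTION_PER_YEAR = 50  # assumption: incidents the project is expected to remove per year


def sample_copq() -> float:
    """COPQ for the constructed sample."""
    return copq(SAMPLE_FAILURES, ASSUMED_REDUCTION_PER_YEAR)


if __name__ == "__main__":
    for f in SAMPLE_FAILURES:
        print(f"{f.cause:35s} RPN={rpn(f):3d} ACR=${acr(f):7.2f}")
    print(f"WACR = ${wacr(SAMPLE_FAILURES):.2f}, COPQ = ${sample_copq():.2f}")
```

With RPNs of 60, 80 and 60 and resolution costs of $100, $600 and $40, the WACR is $282 rather than the plain mean of $246.67, because the costly bureau mis-read carries the largest risk weight; removing 50 incidents a year then gives a COPQ of $14,100.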

Classifying Impact Level:

• There are two types of impact: Technical Impact and Business Impact.
• Technical Impact:
a. Loss of confidentiality
b. Loss of integrity
c. Loss of availability
d. Loss of accountability
• Business Impact:
a. Financial
b. Reputation
c. Non-compliance
d. Privacy violation
e. Quality / Customer Service
f. Information security / Data loss
g. Delay in TAT / Deviation in SOP
h. Defective product

• Based on the above impacts, the following levels (scores) have been assigned to the impacts:

Classification                         Score
F  Financial                           5
Q  Quality / Customer Service          4
S  Information security / Data loss    3
D  Delay in TAT / Deviation in SOP     2
P  Defective product                   1

• Now we classify the probability of occurrence:

Classification    Score
L  Likely         3
U  Unlikely       2
R  Remote         1

• Now find the Criticality Score:

Criticality Score = Probability Score x Impact Score

• Now we classify the Criticality:

Classification    Score
VH Very High      12 - 15
H  High           9 - 11.9
M  Medium         5 - 8.9
L  Low            3 - 4.9
VL Very Low       0 - 2.9

• Now determine the Cost of Implementing the Risk Response Plan. Here the cost depends on the company's revenue, size and other parameters; the organization determines the cost index using the following classification:

Cost Strategy      Implementation Cost*          Cost Index
Substantial Cost   More than $100000             4
High Cost          Between $10000 and $100000    3
Low Cost           Between $1000 and $10000      2
Trivial Cost       Less than $1000               1
*Dependent on company to classify the cost

Construct the Hazard Totem Pole Chart (HTP):
• HTP analysis provides a method for systematic analysis of risk.
• It is pyramidal in shape, with the most significant risk at the top (sharply pointed
for immediate management attention) and the less significant risks at the bottom.
• The risks at the top of the HTP represent catastrophic consequences that can be
eliminated or contained for a small amount of money. As we go down the
HTP chart the impact of the ranked risks diminishes.
• Since no firm can afford to eliminate all risk, one can find a level in the HTP
chart below which management appears to accept the risk instead of
implementing a risk response plan to remove it. This level is known as the
“Cut-off Level”.
• Here we rate each risk with a three-number code: Risk (Impact Score, Probability
Score, Cost Index). E.g. a risk with code (3,1,2) is (Info Security / Data loss,
Remote, Low Cost).


Hazard Code    Cumulative Preventive Cost ($)
(3,2,1)          5000
(3,3,3)         10000
(2,2,1)         70000
(2,2,1)        140000
(3,3,4)        170000
(2,4,4)        175000
(2,2,2)        200000
(2,2,2)        240000   Cut-Off Level
(1,4,3)        260000
(3,1,3)        370000
(3,1,3)        380000
(4,4,1)        390000

Fig 6. HTP analysis of Risk (pyramid chart with 14 ranked positions, read from
the top, most significant, downwards; the top rows are labelled “Significant
Code” and the Cut-Off Level is drawn at the (2,2,2) / 240000 entry)
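As an added example, not part of the thesis, the Python below applies the scoring just described: impact and probability scores, the criticality product and its bands, the cost index, the (Impact Score, Probability Score, Cost Index) hazard code, and an HTP-style ordering with cumulative preventive cost. The risk names and costs are constructed sample values; the >= boundaries of the cost bands and the use of a budget figure to place the cut-off level are assumptions.

```python
# Added example (not from the thesis): Criticality = Probability x Impact,
# banding, the (Impact, Probability, Cost Index) hazard code, and an HTP
# ordering with running preventive cost and a cut-off level.
from dataclasses import dataclass
IMPACT = {"F": 5, "Q": 4, "S": 3, "D": 2, "P": 1}               # impact scores
PROBABILITY = {"L": 3, "U": 2, "R": 1}                           # Likely/Un-likely/Remote
BANDS = [(12, "VH"), (9, "H"), (5, "M"), (3, "L"), (0, "VL")]   # (lower bound, label)

def cost_index(cost_usd):
    """Cost Index from the cost table; the >= boundaries are an assumption."""
    if cost_usd > 100000:
        return 4
    if cost_usd >= 10000:
        return 3
    return 2 if cost_usd >= 1000 else 1

def criticality(impact, prob):
    return PROBABILITY[prob] * IMPACT[impact]

def band(score):
    return next(label for lower, label in BANDS if score >= lower)

@dataclass
class Risk:
    name: str
    impact: str    # one of F/Q/S/D/P
    prob: str      # one of L/U/R
    cost_usd: int  # cost of implementing the risk response plan

    def hazard_code(self):
        return (IMPACT[self.impact], PROBABILITY[self.prob], cost_index(self.cost_usd))

def htp(risks, budget):
    """Rank top-down (highest criticality, then cheaper first) with cumulative cost;
    placing the cut-off at a budget is an assumption (thesis leaves it to management)."""
    ordered = sorted(risks, key=lambda r: (-criticality(r.impact, r.prob), r.cost_usd))
    rows, total = [], 0
    for r in ordered:
        total += r.cost_usd
        # row: (name, hazard code, criticality band, cumulative cost, treat?)
        rows.append((r.name, r.hazard_code(), band(criticality(r.impact, r.prob)),
                     total, total <= budget))
    return rows

SAMPLE_RISKS = [  # constructed post-issuance sample risks, not thesis data
    Risk("Embossing data file shared without access restriction", "F", "U", 120000),
    Risk("Statement posted to stale address", "Q", "L", 15000),
    Risk("PIN generation log not retained", "S", "U", 5000),
    Risk("Charge-back reconciliation past TAT", "D", "R", 900),
]
```

Rows whose cumulative cost stays within the budget sit above the cut-off level and are treated; the rest are the risks management accepts.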


Based on the HTP we construct the Control Assessment Sheet; it should be merged
with the Risk Assessment sheet.

The template for the Sheet will be as follows (one column per heading):

Activity | Activity Owner | Sub Activity | WCGW/Risk | Impact | Control Questions |
Manual/IT | P/D | H/M/L | F/S/Q/D/P | IMPACT SCORE | L/U/R | PROBABILITY SCORE |
CRITICALITY

• Then, based on the above sheet and the HTP analysis, we can prepare a
checklist and Audit Plan based on which the stakeholders can assess the
process controls for effectiveness.

Fig 7. Framework process improvement based on above Control Framework Model

3.3. Framework Pyramid (Proposed):
• The Pyramid below will help the Organization to evolve and manage
processes based on the COSO ERM methodology.

Framework Pyramid (levels from top to bottom; the chart labels the upper levels
“Group” and the lower levels “BU”, i.e. Business Unit):
5 - Fixing Group-Wide Strategy, Industry Change
4 - Group-Wide Efficiencies, Appetites, Shifting Resources
3 - Aggregation, Models
2 - Local Efficiency Gains, Internal Losses, Forward-Looking
1 - Mapping, Control Self-Assessment, Heat Maps

We should expect many small benefits at the lower levels, with fewer but much
bigger benefits as we reach the top of the pyramid.

3.4. Possible applications in the industry

• The framework with the techniques mentioned will be applicable to the Credit
Card industry or Payment Card industry. The various processes where it could
be applicable are:
a. Sales: Process dealing with sales of the credit cards. It covers finalizing the
vendor for sales and the alternate sales process.
b. Pre-Issuance: Process containing the detailed steps to follow before issuing
credit cards, e.g. procurement of plastic, embossing, ATM PIN generation.
c. Post-Issuance: Process to be followed once the credit card is issued to the
customer. It covers the statement process, repayment process, interchange and
settlement process, charge back, auto-debit, zeroisation, cut-card and
reconciliation.
d. Credit: The process of accepting applications for new credit cards,
screening, scoring, risk evaluation and setting credit limits is performed
by the Credit function in coordination with the Risk team.
e. Products: Related to the various products and add-on services offered by the
respective bank.
f. Contact Management: Process of handling customer requests or
complaints when he/she contacts Kotak Mahindra Bank.
g. Collections: As the name suggests, the process is all about collections:
keeping track of collections, cycle date, interest calculation, late charges,
etc.


4. Chapter 4: Findings, Recommendations & Conclusion:

4.1. Findings
• Here there is a comparison among the various techniques that are used in
the industry for various risk management activities; some of these techniques
are implemented in various models.
• Some models have one or more techniques missing which are present in another
model, thus making them not fully capable of handling the various risks.
• Many models are missing the process improvement part, as well as raising the
level of the Organization and its business units, i.e. from Level 1 to 5.
• The table below summarizes all those activities and shows the capability of
the various models to support each activity.
• In all the models, not all the factors are considered for Impact.

Columns: Risk Management Activities | General Risk Assessment | COSO | COSO ERM |
FMECA based PAM | CORAS | Proposed Model*
(each ✓ marks a model that supports the activity; the column position of each
mark was not preserved in this copy)

Identify Context                                    ✓ ✓ ✓ ✓
Identify Risk                                       ✓ ✓ ✓ ✓ ✓ ✓
Analyze Risk                                        ✓ ✓ ✓ ✓ ✓ ✓
Severity of the Consequences*                       ✓ ✓ ✓ ✓ ✓ ✓
Likelihood of Occurrence                            ✓ ✓ ✓ ✓ ✓ ✓
Criticality Analysis                                ✓ ✓ ✓ ✓ ✓ ✓
Cost of implementing risk response action plan      ✓ ✓
Risk priority indices                               ✓ ✓
Heat Maps                                           ✓ ✓
Hazard Totem Pole chart                             ✓
Control Activities                                  ✓ ✓ ✓ ✓ ✓
Risk Assessment sheet                               ✓
Audit Plan                                          ✓
Audit Checklist                                     ✓
Compliance                                          ✓
Monitoring                                          ✓ ✓ ✓ ✓
Review and Update                                   ✓ ✓ ✓ ✓
Communication among stakeholders                    ✓ ✓ ✓
Documentation of assumptions and results            ✓ ✓ ✓
Process Improvement                                 ✓
Aggregation                                         ✓
Group and Business Unit Level Strategic Addition    ✓
Table1: Depiction of various models w.r.t Risk Management Activities
*Not all factors are considered for Impact except for the proposed model

4.2. Recommendation:
• This proposed model cannot always cover and guarantee against all the risks
that an organization faces, but it tries to cover all risks, inherent or not.
• Thus it acts as a risk mitigation plan which not only helps you avoid, mitigate or
transfer risk but also helps to improve your processes, which indirectly helps in
raising the organizational level as well as the business unit level up to a certain
limit.
• As it is a mixture of all the models that are generally used, it covers all the
risk management activities.
• This model can also be used for other industries such as Manufacturing,
Services, Hospitality, Automobiles, etc.
• This model has a generic approach, thus it can be applied to any industry.
• As the model is not yet tested against the cost of processes, this will be
future work: the processes will be modelled in a process modeller to analyze
cost, and the same processes will then be checked with our model to find the
cost.
• These costs should be similar; otherwise there is a problem in the process or
the model, so work still needs to be done in this area.
• This model will cover a wide area of Risk Assessment, Management and
Control activities for the industries mentioned:
1. Establishing Context.
2. Identify the item(s) or process(es) to be analyzed
3. Identifying Risks.
4. Analyzing/Quantifying Risks
5. Integrating Risks
6. Assessing/Prioritizing Risks
7. Treating/Exploiting Risks
8. Monitoring and Reviewing
9. Control Activities
10. Information and Communication
11. Monitoring
12. Perform corrective actions and re-evaluate risk.
13. Distribute, review and update the analysis, as appropriate.
14. Strategy - high-level goals, aligned with and supporting the organization's
mission
15. Operations - effective and efficient use of resources
16. Financial Reporting - reliability of operational and financial reporting
17. Compliance - compliance with applicable laws and regulations
• This model helps us to develop a Monitoring and Control Framework
which helps us improve our controls and processes by eliminating risk and
thus reducing the number of controls.

4.3. Conclusion:
The model will help us to measure risks and activities, and it will help evaluate a
standard Control Assessment Plan which will generate the same result for a particular
activity irrespective of the individual, in organizations belonging to the Credit Card
domain. The model will achieve a standardization of the method and techniques to be
followed for preparing a Control Assessment plan as an output, independent of
individual capabilities.
