
AC3104

Risk Mgmt. Control & Ethics


Seminar 8.1
Group 5
Keck Teng Hong
Huang Lina
Low Guan Hong
Tay Yiren
Tan Ying Jie
Presentation prerequisite:
Gather the background information of DBS Group Holdings Ltd (DBS) before
answering the following questions. Make reasonable assumptions where necessary.

DBS is a leading financial services group in Asia
- Operates over 280 branches across 18 markets
- Headquartered and listed in Singapore, with a growing presence in three key Asian regions:
  - Greater China
  - South East Asia
  - South Asia
- Well capitalized; top long-term credit rating in APAC

Long-term credit ratings (Moody's as at 1 Jun 2016; S&P; Fitch):

          Moody's    S&P                    Fitch
DBS       Aa1        AA- (stable outlook)   AA-
UOB       Aa1        AA-                    AA-
OCBC      Aa1        AA-                    AA-

DBS is a strategically important financial institution in Singapore
- Designated as a domestic systemically important bank (D-SIB)
- Assessed to have a significant impact on the stability of the financial system and proper functioning of the broader economy

Sources of crisis

DBS (1):
"...incidents such as technology incidents having enterprise-wide impact on essential banking services, natural disasters with wide geographical area impact, safety-at-risk incidents (e.g. terrorism) and other events leading to significant business disruption..."

UOB (2):
"The Group has a business continuity and crisis management programme in place to ensure prompt recovery of critical business functions should there be unforeseen events."

OCBC (3):
"2015 was a challenging year for banks. Financial markets were volatile due to several factors, including slow global economic growth, the collapse in oil prices... increased expectations from regulators on capital, liquidity and compliance requirements."

Source: Company
Notes:
(1) DBS Annual Report 2015, page 101
(2) UOB Annual Report 2015, page 102
(3) OCBC Annual Report 2015, page 62

Q1. Identify major crises the bank should prepare for. Explain.

Applying the PESTLE model for the macro-environment:

Political / Legal
Increase in expected standards from regulators after recent events

BSI: MAS directs BSI Bank to shut down in Singapore
"...serious breaches of anti-money laundering requirements, poor management oversight of the bank's operations, and gross misconduct by some of the bank's staff..."
"MAS' decision to withdraw BSI Bank's status as a merchant bank takes into account the repetitive lapses as well as the 2015 inspection findings."

Source: MAS - News & Publications


Political / Legal
Singapore takes tough stance on financial crime: MAS
"MAS' AML/CFT regime comprises four key elements, namely, strict regulation, rigorous supervision, effective enforcement, and close cross-border co-operation."

Source: Channel NewsAsia - Business


Political / Legal
Consequence of tighter regulations:
- The environment for bankers has been made so suffocating that talented investment bankers are disincentivized.
- High compliance costs, increased capital requirements and disproportionate penalties.

Source: Financial Times


Economic
Financial / liquidity crisis - bank runs
Investopedia: "...when a large number of a bank's or other financial institution's customers withdraw their deposits simultaneously due to concerns about the bank's solvency, the probability of default increases, thereby prompting more people to withdraw their deposits... a bank run is typically the result of panic, rather than a true insolvency on the part of the bank."
High-profile failures:

Source: Investopedia
Economic
Bank run incident at Chung Khiaw Bank, October 1974
Majority shareholder: United Overseas Bank

Source: remembersingapore.org, The Straits Times


Social
Terrorism threat
"Peace and stability is key to our thriving financial services industry. Singapore is a well-established premier financial hub for Asia, offering robust economic and financial fundamentals within a socio-politically stable environment." - Credit Suisse

- Increasing country risk premium (1) / risk-free rate
- Volatile and possibly depreciating SGD
- Capital outflows

Source: Credit Suisse

Notes:
(1) A higher country risk premium will generally increase the required rate of return of investors through a higher cost of equity for equity investors and a larger spread (and cost of debt) for debt investors
Social
Terrorism

Source: The Straits Times


Technology
Susceptible to cyber attacks

Technology
Which leads to:
- Loss of customer data
- Financial loss
- Legal liability
- Loss of trust

PwC survey:
"Of the 175 bosses (of financial institutions) polled by PwC, 79% said they were concerned or extremely concerned about cyber threats affecting their company's growth prospects. This compares to 61% of chief executives across all industries who said they were worried about online attacks."

Source: The Telegraph, PwC

Environment
Natural disasters:
"a major adverse event resulting from natural processes of the Earth; examples include floods, volcanic eruptions, earthquakes, tsunamis, and other geologic processes. A natural disaster can cause loss of life or property damage."
Over the last 30 years, Asia has borne the brunt of natural catastrophe losses, accounting for almost half of the world's estimated economic losses from natural disasters.

Source: Wikipedia, EM-DAT The International Disaster Database

Environment
Are banks affected significantly?
- Majority of business conducted in-person
- Electronic functions run on physical servers / data centers

Source: Wikipedia, EM-DAT The International Disaster Database

Micro-environment - People & Processes
People
Fraudulent misdeeds
E.g. unauthorized or insider trading, misappropriation of funds

"Ex-DBS Bank employee pleads guilty to cheating, forgery"
"A former DBS Bank employee pleaded guilty on Tuesday (Apr 19 2016) to a number of charges for cheating the bank's customers of almost S$690,000. Eng, whose job included selling financial products to the bank's customers, would use their personal particulars and forge their signatures to authorise the transfer of monies to the bank accounts of his former girlfriend, mother and friends."

Source: Channel NewsAsia - Singapore News

Micro-environment - People & Processes
Processes (internal lapses)
- Compliance issues
- Incorrect transaction capture, execution & settlement
All of these can result in massive losses for the bank.

"MAS Takes Supervisory Action Against DBS Bank Ltd For Breakdown of the Bank's Mainframe-Storage Area Network"
"(MAS) has taken supervisory action against DBS Bank Ltd for the service outage of its online and branch banking systems on 5 July 2010 which caused significant inconvenience to the bank's customers. DBS Bank's systems breakdown arose in part from the failure of the bank to put in place a robust technology risk management framework... DBS Bank did not exercise sufficient oversight of the maintenance, functional and operational practices and controls employed by IBM."

Source: Monetary Authority of Singapore - News & Publications

2. Based on publicly available information, what is your assessment of the bank's business continuity and crisis management strategies? Justify.

MAS Business Continuity Management Guidelines - 7 Principles
Primary source of information about DBS's BCM: DBS's risk management annual report (2015)

PRINCIPLE 1: BOARD OF DIRECTORS AND SENIOR MANAGEMENT SHOULD BE RESPONSIBLE FOR THEIR INSTITUTION'S BUSINESS CONTINUITY MANAGEMENT.
Senior management should demonstrate that they have sufficient awareness of the risks, mitigating measures and state of readiness by way of an attestation to the Board of Directors.

The attestation should state clearly the:
- Preparedness of the institution, and
- Extent of alignment with the guidelines that is commensurate with the institution's nature, scale and complexity of business activities
- Residual risk (encouraged to include)

PRINCIPLE 1: BOARD OF DIRECTORS AND SENIOR MANAGEMENT SHOULD BE RESPONSIBLE FOR THEIR INSTITUTION'S BUSINESS CONTINUITY MANAGEMENT

"Senior management provides an attestation to the BRMC on an annual basis including the state of business continuity readiness, extent of alignment to regulatory guidelines and disclosure of residual risks." - DBS Annual Report 2015 pg 101

ASSESSMENT
Complied with this guideline
PRINCIPLE 2: INSTITUTIONS SHOULD EMBED BUSINESS CONTINUITY MANAGEMENT INTO THEIR BUSINESS-AS-USUAL OPERATIONS, INCORPORATING SOUND PRACTICES.

"Units are responsible for the day-to-day management of operational risk in their products, processes, systems and activities in accordance with the various frameworks and policies." - DBS Annual Report 2015 pg 100

PRINCIPLE 2: INSTITUTIONS SHOULD EMBED BUSINESS CONTINUITY MANAGEMENT INTO THEIR BUSINESS-AS-USUAL OPERATIONS, INCORPORATING SOUND PRACTICES.

"A robust crisis management and business continuity management programme is in place within essential business services during unforeseen events. Planning for business resilience includes identification of key business processes via Business Impact Analysis as well as the documentation and maintenance of Business Continuity Plan (BCP)." - DBS Annual Report 2015 pg 100

ASSESSMENT
- Incorporated most of the guidelines.
- Limited information on budget of BCM, succession plans, training programmes
- Should include external parties in their BCM (e.g. IBM, DBS's outsourcing vendor)
PRINCIPLE 3: INSTITUTIONS SHOULD TEST THEIR BUSINESS CONTINUITY PLAN REGULARLY, COMPLETELY, AND MEANINGFULLY.

Exercises are conducted annually, simulating varying scenarios to test the BCPs and crisis management protocol.

ASSESSMENT
Regular intervals (1 year): sufficient

PRINCIPLE 3: INSTITUTIONS SHOULD TEST THEIR BUSINESS CONTINUITY PLAN REGULARLY, COMPLETELY, AND MEANINGFULLY.
"The crisis management structure encompasses an incident management process from the point of incident to crisis declaration and activation of the relevant committees or teams to manage the crisis."
"RMG Operational Risk monitor the effectiveness of operational risk management, assess key operational risk issues with the units to determine the impact across DBS, report key operational risks to relevant senior management and board-level committees with recommendations on appropriate risk mitigation strategies."

ASSESSMENT
All relevant components of the business process tested, and recommendations on the current risk mitigating strategies made
PRINCIPLE 4: INSTITUTIONS SHOULD DEVELOP RECOVERY STRATEGIES AND SET RECOVERY TIME OBJECTIVES FOR CRITICAL BUSINESS FUNCTIONS.

"A bank shall establish a recovery time objective (RTO) of not more than 4 hours for each critical system." - MAS Notice to Banks, Banking Act, Cap 19, 21/6/2013

ASSESSMENT
- Limited information on RTO of DBS
- RTO for each critical business function could differ but should fall within 4 hours
- DBS could also set and assess the ability of outsourcing vendors to meet RTO, RPO
PRINCIPLE 5: INSTITUTIONS SHOULD UNDERSTAND AND APPROPRIATELY MITIGATE INTERDEPENDENCY RISK OF CRITICAL BUSINESS FUNCTIONS.

ASSESSMENT
- Participated in the 21 November 2014 Industry-Wide Business Continuity Exercise (Banking) along with other D-SIBs (domestic systemically important banks) => reduces interdependency risk with other financial institutions
- Should have included outsourcing vendor (IBM) in its BCM and reviewed their ability to meet the service and support criteria set by the bank

PRINCIPLE 6: INSTITUTIONS SHOULD PLAN FOR WIDE-AREA DISRUPTIONS.

"...it would not be appropriate nor practical to standardise on a criteria that defines a zone that could be applied equally across the financial sector."
Planning parameters: geographical concentration of institutions, transactional processing activities, and dependencies on internal or external service providers

ASSESSMENT
- Banks segment their branches into zones based on location and the volume of transactions taking place
- Outage of services in 2010: extension of bank operating hours

PRINCIPLE 7: INSTITUTIONS SHOULD PRACTISE A SEPARATION POLICY TO MITIGATE CONCENTRATION RISK OF CRITICAL BUSINESS FUNCTIONS.
Decentralising the critical business functions in order to mitigate the risk of losing multiple critical business functions from a single-zone disruption

Further guidance: include business continuity measures such as alternate work arrangements, crisis management and communication, and corporate duty of care towards employees

ASSESSMENT
- Separates primary and secondary functions (depositing vs granting loans)
- Server storage in different branches to facilitate data management
- New initiative: inclusion of cloud-based services (Amazon Cloud) for its services (first of which for financial instruments)
Overall assessment
- Has sufficiently complied with the BCM guidelines
- Continuous improvement through new initiatives - cloud services

Areas for improvement:
- Integration of outside vendors into the contingencies
- Better management of the customer-communication process during the crisis itself

3. What measures should the bank take to reduce the likelihood and impact of IT systems failure that can result in a banking service downtime?
- Implement a disaster response & recovery plan
  a) Perform scenario analysis
  b) Establish recovery objectives and Recovery Time Objective (RTO) in accordance with governmental regulations, e.g. MAS Notice 644
  c) Inform customers of downtime ASAP

- Proper implementation of the disaster response plan
  - Include employees from various departments in the design of the response plan
  - Inform staff with regards to their roles in carrying out the response plan
  - Conduct rehearsals on a regular basis (e.g. once every year)
  - Periodic reviews of the disaster response plan and ways to improve it

- Hire an in-house IT support team
  - Greater familiarity with the bank's IT systems
  - Able to resolve IT issues faster
- Systems availability
  - Develop built-in redundancies to ensure that failures in any particular area do not disable the entire network
  - Ensure there are spares/backups to replace failed components
- Regularly conduct maintenance & analysis of IT systems
  - Ensure that IT systems are running properly
  - IT system reviews to identify any potential weaknesses that can be exploited

Cyberattacks

Measures to prevent cyber attacks

Type of measure: Preventive
Measures:
- Work with Internet Service Providers to detect and prevent any DDoS attacks
- Scale up bandwidth to better cope with increased website traffic
Effect: Reduces likelihood

Type of measure: Preventive & Detective
Measures:
- Set up firewalls and configure routers to detect and block unauthorised traffic
Effect: Reduces likelihood and impact

Internal Causes of IT Systems Failure

Measures to prevent internal sabotage of IT systems

Type of measure: Preventive & Detective
Measures:
- Intrusion detection and prevention systems to guard against network intrusion attacks
- Monitoring of activities by staff, especially in critical IT systems
Effect: Reduces likelihood and impact

Type of measure: User Access Management
Measures:
- Restrict employee access to IT functions which are relevant to their work via username & password
Effect: Reduces likelihood

Type of measure: Preventive
Measures:
- Inform staff of IT systems guidelines, e.g. Dos & Don'ts
- Implement penalties on employees who breach said guidelines
Effect: Reduces likelihood

4. Drawing from Marks & Spencer's "The Manchester Experience", discuss how the bank should prepare for, respond to, and manage a similar crisis.

Crisis: Terrorism
Bombing incident at Manchester

4 key learning points from the Manchester Experience

SS540 PDCA Cycle for BCM Implementation

1. Plan - Prepare for
Establish objectives & processes
Business Impact Analysis: identifies the impacts of loss or interruption over time

Elements and strategic objectives:
- People: Management Team to agree the recovery activities to be followed and implement the Recovery Action Plan.
- Press: Conduct sufficient media training for staff to handle a crisis
- Product: Maintain close relationships with dependent institutions and communicate recovery plans with critical stakeholders; learn and adopt industry best practices in BCM
- Premise: Identify and separate critical business functions and assets; salvage efforts at premises and minimize potential losses
2. Do - Prepare for
Implement recovery strategies
Conduct exercises to identify any weaknesses before a disaster takes place

People - recovery strategies
M&S: They counted the staff at the evacuation sites.
- Establish specific roles and responsibilities in managing the crisis, e.g. Management Team to check that all staff are accounted for and safe, etc.
M&S: Ensured that each member sent to the hospital was accompanied by a carer. Management was constantly updated on staff's condition.
- Establish a buddy system to ensure that all staff are responsible for each other's safety
M&S: Small change/phone cards for people to call their families. Gave money for locksmiths.
- Establish a helpline for staff and their families to keep in contact
- Establish an ongoing crisis support team for each branch
- Emergency box containing key documentation and resources, such as cash and medical supplies
2. Do - Prepare for
People - recovery strategies
M&S: Major incident management exercise for its corporate team in London simulating the loss of one Computer Centre
- Hold evacuation drills 4 times a year to simulate different scenarios and damage level assessments to increase crisis preparedness
- Highlight the importance of such drills to the employees
M&S: Had a predetermined secondary evacuation point which staff evacuated to after the first option was unavailable. However, they did not have a third option when the second one was cordoned off.
- Establish contingency evacuation sites in case any venue is inaccessible.

2. Do - Prepare for
Press - recovery strategies
M&S: Media were seeking information about the situation, especially how they were handling people issues. Operations Manager to contact people in charge to add a message to the website.
- Hold press conferences/social media releases after the crisis to assuage stakeholders' negative sentiments and provide prompt updates on the situation.
M&S: Store manager had to undergo media training 3 hours prior to the interview with the Good Morning Britain programme on TV
- Provide regular media training workshops for staff annually to prepare for and handle interviews/media coverage during a crisis, as poorly handled coverage may affect corporate reputation as well

2. Do - Prepare for
Product - recovery strategies
M&S: Diverted calls for the affected stores to the helpline at the customer ordering centre at Warrington
- Alternative telecommunication links at recovery sites with regular testing
- Address customers' queries promptly; find out what services were disrupted.
- Upholds the bank's reputation even during times of crisis
M&S: Required staff to go back to work on the 3rd day of the incident at the nearest store to them to ensure that operations were ongoing.
- Communicate the recovery plan to other branches
- Sharing of staff information between branches
- Clear guidelines for staff relocation and job duties

2. Do - Prepare for
Product - recovery strategies
M&S: Within almost a month, the M&S Chairman announced that they would open 2 sites in Manchester to re-establish their trading position. The quick response gave the opportunity to focus efforts on getting the Manchester team together again.
- Recover operations as quickly as possible and publicise the operational recovery actions
- Retain investors' and customers' confidence
- Ensure robust data-protection IT systems and proper data backup to recover data
- Conduct stringent security monitoring to prevent intrusion of IT systems by hackers, protecting customers' data

2. Do - Prepare for
Premise - recovery strategies
M&S: All the computer equipment had been removed and sent to a specialist for cleaning and recovery of data. The CCTV equipment was recovered and examined.
- Create a clear map of the premises, e.g. location of cash & documents
- Timely recovery of important data and prevention of leakage of confidential information
M&S: Have different branches and warehouses elsewhere so it can still satisfy its delivery orders
- Establish a separation policy for critical assets, systems and functions to minimize concentration risks

3. Check - Respond to
Monitor & measure process and outcomes against policies, objectives and requirements for the products
- Set up a BCM steering committee to oversee BCM efforts, comprising representatives from various business units and headed by a member of Executive Management
- Proper documentation of procedures and reviews from exercises and risk mitigating measures

3. Check - Respond to
Lessons learnt from M&S
- 2 people went missing while moving the staff from one evacuation point to another
  - Staff did not follow instructions or were not prepared well for a crisis situation
  - The evacuation plan may not be clear enough
- The 2nd evacuation point was caught up within the wider police cordon and one was too near to the building
  - 2 evacuation plans are not sufficient
  - Assembly areas not thoroughly assessed, resulting in disruption
- The store manager had to go through a 3-hour training for media interviews
  - Insufficient training prevents timely updates of the situation
  - Results in bad reputation and low confidence among critical stakeholders
- Emergency contact list was not updated
  - M&S does update the contact list frequently
  - Incomplete next-of-kin contact details
4. Act - Manage
Take actions to continually improve process performance
E.g. implement corrective controls to address non-conformity identified in the checking process, i.e. performance evaluation

4. Act - Manage
Improve process performance
- 2 people went missing while moving the staff from one evacuation point to another
  - Divide people into smaller groups & appoint people to do headcounts
  - Buddy system: get people to be responsible for each other
- The 2nd evacuation point was caught up within the wider police cordon and one was too near to the building
  - Predetermine sufficient evacuation points after thorough assessment, e.g. large assembly areas if there is a large volume of people; not too near to bombing sites and staying out of the police cordon
- The store manager had to go through a 3-hour training for media interviews
  - Regular media training workshops to handle interviews during a crisis
  - Should involve all staff, not just the store manager
- Emergency contact list was not updated
  - Make it compulsory for staff to fill in next-of-kin contact details when joining the company
  - Frequent emails to remind staff to update their contact details, with clear guidelines given
4. Act - Manage
Embedding BCM in the organisation culture
- Designing and delivering education and training throughout the organisation
- Develop a BC promotion campaign, e.g. posters, web pages, newsletter
- Run exercises with your key partners
- Awareness-raising activities for staff, e.g. BC as part of the induction process