Discovery – The Next Generation!: Business Context of Risk Presentation to the

Discovery – The Next Generation!: Business Context of Risk. Presentation to the North London Branch, British Computer Society, 19 March, 2008. Dr. Victoria Lemieux, Credit Suisse IT Risk.


Transcript of Discovery – The Next Generation!: Business Context of Risk Presentation to the

Page 1

Discovery – The Next Generation!:
Business Context of Risk

Presentation to the
North London Branch
British Computer Society
19 March, 2008

Dr. Victoria Lemieux
Credit Suisse
IT Risk

Page 2

About Credit Suisse

– Credit Suisse is a leading global bank headquartered in Zurich
– Credit Suisse Group reported income from continuing operations of CHF 8,549 million for the full year 2007
– It is focussed on serving its clients in three business lines: investment banking, private banking and asset management
– Total staff worldwide is 45,000
– Credit Suisse operates in approximately 50 countries globally

Page 3

About IT Risk

Business continuity preparedness, readiness, oversight & crisis resolution
– Develop and implement the tools, framework, capability and testing program to enable successful recovery in the event of a crisis or similar planned outage
– Improved response and reduced impact

Risk advisory, assessment, and oversight
– Leverage techniques such as risk assessments and metrics tracking to assist clients in evaluating risks and developing mitigation strategies based on risk appetite
– Effective and efficient resource allocations

Training and awareness
– Disseminate risk guidelines, build risk awareness, and develop the required behavior across Credit Suisse
– Minimize issues resulting from unknowledgeable staff

Regulatory & audit services
– Assist IT Division in meeting legal, audit and regulatory obligations
– Improved compliance resulting in lower operational costs

IT forensic investigations
– The use of IT investigation and digital forensics methods to investigate data security and integrity issues
– Limit damage to the firm

Risk management methodology, policies, and standards
– Develop & maintain BCM, information security & IT risk policies, standards, methodologies & metrics
– Risk assessment and mitigation

Risk reduction initiatives
– Prioritize, plan, support and execute regional, divisional and global projects for risk avoidance and risk mitigation
– Reduction of risks in the environment

IT environment protection
– Monitor, assess, and respond to attacks on the Credit Suisse infrastructure, prioritizing response by threat level
– Minimize impact from attacks

Page 4

The Legal and Regulatory Landscape

Bank for International Settlements (Basel II)

Financial Services Authority

EBK/Swiss Banking Secrecy

Data Protection Act

International Standards Organisation

Sarbanes Oxley

Federal Financial Institution Examiners Council

Gramm-Leach-Bliley

Patriot Act

Federal Information Security Management Act

California SB1386

Monetary Authority of Singapore

Japanese Financial Services Agency

Page 5

Drivers / Business Benefit

– Reduced legal and regulatory risk exposure
– Reduced costs for retrieval

A Balanced Risk View

Page 6

Drivers / Business Benefit

– Reduced legal and regulatory risk exposure
– Reduced costs for retrieval

£50,000 x ? Cases = millions

Avoidance of regulatory fines

Avoidance of adverse legal rulings

Avoidance of reputational damage

Downside Risks

– Barriers to realising business benefits
» Poor organisation of documents
» Lack of governance
» Lack of context
– Introduction of new risks
» Cross border data access
» Data confidentiality
» Intellectual Property protection

A Balanced Risk View