Standards and Regulations
Impact of standards and regulations on operational risk
Whether new or long-standing, regulations (often adopted in the wake of high-profile cases) have required companies to apply the IAS/IFRS standards since 2005.
However, not every company has yet implemented an authorisation management system that ensures compliance and supports governance.
New technologies and the tools related to them can help to integrate these new standards, particularly when it comes to consolidating accounts.
To approve accounts, companies must be able to demonstrate that, at any given point, they know "Who has permission for what? How and why?".
Below are some of the standards and regulations currently in force:
- Basel 3
Pillar 2 of this regulation is highly prescriptive and sets out new governance requirements:
Internal governance aims at ensuring that an institution's management body (both
the supervisory and management function) is explicitly and transparently responsible
for its business strategy, organisation and internal control.
Operational risk is also defined by the Basel Committee as "the risk of loss resulting
from inadequate or failed internal processes, people and systems or from external
events".
This definition means that the risk of loss can come from:
- a failure of the information system in which an employee, or any other person in the financial
institution, works,
- internal fraud, whether arising from a mistake, from a lapse or from deliberate deception.
- ISO 27001
As the information system security manager, you vouch for the quality of the data:
their integrity, their origin and their usability. This standard provides a structured
approach to that responsibility.
- French law LSF
The French « Loi de Sécurité Financière », also called Loi Mer, has applied since
1 January 2003 to all corporations (or limited partnership companies) that make
public offerings.
Like the Sarbanes-Oxley Act, the « Loi de Sécurité Financière » mainly concerns:
- the growing responsibilities of executives and directors,
- the strengthening of internal controls,
- the reduction of sources of conflicts of interest.
So far, the Sarbanes-Oxley Act applies to financial risks. The LSF goes further
by requiring a report on internal controls applying at all levels of the company, including the
security of the information system.
- PCI DSS
PCI DSS (Payment Card Industry Data Security Standard) is a security standard
aimed at businesses that store, process or transmit payment card data.
To protect such data against hacking and fraud, PCI DSS prescribes a set
of control points (around 900, both technical and organisational) grouped under 12
requirements, with which companies handling card data must comply, as verified by certification
audits.
- Solvency 2
Following Basel III, Solvency II is the new regulation for insurance firms
operating in Europe.
Internal controls and governance play a major role: any kind of human failure must
be detected and handled, and access controls to the information system must be
strengthened.
- SOX
Any company, American or not, listed on the New York Stock Exchange has been subject, since 31 July
2002, to new legal requirements and financial transparency obligations.
Chairmen, CEOs and CFOs must personally certify the accounts and
appoint independent directors. Different elements have to be checked:
- in the general organisation: the information systems that support business
monitoring, financial reporting and the security of data processing,
- in the organisation of the finance department: the process for identifying and
managing the risks tied to the activity and to the financial reporting process,
- the way documents are processed and generated.
In other words, the human factor has to be audited constantly; checkpoints must
be automated, rules and procedures defined, and risks managed.
Against this backdrop, Kleverware offers innovative, flexible solutions that help operational staff and security managers carry out duties that are rarely simple,
often tedious, and that require an overview of authorisations.