Improving Operational Risk Management Systems by Formalizing the Basel II Regulation with Goal Models and the ISO/IEC 15504 Approach
André Rifaut and Christophe Feltus
Centre de Recherche Public Henri Tudor, 29, Avenue John F. Kennedy, L-1855 Luxembourg-Kirchberg, Luxembourg
{Andre.Rifaut, Christophe.Feltus}@tudor.lu
http://www.tudor.lu
Abstract. The bankruptcy of financial institutions shows the rapid changes in the risk profiles of financial systems and processes. Although financial institutions have always managed operational risks, the profile of these risks is changing due to increasing international competitive pressure and the evolution of the financial institutions' operational systems, which rely more and more on IT systems. This paper reports the results of the joint research with the CSSF [1] focusing on the formalization of both the Basel II Accord and compliant operational risk management (ORM) system implementations. This formalization uses concepts of the ISO/IEC 15504 process assessment standard and the concepts of strategy and policy. This structure of the model ensures the traceability between the Basel II Accord and compliant ORM system implementations, improves the formal validation of those systems and is more adequate to represent all organizational levels of financial institutions.
1 Introduction
In Luxembourg, the stability of the financial system is at the core of the economic stability of the country. The CSSF [1], which is the official authority for the supervision of financial institutions, has the responsibility to define financial regulations and ensure their fulfillment. This task is not easy because more and more international regulations are introduced, such as the IFRS [2], the Sarbanes-Oxley Act (SoX) [2] and the Basel II Accord [3]. Audit managers, risk managers (including security managers) and compliance managers have developed standards addressing those regulations; for instance, COSO [2], CobiT [2], ITIL [18] and ERM [2] are governance and risk management standards. However, up to now there is nearly no integration between the regulations themselves, nor between those standards. A joint research project with the CSSF aims at defining a method for ensuring a correct implementation of financial systems compliant with the Basel II regulation. The results [20,5] are based on quality methods and techniques, mainly the goal-based models and analyses used in goal-oriented requirements engineering (GORE) [4]. The originality of the work lies in the formalization of the Basel II Accord and of Operational Risk Management (ORM) systems using concepts of the ISO/IEC 15504 process assessment standard [6] and the concepts of strategy and policy. This gives an adequate structure to the models at all organizational levels of financial institutions, ensures the formal traceability between the Basel II Accord and ORM systems, and improves their formal validation.
This paper summarizes and extends the results of the joint research with the CSSF, focusing on the formalization of both the Basel II Accord and compliant ORM system implementations. More information on the research results, the ISO/IEC 15504 standard, the Basel II Accord, and other standards such as ITIL is freely available on the CSSF website [1]. The next section presents the main goals of this research and the preliminary results. Section 3 shows the technique that has been created in the context of the real case study concerning the Basel II Accord regulation and its implementation in financial institutions. The last section summarizes the main results of this project and presents the future work that will be done within the follow-up research projects.
2 The Implementation of ORM Systems Compliant with Basel II
The Basel Committee has defined operational risk as follows: it is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events (§644 in [1]). As such, operational risk encompasses all risks occurring at the operational and technical levels (see Fig. 1), in particular all risks of the IT software engineering processes (risks concerning project management, requirements analysis, design, security, ...). The methods used in IT software engineering (e.g. for safety and security analyses) do not cover the analysis of this very broad scope of risks.
The need for practical techniques is critical in order to help business units' managers efficiently implement the core business processes under their responsibility. Indeed, not only does the Basel II Accord impose constraints on those core financial processes, but other regulations (e.g. SoX, IFRS) also interfere with the same processes. Moreover, each regulation stresses a different but inter-related aspect. For instance, SoX stresses the reporting system, which is also a concern of the ORM of the Basel II Accord. In addition, decisions about ORM system implementation must be made at the strategic, tactical, operational and technical levels. This increases the complexity of modeling and implementing ORM systems, all the more since operational risks exist in every business process, which implies strong relationships between those processes and new ORM systems. Last but not least, those regulations are hard to understand due to their lack of structure and lack of completeness. For instance, the Basel II Accord gives no definition of important concepts such as "ORM system", "loss", "loss event", "expected loss", "unexpected loss", ...
Requirements engineering and goal-oriented methods. The GORE methods can overcome the difficulties presented in the preceding section by formalizing the Basel II Accord and the implementation of ORM systems. These methods can be used to analyze and model systems at all organizational levels, from business models up to architectures [4]. Goal-oriented modeling languages are appropriate for that broad range of models and they support formal analyses. However, in the case of the ORM system, it is difficult to manage all of those large models and complex analyses. Moreover, for validation purposes, it is important to refer to the concepts used in organizations, such as strategic objectives, strategies and plans, key indicators, policies, SLAs, ... Within the Basel II Accord context, additional structuring mechanisms have to be created on top of the usual goal-oriented concepts.
[Fig. 1 (diagram not reproduced): a pyramid with four layers, from top to bottom the strategic, tactical, operational and technical levels. Left side, "standard view of organizational layers": business value, business processes, procedures, and technical artifacts (e.g. in the IT domain: applications, components, ...). Right side, "concepts and artifacts of organizational layers", repeated at every level: objectives (goals), indicators, strategies and policies.]
Fig. 1. The pyramid is used in management methods (e.g. [7]). The lowest 4 artifacts are defined with GORE models [4].
3 Formalizing Basel II and ORM with goal models and the ISO/IEC 15504 approach
The general framework given in Figure 1, represented by the pyramid, is a standard view of the organization [7] used in financial institutions (and other institutions). The four organizational layers [8] (strategic, tactical, operational and technical levels) use concepts adapted to handling decisions at their corresponding abstraction level, mainly (respectively) business value [9], business processes, procedures and technical artifacts [10] such as IT applications in the IT domain.
ISO/IEC 15504 process assessment model. A first part of the structure is given by separating the description of the core activities of the business processes from the activities related to the capabilities of the business process (e.g. planning, work product control, process documentation, performance measurement, performance improvement, ...). As explained in [5], this separation of concerns has proven very useful during the verification and the validation of the goal models. When describing process models with the ISO/IEC 15504 standard, this separation of concerns is imposed. This new standard has been designed to be applicable to any business process and is no longer limited to software engineering processes [20].
Objectives, strategies, policies and indicators. Those concepts (bottom of Figure 1) detail complementary aspects needed for designing business processes, procedures and technical artifacts. They are similar to the organizational concepts needed to structure and formalize the links between the organizational levels [11].
When designing lower-level artifacts from higher-level ones, and when verifying the link between two organizational levels, one has to distinguish between the main objectives to be fulfilled, the strategy describing the approach to fulfill these objectives, and the roles and responsibilities (policies) of the resources that will implement the strategies. Indicators are defined when there is a need for monitoring, control, supervision or measurement of objectives, strategies or policies. Strategies and policies must be complementary and consistent with each other, and they must fulfill the objectives.
Fig. 2. Basel II ORM (left side) partially implemented (right side). Upside-down arrows show that the implementation contributes to each level of ORM.
The formal definition of those 4 concepts uses goal-oriented techniques [4,5]. For the indicators, our work is based on the Goal-Question-Metric method (GQM) [12]. Policies give a description of the roles and responsibilities (in accordance with [13] and policy management [14,15,16]) and allow detailing the authorizations, obligations (and their delegations), accountabilities, and separations of duties. Strategies give a description of the main approach or steps to fulfill given objectives. Our work follows [17], where strategies are integrated with goal-oriented analysis. For the sake of separation of concerns, responsibilities (and related aspects) are not defined in strategies but only in policies. Note that in financial institutions, the description of a policy recalls its related objectives and strategies. This is also sometimes the case for strategies, which give a short description of their corresponding policies (i.e. a description of roles and responsibilities). However, it was found essential to separate those descriptions when designing and analyzing policies and strategies.
For instance, Figure 2 shows the model of the strategic level (top) and of the operational level (bottom). Only objectives are shown for those two levels. In between, at the tactical level, the objectives and indicators of business processes are shown. The left part of the diagram shows the Basel II Accord formalization of ORM. The right part presents a partial ORM system implementation using ITIL [18]. The links between the two models are formally analyzed [5].
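The four concepts (objectives, strategies, policies, indicators) and the link analysis between the two models of Figure 2 can be made concrete with a small consistency checker. The Python code below is an added example, not code from the paper or from the CSSF project: the data structure (Objective, Strategy, Policy, Indicator, and a contributes_to link from implementation objectives to regulation objectives), the four checks and the sample data are all assumptions. The sample puts loss-data objectives on the Basel II side and ITIL-style incident and problem management on the implementation side, and the checks report regulation objectives nothing contributes to (traceability), contribution links pointing at objectives the regulation model does not define, objectives below the strategic level that lack either a strategy (the how) or a policy (the who), and roles that hold both duties of a pair the policy declares as separated.

```python
"""Toy goal model (objectives, strategies, policies, indicators) with the traceability and
consistency checks sketched in the text. Added example; structure, checks and data are assumed."""
from dataclasses import dataclass, field

@dataclass
class Indicator:
    """GQM-style indicator: the question it answers and the metric collected."""
    name: str
    question: str
    metric: str

@dataclass
class Strategy:
    """The approach (ordered steps) chosen to fulfil an objective; holds no roles."""
    name: str
    steps: list

@dataclass
class Policy:
    """Roles and their duties; duty pairs that must never share a role are listed explicitly."""
    name: str
    duties: dict                                           # role -> set of duties
    separated_duties: list = field(default_factory=list)   # [(duty_a, duty_b), ...]

@dataclass
class Objective:
    name: str
    level: str                                             # strategic, tactical, operational, technical
    strategies: list = field(default_factory=list)
    policies: list = field(default_factory=list)
    indicators: list = field(default_factory=list)
    contributes_to: list = field(default_factory=list)     # names of objectives in the other model

def sod_violations(policy):
    """(role, duty_a, duty_b) for every role holding both duties of a separated pair."""
    return [(role, a, b) for role, held in policy.duties.items()
            for a, b in policy.separated_duties if a in held and b in held]

def uncovered_objectives(regulation, implementation):
    """Regulation objectives that no implementation objective contributes to."""
    covered = {t for obj in implementation for t in obj.contributes_to}
    return [obj.name for obj in regulation if obj.name not in covered]

def dangling_contributions(regulation, implementation):
    """Contribution links whose target does not exist in the regulation model."""
    known = {obj.name for obj in regulation}
    return [(obj.name, t) for obj in implementation for t in obj.contributes_to if t not in known]

def incomplete_objectives(model):
    """Below the strategic level an objective needs a strategy (how) and a policy (who)."""
    return [obj.name for obj in model
            if obj.level != "strategic" and (not obj.strategies or not obj.policies)]

def validate(regulation, implementation):
    """Run every check and return the findings keyed by check name."""
    both = regulation + implementation
    return {
        "uncovered": uncovered_objectives(regulation, implementation),
        "dangling": dangling_contributions(regulation, implementation),
        "incomplete": incomplete_objectives(both),
        "sod": [(p.name,) + v for o in both for p in o.policies for v in sod_violations(p)],
    }

# Constructed sample, Basel II side (left of Fig. 2). The risk analyst deliberately holds
# both duties of a separated pair so that the check has something to report.
LOSS_POLICY = Policy(
    "loss event handling",
    duties={"business unit staff": {"record loss event"},
            "risk analyst": {"record loss event", "approve loss classification"},
            "ORM function": {"approve loss classification"}},
    separated_duties=[("record loss event", "approve loss classification")],
)
REGULATION = [
    Objective("Manage operational risk", "strategic"),
    Objective("Collect internal loss data", "tactical",
              strategies=[Strategy("loss data process", ["record", "classify", "approve", "aggregate"])],
              policies=[LOSS_POLICY],
              indicators=[Indicator("capture rate", "Are all loss events captured?",
                                    "events recorded / events found by reconciliation")]),
    Objective("Report losses to senior management", "tactical",
              strategies=[Strategy("quarterly reporting", ["aggregate", "review", "present"])],
              policies=[Policy("reporting", {"ORM function": {"prepare report"}})]),
]
# Constructed sample, partial ITIL-style implementation (right of Fig. 2).
IMPLEMENTATION = [
    Objective("Incident management records IT incidents with loss impact", "operational",
              strategies=[Strategy("incident lifecycle", ["log", "categorise", "close"])],
              policies=[Policy("incident roles", {"service desk": {"log incident"}})],
              contributes_to=["Collect internal loss data"]),
    Objective("Problem management root-causes repeated incidents", "operational",
              strategies=[Strategy("problem lifecycle", ["detect", "analyse", "fix"])],
              contributes_to=["Collect internal loss data", "Reduce operational losses"]),
]

if __name__ == "__main__":
    for check, items in validate(REGULATION, IMPLEMENTATION).items():
        print(check, items)
```

Running the module prints one finding per check: the strategic objective and the reporting objective have no implementation contribution, the problem-management objective points at an objective the regulation model never defines and carries no policy, and the risk analyst role violates the separation of duties declared in the loss event policy. Keeping responsibilities out of Strategy and in Policy only, as the text requires, is what makes the last check possible without parsing free-text strategy steps.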
4 Conclusions and Future Works
Building upon a method that has been defined within the setting of a real case study in financial institutions, the Basel II Accord, new results are presented in this paper aiming at giving a simple but integrated set of concepts (goals, indicators, policies and strategies) which can be used to design financial systems compliant with regulations and to structure their analysis in relationship with the artifacts commonly used in financial institutions: business models, business process models, procedures and more technical artifacts. The formalization of goals, indicators, policies and strategies independently from each other allows analyzing and recording the design decisions across all organizational levels, making the link with the regulation easier. The main advantage of this method is that it keeps the structuring power of the ISO/IEC 15504 capability model, which can be used to discover weaknesses and operational risks in the business process implementation with the method explained in [19]. Based on the same techniques as in [15], a prototype implementation is under development.
The current and future work of the authors focuses on a constructive method aiming at giving effective support for financial business process design (compliant with regulations), establishment, assessment, improvement, governance and benchmarking [5]. In particular, a risk and value analysis method adapted to process assessment, improvement and governance is under development. Some support is also given to other research made by experts in DPM [21]. The aim of those experts is to ground digital policy management in sound non-federated distributed IT systems that enforce policy fulfillment even outside the traditional IS frontier of each institution. Finally, the current project with the CSSF is still in progress, with results that are extended to the IFRS [2] concerning the management of unquoted assets (IFRS-IAS 39) [2]. In addition to modeling this regulation and the systems compliant with it, the relationship between IFRS-IAS 39 and Basel II can be analyzed, and alternative compliant implementations of integrated systems can also be designed.
References
1. CSSF: Commission de Surveillance du Secteur Financier. The first results of the joint project are freely downloadable at http://www.cssf.lu/index.php?id=130
2. IFRS: International Financial Reporting Standards, IASCF, USA. SoX: Sarbanes-Oxley Act of 2002, USA. COSO: Internal Control – Integrated Framework, CSOTC, USA. CobiT: Control Objectives for Information and related Technology, ISACA, USA. ERM: Enterprise Risk Management – Integrated Framework, CSOTC, USA.
3. Basel Committee on Banking Supervision, "International Convergence of Capital Measurement and Capital Standards", BIS, Basel, June 2004.
4. A. van Lamsweerde, "Goal-Oriented Requirements Engineering: A Guided Tour". Invited minitutorial, Proc. RE'01 – International Joint Conference on Requirements Engineering, Toronto, IEEE, August 2001, pp. 249-263.
5. A. Rifaut, "Goal-Driven Requirements Engineering for Supporting the ISO 15504 Assessment Process", EuroSPI 2005, Budapest.
6. ISO/IEC 15504, "Information Technology – Process assessment" (parts 1-5), 2003-2006 (see website [1] for details about this standard).
7. R. N. Anthony, Planning and Control Systems: A Framework for Analysis. Harvard University, Boston, USA, 1965.
8. J. Henderson and N. Venkatraman, "Strategic alignment: Leveraging technology for transforming organizations". IBM Systems Journal, 1999, 38.
9. Osterwalder and Pigneur, An Ontology for e-business models. In "Value Creation from E-Business Models", Wendy Currie (ed.), Butterworth-Heinemann, Apr 2005.
10. W. Robson, Strategic Management and Information Systems, Pitman, 1997.
11. Chaffey et al., Business Information Systems: Technology, Development and Management for the E-business, Prentice Hall, 2005.
12. Van Solingen, "The Goal/Question/Metric Method: A Practical Guide for Quality Improvement of Software Development", McGraw-Hill, Jan. 1999.
13. R. Wies, "Using a Classification of Management Policies for Policy Specification and Policy Transformation". In Proc. ISINM '95, Santa Barbara, California, May 1995.
14. N. Damianou, N. Dulay, E. Lupu and M. Sloman, "The Ponder policy specification language". In M. Sloman (ed.), Proc. of Policy Workshop 2001, Bristol, UK, January 2001.
15. A. Schaad and J. Moffett, "Delegation of obligations". In IEEE Policy Workshop, 2002.
16. Q. He and A. I. Antón, "Deriving Access Control Policies from Requirements Specifications and Database Designs", ICSE 2005.
17. C. Rolland, N. Prakash and A. Benjamen, "A multi-model view of process modelling". Requirements Engineering Journal, pp. 169-187, 1999.
18. ITIL: IT Infrastructure Library – Service Support, Service Delivery, published by OGC, London (see website [1] for details about this standard).
19. A. Rifaut, M. Picard and B. Di Renzo, "ISO/IEC 15504 Process Improvement to Support Basel II Compliance of Operational Risk Management in Financial Institutions", International Conference SPiCE 2006.
20. B. Di Renzo, M. Hillairet, M. Picard, A. Rifaut, C. Bernard, D. Hagen, P. Maar and D. Reinard, "Operational Risk Management in Financial Institutions: Process Assessment in Concordance with Basel II", International Conference SPiCE 2005.
21. J.-H. Morin and M. Pawlak, "Towards a Global Framework for Corporate and Enterprise Digital Policy Management", SoftWars conference, Las Vegas, USA, Dec 11, 2005.
A Model Supporting Business Continuity Auditing And Planning In Information S...
Cynthia King
 
Modern CFO in control with integrated software CPM-GRC
Modern CFO in control with integrated software CPM-GRCModern CFO in control with integrated software CPM-GRC
Modern CFO in control with integrated software CPM-GRC
Mario Halfhide
 
3 2006 06 cs6 4 gait principles v3a
3 2006 06 cs6 4 gait principles v3a3 2006 06 cs6 4 gait principles v3a
3 2006 06 cs6 4 gait principles v3a
Gene Kim
 
Business process compliance
Business process compliance Business process compliance
Business process compliance
Hugo Andrés López
 
SOX ICMS Implmenetation - 2007
SOX ICMS Implmenetation - 2007SOX ICMS Implmenetation - 2007
SOX ICMS Implmenetation - 2007
Slava Gorbunov
 

Similar to Improving operational risk management systems by formalizing the basel ii regulation with goal models and the isoiec 15504 approach (20)

An ontology for requirements analysis of managers’ policies in financial inst...
An ontology for requirements analysis of managers’ policies in financial inst...An ontology for requirements analysis of managers’ policies in financial inst...
An ontology for requirements analysis of managers’ policies in financial inst...
 
An ontology for requirements analysis of managers’ policies in financial inst...
An ontology for requirements analysis of managers’ policies in financial inst...An ontology for requirements analysis of managers’ policies in financial inst...
An ontology for requirements analysis of managers’ policies in financial inst...
 
CISSPills #3.02
CISSPills #3.02CISSPills #3.02
CISSPills #3.02
 
An IT Service Reporting Framework for Effective Implementation of ITIL Contin...
An IT Service Reporting Framework for Effective Implementation of ITIL Contin...An IT Service Reporting Framework for Effective Implementation of ITIL Contin...
An IT Service Reporting Framework for Effective Implementation of ITIL Contin...
 
Sim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access managementSim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access management
 
Governance and risk in information technology.pdf
Governance and risk in information technology.pdfGovernance and risk in information technology.pdf
Governance and risk in information technology.pdf
 
The Room | Innotrain systematization
The Room | Innotrain systematization The Room | Innotrain systematization
The Room | Innotrain systematization
 
ACC 675 Final Project Guidelines and Rubric Overvie.docx
ACC 675 Final Project Guidelines and Rubric  Overvie.docxACC 675 Final Project Guidelines and Rubric  Overvie.docx
ACC 675 Final Project Guidelines and Rubric Overvie.docx
 
Optimizing Business Management Process Workflows: The Dynamic Influence of Mi...
Optimizing Business Management Process Workflows: The Dynamic Influence of Mi...Optimizing Business Management Process Workflows: The Dynamic Influence of Mi...
Optimizing Business Management Process Workflows: The Dynamic Influence of Mi...
 
Be aers-fara-modellinginsolvency-nov2010
Be aers-fara-modellinginsolvency-nov2010Be aers-fara-modellinginsolvency-nov2010
Be aers-fara-modellinginsolvency-nov2010
 
Implementation of a Decision System for a Suitable IT Governance Framework
Implementation of a Decision System for a Suitable IT Governance FrameworkImplementation of a Decision System for a Suitable IT Governance Framework
Implementation of a Decision System for a Suitable IT Governance Framework
 
Chapter 6Information Governance policy developmentDr. Sand.docx
Chapter 6Information Governance policy developmentDr. Sand.docxChapter 6Information Governance policy developmentDr. Sand.docx
Chapter 6Information Governance policy developmentDr. Sand.docx
 
40411923 business-analyst
40411923 business-analyst40411923 business-analyst
40411923 business-analyst
 
Audit rizkie hafizzah
Audit rizkie hafizzahAudit rizkie hafizzah
Audit rizkie hafizzah
 
A Framework For Information Security Risk Management Communication
A Framework For Information Security Risk Management CommunicationA Framework For Information Security Risk Management Communication
A Framework For Information Security Risk Management Communication
 
A Model Supporting Business Continuity Auditing And Planning In Information S...
A Model Supporting Business Continuity Auditing And Planning In Information S...A Model Supporting Business Continuity Auditing And Planning In Information S...
A Model Supporting Business Continuity Auditing And Planning In Information S...
 
Modern CFO in control with integrated software CPM-GRC
Modern CFO in control with integrated software CPM-GRCModern CFO in control with integrated software CPM-GRC
Modern CFO in control with integrated software CPM-GRC
 
3 2006 06 cs6 4 gait principles v3a
3 2006 06 cs6 4 gait principles v3a3 2006 06 cs6 4 gait principles v3a
3 2006 06 cs6 4 gait principles v3a
 
Business process compliance
Business process compliance Business process compliance
Business process compliance
 
SOX ICMS Implmenetation - 2007
SOX ICMS Implmenetation - 2007SOX ICMS Implmenetation - 2007
SOX ICMS Implmenetation - 2007
 

More from Luxembourg Institute of Science and Technology

Smart-X: an Adaptive Multi-Agent Platform for Smart-Topics
Smart-X: an Adaptive Multi-Agent Platform for Smart-TopicsSmart-X: an Adaptive Multi-Agent Platform for Smart-Topics
Smart-X: an Adaptive Multi-Agent Platform for Smart-Topics
Luxembourg Institute of Science and Technology
 
Joint workshop on security modeling archimate forum and security forum
Joint workshop on security modeling archimate forum and security forumJoint workshop on security modeling archimate forum and security forum
Joint workshop on security modeling archimate forum and security forum
Luxembourg Institute of Science and Technology
 
Alignment of remmo with rbac to manage access rights in the frame of enterpri...
Alignment of remmo with rbac to manage access rights in the frame of enterpri...Alignment of remmo with rbac to manage access rights in the frame of enterpri...
Alignment of remmo with rbac to manage access rights in the frame of enterpri...
Luxembourg Institute of Science and Technology
 
Modeling enterprise risk management and secutity with the archi mate language
Modeling enterprise risk management and secutity with the archi mate languageModeling enterprise risk management and secutity with the archi mate language
Modeling enterprise risk management and secutity with the archi mate language
Luxembourg Institute of Science and Technology
 
Aligning access rights to governance needs with the responsibility meta model...
Aligning access rights to governance needs with the responsibility meta model...Aligning access rights to governance needs with the responsibility meta model...
Aligning access rights to governance needs with the responsibility meta model...
Luxembourg Institute of Science and Technology
 
Who govern my responsibilities sim a methodology to align business and it pol...
Who govern my responsibilities sim a methodology to align business and it pol...Who govern my responsibilities sim a methodology to align business and it pol...
Who govern my responsibilities sim a methodology to align business and it pol...
Luxembourg Institute of Science and Technology
 
Towards an innovative systemic approach of risk management
Towards an innovative systemic approach of risk managementTowards an innovative systemic approach of risk management
Towards an innovative systemic approach of risk management
Luxembourg Institute of Science and Technology
 
Towards a hl7 based metamodeling integration approach for embracing the priva...
Towards a hl7 based metamodeling integration approach for embracing the priva...Towards a hl7 based metamodeling integration approach for embracing the priva...
Towards a hl7 based metamodeling integration approach for embracing the priva...
Luxembourg Institute of Science and Technology
 
Solution standard de compensation appliquée à une architecture e business séc...
Solution standard de compensation appliquée à une architecture e business séc...Solution standard de compensation appliquée à une architecture e business séc...
Solution standard de compensation appliquée à une architecture e business séc...
Luxembourg Institute of Science and Technology
 
Strengthening employee’s responsibility to enhance governance of it – cobit r...
Strengthening employee’s responsibility to enhance governance of it – cobit r...Strengthening employee’s responsibility to enhance governance of it – cobit r...
Strengthening employee’s responsibility to enhance governance of it – cobit r...
Luxembourg Institute of Science and Technology
 
Responsibility aspects in service engineering for e government
Responsibility aspects in service engineering for e governmentResponsibility aspects in service engineering for e government
Responsibility aspects in service engineering for e government
Luxembourg Institute of Science and Technology
 
Reputation based dynamic responsibility to agent assignement for critical inf...
Reputation based dynamic responsibility to agent assignement for critical inf...Reputation based dynamic responsibility to agent assignement for critical inf...
Reputation based dynamic responsibility to agent assignement for critical inf...
Luxembourg Institute of Science and Technology
 
Process assessment for use in very small enterprises the noemi assessment met...
Process assessment for use in very small enterprises the noemi assessment met...Process assessment for use in very small enterprises the noemi assessment met...
Process assessment for use in very small enterprises the noemi assessment met...
Luxembourg Institute of Science and Technology
 
Organizational security architecture for critical infrastructure
Organizational security architecture for critical infrastructureOrganizational security architecture for critical infrastructure
Organizational security architecture for critical infrastructure
Luxembourg Institute of Science and Technology
 
Open sst based clearing mechanism for e business
Open sst based clearing mechanism for e businessOpen sst based clearing mechanism for e business
Open sst based clearing mechanism for e business
Luxembourg Institute of Science and Technology
 
On designing automatic reaction strategy for critical infrastructure scada sy...
On designing automatic reaction strategy for critical infrastructure scada sy...On designing automatic reaction strategy for critical infrastructure scada sy...
On designing automatic reaction strategy for critical infrastructure scada sy...
Luxembourg Institute of Science and Technology
 
Noemi, a collaborative management for ict process improvement in sme experien...
Noemi, a collaborative management for ict process improvement in sme experien...Noemi, a collaborative management for ict process improvement in sme experien...
Noemi, a collaborative management for ict process improvement in sme experien...
Luxembourg Institute of Science and Technology
 
Multi agents system service based platform in telecommunication security inci...
Multi agents system service based platform in telecommunication security inci...Multi agents system service based platform in telecommunication security inci...
Multi agents system service based platform in telecommunication security inci...
Luxembourg Institute of Science and Technology
 
Methodology to align business and it policies use case from an it company
Methodology to align business and it policies   use case from an it companyMethodology to align business and it policies   use case from an it company
Methodology to align business and it policies use case from an it company
Luxembourg Institute of Science and Technology
 
Metamodel for reputation based agents system – case study for electrical dist...
Metamodel for reputation based agents system – case study for electrical dist...Metamodel for reputation based agents system – case study for electrical dist...
Metamodel for reputation based agents system – case study for electrical dist...
Luxembourg Institute of Science and Technology
 

More from Luxembourg Institute of Science and Technology (20)

Smart-X: an Adaptive Multi-Agent Platform for Smart-Topics
Smart-X: an Adaptive Multi-Agent Platform for Smart-TopicsSmart-X: an Adaptive Multi-Agent Platform for Smart-Topics
Smart-X: an Adaptive Multi-Agent Platform for Smart-Topics
 
Joint workshop on security modeling archimate forum and security forum
Joint workshop on security modeling archimate forum and security forumJoint workshop on security modeling archimate forum and security forum
Joint workshop on security modeling archimate forum and security forum
 
Alignment of remmo with rbac to manage access rights in the frame of enterpri...
Alignment of remmo with rbac to manage access rights in the frame of enterpri...Alignment of remmo with rbac to manage access rights in the frame of enterpri...
Alignment of remmo with rbac to manage access rights in the frame of enterpri...
 
Modeling enterprise risk management and secutity with the archi mate language
Modeling enterprise risk management and secutity with the archi mate languageModeling enterprise risk management and secutity with the archi mate language
Modeling enterprise risk management and secutity with the archi mate language
 
Aligning access rights to governance needs with the responsibility meta model...
Aligning access rights to governance needs with the responsibility meta model...Aligning access rights to governance needs with the responsibility meta model...
Aligning access rights to governance needs with the responsibility meta model...
 
Who govern my responsibilities sim a methodology to align business and it pol...
Who govern my responsibilities sim a methodology to align business and it pol...Who govern my responsibilities sim a methodology to align business and it pol...
Who govern my responsibilities sim a methodology to align business and it pol...
 
Towards an innovative systemic approach of risk management
Towards an innovative systemic approach of risk managementTowards an innovative systemic approach of risk management
Towards an innovative systemic approach of risk management
 
Towards a hl7 based metamodeling integration approach for embracing the priva...
Towards a hl7 based metamodeling integration approach for embracing the priva...Towards a hl7 based metamodeling integration approach for embracing the priva...
Towards a hl7 based metamodeling integration approach for embracing the priva...
 
Solution standard de compensation appliquée à une architecture e business séc...
Solution standard de compensation appliquée à une architecture e business séc...Solution standard de compensation appliquée à une architecture e business séc...
Solution standard de compensation appliquée à une architecture e business séc...
 
Strengthening employee’s responsibility to enhance governance of it – cobit r...
Strengthening employee’s responsibility to enhance governance of it – cobit r...Strengthening employee’s responsibility to enhance governance of it – cobit r...
Strengthening employee’s responsibility to enhance governance of it – cobit r...
 
Responsibility aspects in service engineering for e government
Responsibility aspects in service engineering for e governmentResponsibility aspects in service engineering for e government
Responsibility aspects in service engineering for e government
 
Reputation based dynamic responsibility to agent assignement for critical inf...
Reputation based dynamic responsibility to agent assignement for critical inf...Reputation based dynamic responsibility to agent assignement for critical inf...
Reputation based dynamic responsibility to agent assignement for critical inf...
 
Process assessment for use in very small enterprises the noemi assessment met...
Process assessment for use in very small enterprises the noemi assessment met...Process assessment for use in very small enterprises the noemi assessment met...
Process assessment for use in very small enterprises the noemi assessment met...
 
Organizational security architecture for critical infrastructure
Organizational security architecture for critical infrastructureOrganizational security architecture for critical infrastructure
Organizational security architecture for critical infrastructure
 
Open sst based clearing mechanism for e business
Open sst based clearing mechanism for e businessOpen sst based clearing mechanism for e business
Open sst based clearing mechanism for e business
 
On designing automatic reaction strategy for critical infrastructure scada sy...
On designing automatic reaction strategy for critical infrastructure scada sy...On designing automatic reaction strategy for critical infrastructure scada sy...
On designing automatic reaction strategy for critical infrastructure scada sy...
 
Noemi, a collaborative management for ict process improvement in sme experien...
Noemi, a collaborative management for ict process improvement in sme experien...Noemi, a collaborative management for ict process improvement in sme experien...
Noemi, a collaborative management for ict process improvement in sme experien...
 
Multi agents system service based platform in telecommunication security inci...
Multi agents system service based platform in telecommunication security inci...Multi agents system service based platform in telecommunication security inci...
Multi agents system service based platform in telecommunication security inci...
 
Methodology to align business and it policies use case from an it company
Methodology to align business and it policies   use case from an it companyMethodology to align business and it policies   use case from an it company
Methodology to align business and it policies use case from an it company
 
Metamodel for reputation based agents system – case study for electrical dist...
Metamodel for reputation based agents system – case study for electrical dist...Metamodel for reputation based agents system – case study for electrical dist...
Metamodel for reputation based agents system – case study for electrical dist...
 

Recently uploaded

gastrointestinal hormonese I 45678633134668097636903278.pptx
gastrointestinal hormonese I 45678633134668097636903278.pptxgastrointestinal hormonese I 45678633134668097636903278.pptx
gastrointestinal hormonese I 45678633134668097636903278.pptx
muralinath2
 
Electrostatic force class 8 ncert. .pptx
Electrostatic force class 8 ncert. .pptxElectrostatic force class 8 ncert. .pptx
Electrostatic force class 8 ncert. .pptx
yokeswarikannan123
 
CONSOLSCI8_Lesson1. presentation for NLC
CONSOLSCI8_Lesson1. presentation for NLCCONSOLSCI8_Lesson1. presentation for NLC
CONSOLSCI8_Lesson1. presentation for NLC
ROLANARIBATO3
 
Summer program introduction in Yunnan university
Summer program introduction in Yunnan universitySummer program introduction in Yunnan university
Summer program introduction in Yunnan university
Hayato Shimabukuro
 
Science grade 09 Lesson1-2 NLC-pptx.pptx
Science grade 09 Lesson1-2 NLC-pptx.pptxScience grade 09 Lesson1-2 NLC-pptx.pptx
Science grade 09 Lesson1-2 NLC-pptx.pptx
JoanaBanasen1
 
GIT hormones- II_12345677809876543235780963.pptx
GIT hormones- II_12345677809876543235780963.pptxGIT hormones- II_12345677809876543235780963.pptx
GIT hormones- II_12345677809876543235780963.pptx
muralinath2
 
Dalghren, Thorne and Stebbins System of Classification of Angiosperms
Dalghren, Thorne and Stebbins System of Classification of AngiospermsDalghren, Thorne and Stebbins System of Classification of Angiosperms
Dalghren, Thorne and Stebbins System of Classification of Angiosperms
Gurjant Singh
 
Transmission Spectroscopy of the Habitable Zone Exoplanet LHS 1140 b with JWS...
Transmission Spectroscopy of the Habitable Zone Exoplanet LHS 1140 b with JWS...Transmission Spectroscopy of the Habitable Zone Exoplanet LHS 1140 b with JWS...
Transmission Spectroscopy of the Habitable Zone Exoplanet LHS 1140 b with JWS...
Sérgio Sacani
 
Bragg Brentano Alignment for D4 with LynxEye Rev3.pptx
Bragg Brentano Alignment for D4 with LynxEye Rev3.pptxBragg Brentano Alignment for D4 with LynxEye Rev3.pptx
Bragg Brentano Alignment for D4 with LynxEye Rev3.pptx
Lisandro Cunci
 
Computer aided biopharmaceutical characterization
Computer aided biopharmaceutical characterizationComputer aided biopharmaceutical characterization
Computer aided biopharmaceutical characterization
souravpaul769171
 
Deploying DAPHNE Computational Intelligence on EuroHPC Vega for Benchmarking ...
Deploying DAPHNE Computational Intelligence on EuroHPC Vega for Benchmarking ...Deploying DAPHNE Computational Intelligence on EuroHPC Vega for Benchmarking ...
Deploying DAPHNE Computational Intelligence on EuroHPC Vega for Benchmarking ...
University of Maribor
 
A slightly oblate dark matter halo revealed by a retrograde precessing Galact...
A slightly oblate dark matter halo revealed by a retrograde precessing Galact...A slightly oblate dark matter halo revealed by a retrograde precessing Galact...
A slightly oblate dark matter halo revealed by a retrograde precessing Galact...
Sérgio Sacani
 
lipids_233455668899076544553879848657.pptx
lipids_233455668899076544553879848657.pptxlipids_233455668899076544553879848657.pptx
lipids_233455668899076544553879848657.pptx
muralinath2
 
Possible Anthropogenic Contributions to the LAMP-observed Surficial Icy Regol...
Possible Anthropogenic Contributions to the LAMP-observed Surficial Icy Regol...Possible Anthropogenic Contributions to the LAMP-observed Surficial Icy Regol...
Possible Anthropogenic Contributions to the LAMP-observed Surficial Icy Regol...
Sérgio Sacani
 
MACRAMÉ-ChiPs: Patchwork Project Family & Sibling Projects (24th Meeting of t...
MACRAMÉ-ChiPs: Patchwork Project Family & Sibling Projects (24th Meeting of t...MACRAMÉ-ChiPs: Patchwork Project Family & Sibling Projects (24th Meeting of t...
MACRAMÉ-ChiPs: Patchwork Project Family & Sibling Projects (24th Meeting of t...
Steffi Friedrichs
 
Electrostatic force class 8 physics .pdf
Electrostatic force class 8 physics .pdfElectrostatic force class 8 physics .pdf
Electrostatic force class 8 physics .pdf
yokeswarikannan123
 
Comparison of RNA Viruses. docx
Comparison of RNA Viruses.          docxComparison of RNA Viruses.          docx
Comparison of RNA Viruses. docx
Dr Sumitha Jagadibabu
 
poikilocytosis 23765437865210857453257844.pptx
poikilocytosis 23765437865210857453257844.pptxpoikilocytosis 23765437865210857453257844.pptx
poikilocytosis 23765437865210857453257844.pptx
muralinath2
 
ScieNCE grade 08 Lesson 1 and 2 NLC.pptx
ScieNCE grade 08 Lesson 1 and 2 NLC.pptxScieNCE grade 08 Lesson 1 and 2 NLC.pptx
ScieNCE grade 08 Lesson 1 and 2 NLC.pptx
JoanaBanasen1
 
SCIENTIFIC INVESTIGATIONS – THE IMPORTANCE OF FAIR TESTING.pptx
SCIENTIFIC INVESTIGATIONS – THE IMPORTANCE OF FAIR TESTING.pptxSCIENTIFIC INVESTIGATIONS – THE IMPORTANCE OF FAIR TESTING.pptx
SCIENTIFIC INVESTIGATIONS – THE IMPORTANCE OF FAIR TESTING.pptx
JoanaBanasen1
 

Recently uploaded (20)

gastrointestinal hormonese I 45678633134668097636903278.pptx
gastrointestinal hormonese I 45678633134668097636903278.pptxgastrointestinal hormonese I 45678633134668097636903278.pptx
gastrointestinal hormonese I 45678633134668097636903278.pptx
 
Electrostatic force class 8 ncert. .pptx
Electrostatic force class 8 ncert. .pptxElectrostatic force class 8 ncert. .pptx
Electrostatic force class 8 ncert. .pptx
 
CONSOLSCI8_Lesson1. presentation for NLC
CONSOLSCI8_Lesson1. presentation for NLCCONSOLSCI8_Lesson1. presentation for NLC
CONSOLSCI8_Lesson1. presentation for NLC
 
Summer program introduction in Yunnan university
Summer program introduction in Yunnan universitySummer program introduction in Yunnan university
Summer program introduction in Yunnan university
 
Science grade 09 Lesson1-2 NLC-pptx.pptx
Science grade 09 Lesson1-2 NLC-pptx.pptxScience grade 09 Lesson1-2 NLC-pptx.pptx
Science grade 09 Lesson1-2 NLC-pptx.pptx
 
GIT hormones- II_12345677809876543235780963.pptx
GIT hormones- II_12345677809876543235780963.pptxGIT hormones- II_12345677809876543235780963.pptx
GIT hormones- II_12345677809876543235780963.pptx
 
Dalghren, Thorne and Stebbins System of Classification of Angiosperms
Dalghren, Thorne and Stebbins System of Classification of AngiospermsDalghren, Thorne and Stebbins System of Classification of Angiosperms
Dalghren, Thorne and Stebbins System of Classification of Angiosperms
 
Transmission Spectroscopy of the Habitable Zone Exoplanet LHS 1140 b with JWS...
Transmission Spectroscopy of the Habitable Zone Exoplanet LHS 1140 b with JWS...Transmission Spectroscopy of the Habitable Zone Exoplanet LHS 1140 b with JWS...
Transmission Spectroscopy of the Habitable Zone Exoplanet LHS 1140 b with JWS...
 
Bragg Brentano Alignment for D4 with LynxEye Rev3.pptx
Bragg Brentano Alignment for D4 with LynxEye Rev3.pptxBragg Brentano Alignment for D4 with LynxEye Rev3.pptx
Bragg Brentano Alignment for D4 with LynxEye Rev3.pptx
 
Computer aided biopharmaceutical characterization
Computer aided biopharmaceutical characterizationComputer aided biopharmaceutical characterization
Computer aided biopharmaceutical characterization
 
Deploying DAPHNE Computational Intelligence on EuroHPC Vega for Benchmarking ...
Deploying DAPHNE Computational Intelligence on EuroHPC Vega for Benchmarking ...Deploying DAPHNE Computational Intelligence on EuroHPC Vega for Benchmarking ...
Deploying DAPHNE Computational Intelligence on EuroHPC Vega for Benchmarking ...
 
A slightly oblate dark matter halo revealed by a retrograde precessing Galact...
A slightly oblate dark matter halo revealed by a retrograde precessing Galact...A slightly oblate dark matter halo revealed by a retrograde precessing Galact...
A slightly oblate dark matter halo revealed by a retrograde precessing Galact...
 
lipids_233455668899076544553879848657.pptx
lipids_233455668899076544553879848657.pptxlipids_233455668899076544553879848657.pptx
lipids_233455668899076544553879848657.pptx
 
Possible Anthropogenic Contributions to the LAMP-observed Surficial Icy Regol...
Possible Anthropogenic Contributions to the LAMP-observed Surficial Icy Regol...Possible Anthropogenic Contributions to the LAMP-observed Surficial Icy Regol...
Possible Anthropogenic Contributions to the LAMP-observed Surficial Icy Regol...
 
MACRAMÉ-ChiPs: Patchwork Project Family & Sibling Projects (24th Meeting of t...
MACRAMÉ-ChiPs: Patchwork Project Family & Sibling Projects (24th Meeting of t...MACRAMÉ-ChiPs: Patchwork Project Family & Sibling Projects (24th Meeting of t...
MACRAMÉ-ChiPs: Patchwork Project Family & Sibling Projects (24th Meeting of t...
 
Electrostatic force class 8 physics .pdf
Electrostatic force class 8 physics .pdfElectrostatic force class 8 physics .pdf
Electrostatic force class 8 physics .pdf
 
Comparison of RNA Viruses. docx
Comparison of RNA Viruses.          docxComparison of RNA Viruses.          docx
Comparison of RNA Viruses. docx
 
poikilocytosis 23765437865210857453257844.pptx
poikilocytosis 23765437865210857453257844.pptxpoikilocytosis 23765437865210857453257844.pptx
poikilocytosis 23765437865210857453257844.pptx
 
ScieNCE grade 08 Lesson 1 and 2 NLC.pptx
ScieNCE grade 08 Lesson 1 and 2 NLC.pptxScieNCE grade 08 Lesson 1 and 2 NLC.pptx
ScieNCE grade 08 Lesson 1 and 2 NLC.pptx
 
SCIENTIFIC INVESTIGATIONS – THE IMPORTANCE OF FAIR TESTING.pptx
SCIENTIFIC INVESTIGATIONS – THE IMPORTANCE OF FAIR TESTING.pptxSCIENTIFIC INVESTIGATIONS – THE IMPORTANCE OF FAIR TESTING.pptx
SCIENTIFIC INVESTIGATIONS – THE IMPORTANCE OF FAIR TESTING.pptx
 

Improving operational risk management systems by formalizing the basel ii regulation with goal models and the isoiec 15504 approach

For instance, COSO [2], CobiT [2], ITIL [18] and ERM [2] are governance and risk management standards. However, up to now there is nearly no integration between the regulations themselves, nor between those standards. A joint research project with the CSSF aims at defining a method for ensuring a correct implementation of financial systems compliant with the Basel II regulation. The results [20,5] are based on quality methods and techniques, mainly the goal-based models and analyses used in goal-oriented requirements engineering (GORE) [4]. The originality of the work lies in the formalization of the Basel II Accord and of Operational Risk Management (ORM) systems by using concepts of the ISO/IEC 15504 process assessment standard [6] together with the concepts of strategy and policy. This gives an adequate structure of the models at all organizational levels of financial institutions, ensures the formal traceability between the Basel II Accord and ORM systems, and improves their formal validation.

Page 1 of 7

This paper summarizes and extends the results of the joint research with the CSSF, focusing on the formalization of both the Basel II Accord and compliant ORM systems implementations. More information on the research results, the ISO/IEC 15504 standard, the Basel II Accord, and other standards such as ITIL is freely available on the CSSF website [1]. The next section presents the main goals of this research and the preliminary results. Section 3 shows the technique that has been created in the context of the real case study concerning the Basel II Accord regulation and its implementation in financial institutions. The last section summarizes the main results of this project and presents the future work that will be done within the follow-up research projects.

2 The Implementation of ORM Systems Compliant with Basel II

The Basel Committee has defined operational risk as follows: it is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events (§644 in [1]). As such, operational risk encompasses all risks occurring at the operational and technical levels (see Fig. 1), in particular all risks of the IT software engineering processes (risks that concern project management, requirements analysis, design, security, ...). The methods used in IT software engineering (e.g. for safety and security analyses) do not cover the analysis of this very broad scope of risks.

The need for practical techniques is critical in order to help business units' managers to efficiently implement the core business processes that are under their responsibility. Indeed, not only is the Basel II Accord imposing constraints on those core financial processes, but the other regulations (e.g. SoX, IFRS) are also interfering with the same processes.
Moreover, each regulation stresses the importance of a different but inter-related aspect. For instance, SoX stresses the importance of the reporting system, which is also a concern of the ORM of the Basel II Accord. In addition, decisions about ORM system implementation must be made at the strategic, tactical, operational and technical levels. This increases the complexity of modeling and implementing ORM systems, taking into account also that operational risks exist in every business process, which implies strong relationships between those processes and new ORM systems. Last but not least, those regulations are hard to understand due to their lack of structure and lack of completeness. For instance, in the Basel II Accord there is no definition of important concepts such as “ORM system”, “loss”, “loss event”, “expected loss”, “unexpected loss”, ...
Requirements engineering and goal-oriented methods. The GORE methods can overcome the difficulties presented in the preceding section by formalizing the Basel II Accord and the implementation of ORM systems. These methods can be used to analyze and model systems at all organizational levels, from business models up to architectures [4]. Goal-oriented modeling languages are appropriate for that broad range of models and they support formal analyses. However, in the case of the ORM system, it is difficult to manage all of those large models and complex analyses. Moreover, for validation purposes, it is important to refer to the concepts used in organizations, such as strategic objectives, strategies and plans, key indicators, policies, SLAs, ... Within the Basel II Accord context, additional structuring mechanisms have to be created on top of the usual goal-oriented concepts.

[Fig. 1 diagram: a pyramid of the four organizational layers (strategic, tactical, operational, technical). Left column, "Standard view of organizational layers": business value, business processes, procedures, and technical artifacts (e.g. in the IT domain: applications, components, ...). Right column, "Concepts and artifacts of organizational layers": objectives (goals), indicators, strategies and policies at each level.]

Fig. 1. The pyramid is used in management methods (e.g. [7]). The lowest 4 artifacts are defined with GORE models [4].

3 Formalizing Basel II and ORM with goal models and the ISO/IEC 15504 approach

The general framework given in Figure 1, represented by the pyramid, is a standard view of the organization [7] used in financial institutions (and other institutions). The four organizational layers [8] – strategic, tactical, operational and technical levels – use concepts adapted to handle decisions at their corresponding abstraction level, which are mainly (respectively) business value [9], business processes, procedures and technical artifacts [10] such as IT applications in the IT domain.
ISO/IEC 15504 process assessment model. A first part of the structure is given by separating the description of the core activities of the business processes from the activities related to the capabilities of the business process (e.g. planning, work product control, process documentation, performance measurement, performance improvement, ...). As explained in [5], this separation of concerns has proven to be very useful during the verification and the validation of the goal models. When describing process models with the ISO/IEC 15504 standard, this separation of concerns is imposed. This new standard has been designed to be applicable to any business process and is no longer limited to software engineering processes [20].

Objectives, strategies, policies and indicators. Those concepts (bottom of Figure 1) detail complementary aspects needed for designing business processes, procedures and technical artifacts. They are similar to the organizational concepts needed in order to structure and formalize the links between each of the organizational levels [11]. When designing lower-level artifacts from higher-level ones, and when verifying the link between two organizational levels, one has to distinguish between the main objectives to be fulfilled, the strategy describing the approach to fulfill these objectives, and the roles and responsibilities (policies) of the resources that will implement the strategies. Indicators are defined when there is a need for some monitoring, control, supervision or measurement concerning objectives, strategies or policies. Strategies and policies must be complementary and consistent with each other, and they must fulfill the objectives.
Fig. 2. Basel II ORM (left side) partially implemented (right side). Upside-down arrows show that the implementation contributes to each level of ORM.

The formal definition of those 4 concepts uses goal-oriented techniques [4,5]. For the indicators, our work is based on the Goal-Question-Metric method (GQM) [12]. Policies give a description of the roles and responsibilities (in accordance with [13] and policy management [14,15,16]) and allow detailing the authorizations, obligations (and their delegations), accountabilities, and separations of duties. Strategies give a description of the main approach or steps to fulfill given objectives. Our work follows [17], where strategies are integrated with goal-oriented analysis. For the sake of separation of concerns, responsibilities (and related aspects) are not defined in strategies but only in policies. Note that in financial institutions, the description of a policy recalls its related objectives and strategies. This is also sometimes the case for strategies, which give a short description of their corresponding policies (i.e. a description of roles and responsibilities). However, it is found essential to separate those descriptions when designing and analyzing those policies and strategies. For instance, in Figure 2, the diagram shows the model of the strategic level (topmost) and of the operational level (bottom). Only objectives are shown for those two levels. In between, at the tactical level, the objectives and indicators of business processes are shown. The left part of the diagram shows the Basel II Accord formalization of ORM. The right part presents a partial ORM system implementation using ITIL [18]. The links between the two models are formally analyzed [5].
4 Conclusions and Future Work

Building upon a method that has been defined within the setting of a real-case study in financial institutions, the Basel II Accord, new results are presented in this paper aiming at giving a simple but integrated set of concepts – goals, indicators, policies and strategies – which can be used to design financial systems compliant with regulations and to structure their analysis in relation to the artifacts commonly used in financial institutions – business models, business process models, procedures and more technical artifacts. The formalization of goals, indicators, policies and strategies independently from each other allows analyzing and recording the design decisions across all organizational levels, making the link with the regulation easier. The main advantage of this method is that it keeps the structuring power of the ISO/IEC 15504 capability model, which can be used to discover weaknesses and operational risks in the business process implementation with the method explained in [19]. Based on the same techniques as in [15], a prototype implementation is under development.

The current and future work of the authors focuses on a constructive method aiming at giving effective support for financial business process design (compliant with regulations), establishment, assessment, improvement, governance and benchmarking [5]. In particular, a risk and value analysis method adapted to process assessment, improvement and governance is under development. Some support is also given to another research effort made by experts in DPM [21]. The aim of those experts is to ground digital policy management in sound non-federated distributed IT systems that enforce policy fulfillment even outside the traditional IS frontier of each institution. Finally, the current project with the CSSF is still in progress, with results that are extended to the IFRS [2] concerning the management of unquoted assets (IFRS-IAS39) [2].
In addition to modeling this regulation and the systems compliant with it, the relationship between IFRS-IAS 39 and Basel II can be analyzed, and alternative compliant implementations of integrated systems can also be designed.

References

1. CSSF: Commission de Surveillance du Secteur Financier. The first results of the joint project are freely downloadable at http://www.cssf.lu/index.php?id=130.
2. IFRS: International Financial Reporting Standards, IASCF, USA. SoX: Sarbanes-Oxley Act of 2002, USA. COSO: Internal Control – Integrated Framework, CSOTC, USA. CobiT®: Control Objectives for Information and related Technology, ISACA, USA. ERM: Enterprise Risk Management – Integrated Framework, CSOTC, USA.
3. Basel Committee on Banking Supervision, “International Convergence of Capital Measurement and Capital Standards”, BIS, Basel, June 2004.
4. A. van Lamsweerde, “Goal-Oriented Requirements Engineering: A Guided Tour”. Invited minitutorial, Proc. RE'01 – International Joint Conference on Requirements Engineering, Toronto, IEEE, August 2001, pp. 249-263.
5. A. Rifaut, “Goal-Driven Requirements Engineering for Supporting the ISO 15504 Assessment Process”, EuroSPI 2005, Budapest.
6. ISO/IEC 15504, “Information Technology – Process assessment” (parts 1-5), 2003-2006 (see website [1] for details about this standard).
7. R. N. Anthony, Planning and Control Systems: A Framework for Analysis. Harvard University, Boston, USA, 1965.
8. J. Henderson and N. Venkatraman, “Strategic alignment: Leveraging technology for transforming organizations”. IBM Systems Journal, 38, 1999.
9. Osterwalder and Pigneur, “An Ontology for e-business models”. In “Value Creation from E-Business Models”, Wendy Currie (ed.), Butterworth-Heinemann, Apr 2005.
10. W. Robson, Strategic Management and Information Systems, Pitman, 1997.
11. Chaffey et al., Business Information Systems: Technology, Development and Management for the E-business, Prentice Hall, 2005.
12. Van Solingen, “The Goal/Question/Metric Method: A Practical Guide For Quality Improvement of Software Development”, McGraw-Hill, Jan. 1999.
13. R. Wies, “Using a Classification of Management Policies for Policy Specification and Policy Transformation”. In Proc. ISINM '95, Santa Barbara, California, May 1995.
14. N. Damianou, N. Dulay, E. Lupu, and M. Sloman, “The Ponder policy specification language”. In M. Sloman (ed.), Proc. of Policy Workshop 2001, Bristol, UK, January 2001.
15. A. Schaad and J. Moffett, “Delegation of obligations”. In IEEE Policy Workshop, 2002.
16. Q. He and A. I. Antón, “Deriving Access Control Policies from Requirements Specifications and Database Designs”, ICSE 2005.
17. C. Rolland, N. Prakash, A. Benjamen, “A multi-model view of process modelling”. Requirements Engineering Journal, pp. 169-187, 1999.
18. ITIL: IT Infrastructure Library – Service Support, Service Delivery, published by OGC, London (see website [1] for details about this standard).
19. A. Rifaut, M. Picard and B. Di Renzo, “ISO/IEC 15504 Process Improvement to Support Basel II Compliance of Operational Risk Management in Financial Institutions”, International Conference SPICE 2006.
20. B. Di Renzo, M. Hillairet, M. Picard, A. Rifaut, C. Bernard, D. Hagen, P. Maar, D. Reinard, “Operational Risk Management in Financial Institutions: Process Assessment in Concordance with Basel II”, International Conference SPICE 2005.
21. J.-H. Morin and M. Pawlak, “Towards a Global Framework for Corporate and Enterprise Digital Policy Management”, SoftWars conference, Las Vegas, USA, Dec 11, 2005.