Saturday, July 09, 2011

ISO 28000: Bankers Exposed to Supply Chain Risk...

The banking institutions of the globe are on high alert. The Operational Risk doctrine is finally getting beyond the historical threats of fraud and rogue traders to the "New Normal" of other significant business disruptions. It's been on the horizon for some time, yet now Basel is finally enhancing the rules that have so far been ignored or given little consideration:

Banks should bolster their defenses against losses caused by rogue traders, client fraud and other so-called operational risks, global regulators said.

The Basel Committee on Banking Supervision endorsed updated principles on how banks should protect themselves from risks not directly linked to lending or market movements, the group said today on its website.

The measures add to beefed up capital and liquidity rules to toughen regulation of banks following the worst financial crisis since the Great Depression. Rogue traders such as Jerome Kerviel at Societe Generale (GLE) SA and Nick Leeson at Barings Plc can also wreak havoc on individual institutions, said Nicolas Veron, a senior fellow at economics research group Bruegel.

“Barings was killed by operational risk, and Societe Generale came very close to a near-death experience in 2008,” Veron said in a phone interview from Brussels.

“Does operational risk generally cause systemic crises? No. But it can have a major impact on individual institutions when things go wrong,” said Veron.

Today’s changes build on rules from 2004 that require lenders to hold reserves against risks including natural disasters, computer hacking, systems failures, theft, fraud and unauthorized trading.

So where is the weakest link in the 63 "Principles for the Sound Management of Operational Risk"? We still think it is this one, number 54 under the Principle of Mitigation and Control:

54. Outsourcing is the use of a third party – either an affiliate within a corporate group or an unaffiliated external entity – to perform activities on behalf of the bank. Outsourcing can involve transaction processing or business processes. While outsourcing can help manage costs, provide expertise, expand product offerings, and improve services, it also introduces risks that management should address. The board and senior management are responsible for understanding the operational risks associated with outsourcing arrangements and ensuring that effective risk management policies and practices are in place to manage the risk in outsourcing activities.

The reason that we believe this to be a single-point-of-failure, is the tremendous number of outsourced services from the critical informations systems infrastructure in the banking industry to the supply chain risk of the major global firms who the banks themselves are investing in for the continued commerce of the world.

One key aspect of this area of Operational Risk has to do with the sense of risk mitigation that usually occurs with the use of a "Service Level Agreement" (SLA) with a vendor or service provider. The General Counsel and the legal team are responsible for the prudent review and drafting of outsourcing contracts. This (SLA) in many cases is never audited or tested to find out how a supplier would respond or behave, during a major incident that impacts their particular area of supply chain operations. This brings us to ISO 28000.

ISO 28000:2007 specifies the requirements for a security management system, including those aspects critical to security assurance of the supply chain. Security management is linked to many other aspects of business management. Aspects include all activities controlled or influenced by organizations that impact on supply chain security. These other aspects should be considered directly, where and when they have an impact on security management, including transporting these goods along the supply chain.

Regardless of the legal documents agreed upon with you and your Tier 1 suppliers, you can bet that they have their own supply chains that you have not done any due diligence on. Can you trust that all of your Tier 1 suppliers have gone down another layer or two to ensure their own survivability for a myriad of operational risks? Adopting an international management system such as ISO 28000, will send you on your way to a more adaptive enterprise and with improved business resilience.

Now the question might be, how many major banks or hedge funds are major investors in companies such as DP World? Are they ISO 28000 certified to be more business resilient at their respective supply chain points of failure?

DP World Cochin has announced that the International Container Transhipment Terminal (ICTT) at Vallarpadam has been certified under the ISO 28000 Standard for Supply Chain Security Management system, and has joined the other DP World terminals in India to be the only container terminal in the country to be certified in port security. Dubai: In 2007, Port operator DP World has raised $3.25 billion in Islamic and conventional bond sales to refinance existing debt and fund its expansion. The company said it exceeded its target of $3 billion for the two bond issues. Barclays Capital, Citi, Deutsche Bank and Lehman Brothers lead managed the two issues, helped by Dubai Islamic Bank for the sukuk. DP World, the world's third largest marine terminal operator, manages 42 terminals in 22 countries. Its investment commitments run into billions of dollars over the next few years in several countries, including India, Turkey, Britain, Senegal, Peru and China. Total capacity at DP World's ports was 48 million TEUs ((twenty-foot equivalent container units) in 2006 and is expected to increase to 84 million TEUs by 2016 when new terminals are built.


So the final analysis on Operational Risk Management in your particular supply chain, may very well be beyond the surface of the Service Level Agreement (SLA). The General Counsel and Legal team would be highly advised to dig deeper than their Tier I suppliers in "Achieving a Defensible Standard of Care." Barclays, Citi and Deutsche should be more confident that DP World is one of a few companies managing their Operational Risks with ISO 28000 at one port. Now your next step, may be to find out whether the precious semiconductors you need to manufacture your companies electronic products are in the hands of the DP World Dubai Port Jebel Ali, Terminal 1 or DP World Cochin.

You should not be alarmed that DP World has a vacancy for the SVP, Global Operations:

VAC2531 - Senior Vice President - Global Operations

Division: Operations
Location: Dubai, U.A.E.
Department: DPW FZE DUBAI PORT INTL - DEP
Closing Date: 11-Jul-2011
About the Role:

This position reports to Executive Vice President and Chief Operations Officer - DP World and the main purpose of the role is to develop, lead and assist in the implementation of DP World's standards in the management of Safety, Environment, Security, Operations and Engineering, in line with DP World business and Container Terminal Strategies.