John Sherwood, MSc, CEng, FBCS, CMC, CISSP
Director, Operational Risk and Compliance Management, idRisk Limited
John has been active in operational risk management for more than a decade. He has extensive knowledge and experience of the development and application of risk assessment methodologies, having assisted two major banks (Barclays and Deutsche) in developing their in-house methodologies for assessing and prioritising operational risks in support of risk management decision-making. He has worked on numerous risk management assignments on behalf of clients in a number of industry sectors, frequently working with clients at senior management level and influencing corporate strategy.
As the Chief Architect of the SABSA® methodology (Sherwood Applied Business Security Architecture), he has worked on several major enterprise security architecture programmes, including the development of the SWIFTNet architecture for international payments. John leads the development of the idRisk market offerings in the operational risk space; in particular having presented and published widely on the issues surrounding the implementation of Basel II. (A white paper is available on this topic). John is also a visiting lecturer and external examiner at Royal Holloway College, University of London, and has published and lectured extensively around the world on a broad range of topics in the information security and risk management domains.
SABSA® methodology recently included in ISACA body of knowledge.
Basel II and Solvency II - Obligation or Choice?
The Basel II accord is being incorporated into banking regulations in all EU Member States under the Capital Requirements Directive of September 2005 (CRD), with implementation taking place over the current 12-month period. By the end of the decade Solvency II will bring similar regulations to the European insurance industry, by which time both banks and insurers will be required to maintain minimum regulatory capital to hedge against unexpected losses arising from their portfolio of risks. That's the obligation, but there's still a choice as to whether or not the regulatory minimum is sufficient prudential provision of economic capital to match the risk appetite of the firm. This session will begin by examining the role of financial regulations in protecting economic development and will go on to explain the concept of economic capital, the regulatory minimums and the factors affecting the choice of economic capital adequacy for a financial services firm. It will also explain the requirements for sound risk governance and management practices and for market transparency, so as to create stakeholder confidence in the financial markets.
Measuring Security: What a Device!
With the prospect of ISO 27004 being developed on the subject of how to measure security, it is timely for us to look at what that standard will need to address. This presentation also describes the part of the SABSA methodology that already offers a way forward, using a technique called Business Attribute Profiling. This method is used to determine business objectives, select measurement approaches for each (both quantitative and qualitative), set performance targets, assess the risks of underperforming against those targets and monitor ongoing performance against the targets. The performance targets are effectively key risk indicators linked into risk appetite.