Operational risks are of three main types. (1) Volume forecasts (2) Management information systems (3) Outsourcing. One of the biggest challenges that banks have encountered is to forecast the number of customers they will gain accurately. Many banks going on-line have significantly misjudged volumes. When a bank has inadequate systems to cope with demand it may suffer reputational and financial damage, and even compromises in security if extra systems that are inadequately configured or tested are brought on-line to deal with the capacity problems.
To resolve this problem banks requires extensive market researches, impartial advertising campaigns, well defined business plan and systems with adequate scalability and capacity. HSBC has a sound mechanism of keeping track of volume of its customers. ARPU (average revenue per user) of HSBC is used as forecast in many reports related to finance. Through ARPU analysis HSBC can easily calculate the generated revenue and volume of customers. Highly professional information management systems are prime demands of e-banking. It is monitoring of e-services that focus over the needs to establish or configure new systems.
The result of neglected information system can lead to insignificant, meaningless and unclear information generation. Banks should be encouraged to ensure that management have all the information that they require in a format that they understand and that does not cloud the key information with superfluous details. Certain banks offering e-banking services outsource related business functions, e. g. security, either for reasons of cost reduction or, as is often the case in this field, because they do not have the relevant expertise within their build environment.
Outsourcing a significant function can create material risks by potentially reducing a bank’s control over that function. Outsourcing is of course neither new nor insurmountable but banks should care that passing on security to a third party does not reduce risk but it shifts the responsibility of risk to the third party. It has been announced by HSBC that 72 roles in its Finance section are to be sent overseas and would result in reduction of cost and increase in profit up to ? 6. 7 billion (Amicus, 2006). This is a major surprise in corporate world especially after the fraud scandal of HSBC call centre in India.
However HSBC claims that all HSBC businesses and major functions are reviewed for their control procedures and regular reports are made about any losses arising from operational risks. Contrary to that, it says that all these procedures are to manage risk not to eliminate them and HSBC reserves rights to fight these obligations under the “Handbook of Rules and Guidance” issued by the Financial Services Authority, HSBC’s regulator (HSBC – Internal controls, 2006). SECURITY RISKS Security risks are major concern of banks and customers.
E-banking increases security risks, potentially exposing previously isolated systems to open and risky environments. Banks need to be proactive in monitoring and managing the security threat. Security breaches essentially fall into three categories; breaches with serious criminal intent (e. g. fraud, theft of commercially sensitive or financial information i. e. , Phising, Man-in-the-middle attacks), breaches by casual hackers (e. g. defacement of web sites or denial of service attacks – causing web sites to crash), and flaws in systems design and/or set up leading to security breaches.
All of these threats have potentially serious financial, legal and reputational implications. HSBC has provided sufficient security measures to customers. HSBC provides VASCO’s Digipass device to its customers for secure connection between bank and customers. HSBC also provide encrypted information between users and bank, three random digits that are sent as code between user and bank. Web portal of HSBC is time locked out which means the customer needs re-login after every eight minutes of inactivity (HSBC User Guide, 2006) (VASCO, 2006).
However, there are some contradictory news that were received on August 03, 2006 and sent shock wave for call centres and customers. The fraud at HSBC customer call centre in India cause a loss of ? 230,000. It is being said that the over board HSBC transactions, lack security of provisions and protection of data due to being offshore to countries that do not meet the technology demands required by HSBC (AMICUS, 2006). REPUTATIONAL RISKS It is a ground reality that on internet being so easy and fast; new do not reside on desks today.
It spreads with in short span of time. So there is a heightened reputational risk for banks using e-banking. Internet rumours can easily become self-fulfilling prophecies. The speed of the Internet considerably cuts the optimal response times for both banks and regulators to any incident. Banks must ensure their crisis management, particularly PR, processes are able to cope with Internet related incidents (whether they be real or hoaxes). Reputational risk is not just limited to one portal at internet, other businesses also affect yours.
There is a possibility that one rogue e-bank may cause serious set backs to all e-bank providing services via Internet. Another such reputational risks are mishandling of data and mis-selling. Banks need to be sure that customer’ rights and information needs are adequately safeguarded and provided for. At HSBC, Reputational risks, including environmental risk matters, are considered and assessed by the Board, the Group Management Board, subsidiary company boards, board committees and/or senior management during the formulation of policy and the establishment of HSBC standards (HSBC – operational and reputational risks, 2006).
These policies are communicated through manuals and statement policies and are disseminate through training and internal communications (publications, meetings, manuals etc). These policies cover reputational issues like money laundering, preclusion, environmental impact, anti-corruption measures and employee relations. HSBC considers risk management as its corporate social responsibility and keep it documented for its legal proof of implementing them.