Putting security at board level helps Bendigo Adelaide Bank smooth its risk-management overhaul

High-level representation of IT and information-security interests helped smooth the delivery of a major data-consolidation project that has revolutionised daily analytics and risk management of more than 4 million customer records for Bendigo and Adelaide Bank (BAB).

Priorities during the global financial crisis had put credit risk data-consolidation efforts on hold after the merger of the previous Bendigo Bank and Adelaide Bank in November 2007. It took several years before the merged organisations were ready to revisit shelved credit risk data consolidation projects, with data analytics positioned as a key capability.

The bank's overriding goal was to enable a shift from the Basel II-compliant standardised approach of risk management (including credit risk, operational risk and interest rate risk) to the more complex advanced measurement approach (AMA).

“Our ability as we grow to be able to harness the information, turning raw data into information – and using that for decision making purposes and management of risk at a more portfolio and group level – is fairly important,” head of risk analytics Taso Corolis told CSO Australia ahead of a presentation at this week's SAS Executive Forum in Melbourne.

The AMA approach is more responsive to risk and less prescriptive, and allows the use of an internal ratings-based (IRB) approach in managing the amount of capital that must be balanced against institutional risk at any given time. AMA also requires stronger and more regular involvement of senior executives.

To build the IRB framework, more than a year ago the bank kicked off a partnership with analytics technology provider SAS, with technology and business experts embedded within BAB's offices and a project team charged with bringing the project to fruition.

“We had roughly 4 million customer records, spanning multiple systems, Corolis said. “We needed to bring the whole group data into the one structure, to have confidence that the data that we deployed would allow us to run our models flexibly and give us the ability to respond to the business.”

The bank's IRB approach is based on the use of around 35 different credit models, run monthly against every live account in the bank. New portfolios are being added on a regular basis, with an internal target aiming to have at least 90 percent of all the bank's data available to the systems.

“Data was absolutely imperative,” Corolis said. “It was the foundation piece for everything else. Yet the focus wasn't on delivering a solution; it was on what we were trying to achieve.”

This differentiation not only laid the groundwork for compliance with the AMA approach, but promised improvements to customer service as the bank would be able to become more responsive to customer requirements and changing market conditions.

Information security was critical to the project, involving as it did the centralisation of such a massive amount of information. “Our move to AMA framed some of the governance and accountability requirements,” Corolis said, “because at some point we're going to have to convince external parties around the purity of the process.”

To ensure that security frameworks were both robust and business-relevant, the project team not only leveraged the bank's internal security expertise but ensured that technology leaders had high visibility at the board level. For example, the head of technology sits on the bank's steering committee.

“We had strong representation from the technology services team to make sure the security outcomes and objectives were maintained,” Corolis said.

Read more: Defence key to living in modern threat environment - Symantec

“We've worked with them to make sure that what we did didn't dilute security – not only because we are a regulated bank, but because having a clear bond with our customers means we don't want to compromise security in any shape or form.”

Indeed, while the analytics project has played an important role in improving the bank's IRB capabilities, its longer-term benefits will be measured in terms of improved customer service.

Since the project went live last October, the project team has worked closely with BAB's Customer Voice division to “make sure that we share our information and ultimately add better value to the discussions we have with customers,” Corolis said.

“We work closely to make sure we share our information, and ultimately add better value in the discussions we have with customers to better match their goals and aspirations.”

Join the CSO newsletter!

Error: Please check your email address.

Tags datasecurityinformation-securityBendigo Adelaide BankBABCSO AustraliaTaso Corolisrisk-management

More about AdvancedBendigo BankCSOSAS

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by David Braue

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place