How to Model Operational Risk, If You Must. Lecture to The Faculty of Actuaries

The second Lecturer to the Faculty of Actuaries is Professor Paul Embrechts, Professor of Mathematics at the ETH Zurich (Swiss Federal Institute of Technology, Zurich), specialising in actuarial mathematics and mathematical finance. His previous academic positions include ones at the Universities of Leuven, Limburg and London (Imperial College), and he has held visiting appointments at various other universities. He is an elected Fellow of the Institute of Mathematical Statistics, an Honorary Fellow of the Institute of Actuaries, a Corresponding Member of the Italian Institute of Actuaries, Editor of the ASTIN Bulletin, on the Advisory Board of Finance and Stochastics and Associate Editor of numerous scientific journals. He is a member of the Board of the Swiss Association of Actuaries and belongs to various national and international research and academic advisory committees. His areas of specialisation include insurance risk theory, integrated risk management, the interplay between insurance and finance and the modelling of rare event

Data analytics and algorithms in policing in England and Wales: Towards a new policy framework

RUSI was commissioned by the Centre for Data Ethics and Innovation (CDEI) to conduct an independent study into the use of data analytics by police forces in England and Wales, with a focus on algorithmic bias. The primary purpose of the project is to inform CDEI’s review of bias in algorithmic decision-making, which is focusing on four sectors, including policing, and working towards a draft framework for the ethical development and deployment of data analytics tools for policing. This paper focuses on advanced algorithms used by the police to derive insights, inform operational decision-making or make predictions. Biometric technology, including live facial recognition, DNA analysis and fingerprint matching, are outside the direct scope of this study, as are covert surveillance capabilities and digital forensics technology, such as mobile phone data extraction and computer forensics. However, because many of the policy issues discussed in this paper stem from general underlying data protection and human rights frameworks, these issues will also be relevant to other police technologies, and their use must be considered in parallel to the tools examined in this paper. The project involved engaging closely with senior police officers, government officials, academics, legal experts, regulatory and oversight bodies and civil society organisations. Sixty nine participants took part in the research in the form of semi-structured interviews, focus groups and roundtable discussions. The project has revealed widespread concern across the UK law enforcement community regarding the lack of official national guidance for the use of algorithms in policing, with respondents suggesting that this gap should be addressed as a matter of urgency. Any future policy framework should be principles-based and complement existing police guidance in a ‘tech-agnostic’ way. Rather than establishing prescriptive rules and standards for different data technologies, the framework should establish standardised processes to ensure that data analytics projects follow recommended routes for the empirical evaluation of algorithms within their operational context and evaluate the project against legal requirements and ethical standards. The new guidance should focus on ensuring multi-disciplinary legal, ethical and operational input from the outset of a police technology project; a standard process for model development, testing and evaluation; a clear focus on the human–machine interaction and the ultimate interventions a data driven process may inform; and ongoing tracking and mitigation of discrimination risk

Introducing the STAMP method in road tunnel safety assessment

After the tremendous accidents in European road tunnels over the past decade, many risk assessment methods have been proposed worldwide, most of them based on Quantitative Risk Assessment (QRA). Although QRAs are helpful to address physical aspects and facilities of tunnels, current approaches in the road tunnel field have limitations to model organizational aspects, software behavior and the adaptation of the tunnel system over time. This paper reviews the aforementioned limitations and highlights the need to enhance the safety assessment process of these critical infrastructures with a complementary approach that links the organizational factors to the operational and technical issues, analyze software behavior and models the dynamics of the tunnel system. To achieve this objective, this paper examines the scope for introducing a safety assessment method which is based on the systems thinking paradigm and draws upon the STAMP model. The method proposed is demonstrated through a case study of a tunnel ventilation system and the results show that it has the potential to identify scenarios that encompass both the technical system and the organizational structure. However, since the method does not provide quantitative estimations of risk, it is recommended to be used as a complementary approach to the traditional risk assessments rather than as an alternative. (C) 2012 Elsevier Ltd. All rights reserved

The Role of the Audit Committee In Risk Management

Risk is a Board responsibility, which cannot be delegated. The boundaries of the audit committee lie somewhere below strategic risk, which is a Board function, and above detailed internal control, which belongs to management. However, there was no consensus about just where those boundaries lie. The flipside of risk is opportunity, and the Board should set a risk appetite for the organisation that reflects this. The Combined Code suggests a role for a Board-level risk committee, comprising independent non executives. The participants in the discussion did not think this to be practical: risk management must involve executives. There is a danger that too much focus on the process of risk management could lead to complacency or to a lack of focus on the risks themselves. The review of risk at Board and audit committee level necessitates having non executive directors with a suitable range of backgrounds. The skills mix, as well as financial, should include high-level business knowledge, for example the understanding of significant opportunities/risks specific to the business. A key aspect of risk management is understanding the culture of the organisation. Non executives, with limited contact below Board level, may find difficulty in understanding the culture at lower levels of the organisation. The audit committee's role in risk management requires a strong relationship with the internal audit function of the organisation, one of whose roles is as a ‘financial policeman'. Different types of risk should be addressed in different ways. Financial, operational and strategic risk have little in common, and their management and review should reflect the context of the particular compa

Air Traffic Management Safety Challenges

The primary goal of the Air Traffic Management (ATM) system is to control accident risk. ATM safety has improved over the decades for many reasons, from better equipment to additional safety defences. But ATM safety targets, improving on current performance, are now extremely demanding. Safety analysts and aviation decision-makers have to make safety assessments based on statistically incomplete evidence. If future risks cannot be estimated with precision, then how is safety to be assured with traffic growth and operational/technical changes? What are the design implications for the USA’s ‘Next Generation Air Transportation System’ (NextGen) and Europe’s Single European Sky ATM Research Programme (SESAR)? ATM accident precursors arise from (eg) pilot/controller workload, miscommunication, and lack of upto- date information. Can these accident precursors confidently be ‘designed out’ by (eg) better system knowledge across ATM participants, automatic safety checks, and machine rather than voice communication? Future potentially hazardous situations could be as ‘messy’ in system terms as the Überlingen mid-air collision. Are ATM safety regulation policies fit for purpose: is it more and more difficult to innovate, to introduce new technologies and novel operational concepts? Must regulators be more active, eg more inspections and monitoring of real operational and organisational practices

Governance of Offshore IT Outsourcing at Shell Global Functions IT-BAM Development and Application of a Governance Framework to Improve Outsourcing Relationships

The lack of effective IT governance is widely recognized as a key inhibitor to successful global IT outsourcing relationships. In this study we present the development and application of a governance framework to improve outsourcing relationships. The approach used to developing an IT governance framework includes a meta model and a customization process to fit the framework to the target organization. The IT governance framework consists of four different elements (1) organisational structures, (2) joint processes between in- and outsourcer, (3) responsibilities that link roles to processes and (4) a diverse set of control indicators to measure the success of the relationship. The IT governance framework is put in practice in Shell GFIT BAM, a part of Shell that concluded to have a lack of management control over at least one of their outsourcing relationships. In a workshop the governance framework was used to perform a gap analysis between the current and desired governance. Several gaps were identified in the way roles and responsibilities are assigned and joint processes are set-up. Moreover, this workshop also showed the usefulness and usability of the IT governance framework in structuring, providing input and managing stakeholders in the discussions around IT governance

Summary care record early adopter programme: an independent evaluation by University College London.

Benefits The main potential benefit of the SCR is considered to be in emergency and unscheduled care settings, especially for people who are unconscious, confused, unsure of their medical details, or unable to communicate effectively in English. Other benefits may include improved efficiency of care and avoidance of hospital admission, but it is too early for potential benefits to be verified or quantified. Progress As of end April 2008, the SCR of 153,188 patients in the first two Early Adopter sites (Bolton and Bury) had been created. A total of 614,052 patients in four Early Adopter sites had been sent a letter informing them of the programme and their choices for opting out of having a SCR. Staff attitudes and usage The evaluation found that many NHS staff in Early Adopter sites (which had been selected partly for their keenness to innovate in ICT) were enthusiastic about the SCR and keen to see it up and running, but a significant minority of GPs had chosen not to participate in the programme and others had deferred participation until data quality improvement work was completed. Whilst 80 per cent of patients interviewed were either positive about the idea of having a SCR or ?did not mind?, others were strongly opposed ?on principle?. Staff who had attempted to use the SCR when caring for patients felt that the current version was technically immature (describing it as ?clunky? and ?complicated?), and were looking forward to a more definitive version of the technology. A comparable technology (the Emergency Care Summary) introduced in Scotland two years ago is now working well, and over a million records have been accessed in emergency and out-of-hours care. Patient attitudes and awareness Having a SCR is optional (people may opt out if they wish, though fewer than one per cent of people in Early Adopter sites have done so) and technical security is said to be high via a system of password protection and strict access controls. Nevertheless, the evaluation showed that recent stories about data loss by government and NHS organisations had raised concerns amongst both staff and patients that human fallibility could potentially jeopardise the operational security of the system. Despite an extensive information programme to inform the public in Early Adopter sites about the SCR, many patients interviewed by the UCL team were not aware of the programme at all. This raises important questions about the ethics of an ?implied consent? model for creating the SCR. The evaluation recommended that the developers of the SCR should consider a model in which the patient is asked for ?consent to view? whenever a member of staff wishes to access their record. Not a single patient interviewed in the evaluation was confident that the SCR would be 100 per cent secure, but they were philosophical about the risks of security breaches. Typically, people said that the potential benefit of a doctor having access to key medical details in an emergency outweighed the small but real risk of data loss due to human or technical error. Even patients whose medical record contained potentially sensitive data such as mental health problems, HIV or drug use were often (though not always) keen to have a SCR and generally trusted NHS staff to treat sensitive data appropriately. However, they and many other NHS patients wanted to be able to control which staff members were allowed to access their record at the point of care. Some doctors, nurses and receptionists, it seems, are trusted to view a person?s SCR, whereas others are not, and this is a decision which patients would like to make in real time