Order Now

Royal Bank of Scotland

Royal Bank of Scotland (RBS) is one of the largest banks operating internationally. Today, the company has to develop new approaches to the development of its business and introduce new information technologies to provide its customers with a broad range of services. In this regard, it is extremely important to assess risks that may arise in the course of the development of the bank under the impact of new information technologies being applied by the bank. In actuality, the bank needs to develop methods and strategies that meet needs of customers. At this point, it is worth mentioning the fact that the bank faces the problem of the integration of new technologies because the bank has to adapt the introduction of new technologies to needs of customers and the current professional level of employees is essential. At the same time, the introduction of new technologies raises the problems and risks that may arise in the course of the implementation of new information technologies. In this regard, it is important to study the development of effective methods and strategies that may prevent the risks that may arise in the course of the introduction of information technologies. In fact, it is possible to focus on the analysis of current risks the RBS is currently facing. In this regard, it is possible to use interviews conducted with managers working in the banking industry.

In addition, it is important to involve IT specialists to assess risks associated with the implementation of ITs by the RBS. In addition, it is important to study the current problems other banks face, which are associated with the implementation of ITs. The current research focused on the risk assessment associated with the implementation of ITs by the RBS. In the course of the study, managers and IT specialists along with customers were interviewed and responded to the questionnaire. In addition, the risk assessment involved the use of the Risk Management Guide for Information Technology System as the basis for the analysis of risks and threats the RBS may be vulnerable to and how to prevent these risks and threats. The purpose was to find out the risks that may arise in the course of the implementation of ITs in the services provided by the bank. In the course of the study the major risks were identified. In this regard, it is possible to distinguish the risk of information breaches that arises in the course of the implementation of new ITs, identity theft and other problems, customers of the bank may face. In such a situation, the RBS should develop effective methods and strategies of the prevention of risks associated with the introduction of ITs.

Introduction

Today the risk assessment is very important for effective organizational performance and organizational development. In this regard the development of the modern banking industry is particularly dependent on the effectiveness of the risk assessment. In actuality, the banking industry is progressing rapidly and services provided by banks to their customers change rapidly. At the same time, the changes in services being provided by banks to customers are accompanied by consistent changes in technologies being used by banks. To put it more precisely, contemporary banks tend to implement information technology and modern telecommunication systems en masse to attract customers and to make banking services more accessible to customers and easier to use than they used to be in the past. In such a situation, many banks focus on the introduction of information technologies and new telecommunication systems underestimating possible risks that may arise in the course of the implementation of new technologies or shortly after their implementation. In actuality, the introduction of information technologies in the banking industry can raise numerous risks, such as the loss of the private information of customers, identity theft, information breaches, and other problems that may affect not only banks but also their customers. Banks may come unprepared to the risks and threats associated with the use of new information technologies. In this respect, it is possible to focus on the implementation of information technologies by the Royal Bank of Scotland (RBS) to find out the effective ways of the risk assessment and extrapolate them on the actual practices conducted by the bank in regard to the implementation of information technologies. At this point, it is worth mentioning the fact that the RBS is one of the leaders in the banking industry and operates internationally, whereas the introduction of innovations, especially in the field of information technologies, is one of the priorities in the strategic development of the bank. Therefore, the risk assessment is extremely important for the RBS because, on the one hand, the bank introduced information technologies en masse, whereas, on the other hand, threats of misuse of information technologies increases substantially, while customers of the bank still look for new services that make the further implementation of information technologies essential, which, though, is impossible without adequate risk assessment.

On analyzing the current situation in the RBS and policies conducted by the bank, it is important to place emphasis on the fact that the RBS uses new information technologies to improve its operations and to deliver its services to customers fast. At the same time, the use of information technologies leads to the shift of banking from the conventional bank-customer interaction to the virtual one. What is meant here is the fact that the RBS introduces new information technologies to facilitate its interaction with customers. As a result, the RBS develops e-banking, which implies that operations conducted by the bank are conducted in the electronic form. Moreover, the RBS attempts to provide its customers with the larger opportunities to manage their accounts online via their PCs and other devices, through which customers can access internet safely. Obviously, this strategy is beneficial for customers in terms of the accessibility of banking services and ability to control and manage their accounts online. However, this is exactly, where major risks and threats may appear.

In order to assess the risk the RBS may face, it is necessary to start from the first step of the risk assessment, the system characterization, which helps to understand possible weak points and strengths of the information system of the RBS. In actuality, the development of the RBS is closely intertwined with the application of information technologies en masse. At the same time, the bank should provide the high degree of information security and protection of information system of the bank. Otherwise, its customers will be under a threat of identity theft as well as the threat of losing their money because of the poor protection of their private information by the bank.

At this point, it is important to take into consideration the system-related information, which helps to understand the potential risks and threats the RBS may be vulnerable to. In this regard, the information system used by the RBS is grounded on the use of information technologies to manage and control financial flows and to establish the strict control over the use of financial resources by clients, on the one hand, and the provision of clients with the possibility to access their accounts freely online, on the other (Chari, 2007). What is meant here is the fact that the RBS has developed the information system, which allows to maintain the two-way communication between the bank and each customer. This information system contains the software and hardware, which allows the maintenance of the information system of the RBS. At this point, it is important to place emphasis on the fact that the RBS outsources its information system and its elements, including software. The bank purchases hardware, whereas the software is supplied by the companies developing the software that meets needs of the bank and its customers. In such a way, the bank attempts to optimize its performance through the introduction of the information system that is developed by professionals and that does not need the creation of the IT department within the RBS.

At the same time, in order to obtain the detailed information about the information system and information technologies used by the RBS, it is necessary to use effective information-gathering techniques. In this regard, several techniques were used. First, interviews were conducted involving managers and IT professionals, who have detailed information on the use of information technologies in the banking industry. Former managers of the RBS were among the subjects of the study that increased the reliability and validity of the study. In addition, the subjects responded to the questionnaire concerning the information system of the RBS. In such a way, the application of the aforementioned methods allowed to gather information concerning the information system and information technologies used by the RBS and find out possible threats and risks the bank may face in the nearest future under the impact of new technologies being applied by the RBS. In actuality, the information system of the RBS is outsourced that makes the bank dependent on the suppliers of the software and information technologies. At the same time, the company can rely on the information technologies, software and information system it outsources because the supplier is a reliable company.

Nevertheless, in spite of the advanced information technologies used by the RBS and the information system supplied and maintained by a reliable company, the RBS still faces a number of risks and threats because, even the perfect technologies are vulnerable to some risks and threats. At this point, it is possible to pass to the step two in the risk assessment of the RBS’ information system. In such a way, the threat identification is crucial for understanding risks and threats the RBS may face in the course of the implementation of its information technologies. In fact, the threat-source identification is an important step in the risk assessment of the RBS. To put it more precisely, the major threat sources for the RBS information system are human source, environmental source, and natural source of threats. In this regard, it is important to place emphasis on the fact that the threat source may differ and so does their impact on the organizational performance. To put it more precisely, the environment threats are threats associated with the impact of the environment, such as the power failure. In this regard, the bank is vulnerable to the threat of the power failure and other environment threats as other organizations do (Seitanidi, 2008). At the same time, the RBS attempts to back up its systems to enhance its information system and protection from the environment threats. The autonomous supply of power is one of the ways the organization may prevent the risk of information breaches or the loss of information in case of the power failure. The autonomous power supply can contribute to the prevention of the power failure for the bank can switch immediately from the external power supply to the autonomous one. In this regard, environmental threats may be also quite significant for they may have a destructive impact on the supply of power and other sources essential for the functioning of the bank units. However, it is important to point out that natural disasters can affect the functioning of the bank provisionally but they also affect other organizations and the bank cannot prevent the external, natural threats.

At the same time, the human threats are more serious than environmental or external ones. In this respect, it is worth mentioning the fact that human threats are associated with activities, such as hacking, for instance. Often human threats are illegal, whereas the bank needs the effective protection from the attacks from the part of hackers and criminals. On the other hand, human threats may be occasional. For instance, a poorly qualified employee can make errors which may lead to malfunctioning of the RBS and its information systems. Therefore, the organization may suffer from multiple threats and risks. At this point, many specialists (Lunt, 1996) argue that today banks face the threat of criminal attacks using the advanced information technologies, which focus on obtaining private information of consumers of the bank or access to the database of the bank. As a result, information breaches may emerge, whereas banks, such as the RBS may suffer from substantial loss of the financial resources as well as customers. The latter is particularly dangerous for the RBS because the negative effects of information breaches and identity theft of customers leads to the drop of the customer loyalty leads to the loss of the customers by the bank. As a result, the number of customers decreases and the bank faces the problem of the lack of deposits and its revenues drop respectively to the loss of customers by the bank.

In such a situation, it is important to take into consideration the motivation and threat action. The following table shows the relationship between the threat-source, motivation and threat action:

Table 1. The RBS’ threat-source, motivation, and threat action.
Threat-source Motivation Threat action
Hacker, cracker Challenge
Ego
Rebellion Hacking
Social engineering
System intrusion, break-ins
Unauthorized system access
Computer criminal Destruction of information
Illegal information disclosure
Monetary gain
Unauthorized data alteration Computer crime (for example, cyber stalking)
Fraudulent acts (replay, impersonation, interception)
Information bribery
Spoofing
System intrusion
Terrorist Blackmail
Destruction
Exploitation
Revenge Bomb/terrorism
Information warfare
System attack (distributed denial of service)
System penetration
System tempering
Industrial espionage (activities conducted by other banks) Competitive advantage
Economic espionage Economic exploitation
Information theft
Intrusion on personal privacy
Social engineering
System penetration
Unauthorized system access (access to classified, proprietary, and/or technology-related information)
Insiders (poorly trained,
disgruntled, malicious,
negligent, dishonest, or
terminated employees) Curiosity
Ego
Intelligence
Monetary gain
Revenge
Unintentional errors and
omissions (e.g., data entry
error, programming error) Assault on an employee
Blackmail
Browsing of proprietary
information
Computer abuse
Fraud and theft
Information bribery
Input of falsified, corrupted data
Interception
Malicious code (e.g., virus, logic
bomb, Trojan horse)
Sale of personal information
System bugs
System intrusion
System sabotage
Unauthorized system access

Therefore, the development of the effective information system by the RBS depends on the effectiveness of the information system supplied to the RBS by the supplier. At this point, it is important to place emphasis on the fact that illegal activities and hacking are particularly dangerous for the RBS because these activities often aim at obtaining private information or stealing money from the bank or its customers. In such a situation, the bank should focus on the minimization of such threats. At this point, it is important to remind that the bank depends on the supplier of the information technologies and supply. In this regard, the development of the reliable information system of the RBS depends on the functioning of the supplier of software and information system. At the same time, the company should also pay attention to hardware because it also should function effectively because the failure of the hardware may also lead to the loss of important information.

In this regard, it is important to dwell upon the step three in the risk assessment, which is the vulnerability identification. In fact, the RBS is vulnerable to numerous risks associated with the use of advanced information technologies. In this regard, it is worth mentioning the fact that the RBS is vulnerable to numerous threats associated with hacking and unauthorized access to the private information of consumers as well as to the database of the bank. In such a situation, the major risk for the bank is losing the money, which can be stolen from the bank using illegal and unauthorized access to the bank accounts. As for customers of the RBS, they may suffer from the identity theft that may be a grave assault for them because they can lose money and identity as well.

In such a context, the major vulnerability sources are credit cards of customers, their online accounts, their PCs and smartphones, as well as other devices via which they can access their accounts and conduct some operations. In fact, the problem is that these devices may be misused by criminals to get access to the private information of customers of the RBS as well as to the bank’s database. In such a situation, the bank database becomes vulnerable to the unauthorized access because hackers, crackers or criminals use customers’ devices or accounts and manage their accounts, according to their will.

In response to these threats, the RBS attempts to raise unsurpassable barriers outsourcing its information system. However, before implementing the information system and all innovations the RBS conducts the system security testing to find out whether the information system is safe or innovation is secure. For this purpose, the RBS introduces the innovation or new information system in one of its units, where the bank can control all operations thoroughly. As a result, the bank can test the innovation or innovation system before they are implemented in the entire organization. If the testing is successful, the RBS takes a decision to implement the innovation or new information system.

In addition, the RBS develops the security requirement checklist, which defines accurately requirements of the bank to the information system, software and hardware the bank uses in its operations and internal business processes. The major requirements focus on the full protection of the RBS from external and human resource threats. At the same time, the bank pays a particular attention to human-resource threats because environmental and natural threats are treated by the bank on the common ground and comprise an integral part of the business strategy of the RBS. As for the human-resource threats, the bank pays a particular attention to these threats because they are often intended and the bank is the subject to attacks of hackers, crackers and computer criminals, whereas, in recent years, the threat of terrorist attacks has also increased. Hence, the security checklist includes such requirements as the high degree of protection, innovativeness of the information system, the protection of the system from external intrusion without permission of the bank or its clients, and others.

At the same time, to assess risks adequately, it is necessary to make the step four which is the control analysis. In actuality, the RBS has introduced the position of control officers, which maintain the control over functioning of the information system of the bank. They monitor operations conducted by employees of the bank and customers of the bank to identify any attempt of illegal or hacking activity. The control officers are specially trained and can identify threats accurately. They have the essential equipment and software to monitor internal business operations and processes occurring within the bank (Finley, 2008). In such a way, the bank can control its operations and information system.

In addition, the bank involves the supplier of its information technologies to monitor the situation in the bank and operations conducted by the bank and its customers. The IT specialists involved in auditing and monitoring can identify possible risks and threats through the analysis of the information systems and operations conducted within the system. If they identify any failures, they report to control officers, who, in their turn, take actions respectively to the risk or threat being identified.

At the same time, the RBS has to move to the step five, which implies the likelihood determination. What is meant here is the fact that the RBS attempts to identify the likelihood of occurrence of certain risks and threats. To put it more precisely, the bank attempts to assess the extent to which identified threats and risks can occur. At this point, it is worth mentioning the fact that the development of the information technologies and information system of the bank involves the use of innovative technologies. As a result, the bank defines the major threats, such as the identity theft and unauthorized access to the private information of customers. Through the identification of threats and risks, the RBS can prevent their development and the risk of their occurrence. The bank can focus on the specific risks and threats and invest substantial funds in the development of effective means of protection to minimize the risk of occurrence of such threats as identity theft and other identified by the bank. At the same time, the bank invests substantial funds to forecast threats and risks. In this regard, the RBS outsources partially forecasting risks and threats the bank may face in terms of the implementation of information technologies and changes being made in its information system.

Furthermore, it is important to dwell upon the impact analysis. In this regard, it is necessary to assess the impact of risks and threats on the organizational performance of the bank. In actuality, it is hardly possible to underestimates negative effects of risks and threats associated with the use of information technologies and information system of the bank. To put it more precisely, the threat of identity theft may prevent many customers from using services of the bank (Viardot, 2001). In such a situation, the RBS may suffer from substantial financial losses, if the bank suffers from the illegal criminal activities because customers cannot be confident in the bank, which suffers from repetitive information breaches or identity thefts. In such a way, the bank attempts to protect its customers and to develop an effective information system to minimize the risk of the unauthorized access to the private information and other violations related to information technologies and information system of the bank.

At this point, it is important to dwell upon the risk determination because the bank needs to determine the risk of threats to develop effective strategies of their prevention. The determination of risks occurs through the analysis of the current situation in the banking industry and the development of information technologies. In this regard, it is possible to identify information breaches and identity thefts as major threats banks suffer from as they provide online banking services to facilitate banking operations for their customers. In such a way, the RBS can take into consideration the experience of other banks to conduct its policies effectively and to determine accurately major threats it should come prepared to.

In this regard, it is possible to provide several control recommendations to the RBS. First, the bank should enhance the work of its control officers. Second, the bank should create the IT department, which can work uniquely on the prevention of risks and threats associated with the use of information technologies and information system used by the bank. Third, the RBS should monitor the development of information technologies and banking industry to identify potential and prospective threats and risks and to develop effective strategies of their prevention.

Finally, the results documentation should include the detailed analysis of potential risks and threats. The bank should define sources of threats and methods of their prevention. In addition, the bank should forecast the further development of the industry and to develop close cooperation with suppliers of information technologies, software and hardware to increase safety and security of private information and the bank’s database.

References:
Chari, A. (2007). “Heterogeneous Market-Making in Foreign Exchange Markets: Evidence from Individual Bank Responses to Central Bank Interventions.” Journal of Money, Credit & Banking, 39(5), p.1131-1238.
Finley, J.T. (2007). “International Marketing and Delivery of Bankcard Processing Services.” Journal of the International Academy for Case Studies, 13(3), p.83-94.
Lunt, P. (1996). “An American in Edinburgh: RBS Advanta’s John Mullady Introduces the First U.S. Credit Card in Scotland.” ABA Banking Journal, 88(5), p.85-92.
Seitanidi, M.M. (2008). “Adaptive Responsibilities: Nonlinear Interactions in Cross Sector Social Partnerships.” Emergence: Complexity and Organization, 10(3), p.51-58.
Viardot, E. (2001). Successful Marketing Strategy for High-Tech Firms. New York: New Publishers.

Annotated Bibliography:
Chari, A. (2007). “Heterogeneous Market-Making in Foreign Exchange Markets: Evidence from Individual Bank Responses to Central Bank Interventions.” Journal of Money, Credit & Banking, 39(5), p.1131-1238.
The article focuses on the implementation of the international expansion strategy by the RBS. The author of the article stresses the importance of technological innovations introduced by the RBS and the regulations conducted by central banks to minimize risks to customers associated with the use of new information technologies and other innovations. The article helps to understand the current strategy of the international market expansion conducted by the RBS based on the introduction of new information technologies to attract new customers.

Finley, J.T. (2007). “International Marketing and Delivery of Bankcard Processing Services.” Journal of the International Academy for Case Studies, 13(3), p.83-94.

The author of the article focuses on the introduction of new information technologies by the RBS and other innovations introduced by the bank. The author stresses that information technologies allow the bank to take the lead and outpace its major rivals in the competitive struggle. On the other hand, the author warns against a number of risks that arise in the course of the implementation of technological innovations by the RBS. The author argues that the bank prefers to outsource its information system that raises a number of risks, including the dependence on its supplier.

Lunt, P. (1996). “An American in Edinburgh: RBS Advanta’s John Mullady Introduces the First U.S. Credit Card in Scotland.” ABA Banking Journal, 88(5), p.85-92.

The author reveals the history of the development of the RBS and focuses on the introduction of e-banking and new information technologies in particular. The article helps to understand major causes of success of the RBS. At the same time, the article helps to understand major risks and threats the RBS has faced in the course of its business development. The revelation of difficulties the bank has faced is important to understand current risks and threats it does face or may face after the introduction of technological innovations and development of its information system.

Seitanidi, M.M. (2008). “Adaptive Responsibilities: Nonlinear Interactions in Cross Sector Social Partnerships.” Emergence: Complexity and Organization, 10(3), p.51-58.

The author focuses on the organizational performance of the RBS, internal organizational structure and internal business processes in the context of implementation of new information technologies. The author argues that information technologies facilitate the interaction within the bank and improve internal business processes. On the other hand, they raise numerous problems and difficulties because of the high risk of errors being made by employees and the need to train employees to use the full potential of new technologies.

Viardot, E. (2001). Successful Marketing Strategy for High-Tech Firms. New York: New Publishers.
The author discusses the experience of leading companies operating in the US, including the RBS, which use high technologies, especially information technologies. The author discusses major threats and risks companies operating in high tech industries, including banking industry, may face, including the identity theft, hacking, illegal criminal activities online, and others. In such a way, the RBS may face numerous threats and the author helps to identify the major risks and threats for the bank.