Doing Business In India


Business Research vs Credit Risk Assessment: ‘Alternate data sources’

Posted in Accounting, Alternate Data Sources, Business, Credit, Finance, Information Systems, Management by DoingBusinessInIndia on October 20th, 2011

Discussions by eminent credit experts have highlighted the pure dependence of credit risk assessment on financial statements and payment history. Good business research thrives on ‘alternate data sources’, so why shouldn’t credit risk assessment incorporate alternate data for a robust model? Whether financial statements are more reliable is a debatable point, especially in the context of MSMEs (they form the bulk of business enterprises all over the globe). Most developed economies do not insist on audited statements from business owners, and in developing economies, we are aware of what happens: the business owner decides what is to be presented. Yes, payment history is credible and can be used as a source of information, but it can be misleading if relied upon solely. Credit rating does consider ‘alternate data sources’, but as a product it is used for a minuscule segment of the universe. When you consider credit scoring or internal risk assessment processes, ‘alternate data sources’ are invariably disregarded. Moreover, the majority of credit officers are unaware of ‘alternate data sources’ and their relative weight in the risk assessment model. It seems that we all want to follow the system that has been established. Are we doing it right?

Securing Information Systems

Posted in Forensic Accounting, Information Systems by DoingBusinessInIndia on December 2nd, 2009

Businesses are under constant threat of losing what they own or have created diligently over the years. In this age of technological advancement there is a huge possibility of “Information Leakage”, resulting in the loss of valuable assets such as proprietary processes and product patents, or in inappropriate disclosure of operational performance. There is therefore a need for Forensic Accounting and Audit of Information Systems to prevent such occurrences.

In a recent case, one of the leading players in the Pharmaceutical industry desired “To review existing Policies and Practices on preventing Information Leakage in the factory area covering the Production, Plant Gate, IT Infrastructure, R&D and Quality Control section and to suggest remedial measures”. What prompted this business to secure its information systems was a review by the US FDA (US Food and Drug Administration) for granting a license to their facilities. The US administrator considers the information system a critical part of the manufacturing process.

The business had adopted several standard operating procedures to avoid leakage of information. They had blocked all electronic mail ‘to’ popular public mailing systems such as Google, Yahoo and Rediff mail. Most of the communication devices, such as scanners, photocopying machines and mobile phones, were disabled for copying and transmitting. Closed circuit cameras were installed to capture the overall activities of the employees. The IT department had hastily put together some randomly created Standard Operating Policies (SOPs) to manage the email system, the IT infrastructure and the server room.

On the face of it, the measures adopted by the business would have, to a great extent, prevented the flow of unwarranted information from within the facility to the outside world. But this was not the case!

As a first step towards checking the robustness of the system that had been implemented, a couple of tests were instituted. The business managers were of the opinion that information on the computer systems could not be transferred to a remote location without the active connivance of the device owner. In spite of these measures, the investigators were able to transfer documents from a computing device to a mobile device using Bluetooth technology while the device owner was away from his workstation. In another case, an email was delivered to an unknown address from a desktop system without the knowledge of the workstation owner. Both cases indicated a lack of operational understanding on the part of the employees of the need to treat information as sacrosanct, and pointed to some of the possible shortcomings of the planned system.

Considering the initial results, which exposed the vulnerability of the system that was in place, an elaborate audit procedure was adopted. Various operational aspects of the facility, spanning most of the departments, were checked:

1. The inventory of communication devices was verified for ownership and location.
2. The server room was assessed for:
   i) Accessibility violations.
   ii) Security arrangements.
   iii) Disaster management.
3. The email management system was thoroughly checked for active and inactive accounts, access levels and other improper behavior.
4. Scrap management policies were advised.
5. Gate and key management were found not to be as per the standard operating procedures.

The audit process established that the facility was under threat from “Information Leakage”. Based on the findings, the following recommendations were made to the facility management in order to address the critical weaknesses of the system:

1. A Standard Operating Procedure Manual should be developed, keeping in mind the different information needs and security-level requirements of different departments.
2. Emails can be managed through advanced screening software.
3. Implementation of security measures like body searches, and metal and other advanced detection facilities.
4. Stress testing the system at regular intervals.
5. Finally, as a first line of defense, it is important to continually educate the employees about the SOPs.

There are lessons to be learnt by other organizations. Leakage of confidential information can result in serious damage to a business in its reputation, employee work culture and profitability. Before such an eventuality arises, it is necessary for businesses to adopt a multidimensional approach to Information System management.

Vivek Parti, CEO, India Business Database.com, Risk Management and Forensic Company