The global head of Barclays' information risk management team has his eye on the prize, not letting the credit crunch distract. By Paul Fisher.
Canary Wharf has always had a strange, semi-detached feel to it. Even in the good times, it never really felt like a proper part of London. A visit on a cold, dismal January morning is stranger still, like visiting the scene of a great disaster – yet there is no damage, no rubble, no smoke. It just feels hushed and subdued, if not yet fully chastened.
Barclays moved its global HQ to a gleaming 32-storey skyscraper at One Churchill Place in 2005. It and its rivals – HSBC, Citigroup, Lehman Brothers and Bear Stearns – all clustered in Canary Wharf and each topped its building with a huge neon logo. It all looked invincible. Finance was king – Lehman's called itself “masters of the universe”.
Now we know different. We know some very stupid people were running these banks – and some still are. Lehman's and Bear Stearns are history. Citigroup is teetering. And in the days following SC's meeting with Stephen Bonner, global head of information risk management at Barclays Group, it started to look like the people who run it weren't so smart either. Barclays' posturing that it was strong and relatively untouched by the crash was starting to unravel. Commentators were saying that Barclays too would need a full-scale bail-out – maybe nationalisation – if it were to survive. Its critics point to its “synthetic structured investment vehicles” that are about to unwind spectacularly and are hiding the real extent of its exposure to toxic debt. In the same week, its share price plunged 25 per cent on profit fears and news that 2,100 jobs in investment banking were to go. Touchable after all.
That at least is how it feels from the outside, but Bonner knows the inside and so, as we sit in a glassy meeting room 30 floors up with mute Barclays PR minder in tow, I can't avoid recent events.
“The credit risk and market risk teams were taken very seriously and because of that we're well positioned. If you look at which markets we focused on and which ones we didn't go into, that has led to a very strong global diversification. Over half our profits come from outside the UK, which makes us very strong in the case of regional problems.
“There are certain businesses and areas we didn't go into strongly, while our competition did, and those have turned out to be not terribly profitable in the long run,” he says, seemingly oblivious to the gross understatement. “No kidding” would be many people's response.
Bonner's CV has equipped him with the necessary sangfroid. His first job was at Oxford's Mathematics Institute. After Virgin.Net and ING Barings, he joined Barclays Capital as senior information security consultant, and with a detour to LIFFE, rejoined as head of technical security, before moving to his group role.
Barclays is still proactive, he says. “We're taking opportunities now because the market has kind of gone a little bit – ‘disconnect' is the word they use – too far the other way. There are fantastic opportunities for growth, so over that period [late 2008], we bought the US operations of Lehman's, we bought a bank in Indonesia and a bank in Russia. We've been busy making sure those have been integrated and come on board. It's been very busy for us, but it's the direct opposite of most of our competition, who are shrinking or have uncertainties about takeovers. There's a great sense of confidence in the business decisions we have made and continue to make,” he says, ever the company loyalist.
It would be unfair to criticise Bonner for this kind of optimism and on this particular morning the accepted view of Barclays was that it remained largely unscathed – as the fickle market proved, when it marked up Barclays again, after it issued a letter on its future. He is not one of the idiots, but a bright, talented and resourceful person, ready for the fray.
“Now, that doesn't mean it's going to be easy, even though we're resilient,” he continues. “A lot of our customers face difficulties in the changing environment, but we need to make sure we're there for them, to support and help them. We, as a risk function, have to make sure we give the support to the business units doing that work to support those customers.”
And if the sun is still shining on Barclays, he knows others are not so fortunate. “I talk closely with colleagues and friends at other institutions and the mood there is really quite dark,” he says.
If Barclays does get through this intact in one form or another, it will be with a nice trophy from the wreckage of 2008 – the North American operations of Lehman Brothers. It all happened very quickly – surely it must have been difficult to integrate the two operations?
“Several of our staff have worked at Lehman's in the past. The CISO of Barclays Capital came from Lehman Brothers. We have a lot of institutional knowledge about how the two groups worked, so it has been a very easy integration. It's a good cultural and geographical fit, it's a good business fit. Things are never easy, but as integrations go it has been a very smooth one and it has worked well,” he says.
Bonner has quite some responsibility, as his department looks after key parts of a bank that operates in 60 countries. Global investors, wealth management, retail and commercial banking divisions – all come under his aegis.
It is easy to forget that most of the public's relationship with a bank is quite mundane (in some people's opinion, the kind of boring stuff banks have too often neglected) and proceeds mostly via a computer screen. Barclays has led the UK by introducing the first two-factor device for the consumer market, PINsentry. It's a source of some pride for Bonner.
“Since we rolled that out, our losses from online fraud have spectacularly dropped.” He doesn't take credit for that, thanking instead Shawn Gilchrist in the UK online banking team. “He drove that piece of work – it's fantastic. It is not only the kind of time-based token authentication that you see in secure ID products, but it allows us to authenticate to the user, and the user to authenticate to us, and it allows them to sign transactions,” he says. Bonner claims that since PINsentry's launch there has been a huge move by phishers into rival banks, which are seeing increased losses.
PINsentry can only be a good thing, and it's not hard to see that a cost/risk analysis of such a device would come out positive. But moving rapidly up the scale, into the areas where Bonner spends much of his time, mustn't risk assessment get trickier and involve some big mathematics? Or is it all, perhaps, intelligent guesswork?
“So, you say, is there guesswork? One interesting thing about risk management is the uncertainties in the information you're using to make decisions. We can't have complete knowledge. If we had complete knowledge, it would be a very straightforward piece of work, where a classic annualised loss expectancy is the single rate of occurrence times the single loss expectancy. That's a fantastic risk calculation. There's no way we can know exactly how likely it is something is going to happen. And often what defences we put in change what happens,” he says.
It has to be cost-effective: you need to set the cost of the loss events and near-misses that have actually occurred against the controls in place. Bonner likens it to a large-scale medical study. “We can see people with long passwords or short passwords, and we can see higher or lower losses and then decide what controls are effective. We need to be a lot more professional. It is not helped by checklist-driven regulations. Certain controls must be put in place, whether or not they manage a risk.”
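As an added illustration, not Barclays' own method and using constructed figures: the point-estimate annualised loss expectancy from the quote above, beside a Monte Carlo version that keeps the uncertainty Bonner describes (rate and loss size known only as ranges), and a simple scoring of a control by loss avoided against its running cost. The function names, the ranges and the control cost are all assumptions for the example.

```python
import math
import random
import statistics
from typing import NamedTuple

class LossProfile(NamedTuple):
    mean: float  # Monte Carlo estimate of the ALE
    p95: float   # a bad-but-plausible year, the figure a budget holder asks for

def ale(rate_of_occurrence: float, single_loss_expectancy: float) -> float:
    """Classic point-estimate ALE: expected events per year times loss per event."""
    return rate_of_occurrence * single_loss_expectancy

def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler (the stdlib has none); fine for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate(rate_range, sle_range, years=20000, seed=1) -> LossProfile:
    """ALE when rate and loss size are only known as defensible (low, high) ranges.

    Each simulated year draws its event rate, and each event its loss, uniformly
    within those ranges, so the answer carries the uncertainty instead of hiding it."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        events = _poisson(rng, rng.uniform(*rate_range))
        annual.append(sum(rng.uniform(*sle_range) for _ in range(events)))
    annual.sort()
    return LossProfile(statistics.fmean(annual), annual[int(0.95 * years)])

def net_benefit(before: LossProfile, after: LossProfile, annual_control_cost: float) -> float:
    """Expected loss avoided by a control minus its running cost; negative means gold-plating."""
    return (before.mean - after.mean) - annual_control_cost

if __name__ == "__main__":
    # Constructed figures: online-fraud-style losses before and after a strong-authentication control.
    baseline = simulate(rate_range=(2, 6), sle_range=(10_000, 30_000))
    with_control = simulate(rate_range=(0.2, 1.0), sle_range=(10_000, 30_000))
    print(f"point-estimate ALE: {ale(4, 20_000):,.0f}")
    print(f"baseline ALE ~{baseline.mean:,.0f}, p95 year {baseline.p95:,.0f}")
    print(f"with control ALE ~{with_control.mean:,.0f}, p95 year {with_control.p95:,.0f}")
    print(f"net benefit at 30,000/yr control cost: {net_benefit(baseline, with_control, 30_000):,.0f}")
```

The p95 figure is the one to put beside the mean when asking for budget: a control that barely moves the mean can still cut the bad year substantially, and the reverse.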
Like ISO standards? “Well, they have actually done quite a good job, if you look over the history of the standards. They have moved from having a checklist to a risk-management tool with a cycle of assessing deployment controls that make sense.” Bonner would rather aim his fire at Cobit, Isaca's methodology for assessing compliance and governance in IT. He is not a fan.
“One of the Cobit controls is that you must have a security plan. It doesn't define what a security plan is, and it doesn't say you have to execute the plan or have funding – you just have to have a security plan. So, get a piece of paper, write ‘security plan' on top, sign it, date it, take three copies, put it in the safe, and there you go, you're helping manage risk? No. You've got an extra control, but you're not managing risk,” he says.
As Bonner points out, when something does happen (as it will), you need more than a plan, you need to take action and you need an understanding board. “The question is,” he says, “when that event happens, did we detect it rapidly, did we deal with it well, had people been trained, is there a systemic problem, is there an isolated incident we can resolve and make sure it never occurs again?
“We're very fortunate. Generally our management is interested enough in these topics that it can tell the difference between you having no incidents because you are too ignorant to notice them, and you having no incidents because things are working well and it's controlled.”
He has wise words too on how to get round the cost/ROI conundrum. “We tend not to gold-plate anything. Fundamentally, as a central group function, we're an annoying layer of cost and inconvenience, so our goal is to be as cheap and as convenient as possible. There's very much still an investment and growth strategy, because we never wasted money,” he says.
Recently, IT analysts have pointed to CISOs' rapid, even frantic, adoption of trends such as virtualisation, off-shoring and utility computing as recession takes hold. How much of this brave new world can be found at Barclays?
“The answer to all of those is, well, yes – in some places. There are parts of our organisation that have gone heavily down that route, and others that haven't. So it gives us the flexibility to see what works and what doesn't. Internally, we still tend to use the majority of enterprise-type solutions. We have areas that help drive innovation, but generally we tend to wait for maturity, rather than adopt some of the wackier ideas that you get out there,” he says. And cost, he adds, is something he and his team always take seriously. Being a small team (of ten) helps. “When the unavoidable events occur, people see they're well managed and handled.”
A tightly run ship it may be, but it is one that has an international organisation behind it and one that is likely to take its security even more seriously in future. But what of those souls further down the chain in smaller businesses – what would he recommend they do in these straitened times to please their employers?
“I would find pieces of work that are easy and cheap ways to make things better that demonstrate your competence and skill, and you build the trust. Then when you say to the senior management, ‘look, this one I can't really justify, but, trust me, I'm a professional'; they then are willing to believe you because the previous project you ran delivered on time, on budget and had a business value.
“Often the best way to build credibility is to say ‘no, we don't need that; it's not relevant to our business',” he adds.
Bonner says he is lucky to work in the financial sector, because people move around and talk to each other, so it is easy to find evidence of other institutions having tried something and it working well, or going badly. And some of these people will end up working for Bonner, joining his diversified group of lawyers, ex-consultants, ex-government wonks and people from other parts of Barclays. It is a diversity that Bonner believes is a strength, in that it brings a lot of different approaches to solutions.
“I don't think you can teach people the right pragmatic attitude. There are people who are from that IT security background who say, ‘no, we couldn't possibly do that, that would be dreadful'. We're now actually thinking, well, no, there's this whole set of circumstances that it is the right thing to do for good reasons – because it balances the benefits off against the risks,” he says.
Bonner makes a distinction between IT security people and IT people. Those IT generalists seemingly have a lot more going for them: “Good IT people are much more focused on the business and their requirements are for the general operations of IT. They understand flexibility and strength, pragmatically balancing that against standardisation and operational reputability.
“Everybody would be more comfortable if there was one answer and the problem went away. Good IT people realise that isn't the case,” he says.
There is no simple answer to the crisis either and its brutal reality is visible from the Barclays tower. That used to be Bear Stearns; and over there is the corpse of Lehman Brothers. KPMG, Bonner says, is moving into the building next door – the banks die, the accountants take over. Where will it end?