Riskbaserad säkerhetstestning : En fallstudie om riskbaserad säkerhetstestning i utvecklingsprojekt / Risk-based security testing: A case study on risk-based security testing in development projects

Engblom, Pontus

January 2020

A risk is something that can happen and a problem is something that we know will happen or that has already happened. Security testing is used to evaluate a programs security using various methods and risk-based security testing is used to analyze, calculate and correct potential defects or problems in a system.Testing can be very costly and it is the most primary way of removing software defects. Many people focus their testing looking for correct behavior and not deviant behaviors in software, therefore security testing has not been as relevant in traditional testing. It is usually not possible to perform exhaustive testing on a system, instead you must selectively choose tests to conduct. How should the selection of tests be conducted? The study therefore intends to investigate how one can start working with risk-based security testing in development projects in order to prioritize and choose test cases and test methods. The study also aims to answer whether you can get any financial or practical benefits from working with risk-based security testing. To conduct the study a case study was used and to collect data, a document study was used to provide the opportunity to answer the questions. In order to analyze the collected data, a qualitative data analysis method has been used to explain and describe the content with a descriptive research approach. The results of the study provided an example of risk management with different steps one can take to start working on risk-based security testing in existing or new development projects. The study’s conclusion also shows that if you work with risk-based security testing there are practical benefits. For instance, higher quality of the system and economic benefits by finding defects or implementing countermeasures for possible risks at an early stage during the systems development. / En risk är någonting som kan hända och ett problem är någonting som vi vet kommer hända eller som redan har hänt. Säkerhetstest används för att med olika metoder värdera ett programs säkerhet och riskbaserad säkerhetstestning används för att analysera, kalkylera och åtgärda potentiella defekter eller problem i ett system. Testning kan vara väldigt kostnadskrävande och det är det mest primära sättet som används för att ta bort defekter i mjukvaror. Många fokuserar sin testning på att leta efter ett korrekt beteende och inte avvikande beteenden i programvara, därför har säkerhetstestning inte varit så aktuellt i traditionell testning. Det är oftast inte möjligt att utföra uttömmande testning på ett system utan man måste selektivt välja tester, men hur ska selektionen gå till?Studien ämnar därför att undersöka hur man kan börja arbeta med riskbaserad säkerhetstestning i utvecklingsprojekt för att kunna prioritera och välja testfall och testmetoder. Studien ämnar också svara på om man kan få några ekonomiska eller praktiska fördelar av att arbeta med riskbaserad säkerhetstestning.För att genomföra studien gjordes en fallstudie och för att samla in data utfördes en dokumentstudie för att ge möjlighet att besvara frågeställningarna. För att analysera den insamlade data har en kvalitativ dataanalysmetod använts för att med en deskriptiv undersökningsansats kunna djupare förklara och beskriva innehållet. Resultaten från studien har medfört ett riskhanterings exempel med olika steg man kan ta för att börja arbeta med riskbaserad säkerhetstestning i befintliga eller nya utvecklingsprojekt. Studiens slutsats visar också att om man arbetar med riskbaserad säkerhetstestning så finns det praktiska fördelar. Exempelvis högre kvalitet på systemet och ekonomiska fördelar genom att man i ett tidigt skede under systemets utveckling hittar defekter eller implementerar motåtgärder för eventuella risker.

Security testing

testing

risk-based security testing

risks

risk evaluation

risk management

system development

Säkerhetstest

testning

riskbaserad säkerhetstestning

risker

riskvärdering

riskhantering

systemutveckling

Social Sciences Interdisciplinary

The South African anti-money laundering regulatory framework relevant to politically exposed persons

Ahlers, Christelle

January 2013

Politically exposed persons have become a specific risk factor in money laundering. The Financial Action Task Force has formulated clear and specific requirements for dealing with these individuals. Internationally, various jurisdictions such as the United Kingdom and the European Union have adopted effective legislation encompassing the 2003 Financial Action Task Force Recommendations. In South Africa the requirement to apply appropriate, risk based procedures to politically exposed persons has been limited to banks. The aim of this research study was to identify whether the South African anti-money laundering regulatory framework, adequately addresses managing the risks of politically exposed persons. The regulatory frameworks of the United Kingdom and the European Union, as well as the requirements of the Financial Action Task Force, were used to determine whether best practice is followed in South Africa with regard to politically exposed persons. The process of how money is laundered has been examined as well as the methods that corrupt politically exposed persons use in order to launder money. The study has shown that politically exposed persons are not regulated in South Africa in accordance with the Financial Action Task Force Recommendations issued in 2003, while the South African Anti-Money Laundering Regulatory Framework does not adequately address the risk posed by corrupt, politically exposed persons. Both international best practice and the recommendations of the World Bank were considered in terms of the way in which to address the risks posed by these persons effectively. / Dissertation (MPhil)--University of Pretoria, 2013. / Auditing / unrestricted

Money laundering

Financial Intelligence Centre Act (FICA)

South African anti-money laundering

UCTD

Financial Action Task Force (FATF)

Risk based approach

Politically exposed person (PEP)

European Union (EU)

Customer due diligence

Corruption

Anti-money laundering

Hierarchical Clustering in Risk-Based Portfolio Construction / Hierarkisk klustring för riskbaserad portföljallokering

Nanakorn, Natasha, Palmgren, Elin

January 2021

Following the global financial crisis, both risk-based and heuristic portfolio construction methods have received much attention from both academics and practitioners since these methods do not rely on the estimation of expected returns and as such are assumed to be more stable than Markowitz's traditional mean-variance portfolio. In 2016, Lopéz de Prado presented the Hierarchical Risk Parity (HRP), a new approach to portfolio construction which combines hierarchical clustering of assets with a heuristic risk-based allocation strategy in order to increase stability and improve out-of-sample performance. Using Monte Carlo simulations, Lopéz de Prado was able to demonstrate promising results. This thesis attempts to evaluate HRP using walk-forward analysis and historical data from equity index and bond futures, against more realistic benchmark methods and using additional performance measures relevant to practitioners. The main conclusion is that applying hierarchical clustering to risk-based portfolio construction does indeed improve the out-of-sample return and Sharpe ratio. However, the resulting portfolio is also associated with a remarkably high turnover, which may indicate numerical instability and sensitivity to estimation errors. It is also identified that Lopéz de Prado's original HRP approach has an undesirable property and alternative approaches to HRP have consequently been developed. Compared to Lopéz de Prado's original HRP approach, these alternative approaches increase the Sharpe ratio with ~10% and reduce the turnover with 60-65%. However, it should be noted that compared to more mainstream portfolios the turnover is still rather high, indicating that these alternative approaches to HRP are still somewhat unstable and sensitive to estimation errors. / Efter den globala finanskrisen har intresset för riskbaserade och heuristiska metoder för portföljallokering ökat inom såväl akademin som finansindustrin. Det ökade intresset grundar sig i att dessa metoder inte kräver estimering av förväntad avkastning och därför kan antas vara mer stabila än portföljer med grund i Markowitz moderna portföljteori. Lopéz de Prado presenterade 2016 en ny metod för portföljallokering, Hierarchical Risk Parity (HRP), som kombinerar hierarkisk klustring med en heuristisk riskbaserad portföljkonstruktion och vars syfte är att öka stabiliteten och förbättra avkastningen. Baserat på Monte Carlo-simuleringar har Lopéz de Prado lyckats påvisa lovande resultat. Syftet med detta examensarbete är att utvärdera HRP med hjälp av walk-forward-analys och empirisk data från aktieindex- och obligationsterminer. I denna utvärdering jämförs HRP med andra vanliga portföljmetoder med avseende på prestandamått relevanta för portföljförvaltare. Den huvudsakliga slutsatsen är att tillämpning av hierarkisk klustring inom ramen för riskbaserad portföljallokering förbättrar såväl den absoluta avkastningen som Sharpekvoten. Däremot är det tydligt att vikterna i en HRP-portfölj har hög omsättning över tid, vilket kan tyda på numerisk instabilitet och hög känslighet för skattningsfel. Vidare har en oönskad egenskap i Lopéz de Prados ursprungliga HRP-metod identifierats, varför två alternativa HRP-metoder har utvecklats inom ramen för examensarbetet. Jämfört med Lopéz de Prados ursprungliga metod förbättrar de två alternativa metoderna Sharpekvoten med 10% och minskar omsättningen av portföljvikterna med 60-65%. Det bör dock understrykas att även de nya metoderna har en förhållandevis hög omsättning, vilket tyder på att numerisk instabilitet och hög känslighet för skattningsfel till viss del fortfarande kvarstår.

Portfolio construction

asset allocation

risk-based asset allocation

hierarchical clustering

agglomerative clustering

hierarchical risk parity

risk

volatility

Portföljallokering

portföljhantering

portföljmetoder

riskbaserad portföljallokering

hierarkisk klustring

agglomerativ klustring

risk

volatilitet

Probability Theory and Statistics

Sannolikhetsteori och statistik

商業地震保險監理機制之研究 / The Study of the Supervision Mechanism of Commercial Earthquake Insurance

林金穗, Lin, J.S.

Unknown Date

台灣位處環太平洋地震帶，為全球地震風險潛勢較高的地區之一；因台灣高科技產業蓬勃發展，地震保險需求殷切，再加上開放保險費率自由化的政策及金控效應，趨使保險業間競爭白熱化，惡性價格競爭及保險經紀人的推波助瀾，保險公司的清償能力面臨重大考驗。 台灣在保險監理方面如同日本、美國採行風險基礎資本額（RBC）制度，惟國際間位處高度地震風險潛勢之國家大都另建立一套地震保險監理機制，以確保保險公司的巨災準備金足以支付回歸期地震所造成的損失，其中以美國加州及加拿大政府均採用地震保險PML申報制度作為地震保險監理之依據最值得台灣學習。 地震保險PML評估可採用CRESTA Zone平均損失幅度表計算或採用認許的地震風險評估電腦軟體推估獲得，實施的關鍵為主管機關應建立具有公信力的CRESTA Zone平均損失幅度表。本文特就二種評估方式的利弊做深入的比較分析，並藉由地震風險評估軟體的架構說明影響地震保險PML的因素與權重，作為保險公司落實地震風險管理之依據。 本研究參考Solvency II的三大支柱提出建立地震保險監理機制之結論與建議如下： 1.鼓勵建立保險公司的地震風險管理機制。 2.公佈CRESTA Zone平均損失幅度表，作為保險公司地震保險PML申報依據，以落實產物保險業之地震保險監理機制。 3.依據保險公司申報資料，提供保險主管機關實施差異化管理之依據。 4.主動揭露經營績效、強化保險市場紀律，建立公平合理的經營環境。 期待藉由建立適當的地震保險監理機制，減輕或消弭產物保險市場面臨自由化的惡性價格競爭與保險經營面的不合理現象，進而達到健全保險經營環境、促進保險業長期穩定發展，並確保社會大眾之保險權益的目標。 關鍵詞：地震保險監理機制、地震保險PML、巨災準備金、風險基礎資本額、地震風險評估軟體 / Located at the Pacific Rim earthquake zone, Taiwan has been recognized as one of the severe seismic hazard areas in the world. With the bloom of high tech industry in the past two decades, the demand of earthquake insurance has been considerably increasing. However, along with the liberalization of insurance market, the new business model of financial holdings and the expanding influence from international brokers, insurance companies’ solvency capacity has been significantly challenged. Taiwanese Government, same as Japan and U.S., adopts Risk-Based Capital (RBC) method in insurance supervision, while most countries with high earthquake potential have set up independent earthquake insurance supervision systems to ensure insurers’ earthquake reserves capable to compensate the huge earthquake losses. Among all the measures, the PML reporting system adopted by Canada and the State of California to regulate and trace insurance companies’ financial statuses could be an adequate paradigm for Taiwan. The PML estimation could be obtained either using computer models or following default mean damage ratio table. This research compares the strength and weakness between these two methods, and presents the importance of parameters and key points in earthquake insurance management. Based on the three pillars of Solvency II, the conclusions and recommendations of this paper are: (1)Encourage insurance companies to build up the earthquake risk management mechanism; (2)Establish the official default mean damage ratio table for PML reporting system; (3)Adopt differential supervision practice to different level insurance companies; (4)Promote the self-disclosure of key business information and enhance market discipline. Establishing a sound earthquake insurance supervision system would not only ease the immoderate low-price competition but the whole insurance environment could also be stabilized and improved. It will ultimately achieve the objective to insure society liability and benefit the public as well. Keywords: Earthquake Insurance, Earthquake Model, Catastrophic Risk Management, Insurance Supervision, Risk-Based Capital, CRESTA Zone, PML

地震保險監理機制

地震保險PML

巨災準備金

風險基礎資本額

地震風險評估軟體

Earthquake Insurance

Earthquake Model

Catastrophic Risk Management

Insurance Supervision

Risk-Based Capital

CRESTA Zone, PML

[en] RISK-BASED MAINTENANCE AND INSPECTION APPLIED TO OFFSHORE SERVICE BARGES: PROPOSITION OF A METHOD FOR DECISION-MAKING / [pt] MANUTENÇÃO E INSPEÇÃO BASEADAS EM RISCO APLICADAS A BALSAS DE SERVIÇO OFFSHORE: PROPOSIÇÃO DE MÉTODO PARA A TOMADA DE DECISÃO

MAURO AUGUSTO MARTINS JUNIOR

30 September 2013

[pt] A Manutenção e Inspeção Baseada em Risco (IBR) compreende a utilização de ferramentas de cálculo de engenharia como análise estrutural por elementos finitos, análise de corrosão e fadiga, análise de risco e confiabilidade estrutural, de forma integrada, a fim de elaborar os planos de inspeção de maneira racional otimizada. No caso de inspeção de balsas para serviço offshore, particularmente da estrutura do convés principal da balsa, técnicas de análise de risco podem ser aplicadas para que se possam determinar os intervalos de inspeção de cada elemento da estrutura. Como resultado final, tem-se um plano de inspeção otimizado e aplicado à realidade estrutural da unidade. A presente dissertação tem por objetivo propor um método de predição baseado em IBR para aperfeiçoamento de processos de tomada de decisão referentes à manutenção de balsas para serviço offshore de uma grande empresa brasileira do setor de petróleo e gás natural. Apresenta-se um estudo de caso focalizando uma aplicação do método de predição em uma das balsas de serviço offshore da empresa – a Balsa de Serviço 3 (BS-3). Os resultados do estudo de caso permitem afirmar que a adoção de ferramentas de inspeção baseada em risco podem aumentar o TLV (Tempo Limite de Vida) das balsas de serviço offshore. Como consequência, os benefícios potenciais são: redução das incertezas associadas; identificação de avarias devido à deterioração estrutural; redução de custos de manutenção; e, principalmente, diminuição do tempo da paralisação das balsas de serviço. / [en] Risk-Based Inspection (RBI) involves the use of engineering calculation tools such as finite element structural analysis, corrosion and fatigue analysis, risk analysis and structural reliability in an integrated framework, in order to develop inspection plans in a rational and optimized manner. RBI attempts to map the structure degradation curve, in deterministic or probabilistic way. Once defined the degradation curve for the different areas of the structure, risk analysis techniques are applied to determine inspection intervals concerning each element of the structure. As final result, it is possible to obtain an optimized inspection plan applied to the structural reality of the unit. The objective of this dissertation is to propose a prediction method, based on RBI, to improve the decision-making process focusing on maintenance of offshore service barges of a large oil and gas company in Brazil. It presents a case study concerning an application of this prediction method in one of the offshore service barges of this company – Offshore Service Barge 3 (BS-3). The results show that the adoption of preventive inspections can enlarge the TLV (Time Limit of Life) of this type of unit. As a consequence, the potential benefits are: reduction of uncertainties; identification of faults due to structural deterioration; maintenance costs reduction; and, decreasing of time breakdowns concerning barge services.

[pt] ANALISE DE RISCO

[en] RISK ANALYSIS

[pt] METROLOGIA

[en] METROLOGY

[pt] CONFIABILIDADE

[en] RELIABILITY

[pt] INSPECAO BASEADA EM RISCO

[en] RISK BASED INSPECTION

[pt] TEORIA DE DECISAO

[en] DECISION THEORY

[pt] MIBR

[pt] IBR

[pt] BALSAS DE SERVICO OFFSHORE

[pt] TEMPO LIMITE DE VIDA

[pt] TLV

風險基礎資本，情境分析及動態模擬破產預測模型之比較 / Regulatory Solvency Prediction: Risk-Based Capital, Scenario analysis and Stochastic Simulation

宋瑞琳, Sung, Jui-Lin

Unknown Date

保險公司清償能力一直是保險監理的重心，在所有現行的制度中風險基礎資本是最重要的，但此項制度仍有其缺點，因此其他動態分析模型被許多學者所提出，如涉險值及情境分析。雖然這些動態分析模型被學者所偏好，但監理機關仍須對這些模型的精確程度加以了解，這也是本篇論文所要研究的目的。 基於此，本篇論文以模擬方式及經濟模型加以分析風險基礎資本、情境分析及涉險值等方法的破產預測的相對精確性。其中風險基礎資本完全採用現有NAIC的年報資料，情境分析及涉險值則採用我們所建立的模型，基於此也可以確認現有監理制度是否有缺失。 我們的結果發現風險基礎資本的預測能力很低，動態模型-情境分析及涉險值皆優於風險基礎資本，且在不同動態模型中涉險值的預測能力較好。因此可知被學者所偏好的動態分析模型應是未來保險監理的方向希望藉由本篇提供監理機關一個參考的依據。 / Solvency prediction of insurers has been the focus of insurance regulation. Among the solvency regulation systems, risked-based capital (RBC) is the most important but RBC still has some drawbacks. Thus, the dynamic financial analyses-scenario analysis and Value at Risk have been developed to be the regulation tool. Although, the scholars prefer the dynamic financial analysis, the regulators still want to make sure the accuracy of dynamic financial analysis. That is the purpose of our paper. Therefore, we use the simulation result and the econometric model to analyze the relative effectiveness of RBC, scenario and Value at Risk (VaR). The RBC is from the annual statement and the scenario and VaR come from our simulation model. Our result shows that the RBC has very low explanatory power, the dynamic financial analysis is better than RBC, and VaR outperform scenario analysis. Thus, we conclude that VaR is the way to go for property-casualty insurance regulators.

風險基礎資本

涉險值

情境分析

動態財務分析

經濟模型分析

清償預測

清償監理

Risk-Based Capital

Value at Risk

Scenario Analysis

Dynamic Financial Analysis

Econometric Model Analysis

Solvency Prediction

Solvency Regulation

長壽風險對保單責任準備金之影響－以增額型終身壽險為例 / The effect of longevity risk on reserves – based on increasing whole life insurance

陳志岳

Unknown Date

近年隨著油價、物價上漲所導致的通貨膨脹風險，壽險業者以增額型終身壽險來吸引潛在消費者。另外，由於醫療技術的進步，使得死亡率逐年改善，因此將造成保單在設計時可能將遭受到長壽風險的影響。本篇文章的主要目的即探討長壽風險對於保單責任準備金的影響，並以增額型終身壽險作為本文主要分析標的。首先建構死亡率模型(Lee-Carter模型)，用來配適並模擬死亡率，接著探討增額型終身壽險在各保單年度下之現金流量以及責任準備金的提存，進一步再引進不同的死亡率來探討其現金流量分佈情形與責任準備金之提存。本文研究結果發現，在保險公司未採用遞迴方式計算保費時，當繳費期間愈短、複利利率愈高以及投保年齡愈低時，保險公司所面臨之長壽風險愈大，其後在帶入各種不同死亡率模型，發現死亡改善率愈高，保險公司所面臨之長壽風險愈大，而保險公司在提存責任準備金時，並未考慮到死亡改善率的部分，此對保險公司的財務健全將造成隱憂，本文於此部分建議監理機關透過法規(RBC)的制訂，調整準備金提存的係數，以降低長壽風險對保險公司財務之衝擊。 關鍵字：長壽風險、死亡率模型、增額型終身壽險、保單責任準備金、增額準備金、Lee-Carter Model以及RBC制度。 / With the improvement of medical technology, the life expectancy around the world is increasing year by year during the past decade. Therefore, the increasing whole life insurance policy is popular during these years because its benefits are escalating with time and policyholders think they could gain more benefits when they live longer. Like annuity policies, the increasing whole life insurance could also suffer from the longevity risk, which may have enormous impact on the financial statements of insurers. The purpose of this paper is to discuss the impact of longevity risk on reserves, based on increasing whole life insurance policy. First, we construct Lee-Carter model to fit and simulate mortality rate and assume different mortality improvements from the 2002 Taiwan Standard Ordinary Experience Mortality Table (2002TSO) for further comparisons. And then, we construct a simple model to analyze the cash flows of the increasing whole life policies based on the mortality rates we observed. By constructing a simple model and simulation, we find that if the insurance company does not correctly estimate longevity risk, the insurance company will lose money on the increasing whole life policies. In order to mitigate the insufficiency of life insurers for the increasing whole life policies, we try to provide some supervision suggestion from the view of the risk-based capital (RBC) requirements. We calculate the factor of insurance risk (C2) of RBC requirements because this factor represents the surplus needed to provide for excess claims over expected, both from random fluctuations and from inaccurate pricing for future levels of claims. Keywords: longevity risk, increasing whole life insurance policy, Lee-Carter model, risk-based capital (RBC).

長壽風險

死亡率模型

增額型終身壽險

保單責任準備金

增額準備金

Lee-Carter Model

RBC制度

longevity risk

increasing whole life insurance policy

Lee-Carter model

risk-based capital (RBC)

Réglementations Financières et Gouvernance par les Risques : le cas des entreprises non-financières françaises soumises à la réglementation Sarbanes Oxley / Financial regulation and risk-based governance : the case of french non-financial companies under the Sarbanes Oxley Act

Bouazzaoui, Rhita

30 May 2014

La divulgation d’informations sur les risques est une problématique centrale de la communication des entreprises cotées. De nombreuses dispositions réglementaires ont été mises en œuvre aux Etats-Unis et en Europe pour promouvoir la transparence sur les risques et les dispositifs de contrôle mis en place pour leur gestion. Les exigences de certification de l’efficacité de ces dispositifs conduit à la question de savoir si ou comment les entreprises non-financières françaises, ayant une double cotation aux Etats-Unis et en France, sont conformes à ces règlementations. Dans ce contexte, il est soutenu que la mise en évidence des différents niveaux de formalisation des dispositifs de contrôle des risques, à travers la communication des entreprises, permet de dégager des typologies originales de mise en conformité et de gouvernance des organisations. La démarche de recherche adoptée est basée sur l’étude de cas longitudinale qui permet de suivre les entreprises du lancement des projets de mise en conformité, à la stabilisation des processus de production de la certification des procédures de contrôle des risques. Les données recueillies (entretiens, rapports annuels) font l’objet d’une analyse de contenu à travers le COSO2. Une seconde étape est leur traitement statistique pour discriminer les réponses stratégiques dans le temps et entre entreprises. Les observations empiriques mettent en exergue différentes réponses stratégiques en fonction de deux périodes et des préoccupations économiques et stratégiques des entreprises. / Risk oriented disclosure is a central issue of listed companies communication. Many Risk-based regulations have been implemented in the US and Europe to promote transparency about risks and controls mechanisms. Under the requirements of the SOX, executives must certify the public company’s financial results (section 302) and have to issue a report on the effectiveness of the company’s internal controls over financial reporting (section 404). The increase of mandatory risk reporting leads to the question of whether or how the French non-financial companies cross-listed in the US and France are compliant with these regulations. In this context and across corporate communication, it is argued that different levels of risk control’s formalization can highlight original typology of compliance and corporate governance. This research uses a longitudinal case study in order to explore the implementation of risk control measures and the risk narrative disclosure strategies to enhance organizational legitimacy. The collected data (interviews, risk disclosures within annual reports) are subject to a content analysis through COSO2. A second step is a statistical analysis to discriminate strategic responses over the time and between companies. Empirical observations point to different strategic responses to institutional processes based on two periods as well as economic and strategic business concerns. The first phase shows that risk control process is structured in order to build the auditability of organization. While, in the second phase companies develop different strategic responses more consistent with their concerns.

Conformité

Entreprises non-financières cotées

Analyse qualitative longitudinale

Risk based regulations

Compliance

Risk disclosures annual reports

Sarbanes-Oxley Act

Non financial corporations

Longitudinal Qualitative Research

650

Anti Money Laundering – Förhindra eller undvika? : En studie om svenska AML-chefers inställning till penningtvättsregelverken. / Anti Money Laundering - Prevent or Avoid? : A study of attitudes towards money laundering regulations among Swedish AML-managers.

Castor, Robin, Rosenqvist, André

January 2021

Författare: Robin Castor och André Rosenqvist  Handledare: Elias Bengtsson  Examinator: Andreas Jansson  Titel: Anti Money Laundering – Förhindra eller undvika? – En studie om svenska AML-chefers inställning till penningtvättsregelverken.  Sökord: AML, Anti-Money Laundering, Penningtvätt, Bankreglering, Compliance, KYC, Kundkännedom, Riskbedömning, Riskbaserat förhållningssätt, Rapportering, Resursallokering  Bakgrund: Penningtvätt är ett växande problem som skadar samhället. För att hantera detta problem utfärdar EU kontinuerligt nya direktiv för medlemsländerna att implementera. Den aktör som hamnat mest i fokus är banker, där skandaler visat på brister i arbetet mot penningtvätt bland svenska banker. Regelverken ställer hårda krav samtidigt som ett riskbaserat förhållningssätt låter banker tolka och implementera arbetet olika. Genom att studera AML-chefers inställning till regelverken bidrar denna studie med en synvinkel som inte tidigare beaktats i Sverige.  Syfte: Denna studie syftar att öka förståelsen kring attityder mot AML och dess regelverk inom svenska banker, om det skiljer sig mellan olika banker samt vad det kan innebära för alla berörda parter.  Metod: En kvalitativ studie med abduktiv forskningsansats har genomförts. Studien har hämtat empiri genom semistrukturerade intervjuer med fem olika AML-chefer på den svenska bankmarknaden.  Resultat/Slutsatser: Studiens resultat visar hur AML-chefer i Sverige har en kritisk syn på penningtvätts-regelverken. Regelverken upplevs ställa höga, men rimliga, krav på bankerna. Flera fördelar med det riskbaserade förhållningssättet lyfts upp, där riskbedömning och kundkännedom ger en god överblick av verksamheten i ett bolagsstyrnings-perspektiv. Regelverken låter bankerna stänga ute de kunder som inte vill samarbeta. Tyvärr kan dessa kunder gå vidare till nästa bank och fortsätta sitt misstänksamma beteende. Detta problem grundar sig i banksekretessen som gör det omöjligt för banker att dela information och samarbeta i arbetet mot penningtvätt. Studien visar därmed hur incitamenten bakom efterföljandet av regelverket till stor del bygger på rädslan av att skada bankens eget rykte eller ådra sig stora bötesbelopp. Fokus har skiftat från att faktiskt försöka stoppa penningtvätt, till att endast undvika att själv bli utsatt för penningtvätt. / Authors: Robin Castor and André Rosenqvist  Supervisor: Elias Bengtsson  Examiner: Andreas Jansson  Title: Anti Money Laundering - Prevent or Avoid? A study of attitudes towards money laundering regulations among Swedish AML-managers.  Keywords: AML, Anti-money laundering, Money laundering, Banking regulation, Compliance, KYC, Know your customer, Risk assessment, Risk-based approach, Legal reporting, Resource allocation  Background: Money laundering is a growing problem that harms society. To address this issue, the EU is continuously issuing new directives for member states to implement. The banking sector has come to be the most affected industry, where scandals have shown deficiency in the work against money laundering among Swedish banks. These regulations set strict requirements at the same time as the risk- based approach allows banks to interpret and implement the regulations in various degrees. By studying how Swedish AML-managers experience these regulations, this study contributes with a point of view that has not been considered in Sweden previously.  Purpose: This study aims to increase the understanding of attitudes and experience towards AML and its regulations within Swedish banks, if it differs between banks and what it could signify for involved parties.  Method: A qualitative study with an abductive research approach has been conducted. The study has gained empirical data through semi-structured interviews with five different AML managers in the Swedish banking market.  Results/Conclusions: The results of the study show how AML managers in Sweden have a critical view of the money laundering regulations. The regulations are perceived to put high, but appropriate, requirements in the banks. Various advantages of the risk-based approach are highlighted, where risk assessment and customer awareness (KYC) provide a good overview of the business from a corporate governance perspective. The regulations allow banks to end their business relationship with customers who do not want to cooperate. Unfortunately, these customers are able continue their suspicious behavior throughout different banks. This problem is based on the bank secrecy, which makes it impossible for banks to share information and cooperate in the work against money laundering. The study shows how the incentives behind compliance with the regulations are largely based on the fear of damaging reputation or receiving heavy fines. The focus has shifted from actually trying to stop money laundering, to only avoiding being subjected to money laundering themselves.

AML

Anti-money laundering

money laundering

banking regulation

compliance

KYC

know your customer

risk assessment

risk-based approach

legal reporting

resource allocation

AML

anti-money laundering

penningtvätt

bankreglering

compliance

KYC

kundkännedom

riskbedömning

riskbaserat förhållningssätt

rapportering

resursallokering

bankstyrning

finansinspektionen

Business Administration

Företagsekonomi

Внедрение интегрированной системы менеджмента в соответствии с ISO 45001 в АО «Институт реакторных материалов» / Implementation of an integrated management system in accordance with ISO 45001 in JSC " «Institute of reactor materials»

Пучихина, А. А., Puchikhina, A. A.

January 2020

Объект исследования – система менеджмента безопасности труда и охраны здоровья АО «ИРМ». Цель данной работы является актуализация документации интегрированной системы менеджмента в соответствие с требованиями международного стандарта ISO 45001:2018. Методология проведения исследования – в работе использованы такие методы, как: изучение СМИ и литературы, анализ данных от предприятия, сравнение. Полученные результаты и их новизна – в работе раскрыта актуальная на сегодняшний день тема перехода предприятия на стандарт ISO 45001:2018. Новая версия стандарта была опубликована не так давно и вопрос перехода на новый стандарт является насущным для многих предприятий. В дипломной работе произведен сравнительный анализ прошлой и настоящей версии стандартов ISO 45001 и OHSAS 18001, что позволяет оценить предприятию возможные изменения в системе менеджмента безопасности труда и охраны здоровья. Область применения – при сертификации или ресертификации на стандарт ISO 45001:2018. Значимость работы – теоретическое и практические вопросы, исследуемые в работе, являются значимыми, так как затрагивают актуальную тему перехода на ISO 45001:2018. / The object of study is the management system for labor safety and health protection of JSC INM. The purpose of this work is to update the documentation of the integrated management system in accordance with the requirements of the international standard ISO 45001:2018. The methodology of the study – the methods used are: the study of the media and literature, analysis of data from the enterprise, comparison. The results obtained and their novelty – the topic of the enterprise’s transition to the ISO 45001: 2018 standard is disclosed in the current work. A new version of the standard was published not so long ago and the issue of transition to a new standard is urgent for many enterprises. In the thesis, a comparative analysis of the past and present versions of the ISO 45001 and OHSAS 18001 standards is made, which allows the company to evaluate possible changes in the system of labor safety management and health protection. Scope – in the certification or recertification to the standard ISO 45001: 2018. Significance of the work – theoretical and practical issues studied in the work are significant, as they touch on the current topic of the transition to ISO 45001: 2018.

ОХРАНА ТРУДА

ПОСТОЯННОЕ УЛУЧШЕНИЕ

MASTER'S THESIS

INTEGRATED MANAGEMENT SYSTEM

QUALITY STANDARD ISO 45001: 2018

LABOR PROTECTION

RISK-BASED THINKING

CONTINUOUS IMPROVEMENT