Compliance with Basel II
Banks will not achieve compliance with the guidelines strictly
by way of technology as there is no single comprehensive Basel II system, says
Basel Capital Accord or Basel II is more than just another piece of regulatory
legislation which banks have to comply with across the globe. It has introduced
an approach to calculating capital adequacy that is closely aligned to the risk
profile of the banks, thereby introducing a wider array of changes than have
ever been seen in the financial services sector. The far-reaching changes in
risk management would be in identifying, measuring and managing the risks taken
by banks. It will drive changes in managing the banking business by concentrating
on the adequacy of returns for the risks taken. It will also direct banking
strategies and goals through the utilisation of capital to exploit the right
commercial opportunities. Basel II will be a catalyst for change which can be
leveraged to create business value.
Basel II has recommended new norms for credit and operational risk management.
It encourages banks to become sophisticated in their analysis of risk, closely
aligning regulatory requirements with internal risk measurement methodologies
and improving operational process controls. By modernising risk practices, banks
- Consistent process execution
- Maximisation of operating efficiency
- Improvement in available information to support
- Reduction in regulatory capital requirements.
Compliance with Basel II is adding urgency to banks enterprise-wide risk
management projects, and many banks are leveraging Basel II to revamp their
global risk practices and policies to gain a greater competitive advantage.
As part of that global effort, banks are re-examining the technology supporting
risk measurement and management.
Ernst & Young
Banks will not achieve compliance with the guidelines strictly
by way of technology as there is no single comprehensive Basel II system. However,
the guidelines place demands on banks that only technology can address. To meet
the requirements set out in an auditable and robust manner, demand extensive
data-collection and consolidation as well as system integration and reporting
capabilities within a global infrastructure. Banks must determine how best to
leverage their existing infrastructure by identifying and closing gaps, implementing
new solutions, and enhancing existing ones.
Beyond regulatory compliance
Regulatory compliance may be necessary but is not an all-encompassing requirement
of Basel II. To take advantage of the new guidelines, banks may need to not
only address issues relating to risk management methodologies and models which
are usually available off the shelf, but will also need to review many other
aspects of their business activities because in this sphere the same methodologies
and models may not work across banks, industry exposure concentrations and regions.
They would need to concentrate on the quality of data available, its cleaning
and maintenance, sufficiency and robustness of technology infrastructure, as
well as the alignment of business processes, people and technology to identify,
manage and monitor risk.
The senior management will be expected to understand and provide oversight on
all these aspects ensuring that the concept of risk is embedded in banking strategy,
direction, decision making, capital requirements, operations and management
Enhancements to transparency through increased disclosure requirements means
that banks need to effectively comply with Basel II as this information would
be publicly available, thus affecting market perception, external ratings and
ultimately the banks competitive position.
And the approach to take is...
Banks would need to enhance their
technologies to address all three proposed methodologies and be flexible
enough to support special regulatory requirements as well as future changes
and demands through a modular and flexible architecture
Risk-based approach for credit risk. The accord sets
out three methodologies of varying sophistication for a bank to determine regulatory
credit-risk capital: Standard, Foundation Internal Ratings-Based (IRB) and Advanced
IRB. Banks would need to enhance their technologies to address all three proposed
methodologies and be flexible enough to support special regulatory requirements
as well as future changes and demands through a modular and flexible architecture.
Centralised consolidation of the core data required to support credit analysis
is a preferred approach. Confidence in analytical results hinges on vendor reliability,
data consistency and dependable workflow tools.
- Charge for operational risk. The accord additionally
has introduced a new capital charge to account for operational risk, encouraging
banks to improve process monitoring, control and business continuity. All
businesses are built on the performance of various operational processes,
and it is the essence of quality control to perform these processes with discipline
and consistency. A systematic approach to operational risk, however, requires
- Control and risk self-assessment. A formal
review of what can go wrong with a process, how it can be strengthened, and
whether the residual risk of loss from operational failures is acceptable.
In effect, this is qualitative analysis based on the judgment of people close
to the process being reviewed. Once an acceptable control process is in place,
it is important to monitor the quality of execution on a continuous basis.
- Key risk indicators. Multiple quantitative
indicators are selected that are considered early warnings of potential problems.
Changes in their behaviour through time provide objective signals to higher
management that there is an issue to be addressed before a situation becomes
critical. Although not the only indicators of process weaknesses, actual realised
losses do play a role in evaluating operational risk.
- Loss data collection. It is important that
such data collection be surrounded with a rigorous review process to assure
reconciliation to the profit and loss account and provide supplemental information
on the nature of the failure that gave rise to a loss. Analytics can be used
to estimate potential loss events as a basis for capital allocation once a
robust loss data collection mechanism is in place.
Basel II provides for three increasingly sophisticated app-roaches to the treatment
of ope-rational risk. These are the Basic Indicator and Standard- ised Approaches
as well as Advanced Measurement App-roach (AMA). There are incentives for banks
to move to the more sophisticated approaches. Qualitative process review and
improvement will be required as the basis for allowing the use of either the
Standardised Approach or one of the AMAs. Advanced analytics applied to loss
data by them will not be sufficient to achieve a reduced regulatory capital
level. This focusses attention on the need for sound tools to address all the
above requirements for operational risk.
Compliance with Basel II will be difficult and is estimated to involve significant
preparation, resources, workload and therefore cost. Compliance with the rules
will be required in the near future for all regulated organisations in the banking
sector. Failure to comply will have numerous implications including:
- Failure to comply properly with Pillar 1 may result
in banks incurring increased capital charges to cover credit or operational
- Under Pillar 2, the regulator may impose a capital
multiplier if it feels the banks are not ready for or have inadequately implemented
the requirements of Basel II. Under the requirements of Pillar 3, the banks
will need to disclose readiness for Basel II, the approach taken, and any
additional regulatory compliance. Disclosure may affect public perception
of the banks, external ratings and ultimately competitive advantage.
- Commercial opportunities and business value may
be lost due to poor portfolio and capital management.
More importantly, banks today can still spread the cost of compliance with Basel
II over several budget cycles and ensure that they get business value from their
Deciding the roadmap
Banks would need to choose the various options provided by the Basel II requirements
depending upon their state of preparedness from an operations, process and technology
perspective. Clearly, it will be right for some organisations to adopt the basic
approaches offered by Basel II rather than trying to implement the sophisticated
and advanced approaches offered. For others, the advanced approaches may be
the only option possible. Making this decision depends on the business value
banks perceive to achieve and the financial costs and resources attached to
it. The roadmap for this is:
Choose a relevant approach for credit and operational
risk from the provided Basel II options considering a business case that has
addressed the costs and benefits of each Basel II approach in the context
of the banks business strategy and the regulators expectations
from the bank. Once an approach has been chosen, the bank will need to put
in place a project management office (PMO) to address the approach-specific
requirements of Basel II.
Choose a relevant approach for credit and operational
risk from the provided Basel II options considering a business case
that has addressed the costs and benefits of each Basel II approach
in the context of the banks business strategy and the regulators
expectations from the bank
- PMO initiatives should cover all product and business
lines, geographic locations and business disciplines. Ideally, Basel II programmes
should be sponsored at the highest level in the bank and should include representatives
from risk, finance, IT and relevant business lines.
- Aligning the methodologies, models, risk strategy,
appetite and policy to the selected approach. Rating systems, scorecards,
credit risk models and operational risk frameworks will need to be designed,
implemented, validated and benchmarked against Basel II minimum requirements.
Basel II places significant obligations on an organisation to identify, collate
and store credit and operational risk data. Data integrity must be assured,
data must be complete, must be relevant to the ratings systems and models supported,
and must cover between five and seven years of historical performance.
IT systems must be robust, well-documented and able to support risk models,
risk methodologies and management processes. Typically, data requirements will
need IT systems that can collate and store a considerable volume of information
collected from multiple business lines, products and locations.
Basel II requires an organisation to embed changes in models, methodologies,
technology, people and processes in both operational and strategic management
processes. Management would be responsible for understanding and overseeing
risk management processes and aligning these to business strategy.
Banks will be required to define and implement a capital framework building
on the efforts of its compliance with Pillar 1 calculations for market, credit
and operational risk capital. The capital strategy will need to take into account
portfolio characteristics and risk appetite by business/product line. It will
need to cope with changing economic conditions and the impact these can have
on capital requirements.
All banks will be required to obtain regulatory approval to use one of the Basel
II approaches. This approval will be required at the outset of implementation
and on an ongoing basis, and will require rigorous internal and external validation.
Included in this will be increasing external obligations for public disclosure
of information on risk appetite, capital calculations and chosen approaches.
For many banks, some of the areas highlighted, like data, will need significant
attention and investment to meet Basel II requirements. To date, much of the
focus of Basel II initiatives has centered on model design or enhancement, but
in our experience, data and process change will take far more time and effort
Although Basel II does not have directives on audit requirements, the transparency
required and the technological dependence of the banks have varied implications
on the audit considerations, be it on internal controls assurance, internal
audit, information systems security and audit or the normal concurrent audit
as these would be the normal means of tracking the various risk parameters necessary
under Basel II. The entire approach would be a risk-based one and would need
to transform from the age-old transaction-based approach.
This would require an assessment of the business processes and associated risks,
controls on business operations, risk mitigating factors and so on. As the banks
move on to internal risk-based approaches, the models used would need to be
reviewed, assessed with the market realities, and stress-tested. Relevant changes
would need to be recommended and implemented for the requirements to be continuously
adhered to in tune with the changing risk environment.
The audits would need to be strengthened through a risk-based approach with
a clear focus on analytical procedures, credit process analysis, treasury operations
review, mitigation of other key business risks, and continuous IT systems audits
including regular ethical hacking and penetration-testing exercises of the technology
For this, the auditors would need to have the relevant international exposure
to understand review methodologies already being practised in the banking sector
in countries already in the process of complying with Basel II requirements,
the compliance issues being faced by them, and address the technology review
and security requirements which to date were more from a black box type.
Banks need to understand that any lapses here would directly impact their risk
parameters thereby increasing the capital required to manage such lapses. This
over a long term would result in excess capital demanded by the regulators for
these particular banks and would be a key differentiator for one bank from another.
A high degree of data collection and management
Basel II involves a high degree of data collection and
efficient management. Data involved in credit and operational risk management,
including volumes of historical credit and operational loss data, need
to be captured, aggregated, evaluated and acted upon under a consistent
Basel II involves a high degree of data collection and efficient
management. Data involved in credit and operational risk management, including
volumes of historical credit and operational loss data, would need to be captured,
aggregated, evaluated and acted upon under a consistent policy framework and
a centralised IT system. Such a framework should extend to all risks that are
related to banking-book credit exposures, counterparty exposures in the trading
book, settlement risk and issuer risk from the exposures of debt or equity securities.
A consolidated view of all entity-specific exposure is important because it
provides fast, complete access to exposure data, facilitates the ability to
set an overall credit appetite limit for individual counterparties
and groups, enables proper identification of risk concentrations and portfolio
optimisation, and provides opportunities like diversification or economic offsets.
Aggregation of the relevant exposure data across multiple systems is often
the biggest obstacle to obtain the relevant information for Basel II. Such core
data consolidation is essential in order to reflect the risk-reducing impact
of diversification across regions, industries and specific obligors as seen
from an aggregate, high-level view. By automating the data collection and risk-adjusted
asset calculation, technology can reduce costs while minimising associated operational
risk and providing an effective audit trail to satisfy bank examiners.
A bank must not only collect and aggregate data but also must have confidence
in that data. Technology should help ensure:
- Data integrity. The quality of data is linked
to the processes, data flows and systems used. Fewer systems means lesser
risk of processing errors, fewer interfaces, reduced daily reconciliation
between different systems, minimal exceptions processing and reporting, and,
ultimately, improved operational efficiency.
- Data accuracy. It should begin with data
input, which requires the least amount of manual entry and re-keying into
other systems. With systems integration, data can flow through the organisation
with proper data cleaning and enrichment activities.
A successful Basel II programme would enable banks to exploit
business opportunities and achieve competitive advantage by generating business
value through higher awareness at all levels in the bank of the risks faced,
proper alignment of risk management activities to business strategy and risk
appetite, reduced capital charges leading to more efficient use of capital and
higher returns on equity, and an ability to pre-empt costly regulatory directives
regarding capital adequacy. At the advanced level, during disclosures it can
help avoid potentially negative reputation issues leading to loss of shareholder
value, introduce optimal practices and processes and optimise the credit portfolio,
improve the credit risk process, and more effectively price products.
Manek Fitter is Senior Manager Ernst & Young. He can
be reached at firstname.lastname@example.org