Compliance with Basel II
Banks will not achieve compliance with the guidelines strictly
by way of technology as there is no single comprehensive Basel II system, says
Manek Fitter
The Basel Capital Accord or Basel II is more than just another piece of regulatory
legislation which banks have to comply with across the globe. It has introduced
an approach to calculating capital adequacy that is closely aligned to the risk
profile of the banks, thereby introducing a wider array of changes than have
ever been seen in the financial services sector. The far-reaching changes in
risk management would be in identifying, measuring and managing the risks taken
by banks. It will drive changes in managing the banking business by concentrating
on the adequacy of returns for the risks taken. It will also direct banking
strategies and goals through the utilisation of capital to exploit the right
commercial opportunities. Basel II will be a catalyst for change which can be
leveraged to create business value.
Basel II has recommended new norms for credit and operational risk management.
It encourages banks to become sophisticated in their analysis of risk, closely
aligning regulatory requirements with internal risk measurement methodologies
and improving operational process controls. By modernising risk practices, banks
can achieve:
- Consistent process execution
- Maximisation of operating efficiency
- Improvement in available information to support
credit decisions
- Reduction in regulatory capital requirements.
Compliance with Basel II is adding urgency to banks' enterprise-wide risk
management projects, and many banks are leveraging Basel II to revamp their
global risk practices and policies to gain a greater competitive advantage.
As part of that global effort, banks are re-examining the technology supporting
risk measurement and management.
Manek Fitter, Senior Manager, Ernst & Young
Banks will not achieve compliance with the guidelines strictly
by way of technology as there is no single comprehensive Basel II system. However,
the guidelines place demands on banks that only technology can address. Meeting
the requirements set out in an auditable and robust manner demands extensive
data collection and consolidation as well as system integration and reporting
capabilities within a global infrastructure. Banks must determine how best to
leverage their existing infrastructure by identifying and closing gaps, implementing
new solutions, and enhancing existing ones.
Beyond regulatory compliance
Regulatory compliance may be necessary but is not an all-encompassing requirement
of Basel II. To take advantage of the new guidelines, banks may need to not
only address issues relating to risk management methodologies and models which
are usually available off the shelf, but will also need to review many other
aspects of their business activities because in this sphere the same methodologies
and models may not work across banks, industry exposure concentrations and regions.
They would need to concentrate on the quality of data available, its cleaning
and maintenance, sufficiency and robustness of technology infrastructure, as
well as the alignment of business processes, people and technology to identify,
manage and monitor risk.
The senior management will be expected to understand and provide oversight on
all these aspects ensuring that the concept of risk is embedded in banking strategy,
direction, decision making, capital requirements, operations and management
information systems.
Enhancements to transparency through increased disclosure requirements mean
that banks need to effectively comply with Basel II as this information would
be publicly available, thus affecting market perception, external ratings and
ultimately the banks' competitive position.
And the approach to take is...
- Risk-based approach for credit risk. The accord sets
out three methodologies of varying sophistication for a bank to determine regulatory
credit-risk capital: Standard, Foundation Internal Ratings-Based (IRB) and Advanced
IRB. Banks would need to enhance their technologies to address all three proposed
methodologies and be flexible enough to support special regulatory requirements
as well as future changes and demands through a modular and flexible architecture.
Centralised consolidation of the core data required to support credit analysis
is a preferred approach. Confidence in analytical results hinges on vendor reliability,
data consistency and dependable workflow tools.
- Charge for operational risk. The accord additionally
has introduced a new capital charge to account for operational risk, encouraging
banks to improve process monitoring, control and business continuity. All
businesses are built on the performance of various operational processes,
and it is the essence of quality control to perform these processes with discipline
and consistency. A systematic approach to operational risk, however, requires
support for:
- Control and risk self-assessment. A formal
review of what can go wrong with a process, how it can be strengthened, and
whether the residual risk of loss from operational failures is acceptable.
In effect, this is qualitative analysis based on the judgment of people close
to the process being reviewed. Once an acceptable control process is in place,
it is important to monitor the quality of execution on a continuous basis.
- Key risk indicators. Multiple quantitative
indicators are selected that are considered early warnings of potential problems.
Changes in their behaviour through time provide objective signals to higher
management that there is an issue to be addressed before a situation becomes
critical. Although not the only indicators of process weaknesses, actual realised
losses do play a role in evaluating operational risk.
- Loss data collection. It is important that
such data collection be surrounded with a rigorous review process to assure
reconciliation to the profit and loss account and provide supplemental information
on the nature of the failure that gave rise to a loss. Analytics can be used
to estimate potential loss events as a basis for capital allocation once a
robust loss data collection mechanism is in place.
Basel II provides for three increasingly sophisticated approaches to the treatment
of operational risk. These are the Basic Indicator and Standardised Approaches
as well as the Advanced Measurement Approach (AMA). There are incentives for banks
to move to the more sophisticated approaches. Qualitative process review and
improvement will be required as the basis for allowing the use of either the
Standardised Approach or one of the AMAs. Advanced analytics applied to loss
data by them will not be sufficient to achieve a reduced regulatory capital
level. This focusses attention on the need for sound tools to address all the
above requirements for operational risk.
Being prepared
Compliance with Basel II will be difficult and is estimated to involve significant
preparation, resources, workload and therefore cost. Compliance with the rules
will be required in the near future for all regulated organisations in the banking
sector. Failure to comply will have numerous implications including:
- Failure to comply properly with Pillar 1 may result
in banks incurring increased capital charges to cover credit or operational
risk.
- Under Pillar 2, the regulator may impose a capital
multiplier if it feels the banks are not ready for or have inadequately implemented
the requirements of Basel II. Under the requirements of Pillar 3, the banks
will need to disclose readiness for Basel II, the approach taken, and any
additional regulatory compliance. Disclosure may affect public perception
of the banks, external ratings and ultimately competitive advantage.
- Commercial opportunities and business value may
be lost due to poor portfolio and capital management.
More importantly, banks today can still spread the cost of compliance with Basel
II over several budget cycles and ensure that they get business value from their
efforts.
Deciding the roadmap
Banks would need to choose among the various options provided by the Basel II requirements
depending upon their state of preparedness from an operations, process and technology
perspective. Clearly, it will be right for some organisations to adopt the basic
approaches offered by Basel II rather than trying to implement the sophisticated
and advanced approaches offered. For others, the advanced approaches may be
the only option possible. Making this decision depends on the business value
banks perceive they can achieve and the financial costs and resources attached to
it. The roadmap for this is:
- Choose a relevant approach for credit and operational
risk from the provided Basel II options considering a business case that has
addressed the costs and benefits of each Basel II approach in the context
of the bank's business strategy and the regulator's expectations
from the bank. Once an approach has been chosen, the bank will need to put
in place a project management office (PMO) to address the approach-specific
requirements of Basel II.
- PMO initiatives should cover all product and business
lines, geographic locations and business disciplines. Ideally, Basel II programmes
should be sponsored at the highest level in the bank and should include representatives
from risk, finance, IT and relevant business lines.
- Aligning the methodologies, models, risk strategy,
appetite and policy to the selected approach. Rating systems, scorecards,
credit risk models and operational risk frameworks will need to be designed,
implemented, validated and benchmarked against Basel II minimum requirements.
Basel II places significant obligations on an organisation to identify, collate
and store credit and operational risk data. Data integrity must be assured,
data must be complete, must be relevant to the ratings systems and models supported,
and must cover between five and seven years of historical performance.
IT systems must be robust, well-documented and able to support risk models,
risk methodologies and management processes. Typically, data requirements will
need IT systems that can collate and store a considerable volume of information
collected from multiple business lines, products and locations.
Basel II requires an organisation to embed changes in models, methodologies,
technology, people and processes in both operational and strategic management
processes. Management would be responsible for understanding and overseeing
risk management processes and aligning these to business strategy.
Banks will be required to define and implement a capital framework building
on the efforts of its compliance with Pillar 1 calculations for market, credit
and operational risk capital. The capital strategy will need to take into account
portfolio characteristics and risk appetite by business/product line. It will
need to cope with changing economic conditions and the impact these can have
on capital requirements.
All banks will be required to obtain regulatory approval to use one of the Basel
II approaches. This approval will be required at the outset of implementation
and on an ongoing basis, and will require rigorous internal and external validation.
Included in this will be increasing external obligations for public disclosure
of information on risk appetite, capital calculations and chosen approaches.
For many banks, some of the areas highlighted, like data, will need significant
attention and investment to meet Basel II requirements. To date, much of the
focus of Basel II initiatives has centered on model design or enhancement, but
in our experience, data and process change will take far more time and effort
to address.
Audit considerations
Although Basel II does not have directives on audit requirements, the transparency
required and the technological dependence of the banks have varied implications
on the audit considerations, be it on internal controls assurance, internal
audit, information systems security and audit or the normal concurrent audit
as these would be the normal means of tracking the various risk parameters necessary
under Basel II. The entire approach would be a risk-based one and would need
to transform from the age-old transaction-based approach.
This would require an assessment of the business processes and associated risks,
controls on business operations, risk mitigating factors and so on. As the banks
move on to internal risk-based approaches, the models used would need to be
reviewed, assessed with the market realities, and stress-tested. Relevant changes
would need to be recommended and implemented for the requirements to be continuously
adhered to in tune with the changing risk environment.
The audits would need to be strengthened through a risk-based approach with
a clear focus on analytical procedures, credit process analysis, treasury operations
review, mitigation of other key business risks, and continuous IT systems audits
including regular ethical hacking and penetration-testing exercises of the technology
infrastructure.
For this, the auditors would need to have the relevant international exposure
to understand review methodologies already being practised in the banking sector
in countries already in the process of complying with Basel II requirements,
the compliance issues being faced by them, and address the technology review
and security requirements which to date were more of a "black box" type.
Banks need to understand that any lapses here would directly impact their risk
parameters thereby increasing the capital required to manage such lapses. This
over a long term would result in excess capital demanded by the regulators for
these particular banks and would be a key differentiator for one bank from another.
A high degree of data collection and management
Basel II involves a high degree of data collection and efficient
management. Data involved in credit and operational risk management, including
volumes of historical credit and operational loss data, would need to be captured,
aggregated, evaluated and acted upon under a consistent policy framework and
a centralised IT system. Such a framework should extend to all risks that are
related to banking-book credit exposures, counterparty exposures in the trading
book, settlement risk and issuer risk from the exposures of debt or equity securities.
A consolidated view of all entity-specific exposure is important because it
provides fast, complete access to exposure data, facilitates the ability to
set an overall credit appetite limit for individual counterparties
and groups, enables proper identification of risk concentrations and portfolio
optimisation, and provides opportunities like diversification or economic offsets.
Aggregation of the relevant exposure data across multiple systems is often
the biggest obstacle to obtaining the relevant information for Basel II. Such core
data consolidation is essential in order to reflect the risk-reducing impact
of diversification across regions, industries and specific obligors as seen
from an aggregate, high-level view. By automating the data collection and risk-adjusted
asset calculation, technology can reduce costs while minimising associated operational
risk and providing an effective audit trail to satisfy bank examiners.
A bank must not only collect and aggregate data but also must have confidence
in that data. Technology should help ensure:
- Data integrity. The quality of data is linked
to the processes, data flows and systems used. Fewer systems mean less
risk of processing errors, fewer interfaces, reduced daily reconciliation
between different systems, minimal exceptions processing and reporting, and,
ultimately, improved operational efficiency.
- Data accuracy. It should begin with data
input, which requires the least amount of manual entry and re-keying into
other systems. With systems integration, data can flow through the organisation
with proper data cleaning and enrichment activities.
A successful Basel II programme would enable banks to exploit
business opportunities and achieve competitive advantage by generating business
value through higher awareness at all levels in the bank of the risks faced,
proper alignment of risk management activities to business strategy and risk
appetite, reduced capital charges leading to more efficient use of capital and
higher returns on equity, and an ability to pre-empt costly regulatory directives
regarding capital adequacy. At the advanced level, during disclosures it can
help avoid potentially negative reputation issues leading to loss of shareholder
value, introduce optimal practices and processes and optimise the credit portfolio,
improve the credit risk process, and more effectively price products.
Manek Fitter is Senior Manager, Ernst & Young. He can
be reached at manek.fitter@in.ey.com