Facing Up to the Challenges of Basel II

The Complexity of the New Accord

The first issue that strikes you about Basel II, even before you address any of the detailed content of the New Accord, is that it is far more complex than the current Accord¹. There is a clear distinction between the treatment of credit risk and operational risk, with each category having completely different approaches to calculating the capital allocation against risk. Within each of these two main categories there are also three optional approaches, which means a total of six different schemes that could be implemented. To address these issues banks will need to:

  • Estimate the costs of implementation for any proposed approach and analyse the cost/benefit relationship so as to evaluate which of the options best suits their strategic business needs
  • Where a progressive strategy is planned, starting simple and evolving to a more sophisticated approach later, plan the migration path for a smooth transition²
  • Appoint specialists to lead and participate in the extensive transformation programme that will be needed to implement the chosen approaches
  • Set up a new risk management governance structure and a reporting framework
  • Identify the key risk areas within the firm and create a risk model against which to collect and collate risk data
  • Implement enterprise-wide processes and systems to monitor and track risks
  • Design, build/acquire and implement new automated systems for collecting, storing, processing, integrating and interpreting operational risk data, including losses, events and near misses.
  • Develop policies and procedures to demonstrate compliance with the New Accord
  • Develop and implement a method of benchmarking the risk management process at regular intervals so as to demonstrate due diligence and a well-managed risk profile
  • Raise awareness in the business units where the operational risks actually occur
  • Engage with the regulators in all jurisdictions in which they have business activities to ensure approval of the chosen approaches and integration with the supervisory processes
  • Calculate capital allocation requirements based upon analysis of detailed operational loss data, including the capture of all low frequency ‘tail’ risks

This all represents a huge investment in the transformation programme.

New Data Model

One of the key requirements for measuring operational risk is the capture of loss data from all parts of the business. This data must be maintained over a five-year rolling window of time. Clearly the volumes of data involved in this exercise are huge, which in itself is a major challenge. However, there is much more to be decided to reach this goal. Key questions are:

  • What are the actual data items to be collected? What granularity of data is required? What fields must be included in a loss event data record?
  • How will the data be captured? What will be the balance between manual and automated data capture?
  • How will the data be stored? Will there be a single central physical store or will the storage be logically unified but physically distributed? If physically distributed, how will logical consistency be enforced and how will the data be integrated for processing and analysis?
  • If data collected from different applications differs from one physical repository to another, how will it be normalised to bring it together into a single logical data structure?
  • Will the granularity chosen be sufficient to support the data mining, correlation mapping and distribution modelling that will be needed downstream for analysis?
  • If the model created initially is wrong, how much impact will that have on the ability to model risks based upon the (inappropriate) data?
  • What tools will be needed to do the data management, data mining and statistical analysis and how can their scalability be ensured to meet the volume expectations?
  • If banks merge, how will different data models be integrated?
  • Can there be a common data model to support pooling of data, especially to investigate and analyse ‘tail’ risks?

Systems Transformation

To handle the data management issues, banks will need to invest heavily in new information systems. These must bring together data collected on an enterprise-wide basis and must deal with the capture, storage, integration, analysis and reporting of risk information over time in a reliable and resilient manner. According to research commissioned by FileNet across heads of IT and compliance at leading UK financial services and insurance organisations, compliance is considered the primary objective for IT investment over the next 18 months³.

One obvious key question that accompanies this requirement is: should we build or should we buy? Recent investigations of the software products market by several of the larger banks suggest that no single supplier has come up with a software product that provides an integrated enterprise risk management (ERM) solution. Indeed it is almost certain that there never will be a viable ‘out-of-the-box’ solution, since the potential individual requirements of each bank differ so much. Does that mean that every bank must develop its own custom system? The answer is probably both yes and no. Yes, there will be a need for some custom development, but no, there is no need to start from scratch.

The best solutions will be built by integrating a number of existing ‘out-of-the-box’ products that have been developed for generic business use. Such products are likely to include business performance management engines, business process mapping and management tools, policy and standards management tools, document management systems and a range of specific risk modelling and risk assessment tools and sub-systems. These products will most likely be integrated into an overall enterprise risk management (ERM) system architecture, and wrapped with a variety of data capture sub-systems (both new and legacy) and MIS⁴ reporting and dashboard⁵ tools. All these products currently exist in the marketplace and are well established for other business applications (such as financial planning and management). What is innovative about this approach is the application of these tools to risk management by integrating them as ‘out-of-the-box’ components of a much more complex overall ERM system. This strategy brings together a number of tried and tested components to build an entirely new solution.

Whatever the answer (buy, build or integrate) there is a major systems development programme to be managed. At the same time, there is potentially an opportunity to increase automation and to streamline existing processes. Banks should be looking for these opportunities for added benefits so as to maximise the return on this new investment in systems transformation.

Cultural Transformation

It is predictable that, human nature being what it is, the change in risk management culture that the New Accord requires will meet resistance on a broad front. The changes do not just affect a few people in central head office – they will impact on behaviour, attitudes, underlying assumptions and business practices right across the operational business units in every bank that needs to comply. Everyone who works in a bank will need to be aware in some way or another of the changes in the risk management culture and the impact that has on his or her job. Managers at all levels will need to take on different and new responsibilities, and it will be crucial to the success of the transformation programme to bring these people ‘on-side’, to help them to understand the benefits, and to empower them to play important roles in bringing about the transformation itself. This means that there must be new policies and procedures backed up by carefully planned awareness programmes and in some cases retraining of staff for new skills. High quality leadership and championship will be essential to gaining success, and this will test the capabilities of management teams to their limits.

One of the key cultural changes will be the need to take an enterprise-wide view of business events across organisations that have traditionally been run as collections of separate fiefdoms. The collection of operational risk data across multiple systems with starkly different applications requires cooperation and collaboration on a wide scale, hitherto unknown.

Leveraging the Transformation

In many ways the implementation of the New Basel Accord is like the Y2K event. It has a deadline (although not necessarily so cast in stone – the Committee could move this deadline if it so chose), and it is a major transformation programme requiring large investment and a large highly specialised programme management team to deliver it. As with Y2K, banks should look to see what additional benefits they can reap over and above mere compliance. The question they must address is: ‘How can we make the benefits significantly outweigh the costs?’

One potential benefit is the improvement in shareholder value for individual financial institutions and increased market confidence in the banking sector as a whole. This should result from the Pillar 3 proposals for improved market disclosure and transparency.

Another potential benefit is competitive advantage for those who succeed in using the AMA to reduce their capital charges and hence release more capital for other purposes. There is also the potential to differentiate the firm in the marketplace through its superior risk management profile, and the need to get above a certain level even to have basic acceptance in the marketplace. However, there are also sceptics who argue that “the additional burden of costs and procedures placed on the industry may well also materially reduce competition in banking service”.

On a completely different front, banks will need to invest heavily in developing excellent data management capabilities in order to comply with the New Accord. This new capability has other possible application areas, and, for example, could be used to enhance the way in which banks mine commercial data for marketing purposes and for CRM applications. There are potentially many new application areas where these new powerful data management techniques can be profitably deployed, and banks should proactively seek out these opportunities so as to maximise the return on the investment in the New Accord.

According to research commissioned by FileNet across heads of IT and compliance at leading UK financial services and insurance organisations, 74.5% of respondents believed that new regulatory compliance demands represent a positive opportunity for improved business performance (operational efficiency 41% and business optimisation 33.5%) – only 5.2% see compliance as just a burden. 39.7% gave “responsiveness and transparency to regulators” as their primary IT objective, with a further 27.3% citing “ability to react to change.”

51.8% stated ability to “quickly adapt to changes in regulations” as their highest compliance priority with country-level and sector-specific regulations causing more concern than EU regulations and other international developments. On the negative front, 83.8% of companies still have the mindset of compliance being a one-off issue rather than an ongoing business concern, and only 4.7% felt 100% confident of their ability to address regulations.⁶

Clearly there are many opportunities to be considered carefully as part of the overall return on investment strategy for this transformation programme.

Insurance

Under the AMA banks are allowed to use insurance as a means to mitigate up to 20% of the operational risk capital requirement. However, this supposes that suitable insurance products are available in the marketplace. This presents the insurance industry with both an opportunity and a challenge. What range of new insurance products can be developed to offer banks greater opportunities to insure against operational risks? How will the underwriters reach their decisions in the early days, since insurance is based upon actuarial analysis of statistical data, which at present does not exist? Will the insurance market lag behind, waiting until the loss data that the banks will collect becomes available for assessing the risk exposures?

Business As Usual

Another major issue is that whilst there is all this work to do to get ready for the implementation of Basel II at the end of 2006, there is also a business to run on a day-to-day basis, just as always. There is a danger that whilst the management team are focusing upon these new regulatory issues, they are not keeping their eye on the balls called ‘revenue generation’ and ‘cost reduction’ (through outsourcing etc). Certainly the Basel II transformation programme will distract some attention and divert some resources away from ‘normal’ business activities.

Change Management

There is also the possibility that some banks will merge, make acquisitions, make divestments, launch new activities, close down existing activities, set up joint ventures or reorganise their structure during the transformation programme. This will require major reviews of the Basel II strategy, since such major changes may well have a major impact on the selected strategy.

Thinking of the longer term and the broader issues, well beyond first implementation, it will be essential to be able to integrate the risk management systems and processes into the overall enterprise change management process so that any significant changes to the business can be reflected by appropriate changes in risk management.

Benchmarking Risk Management Practices

One of the key components of Pillar 1 for both the standardised approach and the advanced measurement approach to operational risk is the mandatory implementation of an operational risk management framework of sufficient quality to satisfy the supervisors. Pillar 2 also implies the need for each bank to pass a qualitative review by the national regulator of its operational risk management processes. How will a bank demonstrate to the regulator that its operational risk management framework, processes and systems are of the requisite quality? The regulators are themselves very risk-averse, and so are certain to avoid giving specific advice as to how they might be satisfied in this respect. The regulator’s approach will always be: ‘show us what you do and we will tell you whether or not we approve’.

Every bank will therefore need to have some kind of framework by which it can demonstrate the quality and maturity of its operational risk management processes. Without such a framework how are the bank and the regulator even going to have the relevant conversation? One of the approaches most likely to fulfil this need is the use of a ‘capability maturity model’ to produce a self-assessed profile of how well the bank is performing in this respect. These models usually provide a qualitative assessment on a five-point scale. The area of work to be assessed is broken down into a series of ‘domains’, each of which is resolved into ‘process areas’, which in turn are further decomposed into ‘activities’. An assessment is made on each activity, and these are rolled up to provide aggregated assessments on ‘process areas’ and ‘domains’. The method allows an assessment to be made of where you are now, where you want to get to in a specified time period and also provides the means to track progress against those goals. If offered by a service provider who collects capability maturity data from a number of different banks, then the possibility exists to benchmark each bank against a sanitised average view of specific industry sectors, either by region, by size or by line of business. This will provide the type of framework needed for an individual bank to negotiate its way through the supervisory review of the quality of its risk management processes.

Conclusions

The implementation of the New Basel Accord raises many important issues, some of which have been outlined above. No doubt there are many more yet to be identified. Many of the larger financial institutions are well under way with their planning and development, but even these firms have much still to do. Those banks that have not yet made significant progress need to begin very soon, since there are many complex issues to be addressed, all of which will require both extensive expertise and considerable investment of time and money. Those that are wise will regard this exercise not just as one of compliance, but as an opportunity to make quantum leaps in improving their risk management, enhancing their shareholder value and their competitive position, and saving on operational costs through streamlining their business processes.

¹ According to the Financial Times (FT.com, August 6th 2003), the British Bankers’ Association is concerned about too much complexity: “The new accord, as currently proposed, is unduly complex and will be difficult for our members to implement and for national regulators, even in the G10, to supervise.”
² According to the Institute of Financial Services, at the beginning when Basel II is first introduced, 46% of banks intend to use the AMA, 46% the standardised approach and 8% the basic indicator approach. The same respondents say that three years later 83% will use AMA, 14% the standardised approach and only 3% the basic indicator.
³ Quoted from www.insurancenewslink.com, 11th May 2004.
⁴ MIS: management information system
⁵ A ‘dashboard’ is a conceptual presentation of key performance indicators and key risk indicators to appropriate levels of management.
⁶ Quoted from www.insurancenewslink.com, 11th May 2004.
