Basel II for Operational Risk and Sarbanes-Oxley (SOX): Are They in Conflict?

Operational risk has become a defining business issue of our times. The new Sarbanes-Oxley Act of 2002 and the proposed Basel Capital Accord (Basel II) reflect heightened regulatory concern over operational risk. Implicit in that concern is the recognition that operational risk exposure has been a key element in recent headlines, including corporate governance failures and the increased threat of business disruption from terrorism. Sarbanes-Oxley, which applies to all public corporations in America, and Basel II, which covers financial institutions in over 100 countries, are part of a new wave of regulations mandating that the financial and corporate communities regularly assess their processes to ensure transparency and protect shareholder value.

Heavy fines and even imprisonment for senior executives (CEOs, CFOs, etc.) are no doubt strong incentives for businesses to satisfy the new U.S. Sarbanes-Oxley regulations. In addition, banks may face higher capital reserves under Basel II if they do not use an advanced measurement approach. Beyond this, the potential negative impact on businesses – and even economies – from adverse operational risk exposure and loss has pushed companies to focus on better techniques for managing operational risk.

Understanding Operational Risk: A Preliminary to Effective Management

While the precise definition of operational risk may vary among banks and companies, a clear understanding of the term is a prerequisite for its effective management, mitigation, and control. The Basel Committee on Banking Supervision (the Committee) has developed a list of the types of operational risk events that can lead to significant losses. These categories include: “internal fraud; external fraud; employment practices and workplace safety; clients, products and business practices; damage to physical assets; business disruption and system failures; and execution, delivery, and process management.”1

Operational risk, unlike risk taken for economic reward, is an inherent part of running a business. It is a fundamental element of all business activity and must be a measured component of any entity’s risk profile to ensure its proper management.

Sarbanes-Oxley and Basel II: A Brief Look at Compliance

Sarbanes-Oxley, enacted to restore investor confidence, mandates far-reaching actions concerning financial reporting, conflicts of interest, corporate ethics, and accounting oversight. Certain provisions became effective immediately upon the President’s signing of the Act. (Other provisions must await the promulgation of further rules by the SEC before subsequent corporate action can occur.) Section 906, which is effective immediately, details corporate responsibility for financial reports. It mandates executive certification of financial statements and establishes more severe consequences for noncompliance.

Included among the other major sections of the Act are Sections 404 and 409, which deal respectively with management’s assessment of internal controls and real-time issuer disclosures. Section 404 requires each annual report to contain an internal control report. The report accomplishes two things: first, it states management’s responsibility for creating and maintaining an adequate control structure and procedures for financial reporting, and second, it assesses the structure and procedures currently in place. To further protect investors and safeguard the public interest, Section 409 calls for the timely public disclosure of material changes in financial condition or operations for those firms reporting under Section 13(a) or 15(d) of the Securities Exchange Act of 1934.

Basel II reflects the recognition by the Committee that operational risk management, while always a central focus of banks, is increasingly viewed as a comprehensive discipline equal in stature to the management of credit or market risk. Beyond the more frequent, high-profile operational-loss events, the Committee points to a number of trends within the banking industry that are driving the changing view of operational risk. E-commerce, industry consolidation, the emergence of high-volume service providers, and a high degree of automation, to name a few, all increase the complexity of risk profiles.

Under Basel II, financial institutions must more actively manage operational risk in order to reduce capital reserves. The accord provides three methods of calculating reserve requirements. First, firms can take what regulators enforce, which means holding up to 12 percent of gross revenues in reserves, a burden on working capital efficiency. Second, firms can allocate a different percentage of reserves by segregating their lines of business based on the type of activity. The final method, the Advanced Measurement Approach (AMA), motivates firms to proactively manage operational risk in return for reduced reserves. Firms must analyze their historical losses and other key risk indicators on a regular basis, justify their level of controls, and develop a model for assessing the correct amount of reserves. Although compliance must occur by the end of 2006, the real deadline is far closer: approval under the AMA requires three years of historical-loss data and up to two years of running a parallel model to prove to regulators that effective risk management is firmly in place.

The U.S. Response to Basel II

Basel II faces many obstacles in the U.S., as well as in other areas of the globe. Questions about the capital charges, and the methodology used to derive them, are growing more persistent. There is the “home-host” issue over regulatory cooperation and trust, which does not appear to be going away soon. In addition, we see three specific concerns for U.S. financial institutions:

  • Regulatory Clarity – The main U.S. regulators have disagreed over Basel II’s approach to capital charges and methodologies, which has made the waters murky. An agreement was reached which initially subjects only the top ten U.S. internationally active banks to Basel II.
  • Cost – Cost estimates for implementing the Basel II AMA approach could be formidable. In addition, Sarbanes-Oxley has taken center stage in the U.S. “SOX,” as it is affectionately known, is a U.S. law and carries stiff legal consequences (fines and prison) for non-compliance. It is rooted in a widely accepted self-assessment methodology (COSO). Monies that were previously earmarked for operational risk are in some cases going to ensure SOX compliance instead.
  • Focus – Basel II has experienced delays, which has led some to wait for the final recommendations in order to fully comprehend the impact it will have on their institution. To the Basel Committee’s credit, these delays have helped it obtain industry feedback, resulting in improved recommendations.

Our view is that, regardless of the Basel II challenges, it has been monumental in energizing operational risk management efforts around the globe. The issues, though formidable, will be worked out as more people develop practical methodologies that make sense to their businesses and regulators. However, financial institutions, whether they agree with Basel II or not, would be hard pressed to dispute the benefits of some key components of the AMA, which improve how they manage their institutions. For example, self-assessment is a proven vehicle for building a better risk management culture that helps facilitate transparency from top to bottom. Most business managers will see the value of gaining a greater understanding of how their people, processes, technology and other risks may impede their business goals. Tracking losses and non-financial events that can impact business goals is a strong indicator of control effectiveness, and can trigger questions when trends start to shift in the wrong direction. Audit is essential to the process, and considering audit’s input helps to present a balanced view of risk. At JPMorgan, we developed this type of philosophy in our technology risk management group in 1996. We call it the “Triangle Approach” to operational risk management.

The Benefits of the Triangle Approach

JPMorgan’s triangle approach to risk management (which underlies JPMorgan’s Horizon solution) is suited to the management of operational risk for both Basel II and SOX. The first leg involves self-assessment, which enables individual departments to assess their control effectiveness against an established template, rate their own level of compliance, develop action plans to address gaps, and monitor progress. The second leg involves testing, where auditors validate the self-assessment to ensure its accuracy. Finally, the third leg employs Loss Events/Key Risk Indicators, which act as a management control by quantifying and tracking the organization’s actual performance. If any leg of the triangle is out of sync with the others, management should question it and make adjustments to restore balance.

This enables the triangle to be far-reaching and broad, allowing universal access to shared information throughout an organization. Such solutions create transparency by enabling senior management to get an organization-wide view of operational risk. They also deliver the flexibility to view information from different perspectives, including regionally, globally and functionally. Management must also be able to drill down to the level of a specific individual. This ensures accountability by helping managers understand the status of operational risk management issues for each key activity globally, and to monitor progress against action plans. It can facilitate a clear understanding of priorities and strategy, which helps an organization to align strategy with execution.

Basel II vs. SOX

Basel II and SOX, which some people look at as separate efforts, are really similar in that they require a common type of framework and governance model to be successful. They both need a group to manage policies around the effort, define the risk and approach, and perform training, quality assurance, action plan tracking, issue analysis, testing and management reporting.

In addition, SOX requires strong accounting and financial controls, which we believe should be a key part of a business’s self-assessment. The goal should be that a business completes a comprehensive and holistic self-assessment that feeds all the necessary regulatory reporting requirements without creating wasteful separate efforts or using separate tools. In this light, we see SOX Section 404 as a subset of the business’s self-assessment that could be required for the Basel II AMA approach.

In conclusion, financial institutions should implement the key practical pieces of the AMA approach to better manage their operational risk, regardless of their overall Basel II position. This will also help institutions with their SOX efforts, whose scope could expand in the future.

Today the competing demands for resources between Basel II and SOX are in conflict, but the initiatives’ intent is not: both aim to create stronger public companies and financial institutions that protect shareholders and depositors through effective operational risk management.

1 “Sound Practices for the Management and Supervision of Operational Risk,” published by the Bank for International Settlements, February 2003.