
Basel II and Technology: Minimising Operational Risk

The original Basel Accord of 1988 (and the European legislation that has implemented it to date) has become the global standard by which banks’ capital adequacy is measured. Basel II will supersede the existing Accord and is aimed at substantially revising the existing “one-size-fits-all” regime and creating a more risk-sensitive capital framework. It is expected that Basel II will be finalised by mid-2004 and will take effect from 1 January 2007. Within Europe, Basel II will be formally adopted by the European Union (EU) and transposed into European legislation, expected to take the form of a Risk-based Capital Adequacy Directive. European member states will be required to transpose that Directive into national legislation by 1 January 2007. Under the EU approach, the provisions of Basel II will apply to most investment firms as well as all banks and building societies (collectively referred to in this article as “firms”).

The structure of Basel II

Basel II is comprised of three mutually reinforcing pillars:

  • Pillar 1 – The Minimum Capital Requirement
    The required ratio of capital to risk-weighted assets will remain unchanged at 8 per cent under Basel II. However, while under the existing Accord firms are required to measure explicitly exposures to both credit risk and market risk, Basel II will also require firms to calculate capital adequacy requirements for operational risk.

  • Pillar 2 – Supervisory Review
    Supervisors will have the power to hold additional capital against risks not covered by Pillar 1, in an attempt by the Basel Committee to ensure that any deficiencies in the Pillar 1 calculation are addressed.

  • Pillar 3 – Market Discipline
    A firm must disclose its risks, capital and risk management to the market, thus subjecting a firm’s capital adequacy requirements to the review of potential counterparties, thereby encouraging market discipline amongst firms.

Measuring risks under Basel II

In designing a system intended to converge national approaches to capital adequacy supervision, the Basel Committee has recognised that common approaches require flexibility in application before they may be appropriate to all types and sizes of firm. Basel II therefore sets out a number of approaches to measuring each type of risk.

Credit risk

Basel II sets out three approaches to measuring credit risk. The standardised approach uses the same basic approach as the existing Accord but is more risk sensitive. For example, under the revised approach, low risk assets receive a lower risk weighting. The “foundation” Internal Ratings Based (IRB) approach allows firms to use their own internal estimates of borrower creditworthiness to assess credit risk. An “advanced” IRB approach allows firms a much freer hand in assessing credit risks, allowing them to calculate various risk components (such as probability of default and loss given default) based on their own, rather than supervisory, estimates.

Market risk

The calculation of market risk will remain broadly the same as under the existing Accord, with firms retaining the ability to choose between a basic Standardised Approach and an Internal Models (Value-At-Risk) approach.

Operational risk

Operational risk is defined as “the risk of loss, resulting from inadequate or failed internal processes, people and systems, or from external events”. It is said to include the risk of loss from IT and computer failures, poor documentation or fraud, thus covering “legal” risk but not necessarily “strategic” risk. Three approaches to the measurement of operational risk are available:

  • The Basic Indicator Approach uses a “blunt” approach whereby firms will be required to hold capital for operational risk equivalent to a fixed percentage of gross income.
  • The Standardised Approach allows different indicators to be used for different business lines, so that firms will be required to make separate calculations for each business type.
  • The Advanced Measurement Approach (AMA) will allow firms to determine their regulatory capital requirement in accordance with their own internal systems, using their own historic loss data.

Under the measurement of both credit and operational risk there is a marked incentive to move from the blunter approaches to the more risk calibrated approaches set out in both the Advanced IRB and AMA approaches. Such a move should in many cases result in capital adequacy cost reduction for firms (with the exact position depending on the business of the firm).

So what effect will Basel II have on technology?

Technology procurement – ensuring compliance

One of the biggest challenges facing most European financial institutions is to ensure the implementation of fully Basel II compliant systems. Systems will need to be updated, and in many cases replaced, to support a firm’s new risk calibrated approaches to credit and operational risk. However, there are a number of challenges to be overcome.

The timetable for the implementation of Basel II will require that systems are in full operation prior to 1 January 2007 (and in some cases is expected to require “parallel” running of old and new systems for a year or so prior to this). This requires not only the implementation of new systems but also their full integration with the existing systems of the business. While the demands of such a timetable are, in any event, rigorous, a number of other concurrent factors call further into question the likelihood of a compliant programme being successfully achieved by implementation day. Of fundamental importance is the lack of defined system specifications as to what will constitute “Basel II” system compliance. There are a number of reasons for this.

No “Basel II System Specification”

While there are clear benefits to be gained by financial institutions using the AMA approach to measure Operational Risk, there is, as yet, no definitive legislative or regulatory approach as to what this will actually mean in practice. Until legislative and regulatory uncertainties are resolved, system specifications cannot be defined.

Data integrity and quality

Any system design must take into account the huge data integrity and quality requirements imposed by Basel II. These are driven by the necessity to collect both new and historic data in order to adopt the IRB approach to credit risk and the AMA approach to operational risk. Moreover, third party data disclosure requirements arise as a result of the Supervisory Review and Market Discipline approaches of the second and third pillars of Basel II. As a result, data must be collected from multiple back and front office risk systems. Given the qualitative nature of the new approach, it will be of critical importance to ensure the quality and integrity of historic and newly collected risk data so that operational risk may be correctly measured.

Number of systems affected

Further, the sheer number of systems that will be affected by Basel II is so great that all aspects of the business are likely to be touched upon. While credit and operational risk may have been the traditional responsibility of the CFO, a fully coordinated business-wide approach to system procurement must now be adopted which complies with the firm’s own Basel II strategy.

Existing and new technology procurement contracts may need to be reviewed. The lack of defined system specifications may mean that traditional contractual processes, with an emphasis on tying a system developer to a defined specification (and hence price), may need to be replaced with a more partner based approach. A firm cannot simply “outsource” its Basel II system development requirements to a third party. Given the nature of Basel II and its impact on the entirety of a firm’s business, firms will need to take a very proactive approach with third party system developers.

At the same time, mechanisms for change control embedded in contracts may need to be tightened to ensure that a developer is not allowed to increase costs through the inevitable system change requests.

Operational risk is the risk of loss resulting from “inadequate or failed internal processes, people and systems, or from external events.” Business processes and technology therefore will be a key factor in a firm measuring operational risk using AMA. The mitigation of operational risk, leading to a reduction in capital adequacy requirements, will be heavily influenced by the effectiveness or otherwise of internal systems and control over the procurement and operation of technology. This may have a number of consequences:

Technology procurement

Those firms that adopt the AMA approach will need to develop a clear understanding and measure of actual operational risk associated with any new system development or implementation. Where technology is developed by third parties, systems and controls must be developed to address and measure the actual risk associated with each particular project. Given the high degree of failure of many projects, tighter procurement and project management controls will, by necessity, have to be developed to guard against operational risk and an impact on regulatory capital. This may result in projects being terminated for breach at much earlier stages as firms try to guard against the failure of business-critical projects, particularly if such failure occurs late in a project cycle.

Outsourcing

A similar approach will need to be adopted in respect of outsourcing arrangements. However, here the measure of actual risk will often extend further than that of the underlying technology, and take account of the operation of business processes by the vendor. Much tighter service level arrangements and service credit regimes are likely to be put in place to mitigate operational risk.

Legal risk

Legal risk in general is a factor to be taken into account in assessing operational risk under AMA. In relation to the procurement of technology or services, this is likely to raise a number of issues. Can a firm take a uniform approach to the assessment of legal risk across differing vendor relationships?

With the myriad contract terms and conditions in use, a historic due diligence exercise may need to be undertaken in order to take an actual view of legal risk with regard to existing business critical systems and relationships. The contracts that will need to be reviewed will include system procurement and integration projects, maintenance and disaster recovery relationships and outsourcing arrangements. In reviewing documentation, matters such as liability, warranties, rights of termination and the ownership of intellectual property rights will all need to be addressed.

Going forward, firms will need to take a uniform approach to contractual documentation and procurement projects so that risk can be fairly measured on a project-by-project basis. Certainly, and at the very least, firms will begin to put into place a list of certain “must have” matters which will need to be addressed in each procurement contract.

Jonathan Herbst

This article was co-authored by Jonathan Herbst. Herbst specialises in UK and EU financial services law and regulation and provides specialist advice relating to hedge and other funds, investment management and custody and the regulatory aspects of acquisitions and disposals.
