© Business Money Ltd 2008 |
A new investment product, unveiled with much fanfare, flops because employees are not adequately trained to sell it; an erroneous trade drops a leading stock market index by a percentage point; an employee is caught embezzling; fire destroys a facility. These disparate events have one thing in common: they all reflect operational risk.

The Basel II Capital Accord is compelling large, internationally active banks to see operational risk in a new, brighter light. By formally introducing operational risk into risk management and capital calculation, Basel II is moving these institutions to explicitly identify, measure and report information related to operational risk. Many smaller banks and non-bank financial institutions are following suit.

Yet precisely what Basel II will require remains a work in progress. Institutions are being directed to meet compliance deadlines as regulations are still being written, leaving them uncertain whether the approaches they take, and the expenditures they make, will ultimately pass muster. Institutions intend to comply with the accord. But today they are not sure what compliance means or what value they will derive from the substantial effort needed to attain it. Nonetheless they must proceed, lest they fall perilously far behind.

BearingPoint has identified seven operational risk pitfalls that financial institutions should consider as they attempt to comply with the still-evolving requirements of Basel II.

Pitfall 1: Waiting for regulators to provide detailed guidance and lay out an implementation road map

A notice of public rulemaking, expected from federal regulators in mid-2005, presumably will provide additional direction for Basel II implementation. However, delaying action in anticipation of this guidance risks the loss of half a year’s preparation, time that will rapidly become precious.
Compliance deadlines loom in 2007 that will require financial institutions to show five years of loss data, captured along Basel-defined categories, along with potential causal factors for loss events.

Still, moving ahead with Basel II initiatives presents banking executives with a conundrum. On the one hand, should they do the bare minimum and risk learning later that they have underestimated what is needed to satisfy regulators? Or should they attempt to build a compliance framework that thoroughly addresses the requirements based on current interpretation, only to discover that the investment was misdirected? Either way, they are sure to get somewhere. But where?

Rather than trying to hit the still-moving target of the regulatory requirements, institutions would be well served to focus on how they can improve business performance. For example, to collect loss data required by Basel II, an institution might simply take last year’s general ledger, categorize transactions by the Basel loss-event hierarchy and report. But what has this accomplished beyond satisfying a compliance requirement? Is the institution better able to understand losses and manage them?

Instead of trying to nail down the compliance aspect, an institution could, for example, benefit from conducting an analysis aimed at gaining insights and understanding to improve loan-loss results. Efforts such as this can create business value and better position the institution to adapt to the regulations as they gel. Financial institution executives may be well served to let the regulations be the excuse for investments that boost business performance.

Pitfall 2: Failing to understand the overlap among regulatory initiatives or dealing with them in a siloed manner

Basel II is but one compliance task towering over financial institutions. Another mountain to climb is meeting the requirements of Sarbanes-Oxley. Too often, institutions are addressing these and other mandates in a siloed manner.
The result can be a waste of time, money and resources. Both Basel II and Sarbanes-Oxley Section 404, for example, focus on identifying the risk of loss, the controls in place to prevent that loss and how to manage the residual risk that can never be fully controlled. While their level of granularity differs (Section 404 focuses on materiality while Basel sets an arbitrary loss threshold), both provisions require the institution to take essentially the same actions.

Basel Pillar 3 and Sarbanes-Oxley Section 409 also intersect. Both require timely disclosure of material changes in operations and financial condition.

A third example of overlapping regulatory initiatives is the linkages among Basel II, risk-adjusted return on capital (RAROC) and the Federal Reserve System’s SR 99-18, which require institutions to calculate economic capital. Risk-adjusted performance measurements lie at the heart of all three. Yet institutions are missing out on opportunities to, for example, use RAROC methodologies to help achieve Basel II compliance.

Addressing regulations in isolation can lead to two problems. One is the inefficiency and excessive cost of reinventing the wheel to comply with each mandate, rather than reusing existing tools. The other, equally serious issue is the potential for initiatives to diverge. Not only is the wheel reinvented, it is a different size. In today’s business climate, financial executives need to be consistent and confident in what they report, lest they face potential criminal and personal liabilities.

For these reasons, it is crucial to understand what regulations are relevant and how they interrelate. This can be done by creating a regulatory map that lays out multiple mandates and addresses how to satisfy the matrix of requirements. The result is an approach that is at least consistent, and therefore more defensible.
Pitfall 3: Failing to make the link between information, technology, risk management and the business

Knowing the linkages between sets of risk data, credit data and finance data is a critical step in developing a road map to address Basel II. And some financial institutions are hoping for a silver-bullet technology solution to address the data and risk management needs of Basel II compliance, a software package that will take care of it. The trouble with this approach is that Basel II compliance is fundamentally a business problem that cannot be solved with technology alone. Still, some hope-filled institutions are relying on packaged solutions, without making commensurate changes in business processes and culture.

Instead, it is important to step back and ask: “What business problem is our institution trying to solve?” Financial institutions are adept at capturing transactional events. However, they often deal with operational issues as one-off occurrences. As a result, they are unable to consistently capture, aggregate and manage risk information from throughout the organisation. Ask for detail on losses from diversity or discrimination claims, for example, and the response may be that there is no simple mechanism to provide it, other than a specifically directed manual effort.

Institutions must understand how information is linked in a business sense before developing a technology solution. Where is the data? How is it being captured? Is it consistent?

Pitfall 4: Attempting to build a Basel II infrastructure without data and technical architecture road maps

Whatever form Basel II mandates ultimately take, the accord clearly is requiring the collection and integration of data in unprecedented depth and detail. The result of this is a call ringing out in institutions to build data warehouses and the technical architecture needed to effectively use them. But build data warehouses for what?
With the regulations still in flux, what information will actually be needed? In addition, the ‘GIGO’ factor (garbage in, garbage out) looms large. An institution may think it has the data it needs, but does it really? For example, different internal units might use different definitions for the treatment of loss events. One calls a loss internal fraud. Another calls it external fraud. A third refers to the loss as a system error. With no common semantic framework, the institution cannot create consistent classifications, which impairs data accuracy.

Just as institutions should consider business value in their overall approach to Basel II, so should they in determining how to gather and manage the required data. What business purposes can this trove of information help address? Focus on understanding what information is needed to run the business, who needs the information, when they need it and in what form. Once these questions are answered, the information can be classified and structured so that it is naturally compliant with Basel II requirements.

The technical architecture that will be used to address compliance also should be viewed in terms of how it can contribute to the overall health of the enterprise. The operational risk component of Basel II is intended to identify mega events that could potentially threaten the very viability of the institution. Because of this, the Basel II infrastructure must be embedded throughout the enterprise, spanning people, processes and technology.

Pitfall 5: Failing to generate the internal support needed for a smooth implementation

Risk management has traditionally been synonymous with audit, which in itself is a scoring effort. Business units have therefore been wary of providing too much information and airing dirty laundry, fearing potential negative consequences of such disclosure. A top-down mandate is vital in gaining the organisational participation needed for successful program implementation.
However, this mandate in itself is not enough. Enterprise-wide, bottom-up support must be generated by demonstrating the business value of risk management, and incentives must be aligned so that people pull in the same direction.

For example, fulfillment of operational risk requirements includes conducting scenario analysis to identify and capture high-severity, low-frequency loss events. Business unit heads may be loath to do this because putting an estimated value and probability of occurrence on such events can identify a unit as being more risky, leading to potentially higher capital requirements. To overcome this reluctance, business units must be assured that their capital structure comprises many elements and that a particular loss scenario will not translate directly into a capital charge.

It is important for leadership to be out in front of the effort; otherwise, some people may merely go through the motions. However, as with any major initiative, while a top-down mandate can drive participation, active involvement will only come through the demonstration of business relevance and establishment of appropriate incentives.

Pitfall 6: Underestimating the magnitude of cultural change that Basel II requires

Risk evaluation is integral to almost everything individuals do. Yet organisations often treat risk as an adjunct added on at the end of a process: “Let’s do a risk assessment and see where we are.” Such an approach is inadequate in today’s environment. Instead, risk must be factored in at the beginning of an initiative and must remain a focus throughout the entire process.

Attaining such a level of integration in order to meet Basel II requirements requires a cultural shift in how the organisation views risk. Risk cannot be seen as something to address each quarter just before reports are due. Instead, the entire organisation must understand and accept risk, and a framework must be developed for addressing it.
In addition, whoever leads the risk effort must be ready to become a ‘chief communication officer.’ This person assumes the charge to convey the risk message continuously throughout the organisation.

Pitfall 7: Not correctly factoring Basel II into the institution’s merger and acquisition strategy

Financial institutions look at mergers and acquisitions in different ways. Some aspire to acquire. Others look forward to being absorbed by a larger operation. Basel II can play into an institution’s merger and acquisition plans in a variety of ways.

An institution below the opt-in threshold for mandatory compliance, for example, may forego the effort to save time and money. But what if the institution suddenly has an opportunity to acquire another business, which would elevate it to the level of a core institution that must comply? Without proper preparation, this could leave little time to adopt the advanced approaches Basel II requires, potentially scuttling the deal.

In another situation, an institution may be looking at a possible merger with a counterpart that already has a Basel II initiative underway. As a result, it decides it does not need to address Basel II, as the issue is already being dealt with.

Procrastinating on either account can carry significant risk. In the first case, as mentioned, a deal may fail because of Basel II-related issues. In the second case, the institution misses out on the business value of becoming a more attractive merger and acquisition candidate through meeting the rigors of Basel II.

Finding the way

Basel II compliance is a complex, uncertain undertaking. Yet the pitfalls in meeting Basel II operational risk requirements described above can be avoided.

First, develop a thorough understanding of the business, the regulations and how these fit together. Then, focus on efforts that further sound business management, rather than on compliance for compliance’s sake. By taking such an approach, compliance will naturally follow.
Recognise the intersections between Basel II and other regulatory initiatives. This will help eliminate costly duplication and inconsistency of effort.

Technology is important to Basel II compliance, but it is not the sole solution. Understand the linkages between risk, credit and finance data. Then use technology to gather and manage the data to create business value.

Finally, do not underestimate the cultural change issues involved. Build broad support for the Basel II effort. Then, create a sense within the organisation that addressing risk is an ongoing, vital activity. High risk is not always bad, nor is low risk always good. Determine acceptable risk within the context of business goals and objectives.

BearingPoint
+1 703 747 6748
www.bearingpoint.com