Forum for Information Security

Assurance & Compliance, Information Security - November 16, 2005 8:01 am

In the aftermath of ChoicePoint and several other high-profile incidents in which customer information was compromised, the US Congress issued some strong statements and passed a series of bills aimed at strict disclosure. In short, disclosures are no longer going to be voluntary and part of good governance and transparency - they are going to be necessary and required by law.

Nothing has yet emerged from all this, but the consensus is that there will be Federal legislation in place which will provide at least a universal approach towards disclosures. Most of the states (at last count, 13 states had moved to enact laws on data protection and privacy) have taken the California SB1386 law as the baseline, but some, like NY, have taken it further - in an attempt to show business that they are serious about forcing companies to implement adequate safeguards which go beyond a simple firewall and intrusion prevention system. In NY, even the smallest breach now needs to be reported to an industry watchdog - and this covers encrypted and unencrypted data in any form which is not or cannot be accounted for.

While on the topic of encryption, the National Institute of Standards and Technology (NIST) in the US advocates 256-bit data encryption, which by their reckoning is commercially unviable to break and compromise.

However, this author believes that no matter what the level of encryption, there will always remain the possibility that the encryption key is stolen. This is a very likely scenario in the case of internal breaches, where an employee runs off with copied data and then decrypts it using a stolen key.

This again raises the issue of how we protect keys - do we buy expensive devices like hardware key managers? It's a process which can go on and on, with no real end in sight.

Meanwhile, the debate in the US rages on about what regulations and compliance requirements businesses should be subject to whenever they are 'handling' customer information.

There is an interesting article on CSO Online which summarizes these points.

http://www2.csoonline.com/blog_view.html?CID=14426

Post your comments or write to me at rdutta@mielesecurity.com

Cheers

Rion

Assurance & Compliance, Information Security - November 9, 2005 10:06 am

Banks worldwide have been scrambling to assess Basel II requirements, which come into effect in 2006. At the moment, most banks are identifying what they need to do to reduce their risk exposure and are also testing solutions and processes to ensure that they are in line with their overall compliance objectives.

What has been missing, though, is insight into what banks can actually gain from the exercise. Basel II actually brings about a radical change in the statutory capital reserves needed to meet operational, credit and commercial risk.

How?

First, Basel II empowers banks to choose their own risk management approach, rather than laying down standardized procedures and policies.
The different categories of approaches are: the Basic Indicator Approach (not much has changed since Basel I, 1998), the Standardized Approach and the Advanced Measurement Approach. However, there are very clear incentives to move from one approach to another.

Second, by choosing to 'upgrade' to the Standardized and Advanced Approaches, banks will see tangible benefits in terms of the capital that they need to set aside to meet their risk exposures - i.e. the benefits are actually monetized and will show up on their balance sheets. This means that, unlike with other regulations like SOX, banks will find it comparatively easier to justify the cost of compliance, and indeed of upgrades from one approach to another.

Third, Information Security Management is outlined as an operational risk management tool - which, when factored into the bank's overall risk management strategy, provides a safe, secure and trustworthy operating framework for banks to do business. Basel II takes good practice and good governance a step further, and actually provides banks with a competitive advantage if they review and improve their risk management strategies.

Here is a summary of the three approaches, provided by Symantec Enterprise Security Services:

“Basel II defines operational risk as ‘the risk of loss resulting from inadequate or failed internal processes, people or systems, or from external events.’ One need look no further than recent virus/worm infections to see examples of the operational impacts of failed or insufficient information security controls. And those impacts were relatively mild compared to what they could have been. This positions information security controls as one of the foundation stones of operational risk management.

Basel II proposes three techniques for calculating the amount of capital that a bank must place in reserve as a buffer against operational risk:

Basic Indicator Approach. Like the earlier Basel I Accord of 1988, Basel II allows a bank to use a single indicator (such as 20 percent of its average annual gross income) to determine its capital charge. There are no qualifying criteria associated with this approach, and little change to current practices is called for. In general, only small banks are expected to use this basic approach.

Standardized Approach - A bank that follows this approach must calculate a capital requirement using a risk indicator (such as annual average assets or gross income) for each one of its business lines. The savings in reserve charges, compared with the Basic Indicator Approach's across-the-board 20 percent figure, could be large. (And the incentive for banks to move from the Basic Indicator Approach to the Standardized Approach couldn't be clearer.) As a condition for using this approach, banks must meet the following criteria:

- demonstrate that an operational risk management system is in place
- systematically track relevant operational risk data, including material losses by business line
- regularly report operational risk exposures, including material operational losses, to business unit management, senior management, and the board of directors
- have a process in place for ensuring compliance with a documented set of internal policies, controls, and procedures concerning the operational risk management system
- subject their operational risk management processes and assessment systems to validation and regular independent review.

Advanced Measurement Approaches (AMA) - Of the three approaches available for calculating operational risk, the AMA is likely to have the most appeal because of its flexibility and the amount of self-discipline it provides. In the words of the Basel Committee, 'in the AMA, banks may use their own method for assessing their exposure to operational risk, so long as it is sufficiently comprehensive and systematic.' As Aberdeen Group has observed, 'Moving beyond the averaging of the other methods, the bank is allowed to collect the history of its losses, analyze it, and use multiple risk factors to derive a probability of loss.'

Use of the AMA is subject to supervisory approval, and banks need to classify transaction incidents according to their impact on the business. Recognizing the rapid evolution in operational risk management practices, however, the Basel Committee has stated it 'is prepared to provide banks with an unprecedented amount of flexibility to develop an approach to calculate operational risk capital that they believe is consistent with their mix of activities and underlying risks.'

In general, banks must first integrate an internal risk measurement methodology directly into their day-to-day operational procedures and major decision-making processes. But the bottom line here is clear: With the AMA, banks can use their own internal loss data to demonstrate to regulators that they should qualify for reduced capital reserves. While many of the details surrounding the AMA are still being worked out, you can count on this to be an area of paramount interest to upper management.

Information security and operational risk:

It is my conviction that information security is underappreciated as an operational risk management tool. At the same time, I believe that Basel II represents a real opportunity for information security to help financial institutions reduce their operational risk - and thereby positively impact their bottom line.

Information is critical to the operation of every financial institution:

- If the confidentiality of sensitive or private information is compromised, lawsuits or regulatory sanctions may result in penalties, and violated trust may result in customer flight.
- If the integrity of critical information is corrupted, errors in processing may occur, with similar negative consequences.
- If critical information is not available where and when it is needed, important processes may fail completely, with similar results.

In all three of the above areas of compromise, recovery costs alone can be major, while the business impacts can range from the annoying to the catastrophic. Managing the security of financial information, particularly when it is in electronic form, must therefore be a central goal in the management of operational risk.

In the context of the Standardized Approach for calculating capital requirements, the bar is set high with respect to the information security program. As we have seen, the bank must demonstrate that a system of information protection controls is in place; systematically track operational losses by business line (and presumably by root cause); and have a process in place for ensuring compliance with a documented set of internal policies, controls, and procedures concerning intended information security controls.

While these are non-trivial challenges for any institution not already doing them, the degree of risk mitigation (and therefore loss reduction) from such a formal, well-organized information security program will be significant.

Arguably the biggest challenge to the information security profession comes under the banner of the AMA. Quantifying all the important dimensions of information risk management is today a largely unsolved problem. But if it can be done, then such a quantitative model will form the basis for highly confident prioritization of security spending on a risk-adjusted basis. Further, it will support very systematic and precise information risk management, which is exactly what Basel II seeks to reward with the lowest capital reserve requirements. That's strong motivation, indeed, to develop such a model."

The full article is found at:

http://ses.symantec.com/Industry/Regulations/article.cfm?articleid=3270&EID=0

Basel II, in the Indian banking scenario, represents a lot more than purchasing and implementing an Anti-Money Laundering (AML) solution.

More information on Basel II is also available through International Banking Systems (IBS), www.ibspublishing.com.

As usual, post your comments or email me at rdutta@mielesecurity.com

oRiOn

Assurance & Compliance, Information Security - November 7, 2005 7:33 am

The folks at Purdue University, along with the National Science Foundation, are conducting a survey on privacy. It should take 5 - 15 minutes of your time, and the results should provide some insight into how privacy compliance is being achieved and how comfortable an individual feels today sharing his / her personal information, knowing that the law is backing him / her.

The site is http://survey.theprivacyplace.org/

Happy Diwali to all the readers,

Rion