BASEL II
The Financial Services Authority (FSA) has set out new guidelines for the banking industry's compliance with the credit risk requirements of the Basel II Accord.
The FSA has issued its proposals in a consultation paper on the key aspects of UK implementation of the European Union's Capital Requirements Directive (CRD), which is closely linked to Basel II. The FSA said that even though aspects of the CRD have not yet been finalised, it wants to provide banks with as much early clarity as possible on the likely changes that will be necessary.
The New Basel Capital Accord, more commonly known as Basel II, is fundamentally about improving risk and asset management to avoid financial disasters. Compliance requires all banking institutions to have sufficient assets to offset any risks they may face, represented as an eligible capital to risk aggregate ratio of 8%. Part of this compliance dictates that data capture must be fully operational by 2004, and financial institutions must have three years of data on file by 2007, which of course means that work on this aspect of compliance needs to start now, if it hasn't already started.
If banks are going to have to set aside assets to balance possible risks, then analysing and measuring those risks is going to be paramount. A 1% change in asset allocation may not sound like much, but international banks deal in very large numbers, and 1% can make a significant difference to operational capital.
Operational risk is defined by the Basel Capital Accord as: "The risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems, or from external events." It is not just about IT: all companies are exposed to operational risk, and the integration of processes, systems and people has to be understood and continually monitored to mitigate these risks.
Hence in order to comply with Basel II, financial institutions will need to have a full and in-depth understanding of all possible risks and their potential impact. This requirement is ongoing; it cannot in any way be regarded as a one-off, or something financial institutions do once a year to fill a page in the annual report.
Risk changes all the time: some risks are known and can be prepared for, while others are unexpected and will need to be understood. The complexity of potential risk factors for financial institutions cannot be over-emphasised. For instance, fraud is a risk factor that might result in a financial loss, but how about the effect fraud might have on reputation and consequent business loss? The bottom line is that financial institutions must be sound enough to weather any storm, without needing to be baled out if their assets come up short, and it is not just nature that must be dealt with.
The challenge of compliance
The key areas in Basel II compliance are data capture, reporting and analysis of credit, market and operational risk, and then mitigating perceived risks through business processes, whether automated or performed physically.
In the IT and business world, knowledge starts with data, and risk factors are identified by analysing data, so the logical place to begin is data modelling. By understanding how you currently operate and what controls you have or haven't got on the quality of your data, you will begin to identify where your risk areas might be.
The basic building blocks for compliance are therefore understanding meta-data, developing data standards and building corporate data models. Like all basic building blocks, everything else will stand or fall on how complete the original data capture is, and decisions based on high-quality information will have better foundations than those based on poor or incomplete information.
The next step is to gain a complete understanding of the processes, roles and skills employed in the operation of the business through business process modelling. Combining data and business processes together then provides an enterprise architecture, which details not only the processes and data themselves, but also the relationships between them. The most popular description of an enterprise architecture is based on the Zachman Framework, which models how all parts of an organisation fit together and provides an "as-is" diagram of the organisation.
The levels in the Zachman Framework can be equated to the blueprints for building a house. At the top are the plans and diagrams that an architect might discuss with the owner, at lower levels are the more detailed specifications that involve the builders. Changing the number of windows or bathrooms in the top level diagrams will have a knock-on effect for heating capacity or drainage requirements which will impact on the lower levels.
An enterprise architecture based on the Zachman Framework means that any changes made by those with an overall picture of the organisation can be examined and followed through the organisation to assess possible impacts at different operational levels. Capturing the process defines operational activities and logic and allows the linkage from the activity "Reject Application" to its associated risk definition diagram. The risk definition diagram contains related objects that define the owner for the risk and its effects, probability and impact of the risk, control procedures for monitoring and minimizing the risk, affected key performance indicators, such as processing efficiency and customer satisfaction, and actual losses incurred.
Hence capturing all relevant information against each risk and operational process enables the organisation to define the risk, identify actual and potential mitigation activities and rank the risk, thus providing all the information needed for well-informed decision-making.


