The New Basel Capital Accord
Background, basics, implementation problems and some solutions – from a Pillar II & operational risk view
David Millar, COO, PRMIA
Basel II – created by the Bank for International Settlements
The original cross-border financial institution:
• Members are the central banks or monetary authorities of 54 countries plus the European Central Bank.
Advisory, not regulatory:
• Formulates supervisory standards and best practice,
• Has no supranational authority (that remains with local supervisors),
• Through committees of national experts, makes recommendations to the financial community aimed at strengthening the international financial system,
• Members agree to adopt the standards as the basis of their regulatory processes (at varying levels),
• Used by most of the rest of the world, and their regulators,
• Accepted by the banking community as a standard of good practice (and of a desirable counter-party).
Created standards on capital
• Basel Capital Accord (Basel I):
  • In 1988 the Basel Committee on Banking Supervision recommended a risk-weighted capital ratio for internationally active banks,
  • This set minimum standards of capital adequacy.
• A “New Capital Accord” (Basel II) proposed in 1999:
  • Extended to cover regulatory and disclosure requirements,
  • Final (reviewed) version released November 2005 (over 100 countries to implement, but in the US it is said to be still under discussion),
  • The complete Accord will take effect from 2007 (earliest participants).
BASEL II overview – The Three Pillars
1 Capital Requirements: calculated based on credit, market and operational risk; many options on the approach to calculation of capital requirements.
2 Supervisory Review Process: operational control and compliance with Pillar 1 requirements; only varies with the Pillar 1 approach, otherwise must comply with all.
3 Disclosure & Market Discipline: capital adequacy and risk control processes and results will be disclosed; requirements are common to all regulated firms.
All three have implications on, and requirements for, systems, processes & people.
Financial enterprise-wide scope (figure): (1) Diversified General Industrial Group – (2) Holding Company – (3) Internationally Active Banking Group – (4) Internationally Active Bank, Internationally Active Specialist Bank, Special Purpose Vehicles, Domestic Bank, Securities Firm.
1) Boundary of the predominantly banking group: Basel II applied at this level on a consolidated basis, i.e. up to holding company level.
(2), (3) & (4): Basel II also applied at lower levels to all internationally active banks on a consolidated basis.
Choice in capital approach (figure): progressive adoption versus fragmented adoption.
Basel’s four principles of supervisory review
• Banks should have a process for assessing their overall capital adequacy in relation to their risk profile and a strategy for maintaining their capital levels.
• Supervisors should review and evaluate banks’ internal capital adequacy assessments and strategies, as well as their ability to monitor and ensure their compliance with regulatory capital ratios. Supervisors should take appropriate supervisory action if they are not satisfied with the result of this process.
• Supervisors should expect banks to operate above the minimum regulatory capital ratios and should have the ability to require banks to hold capital in excess of the minimum.
• Supervisors should seek to intervene at an early stage to prevent capital from falling below the minimum levels required to support the risk characteristics of a particular bank and should require rapid remedial action if capital is not maintained or restored.
Source: International Convergence of Capital Measurement and Capital Standards – A Revised Framework, Updated November 2005
Basel’s 10 principles of operational risk
Developing an appropriate Risk Management Environment
1 Involvement of the board of directors.
2 Effective internal audit – operationally independent, trained staff.
3 Senior management to run the operational risk management framework.
Risk Management: Identification, Assessment, Monitoring, Mitigation
4 Identify/assess operational risk in products, processes and systems.
5 Implement processes to monitor operational risk profiles and losses.
6 Have policies and procedures to control and/or mitigate operational risks.
7 Have in place contingency and business continuity plans.
Role of Supervisors
8 Require a framework to identify, assess, monitor and control operational risk.
9 Evaluate policies, procedures and practices related to operational risk.
Role of Disclosure
10 Disclose the approach to operational risk management to the market.
Source: Sound Practices for the Management and Supervision of Operational Risk, Feb 2003, abridged
Disclosures in the New Basel Capital Accord – requirements of disclosure (market discipline)
Disclosure of operational risk
Probable operational risk areas also to be disclosed:
• Assessment techniques
• Risk recording, monitoring and reporting techniques
• Risk culture procedures
• Major risk events
• Cumulative risk events above threshold
• Risk mitigation processes
• Operational risk capital calculation approach
• Total operational risk capital
• Capital impact of the above risks reported
Disclosure benefits
• A strong marketing position, providing that:
  • The news is not all bad,
  • The audience understands the message,
  • The message is consistent,
  • The message is “believable”.
• Improved trading benefits, providing that:
  • Disclosed details match market rumour,
  • Disclosure is ahead of public knowledge,
  • Rating agency views are consistent.
• Strengthened relationship with your supervisor.
• Strong public image.
Disclosure concerns
• Knowing what needs to be disclosed
• Uniformity – the “level playing field”
• Demonstrating compliance and “good citizenship” but not disclosing too much
• Impact of bad news, or perceived bad news, on share or counterparty positions
• Flooding the market with information
• Legal position – counterparty, shareholder, supervisor
• Coordination with accounting standards
• Privacy rulings
Capital considerations
• The financial “group” is assessed as a single unit.
• Supervisors are extending requirements to most firms.
• The bulk of the capital cost is from credit risk.
• Restrictions on granularity of capital approach.
• Capital pegged to the original levels for 2 years.
• It may be possible to end up having to allocate more capital under the Standardised Approach (with its extra requirements) than under the Basic Approach!
• Concern from regulators regarding Internal Ratings-Based (IRB) approach models.
• A floor of 90% in year 1 (2008) and 80% in year 2, but talk of “keep the floors in place beyond 2009 if necessary”.
• Supervisors may apply bank-by-bank floors and apply a single scaling factor should overall banking capital decline.
• 5 years of data (3 initially) needed.
Capital adequacy is not all
• Pillar 2 has two objectives:
  • compliance with the higher approaches to capital calculations,
  • sound integrated risk management systems and controls.
• But all regulated organisations must develop:
  • an appropriate risk management environment,
  • risk identification, assessment, monitoring and mitigation/control,
  • regular independent evaluation of policies, procedures and practices,
  • … and make sufficient public disclosure to allow the market to assess their approach to operational risk management.
Regardless of Pillar 1 approach
• Even if you go for the Basic Approach to Operational Risk-derived Capital:
  • A risk assessment culture must be created,
  • Credit and operational risks must be monitored,
  • Risk must be tracked,
  • A risk trend history must be created,
  • Risk actions must be disclosed.
… and all will be required from as early as 1 Jan 2007, depending on country and type of firm.
“… additional capital would not be the only answer as capital is not a substitute for appropriate risk assessment practices or adequate internal control processes.” – Nicholas Le Pan, Chairman of the Basel Committee’s Accord Implementation Group, March 2004.
Implementation
• Risk theories and regulations
• Processes, tools and capital allocation
• Rollout considerations
• Ongoing maintenance and improvement
• A risk culture
From financials to processes
• Credit/market risk relatively mature (liquidity risk is a mystery!)
• Operational risk still immature
• We have little real experience in:
  • Specifying it – What is it? How to recognise and classify it?
  • Setting it up – Involving the users, gaining commitment, regulatory approval, etc.
  • Rolling it out – Collecting accurate data
  • Maintaining it – Feedback, correcting errors, changing classifications, renewing systems, etc.
The Pillar II Maze (figure): Risk theories and regulations; Create the framework; User involvement; How much data to collect; Regulatory approval; Risk culture; User acceptance; Ensuring clean data; Feedback; Cleaning old data; Updating the system; Processes, tools, capital allocation; Pillar 1 and III implementations; An operational risk culture.
10 implementation issues
Processes, systems and capital allocations are easy – the problems are the “people issues”:
• Creating the framework – consensus on the right risk categorisation structure
• Getting user involvement – the necessary amount from the right people
• Deciding on how much data to collect – too little = poor statistics, too much = inaccurate data
• Gaining regulatory approval – different interpretations/numerics in different jurisdictions
• Building a risk culture – everyone knows what risk is
• Achieving user acceptance – “why am I doing this?” “I have better things to do!”
• Ensuring clean data – completing data correctly
• Integrating feedback and statistics – to improve the system
• Cleaning previous data – which may be incomplete
• Updating the system – changing processes, risk categories (framework) and upgrading systems
An operational risk framework + Risk Indicators (KRIs) (figure)
Example of risk categorisation (Merrill Lynch Capital)
• 52 risks grouped into categories:
  • People
  • Financial
  • Credit
  • Reporting & Control
  • Customer Suitability & Servicing
  • External
  • Technology
  • Legal/Regulatory
  • Reputational (!)
• People risks:
  • Employee Fraud
  • Resource Management
  • Involuntary Downsizing / Restructuring / Constrained Resources
  • Loss of Key Individuals / Teams
  • Lack of Training / Experience / Knowledge / Ability
  • Knowledge Capital Risk
  • Efficiency Risk
  • Leadership Risk
  • Authority / Limit Risk
  • Performance Incentives Risk
  • Change Readiness Risk
  • Alignment Risk
People Risk: the risk of loss related to the management and deployment of people, including inappropriate resource management (e.g., lack of training and constrained resources), inappropriate management oversight, employee irregularities, discrimination, harassment and turnover.
What is a loss event?
• Any actual occurrence which causes material loss to an organisation.
• Any actual occurrence which nearly causes material loss to an organisation (a “near miss”).
• Any actual occurrence which is considered likely to cause a material loss in the future (a “predictive incident”).
• Any actual occurrence which, cumulatively with other events, does or could cause a material loss (“causal risk” events).
How to recognise a loss event?
• Experience – “It has happened before”,
• Judgement – “I know the business and I think this event will jeopardise its future”,
• Effect – “We experienced a loss and this is what caused it”,
• Impression – “This nearly caused a loss”,
• Comparison – “This matches a previous event which caused a loss”,
• Chaining – “This event, although apparently innocuous, caused another loss event to happen”,
• Regulation – “I am told this is a significant event which could cause a loss or impact the market”,
• Cultural – “This is against public morals and laws, so ought to be a risk and may be a loss”.
What to do with a loss event?
• Record the event,
• Measure or assess the effect (cost) of the event,
• Allocate the event to an owner,
• Allocate the event to a part of the organisation,
• Report the event to the appropriate person (or possibly an external body),
• Start a risk mitigation process (what to do so that this does not happen in the future),
• Identify linked (“causing or caused”) risk events,
• Update corporate risk statistics,
• Update company procedures and standards (if necessary).
Example of IT control categories (COSO) (figure) – The Committee of Sponsoring Organisations of the Treadway Commission, www.coso.org
Basel offers a (partial) framework (figure) – Basel Committee on Banking Supervision, Sound Practices for the Management and Supervision of Operational Risk
But Basel is not the only definition – a European bank’s definition (figure)
There is no “correct” categorisation
• “Whilst it is helpful to see the 'Basel' risk categories referred to here, many banks do not use these categories in their day-to-day operational risk management or even in collating loss event information. They may be able to map, but the categories are seen by many to be regulator-imposed rather than reflecting risk management practice” – British Bankers Association
• There is no clear consensus in the industry on the structure of risk categorisation.
• There is no common ground at all on risk events, controls and indicators.
• So you build what seems the best and most relevant to your institution.
• But everyone is an expert when it comes to risk categorisation!
Categorisation can be a “one-off” process (figure): merging two risk types into one, or splitting one risk type into two, after data has been collected leaves existing events ambiguously classified. Reclassification after collecting data is not easy!
A good framework needs acceptance
• The framework is simple to use – and small enough to assure a common interpretation
• All managers accept it is the right framework
• The regulators accept it is the right framework
• It matches (or can be transposed into) any common risk database(s) being used
• All staff – levels, locations, functions, cultures – understand it and find it easy to collect data
• It satisfies all parts of the institution
• The right amount of data is being collected
• It caters for future situations – business change, regulatory change, environmental change
How to efficiently categorise
There is no simple answer – and you have to get it right first time!
10 implementation issues
• Creating the framework – consensus on the right risk categorisation structure
• Getting user involvement
• Deciding on how much data to collect
• Gaining regulatory approval
• Building a risk culture
• Achieving user acceptance
• Ensuring clean data
• Integrating feedback and statistics
• Cleaning previous data
• Updating the system
Building a risk culture – what is it?
• An internal risk culture is the sum of the individual and corporate values, attitudes, competencies and behaviour that determine commitment to, and style of, risk management.
• It includes both an enterprise-wide risk culture and an internal control culture
• It requires clear lines of responsibility, segregation of duties and effective internal reporting
• It requires high standards of ethical behaviour at all levels
• Although a framework of formal, written policies and procedures is critical, it needs to be reinforced through a strong control culture
• It is the responsibility of both the board and senior management
Examples of staff risk culture
• All staff know:
  • What a risk control or risk event is
  • Why they exist
  • What their risk responsibilities are
  • Prime and alternative reporting routes
  • What happens to their reports
  • What the result of “their” event’s mitigation was
  • What the institution’s risk status is (overall and their part)
  • How it is improving (or getting worse)
  • What their risk training plan is
Examples of management risk culture
• All Board and senior management know:
  • What the institution’s risk policy is
  • What their risk appetite is
  • What their own risk responsibilities are
  • What major risk controls have been infringed or what risk events have taken place
  • What cumulative risk situations have accumulated
  • What the institution’s risk status is
  • How it is improving (or getting worse)
  • What the business impacts are
Why are risk cultures important?
• Risks are managed by people
• People can apply standards with greater or lesser degrees of efficiency – or they can make mistakes
• People must apply the appropriate risk management standards to the best of their ability
• Regulators appreciate that the best standards and guidelines are only effective if implemented correctly – and with diligence and enthusiasm.
• Regulators will therefore test an organisation’s risk culture along with its risk standards, best practices, capital robustness and disclosure procedures.
Attributes of a risk management culture
• Attention is paid to quantifiable and unquantifiable risks.
• All risks are identified, reported and quantified.
• Awareness of risk through performance measurement, risk-adjusted pricing, pay structures and forecasting.
• Risk management is accepted as everyone’s responsibility.
• Risk managers have teeth.
• The enterprise avoids what it doesn’t understand.
• Uncertainty is accepted.
• Risk managers are monitored.
• Risk management is not there to stop people from taking risks but to create value, by enhancing the chances of success.
• The risk culture is defined, the risk appetite is understood.
Source: Operational Risk Management, PWC, November 2003 (abbreviated)
Risk culture roll-out
• Plan from the start
• Involve all relevant management (line and HR)
• Customise to “your” operational risk management solution
• Consider all methods:
  • Classroom training, web training, road shows, e-mail campaigns, etc.
• And media:
  • Posters, portals, newsletters, etc.
• Demonstrate commitment:
  • Involve senior management
  • Accreditation for the training can be an important facilitator
• Performance and statistics
• Gain supervisor/regulator comfort (theirs)
Success means negotiating the maze! (figure): Risk theories and regulations; Create the framework; User involvement; How much data to collect; Regulatory approval; User acceptance; Ensuring clean data; Feedback; Cleaning old data; Updating the system; Processes, tools and capital allocation; An operational risk culture.
Thank you
David Millar, Chief Operating Officer, david.millar@prmia.org