
Incorporating Basel II Requirements Into an IT Corporate Governance Framework: Part 1 - Overview and Applications

Written by John Van Decker, Stan Lep, Contributor

During the next two to three years, major financial institutions that must meet the New Basel Capital Accord (Basel II) guidelines must work to ensure that they have the appropriate IT infrastructure in place to support this broader business initiative. Firms should integrate Basel II efforts with other compliance initiatives, where appropriate. Ultimately, successful Basel II initiatives will enable better risk management processes and improved efficiency, leading to increased profitability.

META Trend: In 2004, public firms will accelerate business and IT projects to ensure they are in compliance with Sarbanes-Oxley (SOX) and other regulatory edicts (IAS, Basel II). During 2005/06, firms will consolidate global compliance initiatives within a corporate governance office. Firms will seek to optimize compliance processes through IT infrastructure (e.g., business applications, security), and many will also improve business efficiency by using the compliance justification. By 2007, global compliance will raise control expectations for all multinational firms.

Basel II is a complex new standard for measuring risk in financial services firms that has been published by the Basel Committee on Banking Supervision, which is a committee of the Bank for International Settlements (located in Basel, Switzerland). This regulation requires banks and, in some cases, related financial institutions to better understand and manage credit risk. Specifically, areas of risk include credit, operations, and the market. The calculation of these three dimensions of risk ultimately determines the minimal reserve requirement for the financial institution (with the goal being to maximize investments and returns by deploying a larger percentage of capital - i.e., minimize reserve requirements). Analysis and assessment include recording, accessing, presenting, and analyzing several years’ worth of customer and operational data, then coupling this to near-real-time analytics and risk assessment.

Basel II is a global initiative primarily targeting large financial institutions in “G10” countries. It is being most actively enforced with large banks operating in or headquartered out of the European Union. There has been a lively debate as to what degree Basel II should apply to US financial institutions. Many US banks, citing increased regulatory burdens - plus possible higher capital reserve requirements that Basel II could drive - are lobbying regulators to water down, ignore, or possibly exempt US institutions from coverage. It is very likely, however, that the largest (e.g., top 10-20) US banks will fall under Basel II auspices. But potentially affected organizations and their IT groups cannot wait until final regulatory requirements are agreed on to start planning for and implementing compliance efforts.

Basel II is about further improving risk management. Although Sarbanes-Oxley (SOX) legislation in the United States is not directly related to Basel II, its aim is similar from the overall standpoint of promoting better and more effective corporate governance. The accord’s intent is to promote safety and soundness in the financial system, align regulatory capital requirements more closely with underlying risks, provide incentives for institutions to pursue more sophisticated and effective risk management, and demonstrate robust governance, processes, and controls to shareholders and institutions. The final version of the accord was published in 4Q03, with parallel testing with the new and old accords (Basel I) from YE05 through 2006, and the new accord being in place by 2007 (though this date could slip further).

Affected companies should have efforts underway now to define a Basel II strategy, assign leadership and resources, and define governance and ownership. While dedicated Basel II resources and leadership are required, organizations should not view and address Basel II in an isolated fashion. Ultimate Basel II leadership should come from the chief risk/compliance/governance officer and office and the CFO organization. However, Basel II efforts and resources should be coordinated and leveraged with other compliance initiatives, particularly SOX. Even for financial institutions operating solely in Europe and hence not formally covered by SOX mandates, we expect adoption of some level of SOX-like controls. Thus, a need exists to coordinate those efforts, however informal. Similarly, for non-bank financial institutions in the US not formerly covered by Basel II (as opposed to their inclusion in the European Union), the SEC is considering similar capital rules for US security firms.

Organizations must also begin to define and deploy a Basel II “IT blueprint.” This IT blueprint model is similar in scope and intent to that defined for SOX compliance. While multiple technologies will support Basel II efforts, the most critical pieces will be ERP/financial management systems, collective integration technologies, and enterprise analytics and business performance management systems and tools. Organizations should begin immediately, for example, to aggregate data into data warehouses and build risk management solutions, with cutover testing slated for 2006. Although Basel II is a business and risk management issue, its successful and efficient enablement is driven by optimized IT solutions.

During 2004/05, financial institutions affected by Basel II will ramp up efforts to ensure they have an effective IT infrastructure (hardware and software) and, when needed, choose consultancy firms that can provide best-in-class vertical-specific risk management services. Qualified service providers can help clients interpret requirements; define strategies, processes, and procedures; and support efforts to define and build out an effective Basel II IT blueprint. They will also play a role in that, increasingly, financial institutions are outsourcing business and IT process elements that impact Basel II compliance. By 2005/06, firms should test to ensure the collective IT systems and interfaces that support Basel II are consistent, in parallel with testing operating, governance, and control models and processes at the business level. Increased integration with CRM and other corporate governance initiatives will be critical. Savvy firms will leverage the accord to build increased efficiency and better leverage of the IT portfolio, regardless of the ultimate specific Basel II due date.

As with SOX, an effective Basel II initiative can improve business value by improving shareholder value, providing economic capital savings, improving/maintaining credit rating, improving/enabling an effective risk management strategy, aligning operational credit risk with finance and accounting, reducing costs through organizational process improvement, and identifying potentially dangerous portfolio positions and other risk sources. A large part of banking is about understanding and managing risk. In essence, Basel II forces banks to do a better job of what they were already doing. Banks that institute sophisticated risk measurement and management systems will be able to maintain lower reserve margins, leading to more profitability.

A comprehensive Basel II IT solution that can adequately support enhanced risk management processes requires an infrastructure (e.g., databases, middleware, ETL). Firms will also require business intelligence (e.g., Business Objects, Cognos) and targeted analytics (e.g., SAS, PeopleSoft, Oracle, SAP, FRS) to complete the solution. IT solutions predominantly address the credit (and perhaps operational) risk associated with Basel II, but can play a supporting role relative to operational and market risk. IBM offers one solution that is providing much of the infrastructure (e.g., databases, middleware) for a Basel II infrastructure model, along with vertically focused professional services to implement the solution. Here, though, firms will still require business intelligence (e.g., Business Objects, Cognos) and targeted analytics (e.g., SAS, PeopleSoft, Oracle, SAP, FRS) to complete the solution.

Figure 1 details the capabilities required from a solution perspective. Organizations should use this as a checklist for internal efforts and when vetting third-party Basel II IT solutions and offerings.

Bottom Line: Organizations must define and implement a Basel II IT blueprint, coordinated with and leveraging other compliance blueprints, as a means to address the IT dimensions of Basel II compliance in a manner that optimizes investments and developed solutions.

Business Impact: A consolidated approach to Basel II and related corporate governance is critical to ensure that the organization can leverage a common IT infrastructure for regulatory compliance, performance and risk management, and ethics initiatives. A corporate governance organization can help facilitate IT coordination by focusing enterprise initiatives on the governance pillars.

META Group originally published this article on 22 April 2004.
