Incorporating Basel II Requirements Into an IT Corporate Governance Framework: Part 2 - The Services Dimension

Many major financial institutions are working to meet New Basel Capital Accord (Basel II) guidelines, tentatively, by 2007. Given the effort's complexity, urgency, and ongoing nature, it creates a natural opportunity for supporting business and IT services. Providers must do their homework and develop meaningful service offerings, and users must understand providers' appropriate roles relative to Basel II compliance.

META Trend: In 2004, public firms will accelerate business and IT projects to ensure they are in compliance with Sarbanes-Oxley (SOX) and other regulatory edicts (IAS, Basel II). During 2005/06, firms will consolidate global compliance initiatives within a corporate governance office. Firms will seek to optimize compliance processes through IT infrastructure (e.g., business applications, security), and many will also improve business efficiency by using the compliance justification. By 2007, global compliance will raise control expectations for all multinational firms.

Basel II is a complex new standard for measuring risk in financial services firms that has been published by the Basel Committee on Banking Supervision, which is a committee of the Bank for International Settlements (located in Basel, Switzerland). Specifically, areas of risk include credit, operations, and the market. The calculation of these three dimensions of risk ultimately determines the minimal reserve requirement for the financial institution, with the goal being to maximize investments and returns by deploying a larger percentage of capital (i.e., minimize reserve requirements).

The accord’s intent (see Delta 2888) is to promote safety and soundness in the financial system, align regulatory capital requirements more closely with underlying risks, provide incentives for institutions to pursue more sophisticated and effective risk management, and demonstrate robust governance, processes, and controls to shareholders and institutions. The final version of the accord was published in 4Q03, with parallel testing with the new and old accords (Basel I) from YE05 through 2006, and the new accord being in place by 2007 (though this date could slip further). Users must not only address Basel II independently, but also coordinate efforts to achieve its compliance with related parallel compliance efforts (e.g., Sarbanes-Oxley [SOX]) to both leverage efforts and support the development of more efficient enterprisewide governance programs.

Users are advised to selectively seek support from external service providers with Basel II expertise. These firms can play advisory roles, support IT implementation and support efforts, and play a role relative to managing outsourced business and IT processes that must support and enable Basel II compliance. Qualified providers will come from both the business and IT services perspectives. Although most user Basel II efforts are still relatively nascent and the regulations are being refined on an ongoing basis, there are offerings already in the market for consideration.

As with any complex regulatory pronouncement, business/risk service providers (e.g., “Big Four” accountancies, specialized boutiques) will initially gain the most business since they provide advice and counsel to clients on understanding and interpreting the regulation and developing a strategy and approach to address it. IT service providers then play a role in defining and implementing supporting IT tool solutions. Subsequently, business process and IT outsourcers play a role evolving their offerings not only to support and enable the respective compliance requirements, but also to embed capabilities to offload from the client some amount of the compliance legwork via the outsourcing process. The challenge these IT service providers and outsourcers face is that, overall, the regulations make their business models and offerings more complex and expensive, and most are still working through how to address them in an adequate and profitable manner.

Relative to specific providers, those that possess hybrid business process and IT service capabilities (e.g., Deloitte, PwC) will witness the greatest opportunities short term when advice and counsel is at a premium. PwC, for example, has developed a Basel II “Navigator” that is a process and an application, through which it can collaboratively work with a client to review key components of Basel II and their interrelationships. Clients can also drill down deeper into selected areas to review them in more detail. However, the Navigator does not map down to the level of a Basel II IT blueprint. Deloitte also has a full-service/full life cycle suite of Basel II process and IT service offerings.

Longer term (12-36 months), firms with strong IT implementation and integration capabilities and some level of business process/financial services/risk acumen (e.g., Accenture, BearingPoint, CGE&Y, Deloitte, IBM, Unisys) will have even more substantial opportunities. For example, BearingPoint has an active Basel II offering set, which includes education services, process redesign, a readiness assessment, IT architectural design and templates, and specific Basel II methods and processes, including risk assessment. We do not see any “offshore” firms delivering any Basel II-related offerings in the short/medium term, though those firms will need to address Basel II implications when they are involved in delivering business process outsourcing-related services in the area of financial applications.

Business/financial service consultancies and IT service providers are positioned to provide banking, risk management, business intelligence, and solution consulting expertise. From a services perspective, companies may need the following assistance (sourced from leading IT service providers with strong financial vertical services):

• Educating executive, business unit, and IT management on Basel II’s IT implications, ramifications, and opportunities
• Helping assess client Basel II readiness and maturity
• Providing data management and solution consulting
• Ensuring and supporting effective project management
• Defining, initializing, and setting up recursive best practices for risk-review processes
• Ensuring adherence to disclosure processes
• Attaining/maintaining management awareness and C-level buy-in to Basel II and compliance initiatives
• Driving the integration of Basel II compliance efforts with other corporate governance initiatives, and in many cases, helping the client define and move toward a corporate governance structure

There are also implications and opportunities for those providing outsourced business processes and IT services. On the one hand, Basel II - like SOX - complicates the outsourcing scenario. Clients must assess providers’ capabilities to meet Basel II requirements for the operational elements they are managing, and also have in place the appropriate feedback loops into the systems and processes the client maintains internally. All users must incorporate Basel II capability assessment into the outsourcing and vetting processes. This will prove a challenge for outsourcers in the short term as they work to understand and address Basel II requirements, and also to prove to users they have the capabilities to do so. Longer term, however, Basel II will drive outsourcing opportunities since providers will gain opportunities and competitive differentiation by better and more cost-effectively supporting clients’ Basel II requirements. Providers with stronger business process and financial services knowledge (e.g., Accenture, EDS, IBM, Unisys) will fare better against more IT-centric providers, especially “offshore” firms.

Bottom Line: Business and IT services can play a critical role in helping organizations attain and evidence Basel II compliance, though there is no one-stop-shop provider. Clients must also recognize that, while elements of Basel II compliance efforts can be outsourced to third parties, executive management must accept ultimate accountability for Basel II compliance.

Business Impact: A consolidated approach to corporate governance is critical to ensure that the IT organization can leverage a common infrastructure for regulatory compliance, performance management, risk management, and ethics initiatives. A corporate governance organization can help facilitate IT coordination by focusing enterprise initiatives on the governance pillars.

META Group originally published this article on 22 April 2004.