The better control a bank has on its risk exposure, the better its opportunity for profitability. Still, many financial institutions continue to struggle to establish enterprisewide risk management controls that provide a true picture of risk across the organization, according to financial analysts.
Loan defaults - known as credit risk - are a major part of the equation in determining the rate to charge for credit and the amount to pay for funds. Miscalculations in the amount of loan defaults can lead to the failure of a bank. In the 1980s, banks saw what could happen if their interest-rate risk calculations were faulty when short-term interest rates rose to near 20 percent, while long-term rates for loans written in previous years were still in the single digits.
Additionally, as technology and regulations, for example, have become more integral parts of banking, operational risk has become an increasingly important component of a bank's overall risk. "Until five years ago, banks didn't have to worry much about operational risk," says Deborah Williams, group vice president, capital markets and risk management, for Framingham, Mass.-based Financial Insights. "But that's a real risk that needs to be managed." Highly publicized failures in recent years - notably at Riggs National Bank, which has since been acquired by Pittsburgh-based PNC - have brought to light the importance of managing operational risk.
As they prepare for compliance with the Basel II accords, the nation's largest banks are particularly focused on operational risk. According to the Bank for International Settlements (Basel, Switzerland), which is developing the Basel accords, the most important types of operational risk involve breakdowns in internal controls and corporate governance. Such breakdowns can lead to financial losses through error, fraud or failure to perform in a timely manner, and also can cause the interests of the bank to be compromised, for example, by its dealers, lending officers or other staff exceeding their authority or conducting business in an unethical or risky manner. Other aspects of operational risk include major failure of information technology systems and events such as major fires or other disasters.
Though the accords already are in place, some of the definitions of operational risk still are being fine-tuned. Williams, in part, blames these delays for banks' unwillingness to spend a dollar more on risk-related technology than they need to. "How far can you go if you don't know what the final rules will be?" she asks. Because of the uncertainty over Basel II's requirements, all risk-related IT investments should be examined in light of their ability to bring in additional revenue or improve bank efficiencies, Williams asserts.
"Institutions intend to comply with Basel II," adds Bjorn Pettersen, a managing director with BearingPoint (McLean, Va.). "But today, they are not sure what compliance means, or what value they will derive from the substantial efforts needed to attain compliance."
Pettersen stresses that the failure to link information, technology, risk management and the business is a major pitfall in Basel II operational risk implementation. Similarly, banks need to understand the overlap among Basel II and other regulatory initiatives in order to deal with them in a comprehensive, rather than siloed, manner, he continues. Piecemeal technology deployments for risk management no longer are sufficient, Pettersen notes.
Technologies for data collection, storage and analysis, for example, must be implemented enterprisewide, Financial Insights' Williams adds. "There's a lot of progress to be made in risk management," she says, but risk managers who want new or upgraded technologies need to make a business case as to why any additional risk investment makes sense.
Further, Williams recommends that banks standardize their risk-related IT spending initiatives with their top vendors. The largest cost of risk-related technology systems, according to Williams, is integration. "Efforts to consolidate the number of vendors or to provide middleware platforms that consolidate these systems will be important components of risk projects for the next few years," Williams says. But integrating risk management systems will present a difficult challenge, she acknowledges.
According to the Deloitte (New York) biannual global risk management survey, fewer than one-quarter of survey participants, all from large banks, say that they are able to integrate risk across any of the major dimensions of risk type, business unit or geography. While 38 percent say they have integrated the organizational infrastructure needed to deal with these risks, only 15 percent report progress in integrating methodology, data and systems. With all of the challenges involved with integration, it's in a bank's interest to establish a solid working relationship with a trusted, financially stable vendor, Williams continues.
Williams notes that there also are internal organizational challenges to enterprisewide risk management. "Risk initiatives require active cooperation among the business line heads who will ultimately benefit from risk done right, the IT department that implements it, and the key executives who identify the institution's risk appetites and policies," she says. "Best practice risk management cannot be implemented without the involvement of all three."
But, banks are making progress in this area. According to the Deloitte survey, 81 percent of banks have established the position of a chief risk officer. In the last report, two years earlier, 65 percent of large financial institutions had chief risk officers.
The Basel Committee was established as the committee on banking regulations and supervisory practices by the central-bank governors of the G-10 countries. It was founded at the end of 1974 after a series of disruptions in international currency and banking markets (notably the failure of Bankhaus Herstatt in West Germany). The first meeting took place in February 1975, and meetings have been held three or four times a year since.
The committee does not possess formal supranational authority, and its conclusions do not have legal force. The committee formulates broad standards and guidelines and recommends statements of best practice in the expectation that individual authorities will take steps to implement them through detailed arrangements - statutory or otherwise - that are best suited to their own national systems. Though the committee itself doesn't have regulatory power, its recommendations have become standards in member countries.
The committee's first comprehensive set of regulations related to risk were the International Convergence of Capital Measurement and Capital Standards, published in June 1988, and generally referred to as the Basel Capital Accord. These rules stipulated a "target standard ratio" of unencumbered capital to risk-weighted assets of 8 percent.
But shortly after the initial accord was published, and long before it was to take effect (year-end 1992), the development of new financial instruments, including increasingly complex derivatives, led to the adoption of a new capital adequacy framework (Basel II) in 1999. According to BIS, Basel II aims to build on a foundation of capital regulation, supervision and market discipline, and to enhance further risk management and financial stability.
In the last seven years, the Basel committee has outlined in more detail different parts of the framework, including the 1996 amendment that incorporated market risk into the pact and the addition of governance recommendations in early 2005. The rules for operational risk still remain largely undefined. -P.B.