Its recommendations include the awkward question of operational
risk, which, in the on-line age, is changing from a one-dimensional
procedure to a highly complex analytical process.
This shift in thinking will require multi-level risk assessments
and sophisticated analysis of security, operational and management
factors. The accord is going to change how institutions capture
operational metrics data in the first place.
Some heavyweight institutions are going to be looking to their
IT directors to play a big role in making it all happen.
This is the latest stage of an ongoing process. The original
1988 Basel Committee accord (Basel I) ruled that banks have to hold enough
capital to cover potential losses from transactions (technically, a bank's
total capital should never fall to a level of less than 8% of
risk-weighted assets) and set out rules for calculating the
risk-weighted figure.
In a world of interconnected financial systems, it's been
recognised that a single risk measure for all banks is no longer
appropriate.
The current Basel Committee (Basel II) has developed a new
system that will be more risk-sensitive and flexible – and more
onerous.
Banks will now be expected to examine IT, security, fraud,
employment practices and workplace safety, business services,
physical damage, business disruption, system failure, service
execution-delivery-process management, and legal and reputational
factors.
The clock is already ticking loudly. The final accord is due for
completion at the end of next year and takes effect from 2007. The
bottom line requirement is that data capture which enables
operational risk factors to be identified and analysed needs to be
fully operational from 2004. By the time Basel takes effect, three
years' data will be required.
Not only does the IT department have the responsibility for
providing the right data capture applications, it will have to help
its masters decide how to collect that data.
It's relatively easy to identify quantitative data for areas
such as transactions, but how is a bank to measure reputation or
predict risk from employee performance? Measurements will also need
to encompass the risks from outsourcing and the mitigating effect
of having relevant insurance in place.
Boundaries between types of risk aren't yet clear. Different
departments will need to fully understand how risks flow through
the organisation – what the dependencies and correlations are.
A successful hack on a bank's IT system might bring the bank to
a halt for a certain amount of time – risk one – but it might also
have a "reputational" impact – risk two – and if the reputational
impact coupled with the business disruption affects the share
price, there is a third risk. How do you separate these out and
measure them?
Navel gazing could actually be beneficial, since there will be a
need for organisations to look both internally and externally at
the risks that they face. But are institutions truly effective at
assessing external and internal factors impacting on their
operations to gain an understanding of risk?
An extension of this issue is that Basel II encourages an
integrated risk management approach – risk information will need to
be reported both as an aggregate measure and across different
business lines. In many organisations, there is currently
insufficient understanding of how to bring together different risk
approaches.
At present, most risk measurement still takes place in
stovepipes. It's no use measuring performance if you haven't agreed
on parameters which give a true picture of your performance and
shared them with your fellow managers.
Just as the banking community has had the foresight to develop
its recommendations, so the IT departments are realising that they
will have to speak in many different management languages to draw
up their plans for Basel II.
They will need to show strong leadership in the next twelve
months. They will also need support and encouragement from their
respective boards to do so.
This article was contributed to OUT-LAW.COM by Debi
Ashenden, managing consultant of QinetiQ Trusted Information
Management, a business security specialist. QinetiQ is exhibiting
at Infosecurity Europe at the Grand Hall at Olympia from 29th April
- 1st May 2003. For more information, see: www.infosec.co.uk