Basel II: Building Risk-resilient Banking Systems

When Barings Bank declared bankruptcy in 1995, the world was stunned. As Britain's oldest merchant bank, Barings had weathered disasters like the Great Depression and Two World Wars - only to be later brought down by a single man in a small office in Singapore. Nick Leeson, a derivatives trader employed by the bank, took unauthorized speculative positions primarily in futures linked to the Nikkei 225 and Japanese Government Bonds (JGB). What losses he incurred, he reported as gains on Barings’ spreadsheets. What funds he needed, he got by falsifying the bank's accounts. By the time Barings uncovered his actions, it was too late. Leeson had cost the bank over $1 billion.

Experts believe that the reason for the bank’s collapse was inadequate risk management. Had Barings insisted on supervising Leesons's actions or conducting an external audit, the situation could have been identified earlier and a crisis averted.

Risk management is becoming a crucial part of business strategy. Without it, thousands of people are adversely affected - shareholders, bankers, employees, customers and even the government who spends millions of dollars trying to bail a bank out.

To ensure that banks are equipped to manage risks, the Basel II Capital Accord was created by the Basel Committee for Banking Supervision.

• What is Basel II?
• Basel II Summary
• Extending Basel II to IT
• Basel II Guidelines
• Basel II Implementation
• Developing an IT risk management strategy
• Surmounting the challenges of Basel II compliance
• How MetricStream’s solutions can make a difference

What is Basel II? 
Basel II summary: Basel II (also cited as Basel 2), also known as the International Convergence of Capital Measurement and Capital Standards, helps international banks and financial institutions safeguard themselves against operational and financial risks. It does this by setting up rigorous risk and capital management requirements designed to ensure that a bank holds enough capital reserves on hand to offset its risks.

While risk management has always been a core banking function, banks were earlier permitted to develop their own risk methodologies. With Basel II, each bank has to follow minimum risk methodology standards, develop their own risk management framework and ensure regulatory supervision.

Extending Basel II to IT 
Implementing Basel II standards using Basel II compliance software is especially important in today's world where IT systems - the vortex of financial and banking information - are vulnerable to risks.

In 1995, a leading U.S. bank found that its accounts had been compromised. A hacker had illegally transferred $10 million from the bank’s accounts to chosen recipients across the world. Although most of the money was recovered, the incident revealed that even powerful banks can fall prey to security threats.

Banks need an effective risk management framework. After all, their systems deal with millions of customers and trillions of dollars every day. A lot of these transactions are automated and are routed across myriad systems, servers and networks. Consider the Automated Clearing House Network through which 11,000 banks and financial institutions offer electronic payment services; or ATM networks which route transaction requests between the user, host processor and bank in a matter of seconds; or CRM systems which contain extensive and confidential customer information. Each of these systems needs to be fully functional and secured.

Technology is only becoming more complex as banks extend their services to international markets. Business process outsourcing allows employees in one country to access customer information from another. In such an environment, a single unsecured network could be hacked into either externally or internally. Millions of dollars could be stolen, accounts misrepresented or confidential information made public.

Apart from the human element, IT systems are subject to other risks such as utility disruptions, software failures, hardware failures, data entry errors and accounting errors. Compounding these issues is the threat of natural disasters or vandalism which can irreparably damage physical assets.

Clearly the risks that financial institutions face are enormous. But by following Basel II requirements, they can work towards building a safer financial system and improving customer and investor confidence.

Basel II Implementation 
Basel II Guidelines are based on a framework of 3 pillars.

• Pillar 1: Minimum Capital Requirements - Identify risks, quantitatively measure risks, mitigate risks, allocate minimum capital for each risk
• Pillar 2: Supervisory review - Provide visibility into the risk management infrastructure, support supervisory review of capital adequacy and internal risk measurement methodologies, determine ability to hold additional capital above and beyond Pillar 1
• Pillar 3: Market Discipline - Release relevant financial data to the public to help investors evaluate the bank's health

Developing an IT risk management strategy
Basel II requires banks to develop a risk management framework that can:

• Maintain data integrity 
  Banks should prevent identity theft and data leakage by applying the principles of least privilege and deft error handling. External electronic devices like pen drives and camera phones should be restricted as far as possible. Firewalls should be in put in place and constantly updated to prevent malware or spyware from infecting the system.
• Prevent unauthorized transactions into the system
  A robust authentication system will prevent system compromise and fraud. Apart from recognized legitimate agents, no one else must be allowed to execute transactions within the bank. The code developed must ensure that there is no provision for a guest account to be created. Strong password policies should be implemented with strong encryption. An automatic system log-off should be used to prevent unauthorized users from accessing an unguarded system.
• Prevent unauthorized changes to the software
  Unauthorized modifications to the bank software lead to fraudulent practices and render the system weak. A robust change management system that allows only authorized changes should be implemented. Every change should be tracked and monitored. In case of suspected fraud, the change management system must leave a clear audit trail that traces every change in the system.
• Ensure system back-up
  Basel II mandates that the system must be available always. System back-up plans should be put in place. The system must be able to withstand high loads and perform at optimal speeds. It is impractical to revert to manual calculation in case of system downtime or failure. So it is extremely crucial to have in place contingencies that can handle unexpected system downtime and failures.
• Implement business continuity/disaster recovery plans
  In a business environment characterized by natural disasters, vandalism, terrorist attacks, epidemics and technological failures, it is imperative to implement an effective business continuity plan. Banks should develop a recovery strategy that targets technical systems, management and employees. The awareness around BCP plans should be raised and mock drills conducted. Effective crisis communication tools should also be developed.

Surmounting the challenges of Basel II compliance
Developing a risk management framework can be extremely challenging. Banks need to analyze risk reports and risk heat maps, assess and test controls, and choose the appropriate risk mitigating strategy. Adequate capital then has to be allocated. The whole process can be costly in terms of money, time, effort, technology and personnel required.

For best results, the risk management framework should be integrated across the entire value chain. This is not only complex and costly, it also requires management approval.

What banks need is a single platform that centralizes, streamlines and automates compliance and IT risk management.

How MetricStream’s solutions can make a difference
MetricStream offers one of the most comprehensive and advanced solutions for risk and compliance management. Key functions include:

• Risk assessment and analysis
  MetricStream provides a centralized risk framework to document and evaluate all risks faced by the bank. Executive-level dashboards and reports offer visibility into the bank’s risk profile, enabling risk response strategies to be prioritized for optimal outcomes.
• Control design and assessment
  The MetricStream solution helps companies define controls that can mitigate risks. It also supports control assessments based on predefined criteria and checklists. The results are maintained in a central repository with an easy search capability.
• Loss Tracking and Key Risk Indicators (KRIs)
  The MetricStream solution enables risk managers to track loss events, risk thresholds and metrics. Automated notifications indicate when thresholds are breached.
• Issue Management and Remediation
  Once issues are identified, documented and prioritized, a systematic mechanism of investigation and remediation is set off by the underlying workflow and collaboration engine.
• Internal Audit
  The MetricStream solution manages a wide range of auditing processes and data. It has advanced capabilities like built-in remediation workflows, time tracking, email-based notifications and alerts, and offline functionality for audits at remote field sites.

Banks and financial institutions that look to build a centralized, integrated risk framework stand to gain. With MetricStream’s single platform solution, they can reduce their capital requirements, manage risks effectively, aid in decision-making and maximize business performance.