Basel II: An Update
By Tom Schmidt
As most banks know, the Basel II Accord identifies the steps required for adopting more risk-sensitive minimum capital requirements. In the words of the Basel Committee on Banking Supervision, the new framework that was endorsed by central bank governors in June 2004 "reinforces these risk-sensitive requirements by laying out principles for banks to assess the adequacy of their capital and for supervisors to review such assessments to ensure banks have adequate capital to support their risks." The new framework also seeks to strengthen market discipline by enhancing transparency in banks' financial reporting.
The Basel Committee expects the framework to be available for implementation in member jurisdictions by the end of 2006. The most advanced approaches to risk measurement, however, won't be available for implementation until the end of 2007.
Central to the new framework is what the Committee calls the "three pillars approach," which addresses minimum capital requirements, supervisory review, and market discipline.
Pillar 1 revises previous guidelines by aligning the minimum capital requirements more closely with each bank's actual risk of economic loss. Pillar 2 recognizes the necessity of exercising effective supervisory review of banks' internal assessments of their overall risks to ensure that bank management is exercising sound judgment and has set aside adequate capital for these risks. Pillar 3 leverages the ability of market discipline to motivate prudent management by enhancing the degree of transparency in banks' public reporting. It identifies the public disclosures that banks must make that lend greater insight into the adequacy of their capitalization.
Needed: A strategic view
According to a study published in January by Financial Insights, European banks' approach to Basel II so far threatens to lead to "regulatory fatigue." The study found that the cumulative workload of ever-increasing regulatory compliance will force banks to take a strategic view of their data storage architectures and even cause some banks to review their core systems. Ad hoc solutions for each project are no longer adequate, the study observed, noting that "it will be important for banks to tackle the common elements of regulatory compliance coherently and take an enterprise view."
The real return on Basel II IT investment, according to the study, will depend "to a great extent on whether financial institutions have wider objectives for their risk management framework or are merely aiming at narrow technical compliance."
What's at stake
Financial Insights' findings are supported by a recent report from the research firm Gartner Inc. According to Gartner, enterprise risk management is emerging unevenly across the financial services industry, and most banks are still far from taking an integrated approach. Moreover, Gartner found that many banks are using what it calls the "ever-evolving and changing" regulatory landscape as a reason to delay action. The report noted that companies are taking a "siloed" approach: "For example, bank data initiatives for credit, market and operational risk are frequently structured and managed in isolation.... A fragmented silo approach to risk management has proven to be inadequate in an environment where investors and regulators seek greater transparency into company operations and greater accountability from senior management."
Gartner concludes its risk-management survey with this prediction: "Banks lacking enterprise risk management will suffer competitively. By 2007, banks that don't establish integrated enterprise risk management capabilities will lose customers, increase capital costs and decrease credit ratings, compared to competitors that do."
A critical first step
It is essential for financial institutions (and organizations in general) to begin to address risk management from a strategic perspective -- one that mandates a proactive and holistic approach to building a comprehensive set of capabilities in security and availability that can lead to a positive impact on cost and performance. A critical first step in such a strategic direction is realizing that many of today's regulations include a significant amount of overlap.
For example, across regulations, there are required elements including logical and physical access control, encryption, monitoring (auditing and logging) of systems, change control procedures, incident response, disaster recovery, and notification of privacy policies to customers.
The challenge for financial institutions is in how well they can map the regulatory requirements appropriate to their organization to specific security and availability solutions. Four areas in particular are critical in addressing compliance requirements strategically: Risk Assessment, Vulnerability Detection, Remediation, and Incident Management.
- Risk Assessment: This area includes the tasks that are critical to an analysis of an organization's tolerance for security threats and vulnerabilities, or for business disruption due to unanticipated downtime. It involves an inventory of in-scope controls, people, processes, and technologies, and an assessment of compliance with IT policies and regulatory requirements. It might also involve identifying and isolating threats, including intrusion protection, malicious program identification, "rogue" (or unknown) technology discovery, and log activity analysis.
- Vulnerability Detection: This includes the set of tasks necessary to proactively identify and isolate asset weaknesses before they are exposed to attack. To meet regulations, organizations should gain assurance around their technical controls. Further, by scanning systems for vulnerabilities and compliance, organizations should be able to assess and report on the efficacy of their security controls and processes. By identifying vulnerabilities that may affect availability, companies can reduce the risk of business interruption and preserve their investment in a system. Three areas in particular are critical to vulnerability detection: compliance testing, vulnerability scanning, and operations availability analysis.
- Remediation: This area includes the tasks needed to isolate and resolve IT control gaps and issues once asset weaknesses and vulnerabilities have been identified and isolated. It might involve deploying a new software patch to remove a security vulnerability, or a change to IT processes and procedures to accelerate an organization's ability to respond to a new incident.
- Incident Management: This includes the tasks necessary to integrate, interpret, and present security- and availability-related information from disparate sources: intelligence analysis, standards and policies compliance, asset classification, event correlation, and reporting (both on a specific action and its cumulative effect).
Conclusion
In many ways, Basel II is a wake-up call to financial institutions to come face-to-face with risk on a strategic basis. Those that take control of this risk through sound information security controls stand a good chance of significantly reducing their capital reserves. And that's not all. According to Gartner, "institutions that establish responsive, integrated risk management capabilities will achieve a lower cost of capital than less-savvy competitors through increased customer retention, reduction in working capital, and improved credit ratings." Any way you look at it, that's a recipe for success.
Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.