A healthy debate is evolving over the precise shape that Basel II capital requirements should take in the United States. This is a serious matter and it is a mark of distinction in our great democratic system that the debate is now broad and deep, involving banks large and small, the regulatory community, and the Congress.
However, irrespective of how this capital requirement debate is concluded, other aspects of Basel II should not be overlooked; they are hugely important and are here to stay.
In the 1990s, U.S. regulators adopted a supervision-by-risk approach to get bankers and examiners to focus on the quality of banks' risk management systems. Since then, through supervisory pronouncements and on-site examination work, regulators have continued to advance their expectations for risk management. Other standard setters, such as accounting bodies, auditors, and the Congress, have added to the picture. Basel II Pillars 2 and 3, and even aspects of Pillar 1, form a highly detailed risk management-oriented and governance-oriented supervisory framework that takes us much farther down this road.
This is crucial for the banking industry. Basel II's risk management supervisory framework raises the bar considerably on what is expected of banks' risk management and control systems. For example, it encompasses:
- A more quantitative approach to credit, market, and operational risk.
- A systemwide and more intense focus on compliance and governance issues.
- An emphasis on transparency.
To date, bank regulators' worldwide preparations for implementing the Basel II risk management framework have not been entirely uniform. This results partly from the fact that this framework is still relatively new, and partly from the lack of detail. The framework is intended to evolve over the next several years through more comprehensive regulations and guidance. For now, the framework is embodied in a set of principles that have been elaborated on by supervisory actions, and in speeches and some changes to applicable agency guidance.However, it is essential that all bankers understand where the regulators will go with the Basel II risk management framework whether or not Basel II Pillar 1 is ultimately adopted in the United States. Or, for that matter, whether Pillars 2 and 3 are formally adopted in the United States. To prepare for the evolution of Basel II's risk management framework, there are some things banks should do or should be aware of to be in sync with these trends:
- Banks need to adopt or strengthen their enterprisewide risk management framework.
- The ERM framework should be independent of the business lines, with at most a dotted-line reporting relationship to a business group; it should include market risk, credit risk, and broadly defined operational risk components.
- Compliance is, in essence, a component of an ERM framework, though at least for the time being it can be an independent entity. If the chief compliance officer does not report to the chief risk officer, he or she ideally should report to the chief executive officer, with a dotted-line reporting relationship to the board.
- The ERM framework should be made up of both qualitative and quantitative components. Sophisticated risk metrics should be utilized where possible, coupled with judgmental adjustments that are based on environmental factors, stress tests, peer analysis, and the like.
- The board of directors should establish risk-appetite guidelines for each major risk area; management, with the assistance of the ERM mechanism, should help to ensure that these guidelines are followed by the business units.
- All banks of substantial size - if they have not already - should be moving to determine the economic capital necessary for their risks and business lines.
- The chief risk officer needs to produce for top management and the board, at least quarterly, an integrated assessment of the bank's current and future risk profile. These reports should benchmark the risk profile to the risk appetite guidelines set by the board, and they should be used to help management and the board make informed risk management decisions. These reports must be concise and be able to be easily understood by readers who are not technicians.
- Business lines need to be monitoring and testing the effectiveness of their internal controls, with control weaknesses and failures being reported to the chief risk officer. The risk management and internal audit functions should also be involved in testing internal controls. More significant failures need to be reported to top management and the board.
- Banks need to adjust their historical loss experience to account for expected future changes in the business environment (such as growth or a change in product mix) and factors that change the effectiveness of their internal controls.
- Business lines need to update their policies and procedures to satisfy Basel II requirements.
- Quantitative risk modeling must include stress tests that cover the reasonable range of possible events, and sensitivity analysis that reveals the stability and sensibleness of the results.
- Banks need to check the integrity of the data and systems upon which their risk estimates are based.
- Risk models and estimates must be documented and independently validated.
- Banks need to make sure they have an effective and independent internal audit function that has sufficient resources to do the job. The annual audit plan needs to be approved by the board's audit committee.
There are, of course, additional steps that need to be taken to have a risk management and control environment that is consistent with what regulators will require in the wake of Basel II. And these requirements will continue to evolve. Nonetheless, what I have set out above are bases that should be covered for all larger regulated banking organizations in the brave new world of risk management supervision that we are entering.
