Managing risk is about to become more complicated for financial institutions and their IT departments because of Basel II.
Basel II is the international accord which will map out how the banking industry will regulate itself in the coming years. The final accord is due for completion at the end of next year and takes effect from 2007.
Its recommendations include the awkward question of operational risk which, in the online age, is changing from a one-dimensional procedure to a complex analytical process.
This shift in thinking will require multi-level risk assessments and sophisticated analysis of security, operational and management factors. The accord will change how institutions capture operational metrics data and they will look to their IT directors to play a big role in making this happen.
Basel II is the latest stage of an ongoing process. The original 1988 Basel accord (Basel I) ruled that banks must have enough capital to cover potential losses from transactions, and set out rules for calculating the risk-weighted figure. Technically, a bank's total capital should never fall below 8% of its risk-weighted assets. In a world of interconnected financial systems, it has been recognised that a single risk measure for all banks is no longer appropriate.
The current Basel Committee (Basel II) has developed a system that will be more risk-sensitive and flexible, and its requirements more onerous. Banks will be expected to examine IT, security, fraud, employment practices and workplace safety, business services, physical damage, business disruption, system failure, execution, delivery and process management, and legal factors.
The bottom-line requirement is that data capture, which enables operational risk factors to be identified and analysed, needs to be fully operational from 2004. By the time Basel II takes effect, three years' worth of data will be required.
The IT department is responsible for providing the right data capture applications and helping its masters decide how to collect that data. It is relatively easy to identify quantitative data for areas such as transactions, but how is a bank to measure reputation or predict risk from employee performance?
Measurements will also need to encompass the risks from outsourcing and the effect of having relevant insurance in place.
Boundaries between types of risk are not yet clear. Different departments will need to fully understand how risks flow through the organisation.
A hack on a bank's IT system might bring the bank to a halt for a time (risk one) but it might also have a "reputational" impact (risk two), and if that, coupled with the business disruption, affects the share price, there is a third risk. How do you separate these and measure them?
Organisations need to look at the risks they face internally and externally. But are institutions truly effective at assessing these factors to gain an understanding of risk?
The banking community has had the foresight to develop its recommendations, and IT departments are realising they will have to speak in many different management languages to draw up their plans to meet Basel II requirements. They will need to show strong leadership, and to have the support and encouragement of their boards, to do so.
Debi Ashenden is managing consultant at QinetiQ Trusted Information Management