Basel II and the impact on financial IT project risk management
Project Risk Management professionals are just now becoming aware of the profound impact that revisions to a decade-old minimum-capital requirements accord issued by the Bank for International Settlements will have on tomorrow's project risk management for financial institutions’ information technology (IT) projects. The New Basel Capital Accord, a capital adequacy framework for banks with a direct impact on other players in the financial services sector such as insurance, finance companies, broker dealers and investment firms, is generating a level of interest in the financial industry last seen with “Y2K compliance.” Since the publication of the 1988 Capital Accord by the Committee on Banking Supervision of the Bank for International Settlements (known as the Basel Committee), international financial institutions have witnessed dramatic events in the financial market such as the collapse of Barings, the Asian and Russian monetary crises, and the near collapse of the Long Term Capital Hedge Fund. The most recent collapse of Enron and its impact on major financial institutions has also brought the need for more risk-adjusted, global and uniform oversight of financial institutions and their capital adequacy. The Basel Committee, motivated to maintain high standards for regulation of capital adequacy, proposed to replace the 1988 Capital Accord with a framework that addressed the underlying factors that caused the incidents.
The 1988 Capital Accord is largely based on assessments of credit risks and market risks. However, the second consultation of the Basel Committee recognizes that there is a range of other—operational—risks that should be subject to a specific capital charge. The second consultation (Basel II) is also focused on being far more detailed and risk sensitive in its approach and formulation. It is under the framework component of “operations risks” that project risk management for financial IT projects will be significantly impacted. Financial institutions’ IT (and business process operations) departments may have regulatory capital charges and assessments applied to their project costs based on their project risk management tools, methodologies, processes and track record. Many regulatory authorities are considering risk metrics databases as a component of bank supervisor reviews in the evaluation of the overall soundness of the institution's ability to determine its capital adequacy, and observers expect that the items related to project management will now be a part of the operations risk area. The Basel Accord, Operational Risk, and the impact on IT Project Risk Management are described in the sections that follow.
The New Basel Capital Accord: Scope, Timing, and Impact
In June 1999 the Basel Committee on Banking Supervision, which meets at the Bank for International Settlements (BIS), released a proposal to replace the 1988 Capital Accord and link international capital requirements to credit ratings to reflect market risk more accurately. Although the accord was originally intended for banks that are internationally active, the Group of Ten (G10) countries are applying the policies to other financial service institutions including banks, securities firms, asset managers, and insurance companies in their specific jurisdictions and expect the other countries to do the same. With over 110 countries (including most European countries, the United States and Japan) as signatories to the original accord, the impact is global and far-reaching.
Project management professionals are particularly interested in the scope and impact on financial institutions’ IT projects. Typically, 45% of a bank's IT budget is directed toward systems development and maintenance and 18% toward hardware acquisition (Source: EDS). These are areas where their project management and risk management disciplines are routinely applied. Twenty percent of IT project budgets or more (depending on project performance metrics) may be required to be held in capital adequacy reserve. Sound project and risk management processes, along with supporting performance metrics that can quantitatively demonstrate the precision of actual performance against plan, will contribute to the reduction of capital reserves for IT projects. The regulatory attention to the project risk management discipline and the time frame for compliance have project management professionals considering Basel II as a significant career and revenue opportunity.
The New Basel Accord continues to be a work in progress. A second consultation period was completed in 2001. The next draft is expected in early 2002 and the final version is to be produced by year-end 2002. With implementation of the New Basel Capital Accord now targeted for 2005 (later for some developing countries) and implementation cost estimates from 4% to 7.5% of operating budgets net of interest expenses for three to five years for most G10-based financial institutions, and much higher for countries such as Japan and those in the developing markets (Source: EDS), the time to invest in sound project risk management practices and project risk data collection systems is now.
Regulators from the G10 countries, awakened by several international bank failures, developed the 1988 Basel Capital Accord (Basel I) to address the inconsistencies in bank capitalization. Basel I, and subsequent amendments, introduced uniform minimum-capital requirements (8% of risk-weighted assets). As the business of banking and risk management underwent significant transformation in the 1990s, the shortcomings of Basel I became evident. Basel I's risk-weighting system proved to be rather crude. The “one-size-fits-all” approach began to generate anomalies and encouraged counterproductive behavior by some banks. (For example, some banks engaged in “regulatory arbitrage” by shifting to low-grade loans that had no more capital requirement than higher-rated loans.) In June 1999, the Basel Committee released a proposal to replace Basel I with a more risk-sensitive framework that covers market, credit, and operations risk. The new accord (Basel II) aims to replace the “one-size-fits-all” approach with a series of flexible and more accurate options for calculating risk and will revise the manner in which risk reserves are determined for banks. (See Exhibit 1.)
The Basel Committee's current proposal attempts to address the shortcomings of Basel I by proposing a framework with which an internationally active bank may establish regulatory-capital requirements commensurate with its actual risk exposure. The framework also promotes more rigorous bank supervision and advances market discipline through enhanced disclosure by banks. Basel II consists of three pillars: first pillar—minimum capital requirement; second pillar—supervisory review process; and third pillar—market discipline (disclosure). (See Exhibit 2.)
The first pillar establishes minimum capital requirements. Basel II revisions improve and expand the measurement of risks to include: Credit Risk—modified from Basel I; Market Risk—unchanged from Basel I; and Operational Risk—added for Basel II. The second pillar addresses the review and oversight by bank supervisors of the internal bank processes used to evaluate risk and assess capital adequacy needs. Regulatory authorities may also access a bank's standards for internal measurement methodologies and disclosure processes. The third pillar sets out to improve market discipline, an improvement that occurs through enhanced disclosure by banks so that risk profiles and capital positions are better understood.
Operational Risk: Background and Overview
Basel II, by including operational risk with Basel I's credit and market risk, takes a significant step forward in establishing a more credible risk-sensitive framework and promotes the development of more robust operational risk methodologies in the banking industry. Operational risks are becoming significantly greater and more complex, with greater consequences for failure. New and innovative financial products (such as new derivatives) and services (such as real-time banking and web-based banking) dramatically change traditional methods of doing business. These new products rely upon breakthrough technologies to deliver business value. Shorter time-to-market development cycles have substantially compressed project duration. Emerging practices such as outsourcing to third-party suppliers must also be included in capital assessments. With such a wide range of potential operating risk, the Basel Committee recognizes that the framework must accommodate the various business lines, loss types, and activities as well as varying levels of risk management process maturity among institutions.
Definition of Operational Risk
Basel II defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.” The range of operational risks is great, from people risks (incompetency and fraud) to technology risks (system failure and programming error). Information technology projects are also included within the scope of operational risks. It is the intent of the Basel Committee to establish a framework that both recognizes the causal relationship of risk realization and rewards institutions (through reductions in the operational risk capital requirement) that develop advanced risk management processes and risk measurement capabilities. Ultimately, the institutions with more sophisticated risk management disciplines will be able to set their own capital requirements based on their own risk profiles.
The Measurement Methodologies
Today, industry risk management techniques vary widely from institution to institution. Some have begun to collect operational loss data and build risk models; most are in the early development stages of data collection and model construction. The Basel Committee has offered three methodologies to address the level of risk management process maturity and presents them in a continuum of sophistication. They are the Basic Indicator Approach, the Standardized Approach, and the Internal Measurement Approach. (See Exhibit 3.)
The Basic Indicator Approach proposes basing the operational-risk charge on a single risk indicator—gross income. The Standardized Approach links operational risk to business-specific financial indicators and institutional business lines. Both of these approaches, predetermined by regulators, may penalize the high-income or large-revenue institutions and are disassociated from the actual risk being taken. Neither takes into account risk diversification or internal risk management ability. It is the third approach, the Internal Measurement Approach, that offers institutions the option to base the capital requirement on internal loss data and risk process maturity and realize the benefits of a reduction in capital charge (and make available more capital for revenue generation). Banks will be incentivized to invest in, develop and implement robust project risk management disciplines. This will be particularly true for large banks that want to avoid the excessive capital charge determined by the Basic Indicator Approach and the Standardized Approach.
Other Considerations: Qualifying Criteria and Interaction with the Second and Third Pillars
The three approaches are presented as a continuum from the simple Basic Indicator Approach to the more sophisticated Internal Measurement Approach. The Basel Committee proposes a set of standards against which banks will be evaluated to determine which framework is used for their capital calculation. Supervisors will assess against these standards to determine the eligible approach. Basel II standards will also include a series of qualitative and quantitative requirements for effective risk management and measurement. Supervisors will also assess the institutions’ internal methodologies for operational risk to determine the adequacy of the risk control environment. To reinforce supervisory review and promote safety and soundness in bank and financial systems, the Basel Committee promotes the public disclosure of information about operational risk management and control processes. Supervisor reviews that uncover anomalies in processes will be brought to the institution's attention for prompt resolution. These disclosure rules may force institutions to share a greater amount of proprietary data faster. For the most part, regulation will become more intrusive and strict but will become a clear “harmonizing force” as regulators rate and rank financial institutions by the same set of rules across all geographies.
Impact on IT Project Risk Management
The project management community is just beginning to understand the impact that Basel II's Operational Risk framework will have on the application of project risk management techniques to institutions’ information technology projects. For IT projects, the value at risk is directly related to the project's strategic business value. Risk events, realized during project execution, may contribute to cost overruns, schedule delays, and failure to deliver planned functionality and high-quality products. Cost overruns may negatively impact a project's return-on-investment business justification. Schedule delays and slippage, while also contributing to cost overruns, may have late-to-market and loss-of-market implications. And issues of diminished functionality and poor quality have equally obvious negative implications.
A growing trend in the bank and finance industry is the use of outsourcing to third-party vendors. Outsourcing, in addition to providing specialty products and services at competitive costs, has the possibility of reducing the operational risk capital required by mitigating institution risk through contractual vehicles such as Service Level Agreements. Although outsourcing offers risk mitigation benefits, the Basel Committee points out that it “does not relieve that bank of the ultimate responsibility for controlling risks that affect its operation.” Third-party suppliers and their operational performance remain the responsibility of the bank. Regulatory authorities, through their bank supervision authority, have the right to audit, control and effect change in the use or retention of third parties if required. The future is coming into focus for those who would deliver IT products or services to financial institutions through a project construct and for those who would deliver project risk management (and program management) services. Third-party suppliers must have robust and comprehensive means to identify, measure, control and mitigate risk in the specific services that they are providing to the bank, and this includes the complete project management space.
Attention to Methodology, Data, Review, and Disclosure
Project Risk Management, when implemented as a component of a complete Project Management methodology, can reduce the exposure, severity, and frequency of project risk events. The result is risk reduction on a project and, for institutions, lower regulatory capital requirements. This is consistent with the Basel Committee's interest and is reflected in expectations, as described in Basel II, for an institution's operational risk control environment and related supervisory activities. Some of those expectations are:
• Organizations have a well-defined operational risk methodology and are able to demonstrate commitment and ability to perform this methodology with knowledgeable subject matter experts
• Organizations have robust data-collection systems with multiple years of historical data and the data is used in their own internal processes and is fully integrated in their day-to-day activities
• Organizations maintain and present past project performance and track record data in metrics that the supervisors can understand
• Supervisors examine the risk management control environment, including the data collection, measurement, and validation processes, and identify areas for corrective action
• Organizations disclose publicly, and in a timely manner, information about their operational risk control environment (the Basel Committee continues to work at defining what data is appropriate for disclosure)
Similar expectations exist for third-party suppliers and outsourcers. They are:
• Third-party suppliers have measures, metrics, and benchmarks to indicate performance specific to their services, with historical data of a minimum of five years used for benchmark and performance metrics.
• Third-party suppliers have well-defined management processes including governance and decision-making structures.
• Third-party suppliers have internal processes to validate the integrity specific to their services, including full documentation and auditability specific to the institution being supported.
Urgency in Preparing and Analyzing Historical Organization Project Performance Data
Coming as a shock to many organizations is the Basel II requirement that five years of project history performance databases be available and used to develop IT project estimates. IT project performance analysis is expected to show the quality of estimates (actual performance to planned) and correlate performance to such factors as program complexity, cultural risks, and political risks. Volatility in project variance-at-complete metrics will attract additional regulatory scrutiny. Capital charges will be determined by, and commensurate with, the stability or volatility of past performance. For example, if a project budget is 100 million but the organization's track record and metrics indicate constant cost overruns of 35%, then this historical cost overrun factor will be used in computing the capital charge (35 million). A significant amount of activity around retrieving past project estimates, analyzing the influence of project events on the final outcome, and structuring data in understandable and telling ways needs to begin. A lot of data on project profiles and scope is also required to interpret the data in the context of work that is relevant for financial institutions. This will be a great challenge to organizations that have not defined and maintained project data at the granularity and purity needed to conduct meaningful analysis. For some firms, operational risk databases are nothing more than the sum of the mistakes of past years. For Basel II, data must be available from 2000 and earlier. It is understandable that many consider the cost of Basel II implementation to be high.
Although the final details for Basel II continue to be defined, it's clear that the new accord offers greater incentives (through lower regulatory capital calculations) to adopt sophisticated risk management approaches that will require the implementation of mature project risk management disciplines. Basel II is having a profound effect on the banking and finance industry. Many institutions are just in the development stages of project risk control environments, including risk event/loss databases. Financial institutions, third-party suppliers (also required to conform to the Basel II risk framework), and project risk management professionals have little time to waste in becoming operational and collecting and analyzing project risk data. The community of project management professionals continues to advance the discipline of project risk management by developing, implementing, and refining practices for assessing, measuring, and controlling project risk, including mitigation techniques such as early warning systems, risk metric dashboards, and change management. These practices are consistent with Basel II and will be required by banks to make their own internal risk management practices conform to Basel II. A sense of urgency is growing; project management professionals are being sought out; and the construction of operational risk control environments has begun. Not since “Y2K compliance” has the industry become so motivated to embrace change. And, for project management professionals, Basel II offers a rewarding opportunity to apply their skills.
Secretariat of the Basel Committee on Banking Supervision. 2001. The New Basel Capital Accord: An Explanatory Note. Bank for International Settlements.
Secretariat of the Basel Committee on Banking Supervision. 2001. Overview of the New Basel Capital Accord. Bank for International Settlements.
Secretariat of the Basel Committee on Banking Supervision. 2001. The New Basel Capital Accord. Bank for International Settlements.
Secretariat of the Basel Committee on Banking Supervision. 2001. Operational Risk. Bank for International Settlements.
David, Gabirel, & Sidler, Christoph. 2001. The New Basel Capital Accord: An Overview and Initial Comments. Plano, TX: EDS.
Secretariat of the Basel Committee on Banking Supervision. 1998. Risk Management for Electronic Banking and Electronic Money Activities. Bank for International Settlements.
Bear, David, Buehler, Kevin S., & Pritsch, Gunnar. 2001. Getting International Banking Rules Right. The McKinsey Quarterly, No 4.
Proceedings of the Project Management Institute Annual Seminars & Symposium
October 3–10, 2002 • San Antonio, Texas, USA