Improving the Management of Risk Through Implementation of Basel II

Speeches

27 Sep 2005

Improving the Management of Risk Through Implementation of Basel II

Simon Topping, Executive Director (Banking Policy), Hong Kong Monetary Authority

(Speech at the ACIHK The Financial Markets Association Basel II Seminar, The Grand Hyatt, Hong Kong)

Only a few years ago it might have seemed a bit strange to invite a regulator to speak on the subject of risk management. After all, a regulator was supposed to have the same relationship to risk as the preacher did to sin: he was against it.

Historically, regulation and risk management were opposites. Regulation was supposed to be all about stopping banks from taking risks. Risk management, by contrast, was concerned with how you take on risk and how you manage it. Regulation has been criticised, rightly in my view, for taking insufficient account of modern risk management techniques such as credit risk and operational risk modelling, stress-testing, and portfolio management.

Thankfully we are beginning to move away from the days when regulators were perceived as regarding taking any sort of risk as "a bad thing." Regulators care, above all, that the banking system should be sound and stable. One of the most important factors in a sound banking system is that banks should be profitable; and regulators recognise that without risks there is no chance of banks making money. What matters are not the risks that banks take, but how good they are at identifying, monitoring and controlling them. Hopefully we are also moving away from the days when regulators set regulations which have no real relation to how banks themselves look at risk, and how they manage risk.

Basel II is a major step in this direction. It aims to link the way regulators look at risk to how banks themselves look at risk; to encourage the use of modern risk management techniques; to encourage innovation; and to encourage banks to ensure that their risk management capabilities are commensurate with the risks of their business. As a result Basel II brings regulation into the 21st century.

Previously, regulators' main focus was on credit risk and market risk. Basel II takes a more sophisticated approach to credit risk, in that it allows banks to make use of internal ratings based systems - or "IRB systems" as they have become known - to calculate their capital requirement for credit risk. It also introduces, in addition to the market risk capital charge, an explicit capital charge for operational risk. Together, these three risks - credit, market, and operational risk - are the so-called "Pillar 1" risks.

But Basel II goes much further than this in looking at risk. As you will I am sure know, as risk management professionals, these three risks are only scraping the surface. Banks' risk management functions need to look at a much wider range of risks than this - interest rate risk in the banking book, foreign exchange risk, liquidity risk, business cycle risk, reputation risk, strategic risk. The risk management role of helping identify, evaluate, monitor, manage and control or mitigate these risks has become a crucial role in modern-day banking. Indeed, it is probably not exaggerating the importance of this to say that the quality of a bank's risk management has become one of the key determinants of a success of a bank.

Basel II recognises the importance of these risks - and of the quality of risk management - by means of what is known as "Pillar 2". Under Pillar 2, there is an assessment firstly of all the risks a bank is running and, secondly, of its ability to manage these risks. This can lead to the bank being required to hold more capital to cover these risks, or to make improvements in its risk management. Pillar 2 therefore encourages banks to improve risk management, and gives capital incentives to do so.

I will say some more about this later on, but it is probably time at this point that I said a little about how Hong Kong is implementing Basel II.


Hong Kong implementation

We took a strategic decision early on in the Basel II process that Hong Kong should implement Basel II in accordance with the timetable recommended by the Basel Committee of Banking Supervision for its own members. This means adoption of most of the approaches under the new framework from the start of 2007, and the more advanced approaches from the start of 2008. Thus Hong Kong will adopt Basel II at the same time as other major international financial centres, such as London, Frankfurt and Tokyo. From a regional perspective, the implementation timetable in Hong Kong is broadly similar to that being adopted by Australia and Singapore.

For several years now the HKMA has been developing its supervisory approach along Basel II lines, and this is leading to some significant changes in how supervision is conducted. Central to this is the issue of "process versus rules".


Process versus rules

The original Basel Capital Accord was developed when risk management was still very much in its infancy. It reflects what might be called a "rules-based" approach to regulation in the sense that it sets prescriptive standards that banks are required to follow. It relies largely on the application of simple, mechanical formulas for assessing how much capital a bank should hold.

The essence of the old Capital Accord was that it represented an attempt to monitor the prudential soundness of banks by using a standardised risk measurement framework, which was applied to all institutions and which employed data based on a snap-shot of their balance sheets at certain specified reporting dates. The approach was standardised since regulators specify the precise form in which the calculation of capital adequacy is to be performed - for example, the specific risk categories into which assets are to be assigned.

There are, of course, still plenty of rules-based aspects to the new capital framework: it's difficult otherwise to understand what the many hundreds of pages of the Basel II document are needed for. However, the point I want to stress is that the advanced approaches, and especially IRB, introduce a new element into banking supervision. For want of a better term, I'll call this process-regulation.

Whereas the old Accord focused on rules, the IRB approaches focus instead on the processes by which risks are managed. Rather than prescribing detailed rules for assessing capital adequacy, supervisors will in future need to assess the adequacy of the internal processes used by firms to manage their risks. This is reflected, for example, in the approach that we propose to take to the validation of IRB systems: we will not be prescribing specific numerical standards that we expect internal risk measurement systems to achieve. Rather, we will discuss with each individual IRB bank how its system performs in relation to the bank's own internal objectives and appetite for risk.

IRB will require us to engage in a dialogue with AIs to understand how they go about developing and approving their IRB models. As a result, the future for banking supervision is likely to take the form of an active discussion with our counterparts in the risk management and credit control functions. It will be less a matter of us setting hard and fast rules, and more a matter of us holding a dialogue with risk managers. Of course, the dialogue cannot be open-ended: at some point we will have to draw our conclusions and make our assessment. But those of you in IRB banks can expect us to show a different level of engagement, and a greater intensity of interest in, your risk management systems than we have previously shown.


Pillar 2

As I mentioned earlier, much of the focus on Basel II has been on IRB, and thus on Pillar 1. Now, credit risk remains, of course, one of the most fundamental risks in banking. However, we in the HKMA determined at an early stage in the Basel II process that it would be desirable to broaden the focus so as to bring into the equation the various "Pillar 2 risks." The case for this is, in our view, self-evident, as risks such as concentration risk, interest rate risk in the banking book, and liquidity funding risk can be every bit as devastating for the financial health of a bank as credit risk can be. In the run-up to final agreement on Basel II, therefore, we issued a series of guidance notes to give encouragement to AIs to upgrade their ability to manage these risks appropriately. We knew that for the coming few years AIs and their risk management specialists were likely to be preoccupied with Pillar 1 and thus we wanted to make sure that these "Pillar 2 risks" were adequately addressed as a priority, and not as an afterthought.

In theory, Pillar 2 requires banks to have a formal process for allocating internal capital against the wide range of risks that are not explicitly part of Pillar 1. This formal process is sometimes referred to as the Capital Allocation Assessment Process or "CAAP". However, it has to be acknowledged that very few banks currently have such a process in place, and only the largest and most sophisticated institutions have been able to devote the resources necessary to building these types of formal capital allocation systems. Consequently, as a regulator, we do not plan to require all banks to develop internal capital allocation models, at least initially. The need for such models must be commensurate with each institution's scale and sophistication.

In place of requiring all AIs to develop these models, the HKMA has developed its own internal Supervisory Review Process, or "SRP". As you may know, the HKMA has for a long time set capital ratios on a bank-by-bank basis. This has been with the aim of trying to ensure that the capital ratio reflects the risk profile of an individual AI, taking into account the full range of risks to which it is potentially exposed. We intend to use the SRP to bring greater rigour into the process of setting AI-specific minimum capital ratios.

In effect, the SRP is our own credit scoring system. It takes a large number of variables, each carefully chosen to reflect a different aspect of risk, and combines them to produce a single overall "score" for each AI. The score is in turn mapped onto a particular range of capital ratios.

Among the factors that this process will consider are the Pillar 1 and Pillar 2 risks that I have already mentioned. In addition, the SRP will take into account a variety of other factors such as reputation risk, strategic risk, and the quality of corporate governance. The inputs into this process will be derived primarily from our existing supervisory arrangements, such as off-site and on-site examinations.

We believe that the SRP is capable of replacing the current, relatively subjective, approach to setting AI-specific minimum capital ratios with something more rigorous and objective. Like all good credit scoring systems, there will still be scope for expert judgement and, in my experience, there is no substitute for the supervisory smell-test. On the whole, however, we intend to base each AI's capital ratio on the output of this process.

Once we have derived a score, and thus a corresponding capital ratio, for an individual AI, we will discuss the results of the SRP with the AI. Again, as in the review of IRB systems, the concept of supervisory dialogue will be important. It will be our aim to understand how each AI approaches the range of risks that exist outside Pillar 1, and to understand the mechanisms they have in place for identifying, monitoring and controlling those risks. If an AI is able to demonstrate to us that it has a better way of allocating capital against these risks than our own SRP model, then we will be open to discuss with it a corresponding adjustment to its capital ratio. Thus one aim of this approach is to give banks an incentive to come up with a better mousetrap. There will be capital benefits from having a good internal capital allocation process.


Implementation challenges

I'd like to say a few words next about the implementation challenges associated with Basel II.

Although preparations for the implementation of the new capital framework are well advanced in a large number of jurisdictions, including in Hong Kong, the process has not been without its critics. It has recently been claimed that too much regulation is now itself the greatest source of risk in the global financial system, and the implication that is supposed to be drawn is that regulators are somehow engaged in a self-defeating exercise.

At the root of this criticism is the compliance burden that arises from Basel II implementation taken in combination with other recent developments, such as the adoption of International Accounting Standards.

The first point I should make is that the timing of these various initiatives is not completely under our control: the accounting profession, for example, has tended to plough its own furrow independently of any of the banking regulators. This has been the case in many leading international financial centres, not just in Hong Kong. Efforts are now underway in a variety of contexts to try to secure better coordination in these various initiatives, but it has to be admitted that in an ideal world they would not be quite so clustered together.

That said, I would be the first to acknowledge that Basel II requires heavy investment in risk management systems and IT infrastructure, as well as radical changes in the risk management culture at some banks. However, this is a healthy development. I suspect that banks would have in any case needed to make most of the so-called "Basel II-related" investment if they wanted to stay at the top of their game. By agreeing to accept banks' internal risk management systems as the basis for the calculation of regulatory capital requirements, the Basel Committee has provided a powerful incentive for banks to upgrade their risk management systems. But this is only what they otherwise would have needed to do to be able to compete with the best.

There are, however, some quite specific challenges for Asian banks in using the more advanced approaches under Basel II. One of the most important is the availability of data. Historically, many Asian banks have not collected the data needed to develop the type of models needed for IRB purposes. Some are only now starting to do so, and it will be several years before they have sufficiently rich data that it can begin to inform their credit risk management processes. A second, related, factor is that even where the data has been collected, in many countries the default experience is distorted by the 1997-98 financial crisis: the question for banks is to what extent this experience should be factored into their risk management systems. A third issue is the extent to which off-the-shelf models that have been developed primarily for the US market can capture the behavioural characteristics of Asian borrowers.

None of these problems are in principle insurmountable. However, they do suggest that a degree of caution is in order before banks make the leap to IRB. That is why we have been advising those banks that are considering using IRB approaches to "look before you leap." The most important consideration is for banks to make sure that their IRB systems are robust and well-founded, and that they are integrated with their overall systems for identifying, managing and controlling risk, for making credit decisions, and for product pricing. We are willing to allow banks as much time as they need to achieve these objectives. The implementation dates for the IRB approaches should not be taken as a deadline. Banks that feel they need longer to work on their systems will have our full support. Getting it right matters more than a specific date in the calendar.

Looking ahead, both the regulators and the industry will continue to face many challenges over the coming months and years. Putting Basel II in place has been demanding for everyone involved, and will continue to be so. However, I am confident that once the process is complete we will be able to look back with satisfaction on what has been achieved. There is no doubt in my mind that Basel II will produce a step-change in risk management practices around the world, with the result that the global banking system will become both more efficient and more robust. Through all the pain of the transition, we need to keep our eyes firmly on that prize.

Latest Speeches
Last revision date : 27 September 2005