Out-Law News

The impact of Basel II on IT in financial services

Managing risk is about to become a more complicated business for financial institutions and their IT departments because of Basel II, the international accord which is going to map out how the banking industry will regulate itself for the next generation.

Its recommendations include the awkward question of operational risk, which, in the on-line age, is changing from a one-dimensional procedure to a highly complex analytical process.

This shift in thinking will require multi-level risk assessments and sophisticated analysis of security, operational and management factors. The accord is going to change how institutions capture operational metrics data in the first place.

Some heavyweight institutions are going to be looking to their IT directors to play a big role in making it all happen.

This is the latest stage of an ongoing process. The original 1988 Basel Committee accord (Basel I) ruled that banks have to hold enough capital to cover potential losses from transactions (technically, a bank's total capital should never fall to a level of less than 8% of risk-weighted assets) and set out rules for calculating the risk-weighted figure.

In a world of interconnected financial systems, it's been recognised that a single risk measure for all banks is no longer appropriate.

The current Basel Committee proposals (Basel II) set out a new system that will be more risk-sensitive and flexible – and more onerous.

Banks will now be expected to examine IT, security, fraud, employment practices and workplace safety, business services, physical damage, business disruption, system failure, service execution-delivery-process management, and legal and reputational factors.

The clock is already ticking loudly. The final accord is due for completion at the end of next year and takes effect from 2007. The bottom line requirement is that data capture which enables operational risk factors to be identified and analysed needs to be fully operational from 2004. By the time Basel takes effect, three years' data will be required.

Not only does the IT department have the responsibility for providing the right data capture applications, it will have to help its masters decide how to collect that data.

It's relatively easy to identify quantitative data for areas such as transactions, but how is a bank to measure reputation or predict risk from employee performance? Measurements will also need to encompass the risks from outsourcing and the mitigating effect of having relevant insurance in place.

Boundaries between types of risk aren't yet clear. Different departments will need to fully understand how risks flow through the organisation – what the dependencies and correlations are.

A successful hack on a bank's IT system might bring the bank to a halt for a certain amount of time – risk one – but it might also have a "reputational" impact – risk two – and if the reputational impact coupled with the business disruption affects the share price, there is a third risk. How do you separate these out and measure them?

Navel gazing could actually be beneficial, since there will be a need for organisations to look both internally and externally at the risks that they face. But are institutions truly effective at assessing external and internal factors impacting on their operations to gain an understanding of risk?

An extension of this issue is that Basel II encourages an integrated risk management approach – risk information will need to be reported both as an aggregate measure and across different business lines. In many organisations, there is currently insufficient understanding of how to bring together different risk approaches.

At present, most risk measurement still takes place in stovepipes. It's no use measuring performance if you haven't agreed parameters which give a true picture of your performance and communicated them to your fellow managers.

Just as the banking community has had the foresight to develop its recommendations, so the IT departments are realising that they will have to speak in many different management languages to draw up their plans for Basel II.

They will need to show strong leadership in the next twelve months. They will also need support and encouragement from their respective boards to do so.

This article was contributed to OUT-LAW.COM by Debi Ashenden, managing consultant of QinetiQ Trusted Information Management, a business security specialist. QinetiQ is exhibiting at Infosecurity Europe at the Grand Hall at Olympia from 29th April - 1st May 2003. For more information, see: www.infosec.co.uk
