Information Risk Management for Supporting a Basel II Initiative 

 

Effective January 2008, Basel II stipulates the minimum capital requirements that financial institutions must possess in order to manage their risks. In addition to providing multiple risk capital calculation options, Basel II introduces operational risk as part of the risk portfolio. Operational risk is defined as the “risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.”1

The Basel II framework uses three pillars.2 Pillar I provides detailed methods for calculating minimum regulatory capital. Organizations may choose to estimate credit risk exposures with the standardized approach, the foundation internal rating-based (IRB) approach or the advanced internal rating-based (AIRB) approach. To calculate the capital requirements per the Pillar I directives, organizations need to collect various types of credit risk, market risk and operational risk information (e.g., loan information, market information) from multiple, often disparate, sources, including external sources. The trustworthiness of the calculated capital requirements will depend largely on the quality of the underlying information. In addition, the reliability of the internal models (as an alternative to the standardized approach to calculating regulatory capital requirements) depends on the quality of the information used for validating the model.

Pillar II refers to supervisory review standards that provide regulators with oversight, discipline and action over Basel II, and involves the demonstration of an adequate governance system, including the implementation of an effective enterprise risk management (ERM) system. A large percentage of the operational risk stems from information quality issues. For example, duplicate payment or service level agreement (SLA) violations can be attributed largely to poor information governance issues and stem from inherent information risks present within an information-driven environment. To effectively mitigate information risks, financial organizations need to use appropriate controls to detect and prevent information quality issues in their transactional systems.

Pillar III refers to market disclosure, and aims at promoting financial stability through increased transparency and disclosure requirements. This final pillar requires financial institutions to publicly provide details of their risk management activities, risk-rating processes and risk distributions. While reporting itself may be a daunting task, the reconciliation of financial information between Basel II and other statutory reports, such as International Financial Reporting Standards (IFRS)/Generally Accepted Accounting Principles (GAAP), will be a challenge. However, without such reconciliation, there will be questions around the accuracy of the reported risks.

To reduce information risk exposure through appropriate risk mitigation processes, financial organizations need to put a stronger focus on information quality management. Poor information quality in risk information repositories increases the uncertainties about the information used for risk calculation, possibly resulting in inaccurate risk capital calculation. In addition, poor information quality in transactional systems increases operational losses (e.g., fines incurred due to SLA violations). While this article primarily addresses the Basel II requirements applicable to financial services organizations, the information quality issues and mitigation principles outlined in this article are equally applicable to financial, insurance and nonfinancial corporations. Standard and Poor’s,3, 4, 5 a leading credit-rating agency, recently incorporated ERM, using frameworks similar to Basel II and Solvency II, as a factor in its credit-rating methodology. This is reflective of a growing market need to understand an organization’s risk exposure and its ability to address risk. To achieve favorable ratings, organizations should be able to demonstrate sound practices in dealing with risk, including information risk.

Information Risks Implications for Operational Risk Management

The Basel Committee classifies operational loss data in seven distinct categories. Figure 1 summarizes the result of the internal loss data collected from 119 institutions from 17 countries, representing a total loss of €59.6 billion.6

Figure 1

As shown in figure 1, approximately 30 percent of losses can be attributed to execution, delivery and process management. This category captures the losses due to, for example, failed or duplicate transactions, SLA-violation-related losses with trade suppliers and vendors, incomplete data, accounting errors, and compliance failure errors.

Based on the authors’ work with large financial organizations and review of categories of operational loss events,7 a large percentage of losses of this particular category (execution, delivery and process management) can be attributed to information-risk-related errors.

Based on the authors’ work with large financial organizations and analysis of operational risk data,8 the following four categories of information risk (figure 2) can be identified:

  1. Transaction processing risk—With the considerable number of transaction processes occurring within financial institutions, there are complex information flows related to orders, settlements, automated teller machines (ATMs), deposits and money movement. If these transaction messages are lost or delayed, financial institutions will need to cope with a loss of revenue and an increase in customer complaints.
  2. External information exchange risk—Financial institutions exchange information with third parties (e.g., credit card settlements, interbanking settlements, loan servicing). Errors in information exchanged with third parties result in subsequent incomplete transactions, dropped transactions and SLA violations. Unlike transaction processing risks, information risks associated with external information exchanges are extrinsic to the organization’s technology environment and cannot be completely mitigated through its internal systems. Organizations need to reduce this risk through detective reasonability controls.
  3. Financial reporting risk—The financial reporting system must have complete and accurate information and must reconcile with the information present in other reporting systems such as credit risk repositories. In addition, incomplete or incorrect posting of accounts payable and accounts receivable information to the general ledger may result in erroneous financial reports, resulting in rework and loss of market credibility.
  4. Fraud risk—Financial institutions incur additional costs due to internal fraudulent activities such as unauthorized trading, credit card fraud and improper cash movement.

Figure 2

Information Risk Implications for Credit Risk Calculation

IRB or AIRB approaches require financial organizations to collect transactional details of credit risk exposures from a diverse set of systems and lines of business supporting various credit-related products. Data from the source systems are often extracted and transformed to ensure a consistent format for risk calculation. For example, a large financial institution captures credit exposure information from 26 different systems for calculating credit risk under the IRB approach.9 This organization identifies the following information risk factors that could result in information errors in the credit risk repository, resulting in inaccurate credit risk calculation:

  • Data quality issues with the source system
  • Changes in the source systems
  • Extract, transfer and load process failures

To ensure the accuracy, consistency and reliability of the risk calculation process, the bank uses the following checks and balances:

  • Verify the completeness, format and domain of values of the source systems prior to loading the source extracts to the line of business data warehouse.
  • Verify the integrity of the data transformation process by comparing the source information with the data warehouse information.
  • Reconcile the data warehouse information with the general ledger to ensure consistency between the risk calculation and the financial statements.

Figure 3 depicts the high-level architecture of information controls deployed within the Basel II credit risk repository of one large financial institution. This organization is currently assessing information risk exposure in its market risk calculation process.

Figure 3

Root Causes of Information Quality Issues in Financial Institutions

Data in financial organizations have primarily two states, and both states are susceptible to information quality issues:

  1. Data at rest—Certain systems, such as customer relationship management systems and loan management systems, serve as the source of input information for other systems. Data in these systems are referred to as “data at rest.”
  2. Data in motion—Data are often exchanged between or processed by two or more systems. The data in this state are often referred to as “data in motion.”

While information quality issues can be attributed to several factors, the following are the major causes of information errors experienced in most financial institutions:

  • Information quality issues with the source system—Source system information may be incomplete or inconsistent. For example, a customer record in the source system may have a missing identification code. Similarly, source system information related to a policy may use an abbreviation of the policy names in their information base. These types of information issues can be attributed primarily to manual information input, lack of information standards and poor quality of third-party information used by the source system. Information errors in the source system propagate in the downstream systems, resulting in higher detection and clean-up costs. Incompleteness and inaccuracies in certain source system information will lead to quality issues in the target systems used for regulatory capital calculations.
  • External information provider—Financial institutions routinely exchange critical information with third-party vendors and partners. Without appropriate completeness and accuracy checks, the probabilities of information quality issues are high.
  • Multiple systems—To support Basel II, financial institutions need to pull information from multiple source systems located on a diverse set of technology platforms. Information extraction, transformation and normalization increase the inherent information risk present in the environment.
  • Process failures—Information transfer processes may fail due to system errors or transformation errors, resulting in incomplete information loading. System errors may include process failures due to the unavailability of the source system/extract or the incorrect format of the source information. Transformation errors may result from incorrect formats.
  • Changes/updates in the reference information—Outdated, incomplete or incorrect reference information will lead to errors in the risk repository information.

Current Approaches and Challenges

Most financial institutions recognize the importance of information quality and have some form of an information quality program in place. However, current approaches are often fragmented, ad hoc and costly, as a result of organizational silos and varying departmental needs. In most cases, the primary focus of the current initiatives is on data at rest (e.g., names and addresses in a customer relationship management system). The scope of these initiatives is often limited to periodic review and cleaning of critical information provisioning systems.

While the importance of clean information in data-at-rest systems is paramount, financial institutions must address the information quality issues when information is in motion (e.g., information exchanged between systems, people and organizations) to comply with Basel II. Current approaches to governing data in motion include:

  • After-the-fact manual or semiautomated balancing, tracking and reconciliation to verify appropriateness, completeness and accuracy
  • Extensive research and remediation to identify, diagnose and correct issues identified during the previous steps

More specifically, current approaches suffer from the following limitations as they relate to supporting the Basel II information quality requirements:

  • Detective vs. preventive—Existing information quality initiatives rely on detection rather than prevention of information issues. The detective approach may result in costly calculation reruns and delays in internal model approval, and often requires extensive manual intervention.
  • Narrow scope and focus—Current information quality initiatives do not fully address the quality issues when information is in motion, resulting in increased operational risk and erroneous information for use in regulatory capital requirement calculations.
  • Lack of monitoring and visibility—Current approaches do not focus on measuring and monitoring information quality on an ongoing basis, thus resulting in a delayed response to information quality issues. In addition, these initiatives do not provide comprehensive visibility across processes, resulting in an increased cost of resolving information errors.

More important, the effectiveness of these initiatives degrades in the presence of multiple systems, complex information structures and the increasing adoption of real-time distributed technology environments. The problem is exacerbated when a financial institution is required to provide evidence of information quality in the risk information used for regulatory capital calculation. Typically, risk information is collected from multiple transactional systems and stored in a risk repository, which serves as the source for internal model and risk capital calculations. In this scenario, requests for information quality evidence are met by querying a myriad of log files, e-mail chains and risk repository tables. This not only increases the cost; in some instances it may also delay the certification of the risk capital calculation.

Current approaches provide short-term respites, but are not sustainable in the long term. The increased labor costs of manual processes and high development costs of ad hoc information quality detection and correction programs increase the ongoing operational costs.

Required Capabilities for Ensuring Information Quality for Basel II

To support information quality management, financial institutions must consider required minimum capabilities as described in the following sections. To reduce cost and increase efficiency, organizations should aim at automating these capabilities to the extent possible.

Information Controls
Information controls are application-independent, automated routines/procedures that can validate data at rest and data in motion to detect and prevent errors and to identify anomalies. Ideally, information controls should have the following capabilities to validate data at rest and data in motion:

  • Verification—Ability to verify the information content and format and the spatial and temporal reasonability of transactions
  • Balancing—Ability to balance information as it traverses through various systems
  • Reconciliation—Ability to reconcile information at an aggregated and transactional level
  • Tracking—Ability to track information flows to ensure adherence to SLAs and timeliness requirements

Well-designed information controls can validate information at an aggregate level as well as at a transaction level.
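The bank’s three checks described earlier (verify source extracts, compare source with warehouse, reconcile with the general ledger) and the verification, balancing and reconciliation capabilities listed above, as an added Python example that is not from the article or from Infogix: the extract, warehouse rows, general ledger balances, value domains and exception queues are all constructed for illustration, and findings are routed the way an exception management workflow would route them.

```python
"""Added example (not from the article): verification, balancing and GL reconciliation controls."""
from collections import namedtuple
from decimal import Decimal, InvalidOperation
import re

Finding = namedtuple("Finding", "subject control detail")  # one exception to be routed
# Constructed pipe-delimited source extract: EX-0003..EX-0005 carry deliberate defects.
SOURCE_EXTRACT = """\
exposure_id|customer_id|product|exposure_eur|rating
EX-0001|C-1001|MORTGAGE|250000.00|A
EX-0002|C-1002|MORTGAGE|180000.00|BB
EX-0003||CARD|4500.00|B
EX-0004|C-1004|LOAN|abc|A
EX-0005|C-1005|CARD|7200.00|ZZ
EX-0006|C-1006|LOAN|90000.00|BBB
"""
# Constructed warehouse content after the load: EX-0006 was dropped by a failed load step.
WAREHOUSE_ROWS = [("EX-0001", "MORTGAGE", Decimal("250000.00")),
                  ("EX-0002", "MORTGAGE", Decimal("180000.00"))]
# Constructed general ledger balances per product.
GL_BALANCES = {"MORTGAGE": Decimal("430000.00"), "LOAN": Decimal("90000.00"), "CARD": Decimal("0.00")}
VALID_PRODUCTS = {"MORTGAGE", "LOAN", "CARD"}
VALID_RATINGS = {"AAA", "AA", "A", "BBB", "BB", "B", "CCC"}
ID_RE = re.compile(r"^EX-\d{4}$")

def verify_extract(text):
    """Verification control: completeness, format and domain-of-values checks on every record."""
    accepted, findings = [], []
    header, *records = text.strip().splitlines()
    for line in records:
        row = dict(zip(header.split("|"), line.split("|")))
        try:
            amount = Decimal(row["exposure_eur"])
        except InvalidOperation:  # raised for "" and non-numeric text such as "abc"
            amount = None
        problems = [msg for ok, msg in (
            (ID_RE.match(row["exposure_id"]), "exposure_id format"),
            (row["customer_id"], "customer_id missing"),
            (row["product"] in VALID_PRODUCTS, "product outside domain"),
            (row["rating"] in VALID_RATINGS, "rating outside domain"),
            (amount is not None, "exposure_eur not numeric")) if not ok]
        if problems:
            findings.append(Finding(row["exposure_id"], "verification", "; ".join(problems)))
        else:
            accepted.append((row["exposure_id"], row["product"], amount))
    return accepted, findings

def balance(accepted, warehouse):
    """Balancing control: transaction-level (every accepted id loaded) and aggregate (count, total)."""
    findings = [Finding(i, "balancing", "accepted at source but not loaded")
                for i in sorted({r[0] for r in accepted} - {r[0] for r in warehouse})]
    src_total, wh_total = sum(r[2] for r in accepted), sum(r[2] for r in warehouse)
    if len(accepted) != len(warehouse) or src_total != wh_total:
        findings.append(Finding("feed", "balancing", f"count {len(accepted)} vs {len(warehouse)}, total {src_total} vs {wh_total}"))
    return findings

def reconcile(warehouse, ledger):
    """Reconciliation control: warehouse exposure aggregated per product must equal the GL balance."""
    totals = {}
    for _, product, amount in warehouse:
        totals[product] = totals.get(product, Decimal(0)) + amount
    return [Finding(p, "reconciliation", f"warehouse {totals.get(p, 0)} vs GL {ledger.get(p, 0)}")
            for p in sorted(set(totals) | set(ledger)) if totals.get(p, 0) != ledger.get(p, 0)]

ROUTING = {"verification": "source-system-owner", "balancing": "etl-operations",  # constructed
           "reconciliation": "finance-reconciliation"}  # exception queues per control type
def run_controls(text=SOURCE_EXTRACT, warehouse=WAREHOUSE_ROWS, ledger=GL_BALANCES):
    accepted, findings = verify_extract(text)  # run controls in order, then route each finding
    findings += balance(accepted, warehouse) + reconcile(warehouse, ledger)
    return [(ROUTING[f.control], f) for f in findings]
```

On the constructed data the verification control rejects three records at the source, balancing catches the record the load silently dropped, and reconciliation flags the LOAN product that the warehouse no longer carries but the ledger does.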

Exception Management
Even with the most advanced control system in place, exceptions do occur. Exception management is an automated workflow that can support investigation and resolution of errors detected or prevented by information controls. Ideally, exception management should have the following capabilities to support resolution of errors within a certain time frame (figure 4):

  • Routing—Ability to route the error to the appropriate resource for research and resolution
  • Research—Ability to research secondary sources and audit the trail of the information flow
  • Resolution—Ability to correct the issue
  • Reporting—Ability to provide an audit-trail report on exception resolution and status reports on exceptions and their resolution status

Figure 4

Continuous Monitoring
Continuous monitoring enables organizations to achieve visibility and improve the information quality across processes. Ideally, continuous monitoring should have the following capabilities to meet the integrated visibility needs by combining process, risk, control and performance information (figure 5):

  • Process monitoring—Ability to measure and trend process information, such as information volume and information quality indicators
  • Control monitoring—Ability to monitor the effectiveness of the information controls deployed to prevent information quality issues
  • Exception management—Ability to monitor exception resolution progress
  • Reporting—Ability to create standardized and ad hoc reports to support audit and business needs

Figure 5

Continuous monitoring should provide visibility into risk indicators, control performance and exception management status in the context of a process view as shown in figure 6.

Figure 6

Establishing an Information Quality Management Framework

Establishing a comprehensive and sustainable information quality management program could be daunting in the absence of a structured approach. Financial institutions may consider adopting the following four-phase approach to achieve the information quality necessary to comply with Basel II (figure 7):

  1. Analyze—In this phase, critical information flows relevant to Basel II need to be identified. All information provisioning systems, including external source systems along with their information lineage, need to be identified and documented. Special attention must be given to establish a common understanding of the key information elements between the source system and the target system. In this phase, source and target system owners should jointly establish information quality criteria and information quality measurement metrics for the key information elements.
  2. Assess—In this phase, financial institutions must assess information quality risk for both data at rest and data in motion. Once the risks are evaluated and prioritized, financial institutions must determine an appropriate response based on a cost-benefit analysis.
  3. Control—Appropriate information controls and exception management processes must be defined and deployed to address the risks identified in the assessment phase. Financial institutions should consider using automated controls to avoid sampling errors and to gain efficiency.
  4. Monitor—Once appropriate controls are in place, business owners should monitor the information quality indicators established in the analysis phase and identify opportunities for improvements by analyzing the microtrends in the information quality indicators. Automated continuous monitoring solutions provide the most cost-effective approach for monitoring.

Figure 7

Conclusion

Information quality issues in the information used for credit risk capital requirements will impact the trustworthiness of the estimated capital requirements. More important, they may limit the method that can be used for risk calculation. Information risk inherent in critical business processes increases operational risk, resulting in operational losses. As financial organizations further optimize their risk management processes for supporting Basel II directives, they need to put a stronger focus on managing information risk.

Inefficiencies in existing information risk management processes stem from information silos across product lines, mergers and acquisitions, and the prevalence of manual steps within most processes. Wherever applicable, organizations should use automated methods for mitigating, monitoring and reporting information risks. Leading financial organizations have initiated projects to achieve efficiencies through automation, standardization and centralization of information risk management activities.

Endnotes

1 Basel Committee on Banking Supervision, Operational Risk, Bank for International Settlements, Switzerland, 2001, www.bis.org/publ/bcbsca07.pdf
2 Basel Committee on Banking Supervision, International Convergence of Capital Measurement and Capital Standards, Bank for International Settlements, Switzerland, 2004, www.bis.org/publ/bcbs107a.pdf
3 Standard and Poor’s, A New Level of Enterprise Risk Management Analysis: Methodology for Assessing Insurers’ Economic Capital Models, USA, 2010
4 Standard and Poor’s, Standard & Poor’s to Apply Enterprise Risk Analysis to Corporate Ratings, USA, 2008
5 Standard and Poor’s, Assessing Enterprise Risk Management Practices of Financial Institutions, USA, 2006
6 Basel Committee on Banking Supervision, Results From the 2008 Loss Data Collection Exercise for Operational Risk, Bank for International Settlements, Switzerland, 2009, www.bis.org/publ/bcbs160a.pdf
7 Global Risk Guard, “Operational Risk,” www.globalriskguard.com/html/operational_risk.html
8 Op. cit., Basel Committee on Banking Supervision, 2009
9 This example is taken from the authors’ experience with this client.

Angsuman Dutta is unit leader of the Customer Acquisition Support Team at Infogix. Since 2001, he has assisted numerous industry-leading enterprises in their implementation of automated information controls by providing assessment, advisory, implementation and support services for Infogix clients. Dutta is a recognized thought leader and has published numerous articles.

Prasad Sista is a manager in the Products Group at Infogix. Prior to joining Infogix in 2011, Sista worked for more than a decade in multiple roles as a product manager, a project leader and an operations strategy consultant across various industry verticals such as high-tech, consumer electronics, food service and automotive.



The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.


© 2012 ISACA. All rights reserved.
