Angsuman Dutta and Prasad Sista
Effective January 2008, Basel II stipulates the minimum capital that financial institutions must hold against their risks. In addition to offering multiple options for calculating risk capital, Basel II introduces operational risk into the risk portfolio, defining it as the “risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.”1
The Basel II framework rests on three pillars.2 Pillar I provides detailed methods for calculating minimum regulatory capital. For credit risk, organizations may estimate their exposures with the standardized approach, the foundation internal ratings-based (IRB) approach or the advanced internal ratings-based (AIRB) approach. To calculate the capital requirements under Pillar I, organizations need to collect credit risk, market risk and operational risk information (e.g., loan information, market information) from multiple, often disparate, sources, including external ones. The trustworthiness of the calculated capital requirements depends largely on the quality of that underlying information. Likewise, the reliability of an internal model (used as an alternative to the standardized approach for calculating regulatory capital) depends on the quality of the information used to validate it.
Pillar II covers the supervisory review process, which gives regulators oversight of an institution's Basel II compliance and the ability to act on it, and requires the institution to demonstrate an adequate governance system, including an effective enterprise risk management (ERM) program. A large share of operational risk stems from information quality issues. Duplicate payments and service level agreement (SLA) violations, for example, can largely be traced to weak information governance and to the information risks inherent in any information-driven environment. To mitigate information risks effectively, financial organizations need appropriate controls that detect and prevent information quality issues in their transactional systems.
Pillar III covers market discipline and aims to promote financial stability through increased transparency and disclosure requirements. It requires financial institutions to publicly disclose details of their risk management activities, risk-rating processes and risk distributions. While the reporting itself may be daunting, reconciling the financial information reported under Basel II with other statutory reports, such as those prepared under International Financial Reporting Standards (IFRS) or Generally Accepted Accounting Principles (GAAP), will be the greater challenge. Without such reconciliation, the accuracy of the reported risks will be open to question.
To reduce information risk exposure through appropriate risk mitigation processes, financial organizations need to put a stronger focus on information quality management. Poor information quality in risk information repositories increases the uncertainties about the information used for risk calculation, possibly resulting in inaccurate risk capital calculation. In addition, poor information quality in transactional systems increases operational losses (e.g., fines incurred due to SLA violations). While this article primarily addresses the Basel II requirements applicable to financial services organizations, the information quality issues and mitigation principles outlined in this article are equally applicable to financial, insurance and nonfinancial corporations. Standard & Poor’s,3, 4, 5 a leading credit-rating agency, recently incorporated ERM, assessed using frameworks similar to Basel II and Solvency II, as a factor in its credit-rating methodology. This is reflective of a growing market need to understand an organization’s risk exposure and its ability to address risk. To achieve favorable ratings, organizations should be able to demonstrate sound practices in dealing with risk, including information risk.
The Basel Committee classifies operational loss data in seven distinct categories. Figure 1 summarizes the result of the internal loss data collected from 119 institutions from 17 countries, representing a total loss of €59.6 billion.6
As shown in figure 1, approximately 30 percent of losses can be attributed to execution, delivery and process management. This category captures the losses due to, for example, failed or duplicate transactions, SLA-violation-related losses with trade suppliers and vendors, incomplete data, accounting errors, and compliance failure errors.
Based on the authors’ work with large financial organizations and review of categories of operational loss events,7 a large percentage of losses of this particular category (execution, delivery and process management) can be attributed to information-risk-related errors.
Based on the authors’ work with large financial organizations and analysis of operational risk data,8 the following four categories of information risk (figure 2) can be identified:
IRB or AIRB approaches require financial organizations to collect transactional details of credit risk exposures from a diverse set of systems and lines of business supporting various credit-related products. Data from the source systems are often extracted and transformed to ensure a consistent format for risk calculation. For example, a large financial institution captures credit exposure information from 26 different systems for calculating credit risk under the IRB approach.9 This organization identifies the following information risk factors that could result in information errors in the credit risk repository, resulting in inaccurate credit risk calculation:
To ensure the accuracy, consistency and reliability of the risk calculation process, the bank uses the following checks and balances:
Figure 3 depicts the high-level architecture of information controls deployed within the Basel II credit risk repository of one large financial institution. This organization is currently assessing information risk exposure in its market risk calculation process.
Data in financial organizations exist in two primary states, at rest and in motion, and both states are susceptible to information quality issues:
While several factors can be attributed to information quality issues, the following are the major causes of information errors experienced in most financial institutions:
Most financial institutions recognize the importance of information quality and have some form of an information quality program in place. However, current approaches are often fragmented, ad hoc and costly, as a result of organizational silos and varying departmental needs. In most cases, the primary focus of the current initiatives is on data at rest (e.g., names and addresses in a customer relationship management system). The scope of these initiatives is often limited to periodic review and cleaning of critical information provisioning systems.
While the importance of clean information in data-at-rest systems is paramount, financial institutions must address the information quality issues when information is in motion (e.g., information exchanged between systems, people and organizations) to comply with Basel II. Current approaches to governing data in motion include:
More specifically, current approaches suffer from the following limitations as they relate to supporting the Basel II information quality requirements:
More important, the effectiveness of these initiatives degrades in the presence of multiple systems, complex information structures and the increasing adoption of real-time distributed technology environments. The problem is exacerbated when a financial institution is required to provide evidence of the quality of the risk information used for regulatory capital calculation. Typically, risk information is collected from multiple transactional systems and stored in a risk repository, which serves as the source for internal model and risk capital calculations. In this scenario, requests for information quality evidence are met by querying a myriad of log files, e-mail chains and risk repository tables. This not only increases the cost; in some instances it may also delay the certification of the risk capital calculation.
Current approaches provide short-term respites, but are not sustainable in the long term. The increased labor costs of manual processes and high development costs of ad hoc information quality detection and correction programs increase the ongoing operational costs.
To support information quality management, financial institutions should establish, at a minimum, the capabilities described in the following sections. To reduce cost and increase efficiency, organizations should aim to automate these capabilities to the extent possible.
Information Controls
Information controls are application-independent, automated routines/procedures that can validate data at rest and data in motion to detect and prevent errors and to identify anomalies. Ideally, information controls should have the following capabilities to validate data at rest and data in motion:
Well-designed information controls can validate information at an aggregate level as well as at a transaction level.
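As an added illustration of the aggregate- and transaction-level validation described above (example code written for this edit, not code from the article or from Infogix), the following Python script runs four automated information controls over a constructed credit risk extract: an aggregate control that balances record counts and exposure totals per source system, a transaction control that compares a SHA-256 fingerprint of each record between source feed and risk repository, a duplicate-load check, and a domain check on probability of default (PD) and loss given default (LGD). The source system names, field names and records are constructed, and the seeded defects (a row loaded twice, a row dropped in extraction and a PD corrupted in transformation) are hypothetical. Every finding is returned as a structured exception record, which is the kind of evidence an institution would otherwise have to assemble from log files when asked to certify the repository.

```python
"""Automated information controls for a Basel II credit risk repository.

Added example (not code from the article or from Infogix). Source system
names, field names and all records below are constructed for illustration.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass

# Constructed: exposures exported by two hypothetical source systems.
SOURCE_FEEDS = {
    "loan_sys_a": [
        {"id": "A-1001", "exposure": 250000.00, "pd": 0.020, "lgd": 0.45},
        {"id": "A-1002", "exposure": 75000.00, "pd": 0.005, "lgd": 0.40},
    ],
    "loan_sys_b": [
        {"id": "B-2001", "exposure": 1200000.00, "pd": 0.010, "lgd": 0.35},
        {"id": "B-2002", "exposure": 50000.00, "pd": 0.100, "lgd": 0.60},
    ],
}

# Constructed: what landed in the risk repository after a faulty ETL run.
REPOSITORY = [
    {"source": "loan_sys_a", "id": "A-1001", "exposure": 250000.00, "pd": 0.020, "lgd": 0.45},
    {"source": "loan_sys_a", "id": "A-1002", "exposure": 75000.00, "pd": 0.005, "lgd": 0.40},
    {"source": "loan_sys_a", "id": "A-1002", "exposure": 75000.00, "pd": 0.005, "lgd": 0.40},  # loaded twice
    {"source": "loan_sys_b", "id": "B-2001", "exposure": 1200000.00, "pd": 1.5, "lgd": 0.35},  # PD corrupted (was 0.010)
    # B-2002 was dropped during extraction
]


@dataclass(frozen=True)
class ControlException:
    """One finding, in a form that exception management can route and audit."""
    control: str    # aggregate | transaction | duplicate | domain
    source: str     # source system the finding relates to
    record_id: str  # business key, or "*" for a source-level finding
    detail: str


def fingerprint(rec):
    """Hash of the risk-relevant fields in canonical form, so the same record
    yields the same digest whichever system serialised it."""
    canon = f"{rec['id']}|{rec['exposure']:.2f}|{rec['pd']:.6f}|{rec['lgd']:.6f}"
    return hashlib.sha256(canon.encode()).hexdigest()


def aggregate_control(feeds, repo, tolerance=0.01):
    """Balance record counts and exposure totals per source system."""
    findings = []
    for source, rows in feeds.items():
        loaded = [r for r in repo if r["source"] == source]
        src_sum = sum(r["exposure"] for r in rows)
        rep_sum = sum(r["exposure"] for r in loaded)
        if len(rows) != len(loaded):
            findings.append(ControlException("aggregate", source, "*",
                f"record count {len(rows)} in source vs {len(loaded)} in repository"))
        if abs(src_sum - rep_sum) > tolerance:
            findings.append(ControlException("aggregate", source, "*",
                f"exposure total {src_sum:.2f} in source vs {rep_sum:.2f} in repository"))
    return findings


def transaction_control(feeds, repo):
    """Match every source record to its repository copy by fingerprint."""
    findings = []
    for source, rows in feeds.items():
        src = {r["id"]: fingerprint(r) for r in rows}
        rep = {}
        for r in repo:
            if r["source"] == source:
                rep.setdefault(r["id"], fingerprint(r))  # duplicates are reported by duplicate_control
        for rid in sorted(src.keys() - rep.keys()):
            findings.append(ControlException("transaction", source, rid, "in source, missing from repository"))
        for rid in sorted(rep.keys() - src.keys()):
            findings.append(ControlException("transaction", source, rid, "in repository, not in source"))
        for rid in sorted(src.keys() & rep.keys()):
            if src[rid] != rep[rid]:
                findings.append(ControlException("transaction", source, rid, "field values differ from source"))
    return findings


def duplicate_control(repo):
    """Flag business keys loaded more than once (a cause of duplicate payments)."""
    counts = Counter((r["source"], r["id"]) for r in repo)
    return [ControlException("duplicate", s, rid, f"loaded {n} times")
            for (s, rid), n in sorted(counts.items()) if n > 1]


def domain_control(repo):
    """Check each field of each distinct record against its permitted domain."""
    findings, seen = [], set()
    for r in repo:
        if (r["source"], r["id"]) in seen:
            continue
        seen.add((r["source"], r["id"]))
        if r["exposure"] <= 0:
            findings.append(ControlException("domain", r["source"], r["id"], f"exposure {r['exposure']} not positive"))
        for fld in ("pd", "lgd"):
            if not 0.0 <= r[fld] <= 1.0:
                findings.append(ControlException("domain", r["source"], r["id"], f"{fld}={r[fld]} outside [0, 1]"))
    return findings


def run_controls(feeds, repo):
    """Run all controls; the returned list is the evidence record."""
    return (aggregate_control(feeds, repo) + transaction_control(feeds, repo)
            + duplicate_control(repo) + domain_control(repo))


def load_from_sources(feeds):
    """What a correct ETL run would have loaded (used to demonstrate a clean pass)."""
    return [dict(r, source=s) for s, rows in feeds.items() for r in rows]


if __name__ == "__main__":
    for e in run_controls(SOURCE_FEEDS, REPOSITORY):
        print(f"[{e.control}] {e.source} {e.record_id}: {e.detail}")
```

On the constructed data the aggregate control alone flags both source systems (counts and totals disagree), but only the transaction and domain controls locate the specific records: the fingerprint comparison isolates the dropped B-2002 and the altered B-2001, and the duplicate check isolates the twice-loaded A-1002. Running the same controls over the output of a correct load returns an empty list, which is the pass condition a certification would rely on.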
Exception Management
Even with the most advanced control system in place, exceptions do occur. Exception management is an automated workflow that can support investigation and resolution of errors detected or prevented by information controls. Ideally, exception management should have the following capabilities to support resolution of errors within a certain time frame (figure 4):
Continuous Monitoring
Continuous monitoring enables organizations to achieve visibility and improve the information quality across processes. Ideally, continuous monitoring should have the following capabilities to meet the integrated visibility needs by combining process, risk, control and performance information (figure 5):
Continuous monitoring should provide visibility into risk indicators, control performance and exception management status in the context of a process view as shown in figure 6.
Establishing a comprehensive and sustainable information quality management program could be daunting in the absence of a structured approach. Financial institutions may consider adopting the following four-phase approach to achieve the information quality necessary to comply with Basel II (figure 7):
Information quality issues in the data used to calculate capital requirements for credit risk undermine the trustworthiness of the estimated capital requirements and, more important, may limit which calculation method an institution is permitted to use. Information risk inherent in critical business processes increases operational risk and results in operational losses. As financial organizations further optimize their risk management processes to support Basel II directives, they need to put a stronger focus on managing information risk.
Inefficiencies in existing information risk management processes stem from information silos across product lines, mergers and acquisitions, and the prevalence of manual steps within most processes. Wherever applicable, organizations should use automated methods for mitigating, monitoring and reporting information risks. Leading financial organizations have initiated projects to achieve efficiencies through automation, standardization and centralization of information risk management activities.
1 Basel Committee on Banking Supervision, Operational Risk, Bank for International Settlements, Switzerland, 2001, www.bis.org/publ/bcbsca07.pdf
2 Basel Committee on Banking Supervision, International Convergence of Capital Measurement and Capital Standards, Bank for International Settlements, Switzerland, 2004, www.bis.org/publ/bcbs107a.pdf
3 Standard & Poor’s, A New Level of Enterprise Risk Management Analysis: Methodology for Assessing Insurers’ Economic Capital Models, USA, 2010
4 Standard & Poor’s, Standard & Poor’s to Apply Enterprise Risk Analysis to Corporate Ratings, USA, 2008
5 Standard & Poor’s, Assessing Enterprise Risk Management Practices of Financial Institutions, USA, 2006
6 Basel Committee on Banking Supervision, Results From the 2008 Loss Data Collection Exercise for Operational Risk, Bank for International Settlements, Switzerland, 2009, www.bis.org/publ/bcbs160a.pdf
7 Global Risk Guard, “Operational Risk,” www.globalriskguard.com/html/operational_risk.html
8 Op cit, Basel Committee on Banking Supervision, 2009
9 This example is taken from the authors’ experience with this client.
Angsuman Dutta is unit leader of the Customer Acquisition Support Team at Infogix. Since 2001, he has assisted numerous industry-leading enterprises in their implementation of automated information controls by providing assessment, advisory, implementation and support services for Infogix clients. Dutta is a recognized thought leader and has published numerous articles.
Prasad Sista is a manager in the Products Group at Infogix. Prior to joining Infogix in 2011, Sista worked for more than a decade in multiple roles as a product manager, a project leader and an operations strategy consultant across industry verticals such as high-tech, consumer electronics, food service and automotive.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2012 ISACA. All rights reserved.