Sunday, January 13, 2013

ISO 31000 supporting Basel II

On the G31000 LinkedIn risk forum, we have decided to open up a new "chat room" that is dedicated to the application of the ISO 31000 enterprise risk management standard in Banking, Insurance, Supply Chain Finance, Markets and Investment.
The link for the new group can be found by clicking on the logo here 

In this blog posting we are going to consider whether ISO 31000 is compatible with Basel II from the outset.

Comparing ISO 31000 to Basel II
For those who don't know, Basel II / III is the international risk standard that all banks globally need to comply with. If ISO 31000 is to be acceptable in the banking domain, it needs to be aligned with this risk standard.
The question then becomes: can Basel II and ISO 31000 coexist?
I have already developed a presentation on this, which can be found here [LINK]. Coexistence is only the first step, of course. The better question is whether one standard improves the operation of the other or, specifically, whether there is a value add in running ISO 31000 in a bank.

Perhaps the question we should be asking is:
Can ISO 31000 be used to support risk initiatives that the Basel banking accord requires a bank to have a grip on?
Answering that question from the operational risk end of Basel II is probably a good place to start. There are several reasons for this, but two come to mind immediately.
[1] Enterprise risk analysts and those using ISO 31000 tend to be more familiar with operational risk practices than with the idiosyncratic risk complexities found in treasury departments or lending units.

[2] The operational risk program in Basel is a tidy and well-defined element of the overall Basel II program. It also has fewer web-like features or interconnected requirements than credit or liquidity risk. Put simply, operational risk is less complicated from a requirements perspective than other aspects of Basel and is consequently easier to align to an external standard such as ISO 31000.

So then, if ISO 31000 can be used to meet the chapter V requirements of operational risk, even if only for the Basic Indicator Approach in Basel II, we have a starting point.

Now if we were to meet the Basic Indicator Approach requirements in Basel II, we need to look at the key principles of this requirement. We also need to see if ISO 31000 helps us meet these key requirements rather than simply coexisting in harmony with them.

The principles for the Basic Indicator Approach of Basel II can be found in a document titled "The sound management of operational risk" [LINK], published by the Bank for International Settlements.

In the diagram below, we have taken the Basel II operational risk requirements for the Basic Indicator Approach and applied them on the left side of the table. How ISO 31000 may support these requirements or principles has been referenced on the right side of the table.

[Figure: Comparing Basel II with ISO 31000 | Causal Capital]

It looks like we have some good news from the outset: we can confidently say ISO 31000 supports the Basel II operational risk Basic Indicator Approach. However, before we become overly excited, we also need to be a little realistic. The Basic Indicator Approach is what it says: basic. So then, does ISO 31000 meet the Advanced Measurement Approach for operational risk in Basel II?

Well, the Advanced Measurement Approach, or AMA, for operational risk requires parametric modelling of potential loss. If we are going to check whether ISO 31000 explains this technique, we need to look at ISO 31010, a booklet of quantification techniques that a risk analyst can use to measure exposure. So far so good, but when we do this reference check, we unfortunately draw a blank.

Additionally, if we think about credit risk or market risk in Basel II, these are really different agendas and operate in different ways. As it stands, more scoping or case studies for ISO 31000 need to be developed so that it can be applied to these other risk areas within a bank.

The three points below would also need addressing to bring ISO 31000 into closer alignment with Basel II.

[1] ISO 31010 needs to deliver a working example of how to generate a probability distribution function of loss, and it should extend that thinking into Value at Risk modelling.

[2] ISO 31010 needs to explain methods for managing loss data, both internal and external.

[3] Away from operational risk, ISO 31000 needs to outline case studies for handling risk areas such as market risk, credit risk and the aggregation of risk factors. Risk aggregation is key in banking, especially at the economic capital end of the game, and ISO 31000 doesn't really address this subject matter at all.

