What's Hot

Nassim Nicholas Taleb's blog, an inspiring read | Incerto

Thursday, May 17, 2012

ISO 31000 for banks

ISO 31000 is a risk management standard that provides generic guidelines for the design and operation of an enterprise risk management framework. Released in 2009 by the ISO standards board, the standard itself has been crafted in such a manner that it makes ISO applicable for any organisation type. Theoretically banks to manufacturing firms can benefit from implementing ISO 31000.

What we are exploring in brief today is: Should the banking sector entertain ISO 31000 when it already has an established global risk standard of its own?

The presentation for this posting can be found by following this [link]

Basel vs ISO 31000
Today banks are mandated to meet a risk standard (among many) that is set down by the Bank for International Settlements known as Basel III. This is nothing new and the Basel risk standard(s) have been knocking around for quite a few years now. Basel was originally introduced in 1988 as a minimum capital requirement for all deposit taking institutions and came into existence in part as regulatory response from the Herstatt banking crisis in Germany several years before. To be concise, the Basel Concordat was actually conceived as the outcome to the Herstatt banking crisis and a decade or so later Basel I emerged.

The Basel banking accord is very much part of this "cause-effect-affect" approach to regulation and each banking crisis seems to result in a new target risk agenda from the Bank for International Settlements. The latest Global Financial Crisis has driven out the key requirements of the recently released Basel III program and banks today seem to be channeling their efforts into that end even though they may not have entirely fulfilled their predecessor obligations from Basel II.
Figure 1: Historical Timeline for the Basel Accord

None the less, banks are put on the risk path as defined for them in Basel whether they like it or not and, the Basel risk program has become business as usual for the finance sector. New global initiatives on risk such as ISO 31000 would on the surface appear to be fruitless exercises for banks and, ISO 31000 has certainly found itself more popular with start-up risk practices away from banking.

So then, why would a bank entertain ISO 31000 when it already has its own risk agendas? What novel aspects from the world of risk management will ISO 31000 introduce to a bank and importantly, where is the value-add for a bank entering into the ISO domain?

Benefits of ISO 31000 for banking
Many of the banking risk disasters over the last five years have been an outcome of a poorly aggregated enterprise risk function rather than weak risk control per say. Believe it or not, the risk management practice in a leading financial institution is in much of the part quite sound yet, hundreds of banks failed during the financial crisis, UBS suffered a 2 billion loss from rogue trading mentality and recently it came to light that JP Morgan has thrown the same kind of money at a poorly structured and inevitably risky investment.
JP Morgan is one of the best managed banks, you could have a bank that isn't as strong, isn't as profitable, making those same bets and we might have to step in. 
President Obama | 15th of May 2012
Much of the problem around risk management in a bank isn't the risk measurement end of the game but oversight at a senior level. In both the UBS case as well as JP Morgan, it appears at a superficial level that top level management would have been in a much better place if transparency for comprehending the business objective and the risk within it was clearly spelled out.

I am not saying ISO 31000 is the be all and end all of risk management but the publication does clearly stipulate that business objectives should be stated and the potential risk within them brought into a relatively "known" position at a steering committee level.
Implementing ISO 31000 in a bank
If banks were able to "dashboard" their exposures across their various lines of business, it would follow that these institutions may, just may at the very least, "be in the know" for the scale of potential losses they face. Basel II and Basel III are both trying to achieve the same end as ISO 31000 but it appears in much of the part that the international risk standards for banks don't seem to be working so well.

Why is that?

In my opinion, it is partly because the Basel accord focuses heavily on many areas of risk management but it does this with a silo based mentality. Oversight and board level engagement is encouraged in the Basel accord but it seems to have become an annex to the main program. Basel is built from the bottom up rather than from the top down, while ISO 31000 functions from the objective out and consequently starts at the top of the management chain.

A sound implementation of ISO 31000 in a bank should then address this oversight problem if it is to derive any new value-add for the risk function of a bank. If ISO 31000 does nothing else but address this oversight problem directly, it will be a valuable addition to the risk management arsenal found in the financial institution.

The presentation for this posting can be found by following this [link] and will be delivered along with other material at the ISO 31000 forum in Paris. The conference will be running on the 21st & 2nd of May.


  1. Nice summary Martin, Thank you.
    As you stated the key to success is to be able to integrate top-down approach of ISO 31000 with Basel for banks. Since the Boards have ultimate responsibility on managing risks, they should be able to understand whether they are swimming in a sea of 3m or already have skin dived in 20 m depth

  2. On J.P. Morgan - Such is the nature of banking and the complexity of the risks involved that it would be impossible to find someone sitting at very senior levels of management who would understand all that was happening on the trading floor—irrespective of how many reports they receive.

    Continue reading here http://goo.gl/IqWMx

  3. Good concise summary for some one who does not update on banking

  4. Nice blog here! Also your web site loads up very fast!
    What host are you the use of? Can I get your affiliate hyperlink in your host?
    I desire my website loaded up as fast as
    yours lol
    my webpage - Click Here