This tip is part of our Basel II risk management and implementation guide.
Determining the impact of regulations on information security practices is often a tricky business. For example, when the Sarbanes-Oxley Act was introduced, it was difficult to predict that a regulation whose goal was to hold executives accountable for the accuracy of public company financial records would require such tight IT controls on all financial IT systems.
A similar situation exists in the financial community in determining the effect of the Basel II accords on information security.
Basel II, also known as the International Convergence of Capital Measurement and Capital Standards, is a set of requirements, defined by The Basel Committee on Banking Supervision, for large internationally active banks to ensure they maintain enough capital on hand to offset their risks. The purpose of these rigorous controls is to make banks more resilient to failures in the banking industry.
The U.S. Federal Reserve recently announced that it will require large U.S. banks to follow a set of risk management rules based on Basel II, because of its more sophisticated risk management approach. The current banking regulations (based on the Basel I accords of 1988) combine credit and operational risk, and require the use of elementary models to account for this risk. The Basel II accords require separate treatment of credit and operational risk. Section 644 of Basel II defines operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. Basel II acknowledges that with the increased reliance on information systems and complex financial instruments, operational risk has become a significant factor in the success and failure of financial institutions.
More complex risk model
The original Basel accords stated financial institutions could maintain a fixed percentage of what they loaned to parties as capital for a certain amount of failures and mitigate both credit and operational risk. However, with more complex financial instruments and more exposure to operational risk, the Basel committee determined that more sophisticated methods for measuring and managing risk were necessary. In short, the advanced models recommended by Basel II separate credit and operational risk measurements.
The financial benefit of good risk management
It is the introduction of the separate treatment of operational risk that makes information security such an important part of Basel II compliance. Institutions need to establish a risk measurement, management, and reporting system that demonstrates to regulators the effectiveness of their risk management approach. Banks that adopt the more sophisticated approaches to risk modeling can benefit financially by reducing the amount of capital that needs to be set aside to mitigate risk. This can be a real business benefit.
Focus on risk management systems
The potential financial benefit comes from the risk management system itself. In this new model, the very systems used in managing risk become critical IT resources. An attack on them, or even a failure due to human error, could undermine an institution's ability to prove the effectiveness of its approach. Consequently, financial organizations need to have adequate policies and mechanisms to ensure that these systems and the processes surrounding them are well under control. As with all critical systems, the required quality and control will depend on the standard security components. In other words, identity management, access control, system and application administration, change control, monitoring, and business continuity will feature prominently in risk management systems.
Protect critical IT systems
All of a bank's critical IT resources need to be analyzed for their contribution to operational risk. Consider the effect that exposure of confidential information about particular investments might have on those investments' value. If that type of exposure poses a financial risk to a bank, it needs to be accounted for in the risk management system. Mitigating that risk through effective security controls can help a bank's bottom line both by lowering the probability of loss and by decreasing the institution's capital requirements and insurance bills (where insurance is an acceptable method of accounting for operational risk).
Implementation of the Basel II accord requires assessments of technical risk, establishment of controls, testing, and regular audits. In the past, operational risk groups have largely been locked away in financial institutions doing important but largely invisible jobs. Basel II not only exposes the workings of these groups to the light of day, but also shines the spotlight on all the activities and systems used to calculate risk.
About the author:
Richard E. "Dick" Mackey is a frequent speaker and contributor to magazines and online publications. He has advised leading financial firms on compliance with PCI, GLBA, and SOX. He has also provided guidance to a wide range of companies on enterprise security architecture, identity and access management, and security policy and governance.
This was first published in February 2008