After five years of discussion and revision, Basel II, an international accord that will improve operational-risk standards for all financial institutions, is about ready for the last rounds of comment, which Ferguson expects will happen this spring and summer, with implementation beginning in late 2006.
The core driver behind Basel II has been that banks have consolidated internationally and therefore placed fewer large institutions in control of more money while still operating in heterogeneous environments. That could spell trouble in the future, Ferguson says. "Significant weakness in one of these entities, let alone failure, has the potential for severely adverse macroeconomic consequences. It seems clear that the regulatory framework should encourage these banks to adopt the best possible risk-measurement and -management techniques while allowing for the considerable differences in their business strategies," Ferguson says. "Basel II presents an opportunity for supervisors to encourage these banks to push their management frontier forward."
Earlier this week, the Basel Committee on Banking Supervision, an international group of bankers and regulators working on Basel II, a revised framework for risk management in the world's banks, published best-practice guidelines advising banks and supervisors about how to deal with unforeseen events such as fraud, system failures, and fires and floods that could increase operational risk.
While the issues as presented by the Fed might seem more geared toward credit risk that would be addressed by risk-management or compliance offices, everyone--especially the CIO--needs to be involved in this endeavor, says Catherine Allen, CEO of BITS, a technology and strategy group whose members are the 100 largest financial institutions in the United States. "In operational risk, there are consistent themes: technology, business continuity, cybersecurity, operations, and processing and transaction risk," Allen says. "But those are things that traditional econometric models don't address, and people in other departments don't understand the technology."
That puts the burden on the technology department to bring the institution to a minimal-risk environment. Says Allen, "CIOs need to think and act strategically on operational risk."