Sargant's major views on Basel II

PeopleSoft''s director for financial management solutions, Murray Sargant says banks are missing the point of Basel II.

You have strong views on Basel II I hear?

Sargant: Some people are getting a bit sick and tired of talking about Basel II, which is quite refreshing really. There's huge hype around the Basel II area and you really have to separate the hype from reality.

Could you talk more about this hyped-reality?

If you did a study three years ago there was really very little knowledge of what Basel II was. Obviously, you had the whole study going on from the late eighties and most if not all banks participated in the study. They were engaged, but due to risk requirements being so subjective, spent many years arguing and disagreeing with the findings and recommendations.

They met every year to change the rules and argue about many points that in many cases boarded on the pedantic. It's taken 10 years for Basel II to come into fruition and now in the past three years, the technology sector has joined the band wagon and decided to pick up on this important area.

There are well over 100 Basel II-type risk consulting firms in the marketplace today. Unfortunately, this has only further confused the marketplace rather than help us understand what the important issues are, particularly around driving an enterprise risk infrastructure rather than simply modelling interest volatility, which was the original Basel 1 premise.

When you speak with consulting like PWC, IBM, Accenture they all have Basel II consulting practices and are engaged in studies worth millions of dollars, working with customers to understand Basel II. At the end of these studies in most cases, you get a couple of large telephone directories of ideas and concepts and yet no real roadmap for driving a pragmatic solution that the banks can drive. That's were PeopleSoft can help.

We take a different perspective and look at it a different way. We feel, based largely on observation, that banks these days have continued to build silo-based technology fixes to very complex enterprise business problems. This is unfortunately the way they've always built solutions and can explain many of the issues currently facing banks today with regard to fragmented data and lack of financial transparency.

This fragmented implementation process is also clearly effecting the Basel II implementations that we see in the market today. The original concept came about because we said the Basel I concept was too simplistic, too broad and not specific enough for the investor and analyst community.

So banks and regulators went away and made it much more prescriptive and by default, incredibly complex. Banks and regulators banks have then taken that prescriptive concept and instead of looking at things from an enterprise perspective they went to the current risk owners within the bank - the people who knew how to do the complex traditional modelling approaches used in Basel I and gave them the task of looking at Basel II ; even though it required a fundamentally different approach.

These Credit Risk Officers (CRO's) have now captured this and have effectively gone straight back down the same problematic path followed in Basel I; where the risk data was not captured with enough links to the leading business processes of the organisation and the markets in which they operate. It's in effect a silo-modellingarchitecture and they're not making any major jumps forward. Remembering that Basel I to Basel II is a big jump this is disappointing and we would hope that organisations could change their traditional approaches and move beyond probability modelling to proactive policing and prevention.

Take National Australia Bank (NAB), the largest retail bank in Australia. It is widely thought of as a very good risk manager, and has been building traditional risk models for many years. It is a marquee example for Basel II, yet in the past few months they lost A$180 million through rogue trading within their FX business.

What was the probability measure and also what capital provisioning position did they put in place to stop this occurring? How does that help an investor gain confidence when a bank's discipline and management processes fail to prevent four forex rogue traders making such an impact on the business?

The way I see it we have created the world's best police force in Basel II but unfortunately all the doors in the city are not locked across the organization and that is were the main issue of risk to the business needs to manage.

Is that defined as operational risk management, and isn't that part of Basel II?

It is part of Basel II. You've got market risk, you've got interest rate risk and you've got operational risk. Basel II tends to primarily be a discussion about market and credit risk. Operational risk however was one of the primary new idea's that Basel II brought in, and made banks look at how their operations manage risk internal to the bank. The simple fact as demonstrated by NAB is that operational risk comes down to human behaviour and we have to ask what are banks doing to manage this issue better?

We have many examples of banks throwing up their hands saying, "We don't know how to capture and model operational risk. We don't put the proper controls around procurement, we don't run to budget asaccurately as we should and, we certainly don't workflow and understand what key risk processes are running in our operation and which people are accountable for them running to the risk rules that we have in agreement."

That's one of the reasons why everybody has come back and said operational risk is too difficult, it's hard to define, it's something we're having a hard time to come to terms with, we'll just do interest rate modelling and credit risk and worry about operational risk later.

Interest rate risk had nothing to do with NAB losing A$180 million, but clearly operational risk that may have limited this incident. That's why I'm saying banks are trying to look at a new area with an old mindset.

To me, operational risk and understanding how you execute these key business processes are vital. Banks that have worked this out, and there are a few that are making some really interesting decisions about why operational risk should be as high a priority, if not higher, than the better understood credit and market risk areas.

They want to put a total risk and performance infrastructure in place that will concentrate on not only on the probability area but also on prevention by addressing the areas of proactive operational risk management - that's the solution that companies like PeopleSoft can provide.

The new product we have is called the Internal Controls Enforcer. It is a piece of technology that grew out of the lessons learnt at Enron and Worldcom surronding sound corporate transparency and governance.

Effectively, it's a management portal that works across your whole organization. It looks at the streamlining of a process, it looks at how things are measured and captured, and more importantly, gives you an understanding if something is not working properly.

For example, if the forex business process is not setting and maintaining trading limits, if there is not a sign-off on the appropriate level of agreement for a loan process to go through, or if someone from the retail bank (seller) can sell as well as price the loan, there could be a risk of fraud taking place. That's what the Internal Controls Enforcer would stop.

So this new piece of technology that you're talking about would that have caught the NAB rogue trading?

Yes, it would have. The Internal Controls Enforcer is designed and built to comply with Sarbanes-Oxley but also links personal accountability to business process. That's what was required at the NAB. The Internal Controls Enforcer is essentially a window for compliance.

It really says, "Guys, you just have to get your understanding of your business to a much deeper level of detail than your executives have gotten close to before." The siloed approach of having one guy who knows credit risk is not good enough. You're CFO, your CEO, and your head of retail banking all need to be engaged. In that issue and you all have to be responsible for what's going on.

The Internal Controls Enforcer looks at documentation. It really looks at providing a real-time alert system, so if key measures are not met, if sign-offs are not complete, or if executives have not had a full auditable statement before they make decisions, the alarms go off. People get alerted proactively through the application.

The next thing we're seeing is that we can pinpoint hot spots within the organisation and that's really providing an insight for those executives to go and concentrate on. You may not want to know that this is going on but if loan transactions are going through and the sign-off process isn't occurring and you're not capturing the right level of credit data, then that's a risk.

It's like having a camera on top of every home. It's not as good as locking all the doors, but that is too prescriptive. The key is that you have got to have a balance and I think this is ideally how the Internal Controls Enforcer will work to manage operational risks.

Would this system create so many false alarms that it would almost become like a cry wolf situation where you go and investigate a hundred situations and grow complacent because they've all been false alarms, and then the one that you don't investigate comes and hits you?

Someone once said, "You can never mitigate all risk." There are always fraud opportunities, particularly when you have people involved in the process. We are never going to cancel out all risk issues in an organization, as that's impossible to think about.

However, wouldn't it better to provide a single transparent window through which the banks key business processes can be linked to individual managers that would be accountable and that key decisions can be seen to be managed and evidence captured that they have been managed correctly before the business executive concerned, CFO, CEO and most importantly share holders are negatively impacted.

The simple fact is that we don't know what we don't know. Just as we would not ask a bank "Do you have a general ledger?"

Of course, every one has a general ledger.We just assume that banks have a general ledger system.

The more pertinent question is what are you doing to really look at the whole management discipline and accountability question. That is what transparency is all about that's where I'm seeing many organizations investing in a total risk and performance management architecture like PeopleSoft's leading Enterprise Performance Management solution

Which banks do you think do get it on the operational risk management side and are implementing the necessary changes?

I think there are a number of banks in Asia that do get it and have made good progress in this area. Standard Chartered, Westpac, DBS all have current operational risk programs moving forward.

In most cases however, they still are looking at the issue from a tactical perspective of mapping and managing incidents rather than the prevention that comes from linking business process with human accountability.

That's really what PeopleSoft's Internal Controls Enforcer is designed to deliver. It's more than just the ability to assign a capital charge - it's got to be viewed as a way banks can more effectively run their business and more importantly proactively maintain investor confidence and demonstrate what true corporate transparency really means.