Speech

McDonough: Risk Management, Supervision, and the New Basel Accord

February 4, 2003
William J. McDonough, President and Chief Executive Officer

Remarks by President William J. McDonough before the Bond Market Association 2003 Legal and Compliance Conference, New York City Thank you, Paul, for your kind introduction. It's a pleasure to be here today, especially since the important work that compliance and legal officers carry out in their own institutions complements very well the responsibility financial supervisors have to promote safety and soundness across the entire financial services sector.

As legal and compliance professionals, the issue you are really addressing is how, and to what extent, your institution is managing risk. To outsiders, this process can appear, superficially, to be formulaic and rules-based. You and I know, however, that corporate governance depends on more than just a company's compliance with rules. We are all learning that effective corporate governance emerges from the business culture that a company nurtures throughout all of its operations. In recent months, we've witnessed what happens when firms fail to develop the commitment to manage risks appropriately. Avoiding the corporate debacles of the recent past requires a clear and consistent message, as well as a transparent pattern of behavior, that must first emerge from the boardroom. It must then filter down to the executive offices, the front offices, and the back offices.

In a similar vein, the work of financial supervision is moving away from a purely retrospective, rules-based approach. This is particularly true in the banking world. Bank supervisors in the United States and many countries around the world are assessing the safety and soundness of banks based less on the strength of the balance sheet today, and more on the strength of controls that will safeguard a bank's financial health tomorrow.

Still, we believe that evaluating the strength of controls is, in itself, not enough. Indeed, the tremendous competitive spirit and ingenuity of the financial services sector drives rapid innovation in the goods and services offered. As those offerings evolve, so, too, must the structures evolve that are intended to control the associated new risks. Against this backdrop of constant evolution and inventiveness, the job of bank supervisors is certainly not to hinder the responsible pursuit of new opportunities and profits. Rather, it is our job to encourage banks to ensure that their controls evolve with their businesses.

The members of the Basel Committee believe that public policy can best support the enhancement of risk management by building incentives directly into our system of supervision, the foundation of which consists of regulatory capital rules. Along that line, the Committee is now engaged in an historic effort to revise the international rules governing the minimum capital levels required of internationally active banks. In doing so, we have endeavored to ensure that the "New Basel Accord" is not merely another set of rules, but rather a framework that recognizes the important innovations in risk management that banks have achieved and encourages continued improvement over time.

In my remarks today, I'd like to share with you some thoughts on how bank supervisors have worked to embrace and encourage those developments. My remarks will cover three related areas. I'll begin with thoughts on how enhancements in banks' risk management processes, driven by business imperatives, have concurrently led supervisors to move to a more process-oriented, risk-focused approach to supervision. Next, I'll spend a few moments discussing how provisions in the New Basel Accord - or "Basel II" - support further changes in our supervisory approach, and promote further enhancements in risk management. Finally, I will describe how these developments will be coming together in our supervisory approach going forward --- particularly in terms of our supervisory expectations for management of market risk, credit risk, and operational risk by large banking organizations. While I will offer my views as a former banker and now as a bank supervisor, I believe that many of the themes offer insight for other sectors of the financial services industry as well.

Complementary effort by Banks and Supervisors to Assess Risk

Let me begin by sharing some thoughts on the efforts banks themselves have undertaken to develop a more forward-looking approach to risk management. Progress has clearly been made in the management of market and operational risks, but the advances made in the area of credit risk are, I think, particularly illustrative. Loan officers and risk managers now have at their disposal an ever-expanding array of software, databases, models, and risk rating systems intended to provide empirical insight into a risk once not readily quantified. Our examiners have noted growing sophistication in banks' internal risk rating processes, portfolio management methodologies, and the use of stress testing. As you know, all of these new tools and processes were developed and refined to promote a bank's competitiveness and to protect it against loss - and not just to respond to a regulatory mandate.

The resulting benefits to the stability of the financial sector can be seen objectively in the much lower number of problem banks, and the lower level of problem loans, in the recession that began early last year, compared to the previous one. For bank supervisors, the industry's own growing emphasis on enhancing risk management practices has allowed us to shift our approach from evaluating financial results to understanding and assessing the quality of internal processes. By looking at the strength of internal controls and the quality of analysis and judgement that management applies, we are better able to understand how well a bank will weather potential future challenges or business downturns.

In this context, one area that has come under increased scrutiny is how firms manage their compliance activities across the organization. Firm-wide compliance management is an important element of good corporate governance and one that can reveal much about a bank's culture and commitment to managing not only legal and reputational risk, but credit, market and operational risks as well.

This shift in emphasis should be evident in the examination findings that the U.S. bankers in the room are receiving. We do not want our examiners to give you back your own numbers, or to limit their evaluation of your institution to where you stand in terms of some rigid regulatory parameters. Such information should hardly be news to you. Nor should it be the principal basis on which we assess your institution.

Rather, our dialogue with you should be focused on our evaluation of the rigor of your control processes, and particularly on our view of your risk management practices and systems relative to evolving industry standards. We have the tremendous advantage of breadth of access to firms engaging in a given business line, allowing us to develop a clear perspective on evolving best practices. At the New York Fed, we have looked to maximize this advantage by setting up specialized teams to review specific business lines across the industry in order to develop that informed perspective. A key goal of our new organizational approach is to enable us to share with you our specific insights on best practices across a range of institutions.

In the past year or so, I think we have made quite good progress in providing this peer perspective on risk management and controls. In such areas as corporate governance, economic capital estimation, and anti-money laundering, I think we have been able to be quite specific on how well a given banking organization measures up to evolving industry standards --- including what needs to be done to move up to the top rung of performance.

I also recognize that there is a tremendous demand for us to provide even more guidance in these dimensions. In the numerous feedback sessions we have had with individual institutions on the quality of our supervisory process, we have heard that message loud and clear. With the maturation of our organizational approach, I fully expect that we will register further improvements in this dimension.

The New Accord's emphasis on risk management processes

This brings me to my second broad theme - how the New Basel Capital Accord supports further adjustments in risk management and supervisory approaches and how it fits with the current focus on corporate governance practices. Since many of you do not hail from banking organizations, I'll take a moment to summarize the objectives the Basel Committee set for itself in re-writing the international rules on bank capital adequacy.

The existing rules, which stem from the relatively simple 1988 Basel Accord, represented an important step in answering the age-old question of how much capital is enough for banks to weather economic downturns. Widespread acceptance in over 100 countries of the first Basel Accord as the international "yardstick" has strengthened the capital base and leveled the playing field for banks that compete internationally.

As you may know, by the late 1990s, it became clear that the original Accord was becoming outdated. Its broad-brush nature - where required capital generally does not differ by degree of risk - has had a tendency to discourage certain types of bank lending. It has also tended to encourage transactions whose sole benefit is regulatory capital relief.

Further, the improvements in risk management tools changed the way that banks monitor and measure risk in a manner that the 1988 Accord could not anticipate or address. Today it is quite clear that the original Accord provides internationally active banks, for which it was intended, with less meaningful measures of the risks they face and of the capital they should hold against them.

To respond to these challenges, the Committee began a few years ago to develop a more flexible and forward-looking capital adequacy framework - one that better reflects the risks facing banks and encourages them to make ongoing improvements in their risk assessment capabilities. The Committee believes that all banks should be subject to a capital adequacy framework comprising minimum capital requirements, supervisory review, and market discipline. These are the three pillars of the New Accord. As you may know, the current Accord only has one pillar - minimum capital requirements.

The Committee seeks to align minimum capital requirements more closely with the best industry risk management practices available. This goal is accomplished by giving banks a range of increasingly sophisticated options for calculating capital charges. Banks will be expected to employ the capital adequacy method most appropriate to the sophistication and complexity of their operations and risk profiles.

For credit risk, the range of options begins with the standardized approach and extends to the internal ratings-based ("IRB") approach. The standardized approach is similar to the current Accord. Banks will be expected to allocate capital to their assets based on the risk weights assigned to various exposures. It improves on the original Accord by weighting those exposures based on each borrower's external credit risk rating.

Without question, the IRB approach is a major innovation of the New Accord. For the first time, banks will be permitted to rely on their own assessments of a borrower's credit risk. The close alignment between the inputs to the regulatory capital calculations and banks' internal risk assessments will facilitate a more risk-sensitive approach to minimum capital. Changes in a borrower's credit quality will be directly reflected in the amount of capital held by banks.

How will the New Basel Accord promote better corporate governance and strengthened risk management practices? Here, I will limit myself to emphasizing two key points.

First, the Basel Committee has expressly designed the New Accord to provide tangible economic incentives for banks to adopt increasingly sophisticated risk management practices. Banks with better measures of their economic risks will be able to allocate capital more efficiently and more closely in line with their actual sensitivity to the underlying risks. By doing so, the Basel II framework encourages developments in the management of a wide range of risks on a firm-wide basis and developing a more comprehensive approach to managing those risks together.

Second, to achieve those capital benefits, the more advanced approaches to credit and operational risk require banks to meet strong process control requirements. Again, the increasing focus on a bank's control environment gives greater weight to the management disciplines of measuring, monitoring and controlling risk.

As an example, by relying on banks' own internal credit assessments, the IRB approach builds on the risk management practices that most internationally active banks are already in the process of adopting for their internal purposes.

To qualify for the IRB approaches, banks will need to adhere to various specific parameters and standards that may not be fully in place as yet. Our pilot reviews of U.S. bank readiness do indicate that there are a number of areas that both banks and supervisors will need to work on to be ready for full IRB implementation. These include addressing concerns about independence of the rating process, and accumulating necessary internal default and loss data to be able to produce more reliable quantitative estimates. Enhancements in these areas will be important, not just to ensure readiness for IRB, but for further improvement in credit risk management more generally. I expect that there will be further public supervisory guidance on these and other key elements of the IRB approach this year.

Operational risk is another area where the Basel Committee is developing a new regulatory capital approach that seeks to provide incentives for banks to improve their management of risk --- one that is designed to build on banks' rapidly developing internal assessment techniques, and to accommodate industry innovation over time. Now that the industry is developing a more refined sense of operational risk - the risk of losses caused by failures in processes - the New Accord will "unbundle" this risk and allow banks to differentiate between, and manage separately, their exposures to credit, market, and operational risks.

As with market and credit risk, supervisors will use a number of qualitative and quantitative criteria to ensure the integrity of the approaches that banks develop internally --- but with the criteria structured to be flexible enough to allow for a wide range of qualifying approaches. By allowing banks to test and experiment with a variety of operational risk methodologies and measures, we think that the New Basel Accord's approach to operational risk will be a true catalyst for innovation.

Timing for the New Accord

As you may know, the revision of the international regulatory capital framework has represented a monumental commitment on the part of both banks and supervisors worldwide and has been, so far, nearly four years in the making. Let me now turn to some of the thinking that has already begun surrounding implementation of the New Accord.

To ensure that our new rules have gotten it right, the Basel Committee has just completed collecting data for its third Quantitative Impact Study - or "QIS 3" - in conjunction with supervisors around the world. The industry demonstrated tremendous support for this survey, and 265 banks from nearly 50 countries performed concrete and comprehensive assessments of how the Committee's proposals will affect them. At this early stage, the results suggest that the incentives built into the New Accord are functioning as we had hoped. We are completing a detailed study of the results and will ascertain the need for any adjustments prior to the release of an updated proposal for public comment during the spring. The Committee intends to finalize the New Capital Accord in the fourth quarter of 2003 such that it can be implemented in each member country at year-end 2006. During this three-year period, banks and supervisors are expected to adapt and develop the systems and processes necessary to conform to the standards of the New Accord.

In that regard, the supervisory agencies represented on the Basel Committee are making good progress in their preparation for the new framework. To ensure that the New Accord is implemented in a consistent manner across various jurisdictions, such that market competition is driven by each bank's strengths, rather than by differences in each country's rules, the Basel Committee established the Accord Implementation Group. This group is responsible for promoting the consistency and quality of implementation of the New Accord and facilitating the exchange of information among national supervisors about bank and supervisory practices. Through the AIG, senior line supervisors - that is, the people who actually assess banks' risk profiles - are seeking ways for examiners to validate and supervise internal risk assessment processes in a more consistent fashion across jurisdictions.

Implications of Basel II on the supervisory approach

We've also continued to think about how we should adjust our method of supervision to incorporate the tenets of the new framework, which brings me to the third and final area that I would like to address today. Naturally, allowing banks to rely on internal models in determining their capital requirements has led, and will continue to lead, to changes in our supervisory process. Fortunately, we have the benefit of some experience already at our side.

In 1996, under the "market risk amendment" to the original Basel Accord, qualifying banks with large market risk positions were first permitted to incorporate internal estimates of the associated risk in their regulatory capital requirements. When determining whether a bank may rely on its market risk model for capital purposes, our examiners have had to evaluate the technical underpinnings of the model, as well as the risk management and control processes surrounding its implementation and use. They review such issues as whether the model is based on reasonable assumptions, whether the firm is making appropriate use of backtesting, and how the model performs under normal and stressed market conditions. In addition, they are spending significant time on key controls related to the overall use of models, including the model validation process and the new product approval process.

Likewise, as banks rely increasingly on their own assessments of credit and operational risk when determining their capital needs, our examiners will have to become well versed in the changing technical aspects of those models. Some of the conventional, static metrics that we now use - such as those to judge asset quality and to assess the adequacy of credit loss reserves - are likely to be supplanted by more quantitative and more sophisticated measures.

As is the case with credit risk, supervisors are in the process of developing a more integrated framework for assessing the adequacy of banks' operational risk management and measurement approaches. Our approach focuses heavily on how banks are managing operational risk from a corporate-wide perspective. As with any aspect of corporate governance, a key element of our analysis is developing a feeling for the "tone at the top" - that is, the board of directors' and senior management's commitment to effectively manage its operational risk. Bank examiners will be assessing whether that commitment translates into an effective operational risk management and control structure --- including the quality of management reporting and how well operational risk is integrated into a bank's overall risk management approach.

Our analysis includes banks' assessments of their economic capital requirements for operational risk, and how this capital is allocated to business lines to reinforce efforts to improve internal controls. With respect to those specific business lines, we are increasingly looking to drill down to test key controls. The aim is to ensure that the internal processes in place are in fact working and are effective in mitigating relevant risks.

Closing Thoughts

Clearly, we are making significant progress in the area of risk management - and our supervision of it. However, supervision, and risk management, and indeed our notions of what constitutes good corporate governance cannot be static in this environment. Recent history has proved that some of our greatest challenges and risks lie in not what we know, but in what we have failed to acknowledge or to anticipate.

While enhanced risk management can and will lead to better corporate governance through a more accurate measurement and therefore management of those risks, it must be nimble enough to evolve to address the challenges that are ahead, wherever they may lie.

Thank you very much.