Basel II - Implications for Risk Management

September 17, 2003
William L. Rutledge, Executive Vice President in charge of the Bank Supervision Group

Remarks by William L. Rutledge before the Capital Allocation USA 2003 Conference

1. Introduction

Let me begin by thanking the organizers for inviting me to speak, and more broadly, for arranging this conference on the implementation of Basel II. My participation here — as well as that of my colleagues — reflects what has clearly been a longstanding policy of the Basel Committee to engage the industry in open dialogue on Basel II. Such discussions will I think continue to play an important role as we work towards implementation domestically — they allow us to lay out our objectives and approaches, they enable us to understand more clearly legitimate industry concerns, and they help us to make adjustments to best meet our objectives given those concerns.

In similar fashion, at the NY Fed, we have long recognized the value of having a dialogue with the industry on the major changes we have made to our supervisory approaches — changes that have moved us from reliance on essentially fixed examination routines for all institutions to customized reviews directed at the integrity of banks’ business processes. We’ve been able to improve our processes by asking you whether we are focusing on where the risks really are at your organizations; whether we are leveraging effectively off of the risk management and control systems that well-managed firms have in place; and whether our new approaches are adding value towards improving your risk management and controls over time. Questions that have obvious parallels to those before us in the Basel context.

That should not be surprising. As I see it, the conceptual basis and expectations for Basel II are quite consistent with the way in which our supervisory processes and expectations are evolving here in the U.S. They each have been heavily built on the recognized advances in risk management within the industry, and they each look to encourage and to incentivize further advances. How the prospective new regulatory capital regime of Basel II and our evolving supervisory processes are intertwined will be a major theme of my remarks this morning. This reflects a perspective flowing from the two hats that I wear — one as the head of supervision at the New York Fed and a second as a member of the Basel Committee.

This morning I will be focusing first on some of the broad issues involved in Basel implementation in the U.S. — issues that are laid out in several of the documents that the U.S. agencies formally issued for public comment a month or two ago.

That release included an advance notice of proposed rule making (also known as the ANPR) and draft supervisory guidance. I’ll focus my remarks today on that draft guidance — one set for the IRB treatment of corporate exposures, and another set on the AMA for operational risk. This should help set the stage for some more detailed discussion to follow in several of the segments later in this conference.

Then, I will get into how the evolving Basel expectations will fit into our ongoing supervisory process, highlighting some of the challenges that the industry and the supervisors will need to address. Throughout my remarks, my focus will be on what I believe our perspective should be as supervisors, rather than on the detail of what will be included as specific regulatory requirements for Basel II.

2. Objective of Supervisory Guidance

Backing up a step, I view the principal goal of regulating and supervising banking organizations as to promote and to enforce sound practices while allowing, and encouraging, banks to innovate and compete. In other words, to create an environment that promotes healthy, disciplined risk-taking by banks.

The terms “regulation” and “supervision” are often used interchangeably. However, I think it is important to view them as providing distinct, though highly complementary, functions. Regulations establish the rules that banks must satisfy — for example, the level of minimum risk-based capital to be maintained. Supervision is the process by which we strive to ensure that individual banks understand the risks they face and have appropriate processes in place to manage and control them. Together they are meant to ensure that banks operate in a safe and sound manner and comply with all applicable legal requirements.

The complementary roles of regulation and supervision are well illustrated by the issuance of a package that includes both an ANPR and documents providing supervisory guidance — the first, to provide a framework of rules, and the second to flesh them out with detailed explanations of what our expectations are for meeting them. Implicit in this approach is a clear recognition that the subject is far too complex to address fully with a set of hard and fast rules. You do need a well-defined regulatory framework — you do need enough structure to enable bankers and supervisors to operate with a similar perspective. But it is critical to imbed within that structure sufficient flexibility to allow responsible judgment to be exercised. We do not want to constrain the development of the next generation of risk management systems with an overly rigid set of requirements that “hardwires” current reality into the future.

To provide more context on how we are looking to create a common framework without establishing a set of overly prescriptive rules, let me illustrate with some comments on the structure and use of the minimum standards for the Basel II advanced approaches.

Since their introduction in CP2, the structure of the minimum IRB standards has changed — they are now considerably more “principles-based.” The objective of the revised standards is to promote an appropriate degree of consistency in banks’ own estimates, while also recognizing differences in banks’ risk profiles, risk management approaches, and day-to-day operations. Based on the CP3 proposals, U.S. supervisors believe that an appropriate balance has been struck such that the standards in their current form will help to strengthen the integrity of banks’ risk inputs while providing flexibility where appropriate.

A key point to make is that satisfying the standards should not be viewed as a compliance exercise — that is, satisfying the standards should not mean simply ticking off items in a regulatory checklist. Rather, we envision a process that begins with banks conducting self-assessments of the state of their risk management systems relative to the standards embodied in the new framework, determining where weaknesses may lie, and putting into place appropriate modifications to address those shortcomings. The supervisor’s role is to review critically how each of these steps is carried out.

To enable banks to determine their state of readiness for implementing the New Accord, it became clear that we needed to outline our expectations for meeting the Basel II standards. This was the impetus for the draft supervisory guidance. Many observers have tended to focus on the potential capital benefit stemming from adoption of the advanced approaches. In my mind, as a supervisor, that leap to the bottom line could well provide insufficient focus on the integrity and rigor of the processes that produce that statistical result. That is, how well the risk management principles underlying Basel II correspond to the banks’ own risk management practices.

I would like to emphasize that the supervisory guidance is in draft form. Feedback from the industry will be critical to shaping its final form and informing the examination procedures that are being developed separately. In this regard, we are seeking comment on specific elements of the guidance, as well as on the broader question of whether an appropriate balance has been struck between flexibility and specificity. Naturally, the U.S. supervisory agencies are interested in all views on the draft supervisory guidance, including any instances where current sound risk management practices might not fit neatly into -- or be considered appropriate under -- the proposed supervisory guidance. As you may know, written comments are invited through November3rd.

Let me get into a little more detail on what the supervisory guidance says — first, about expectations for credit risk management, and then, second, those for operational risk management.

3. Draft Guidance on IRB Systems for Corporate Credit

When you look at our draft supervisory guidance for credit risk, I think it is important to note that it is heavily influenced by our review and synthesis of the better practices observed at well-managed firms. Our aim has been to leverage-off of knowledge gained from the joint agency reviews of banks’ internal credit rating systems, so as not to set rules in an arbitrary way. Those reviews allowed us to learn more about the range of practices in internal ratings across institutions that seemed likely potential candidates for the IRB approach.

The minimum standards outlined in the Basel Committee’s third consultative paper served as a starting point for developing the supervisory guidance. As I have suggested, the guidance should not be viewed as a “how to” manual. It is not intended to dictate the exact path that institutions must follow to meet supervisory expectations for use of the IRB approach. Rather, the guidance lays out an acceptable framework for a qualifying IRB system, which ought to vary, bank by bank. The guidance describes four interdependent areas:

  • the design and structure of rating systems;
  • the quantification of IRB systems;
  • the maintenance of credit data; and, finally
  • the bank’s control and oversight mechanisms.

Let me comment on each:

Rating System Design

It almost goes without saying that the design of a risk rating system is key to the integrity of the bank’s internal assessments, and, in turn, its measurement of risk-based capital. The draft guidance in this area is built on the strongest risk management practices observed in the industry. We have found that many organizations already have, or are in the process of developing, a rating system that captures both the risk of borrower default, and transaction-specific factors that affect the extent of loss in the event of default.

An important challenge for banks going forward will be to define clearly and objectively the criteria for each rating category. We view clearly defined and commonly understood criteria as critical to providing more meaningful assessments of individual credit exposures and, ultimately, the bank’s overall risk profile.

Banks also will be expected to have a robust validation system. By validation, I am referring to the application of various tools to assess the performance of a bank’s IRB system. Validation should be viewed as a multi-faceted and continuous process rather than a single and discrete litmus test.

Statistical tests of ratings outcomes (like back testing of PD estimates against actual default experience) have an important role to play in the validation process. However, they should not be relied on exclusively. Banks will be expected to supplement their use of statistical tests with other assessment tools. We are not looking to move to a world where judgment’s best features are replaced by statistical models. Rather, we are looking for banks to incorporate sophisticated statistical analysis in a structure that builds in at every stage a reliance on informed and experienced business judgment. Reliance on a range of tools is particularly critical in situations where there are insufficient data to achieve statistical comfort in a backtest, such as for higher quality credits that have experienced very few defaults.


The second area, quantification, refers to banks’ processes of estimating numerical values for the key inputs to the IRB risk weight function. These inputs include the probability of borrower default, the loss severity rate should the borrower default, and the likely credit line usage at the time of default. Here also, the guidance does not dictate how banks must estimate each parameter. Rather emphasis is placed on developing well-documented processes, regularly revisiting the values produced, and incorporating independent review and appropriate conservatism in those processes. This latter point speaks to providing additional comfort in situations where banks may have less confidence in their estimates. It is not meant to introduce a conservative bias to those estimates that are finely-tuned.

Availability of Data

A risk measurement system is only as good as the inputs that go into it. Therefore, we see it as critical that banks obtain and maintain appropriate loss data — the third area I want to discuss

The Basel II standards allow banks the flexibility to rely on data derived from their own experience, or from external sources, as long as the bank can demonstrate the relevance of the external data to its own exposures. The standards also outline the data history banks will need to use the IRB approach — a data history covering the life of a facility from cradle to grave.

At this stage, we recognize that banks looking to use the IRB approach are in the process of developing or obtaining the needed data. We encourage banks that plan to adopt IRB to consider their data needs very seriously and to further develop the techniques needed to derive appropriate default and loss estimates.

Control and Oversight

Finally, to promote greater comfort in the integrity and reliability of the ratings process, a sound corporate governance framework must be in place. There are three major structural elements that are necessary in any good rating system control structure.

  • The first is independence in the process of assigning ratings — the people assigning ratings (and even approving extensions of credit) should be independent of the deal makers and relationship managers.
  • A second check is having a subsequent review of ratings by an independent review group. This group is charged with reviewing ratings after the fact — that is, after origination — for accuracy, timeliness and consistency. Moreover, both the ratings system and individual ratings should be subject to review by the internal audit department.
  • The third critical element is transparency in the ratings process. Here, what we would expect is that the ratings criteria are objective, and that the bank has in place policies and procedures that clearly document the rationale for each ratings category. The more transparent the process, the easier it is for a third party to audit the ratings through some form of replication of the analysis.

    These three elements — independence of the ratings process, internal review of those ratings, and transparency — all contribute toward stronger controls over the ratings process. And it goes without saying that the involvement of senior management and the board of directors is critical to good oversight and control of the bank’s overall rating process.

4. Draft Guidance on Operational Risk AMA

Let us now turn to operational risk. Neither the concept of operational risk nor the notion of capital to backstop it is new. Supervisors have had increasingly exacting expectations for bank management of operational risk for some time, and, at the same time, banks have clearly been holding economic capital against operational risk. In this area, the Committee has definitely sought to build on banks’ rapidly developing internal assessment techniques, but also, to an extent even greater than with credit risk, to provide incentives for banks to improve those techniques — and more broadly — their management of operational risk over time.

We have been very encouraged by the feedback we have been receiving on developments in this sphere. For those interested in getting a perspective on the nature of developments, I would direct you to look at a set of bank presentations available on the New York Fed’s website. Those presentations, I think, show quite convincingly that numerous internationally active banks are making real progress in operational risk quantification in advance of Basel II. Indeed, many have acknowledged that the Basel process already has encouraged them to explore new methods for measuring and managing this risk.

The AMA draft guidance establishes a very close link between risk management and measurement. Here too the message is clear that it is not enough for banks to look exclusively to quantitative outputs in managing their risk exposure. First and foremost, determinations of capital for operational risk must be embedded in sound risk management and control environments.

A strong corporate governance and management structure for operational risk also starts with the bank’s board of directors and senior management. Those individuals must oversee and be accountable for the bank’s overall operational risk framework. At major organizations, there should also be an independent firm-wide risk management function responsible for the development and application of policies and procedures governing all facets of operational risk.

Where sound risk management and control environments have been achieved, the Basel II proposals provide banks with considerable flexibility to estimate the key drivers of operational risk. In this respect, the AMA guidance outlines the expectations for obtaining loss data and validating the results, but does not prescribe a particular measurement approach.

To reiterate a major theme of my remarks this morning, our goal is not only to establish rigorous supervisory standards, but also to allow for enough bank-level flexibility to encourage innovation over time. We are interested in your feedback on whether the AMA guidance achieves this, including answers to such key questions as: Does it allow for differences in the way you manage risk? And does it outline our supervisory expectations sufficiently clearly?

5. Impact of Basel II on U.S. Supervisory Process

After having given you an overview of the draft guidance, let me provide some perspectives on the impact of Basel II on how we conduct supervision here in the U.S. In some ways, I see the development of Basel II as presenting the supervisory community with an opportunity to step back and reflect on our approaches to monitoring banks. Yet at the same time I see it as one more step — albeit an important additional step — in the natural evolution of the U.S. supervisory framework.

As I indicated at the outset, I view the New Accord’s emphasis on risk management as strongly supporting our current focus, particularly for the largest and most complex banking organizations.

For example, over the past few years, we have paid increasing attention to evaluating banks’ internal capital management processes to judge whether the bank meaningfully ties the identification, monitoring and evaluation of risk to the determination of its capital needs. The Federal Reserve’s emphasis in this area is shown both in the policy guidance that it issued in 1999 on bank assessments of internal capital, and in the targeted examinations we have conducted of banks’ economic capital methodologies over the past four years.

But focusing on Basel issues should lead to further shifts in our supervisory approach over time. As banks generate more and better metrics to assess risk, it is only reasonable that supervisors also develop more sophisticated tools and approaches for evaluating the soundness of their operations. In many cases, the approaches that I personally think we should consider represent a significant departure from how we have traditionally gone about supervising banks. Let me take a moment to offer a few examples in the credit risk arena.

Some of the conventional, static metrics that we now use — such as those to judge asset quality and to assess the adequacy of credit loss reserves — could well be supplanted by more quantitative and more sophisticated measures. I am quite confident that the measure of weighted classified assets long used by bank supervisors is not the best barometer of the extent of probable loss in a bank's portfolio, or the best yardstick for judging the appropriate level of reserving. In a world where the focus is on rigorous internal rating systems, and where data on historical loss and recovery experience are increasingly available, it is hard to believe that the old approaches will still be the best ones for assessing credit risk, at least at the larger banking organizations.

More broadly, the effective assessment of credit risk at larger banks today — and even more at banks that will adopt the advanced Basel II approaches — is moving us increasingly away from the historical approach, where we focused primarily on the evaluation of individual loan claims to identify those loans that are already troubled. Instead, through targeted transaction testing and other techniques, we are increasingly focusing on assessing the quality of a bank’s overall credit risk management process. Part of this is to turn our attention to banks’ abilities to consistently apply their own criteria in rating all exposures across the spectrum of their internal rating grades — not just their classified or problem assets.

But in addition to ensuring the integrity of banks' internal rating assignments, supervisors will also need to understand how these ratings feed into the models and tools used to manage credit risk, and what the implications of the use of such tools will be.

To illustrate the latter point, the use by larger banking organizations of single-borrower exposure limits that are tied to estimated capital-at-risk, may well make a lot of sense, given that more of a bank’s capital may properly be exposed to a stronger borrower than to a weaker one. However, a borrower’s apparent creditworthiness can change quickly, leaving creditor banks with facilities that are fully drawn, and with far more capital-at-risk than was ever intended. This underscores the need for reliable up-to-date borrower ratings, for an appropriately calibrated economic capital model, and for a well-designed process to address low frequency, high-impact events when they occur. Areas that the supervisors will have to review as well.

Our supervisory process also must find ways to be more effective in evaluating credit risk at a portfolio level. That the extent of a portfolio’s diversification — or putting it the other way around, the extent of concentrations within the portfolio — should be factored into the assessment of credit risk is intuitively very obvious. But the ability of banks and supervisors to quantify the implications of such diversification or concentration is currently very limited. Work is taking place to see what could be usefully added to our supervisory approaches in this area.

Our work in Basel — and banks’ risk management practices that make Basel II possible — has been an important catalyst for shaping the supervisory process to ensure its relevance today and its flexibility to remain relevant going forward. Of course, continuing to make our supervisory approaches more sophisticated is only possible if we have a trained cadre of examiners and other supervisors that is able to understand and critically assess the complex business and risk management practices of major banking organizations.

6. Training and Development Needs

Our ability to do this at the NY Fed is helped by the shift we have made in our supervisory approach to increasingly emphasize specialization — such as by creating specialized teams focusing on particular risk areas. In a lot of ways this structure facilitates training and developing people. For example, through their day-to-day assignments staff will get the exposure they need to maintain state-of-the-art knowledge in their respective disciplines, whether we are talking about credit risk, market risk, or operational risk. As we move, through implementation of Basel II, to having regulatory capital requirements be driven off of internal estimates of these risks, there will be an increased need for expert supervisors able to critically evaluate complex systems. Accordingly, there will be a need to accelerate the process of specialized skill development and to recruit or develop a cadre of true quantitative experts.

We recognize that supervisory staff responsible for the overall oversight of large banking organizations will not require the same level of expertise in technical areas as will the quantitative experts. For the former, training will likely focus on developing a solid understanding of the key concepts, methodologies and risks associated with the advanced approaches of Basel II. Our quantitative risk analysis experts, on the other hand, will be called upon to understand the technical underpinnings of the new methodologies. Our training efforts for these staff will involve the refinement of skills in areas such as statistics, modeling techniques, models evaluation, simulation and stress testing.

More broadly we must ensure that the specialized knowledge of staff remains up-to-date as is required for a dynamic industry with constantly changing risk management practices. To meet this goal, the U.S. supervisory agencies are collaborating on a training and development strategy geared to keeping the skill set of our examination force up to speed.

7. Closing Remarks

Clearly there are great challenges for both the supervisors and the banks in getting ready for Basel II —- much as there have been substantial challenges for all of us flowing from the adoption of our current risk focused approach to supervision. In both instances we have decided not to do things the easy way. We are not looking for supervision to be based on a nice simple but rigid set of examination routines, and we are not looking for capital policy to reflect a simplistic numerical ratio calculation.

Rather, we are looking to establish a framework where risk management, supervision, capital policy, and disclosure work in an integrated fashion — drawing on one another and creating incentives for improvements in each over time. In this way we can do a tremendous amount to help ensure safe and sound operations and the competitive strength of our banking organizations, both in the immediate term and over the longer run. Thank you very much.


By continuing to use our site, you agree to our Terms of Use and Privacy Statement. You can learn more about how we use cookies by reviewing our Privacy Statement.   Close