
GLOBAL ASSOCIATION OF RISK PROFESSIONALS

ENTERPRISE RISK MANAGEMENT

Basel II and Sarbanes-Oxley Fuel ERM Push

Regulatory initiatives such as Basel II and Sarbanes-Oxley have increased the demand for enterprise risk
management. Vidyasagar Pulavarti demonstrates how ERM can both support regulatory compliance
and improve the risk mitigation of new products and services.
Recent corporate failures in the United States have
triggered increased scrutiny by both economic
and financial regulators, resulting in radical
corporate governance legislation in the form of
the Sarbanes-Oxley Act. What's more, scandals
involving the likes of Barings and Long-Term
Capital Management have compelled banks to reassess the
robustness of their internal risk frameworks.
On top of facing internal reassessment pressures, banks
that need to comply with the Basel II capital accord also
now have to allocate capital against operational risk for the
very first time.
Taking note of Basel II's comprehensive operational risk
rules, KPMG, a global accounting firm, recently referred to
the accord as a revolution disguised as a regulation.
As a result of the significant regulatory and quasi-regulatory changes, the role of enterprise risk management
(ERM) has increased. Banks now realize that they must
employ a comprehensive risk management strategy and
develop flexible systems, with an eye on the long term. But
how can an ERM approach optimize risk management performance at a bank that must comply with a host of regulations?
This article will provide concrete examples of ERM,
demonstrating how the process works in decision-support
and new-product environments.

Decision Support Infrastructure

For Basel II and other conventional banking projects, banks often rely on decision-support systems. These systems not only act as a control mechanism for Basel II but also help banks achieve compliance with Sarbanes-Oxley's governance and oversight rules.
Enterprise risk managers must ensure that a bank's decision-support infrastructure not only supports business objectives but also is comprehensive enough to weigh all of the organization's risks. But how, exactly, do all the links in the banking chain work in an ERM-driven decision-support environment?
Well, let's consider a hypothetical example. If, for instance, a corporate banking unit is considering a venture capital investment proposal for a start-up company, it should first consult with the bank's credit risk, accounting, asset liability and corporate secretarial divisions before reaching any final decision.
This process should work as follows: after reviewing the investment proposal, the corporate banking division should submit it to credit risk for vetting and approval. The credit risk division should then be able to use a decision-support system to evaluate the impact of the proposed deal on risk ratios, including exposure ratios (like industry and geographic concentration ratios), Basel II capital requirements and capital adequacy ratios. In addition, the credit risk division must evaluate the compatibility of the proposed deal with the bank's risk-adjusted return on capital (RAROC) expectations.
Simultaneously, the accounting and reporting team has to assess whether there are any undesirable consequences of the proposed transaction. After evaluating the potential consequences, this group must submit its analyses and insights to the approval committee that oversees potential investments. The asset liability committee (ALCO), meanwhile, has to examine the proposal's potential impact on the bank's liquidity ratios and cash flows.
Lastly, the corporate secretarial division should conduct a prima-facie examination to investigate potential conflicts of interest and assure that the parties involved are not engaged in any related transactions.
The role of the enterprise risk manager in this process is to facilitate effective decisions by making certain that all aspects of risk are considered and mitigated.
Although the approval committee would rely on individual business units like corporate banking, credit risk and ALCO to make the ultimate call on such a proposal, it would also presume that the ERM team has guaranteed that all risks are being presented to them.

New Products and Services


The rapid evolution of the banking sector, especially in previously non-industrialized nations, has led to the fast creation of products and services. Driven by a desire to launch
new products and services at a frenetic pace, the money-earning
divisions of banks might be inclined to ignore
potential warning signs for such products and services. In
some instances, the push for growth outweighs any apprehensions these businesspeople may have about the risks
being assumed.
Once again, this is where the enterprise risk manager
must enter into the equation. He or she must play a crucial
role in tempering the cycle of unregulated and competitive
frenzy.
Specifically, to guarantee that all of the risks associated
with the rollout of a new product or new service are
addressed, the manager needs to take the following steps:
(1) ensure that the in-house risk management teams (for
credit, market and operational risks) have reviewed and
provided analysis on the product or service proposed; (2)
acquire legal opinions on the product or service, with specific attention paid to taxation issues and anti-money laundering regulations; (3) confirm that the new product or service is placed into an operational procedures framework
that has built-in risk controls; and (4) obtain support for
the product or service from business units like information
technology and human resources.
Although the business division that is rolling out a new
product or service is primarily responsible for assuring
that sufficient staffing is available and that the bank's IT
systems can handle the launch, the enterprise risk manager must make certain that these factors have been
addressed.

Final Thoughts
If you take a closer look at Sarbanes-Oxley testing
requirements and Basel II requirements on operational
risk (excluding disasters and other low-frequency/high-impact items), there are many similarities. Basel II
requires operational risk to be assessed on the possibility
of failures by people, processes or systems; similarly, the
success of a Sarbanes-Oxley implementation is determined, in part, by the absence of errors in a firm's corporate governance controls.
In fact, there are a significant number of metrics that can
be commonly measured and used for Basel II and Sarbanes-Oxley.
It therefore makes sense for the enterprise risk manager to attempt to integrate systems when designing the
measurement and testing framework for these regulatory
initiatives. Ultimately, this strategy should lead to better
alignment of risk mitigation with a firm's business goals.
Evolution, as history has proved, is rife with obstacles
and opportunities. While some people may only see the
hurdles presented by major regulatory initiatives such as
Basel II and Sarbanes-Oxley, I see opportunities for convergence. Is this outlook realistic or flawed? Only time
will tell.

VIDYASAGAR PULAVARTI, a freelance consultant, is a Chartered Accountant from India. Over the course of his career, he has worked
at three of the world's largest accounting firms: PriceWaterhouseCoopers, KPMG and Deloitte & Touche. He is currently consulting on
projects in Bermuda, UK and India and can be contacted at vidyasagar_p@hotmail.com.

JANUARY/FEBRUARY 05 ISSUE 22
