CMYK CMYK

The Indian Journey to Basel II:

Wo r k i n g P a p e r
Implementing Risk Management in Banks

Dr. SS Satchidananda
Sanjeev Shukla

CBIT Centre of Banking and And Oracle India Pvt. Ltd.,

Information Technology DLF Corporate Park Block I
Indian Institute of Information Technology DLF City Phase III
26/C, Electronic City, Bangalore Gurgaon 122002

CMYK CMYK
CMYK CMYK

CBIT Centre of Banking and And Oracle India Pvt. Ltd.,

Information Technology DLF Corporate Park Block I
Indian Institute of Information Technology DLF City Phase III
26/C, Electronic City, Bangalore Gurgaon 122002

CMYK CMYK
CMYK CMYK

The Indian Journey to Basel II

Implementing Risk Management in Banks

“Banking in modern economies is all about risk management. The successful negotiation and
implementation of Basel II Accord is likely to lead to an even sharper focus on the risk
measurement and risk management at the institutional level. Thankfully, the Basel Committee
has, through its various publications, provided useful guidelines on managing the various facets
of risk. The institution of sound risk management practices would be an important pillar for
staying ahead of competition. Banks can, on their part, formulate ‘early warning indicators’
suited to their own requirements, business profile and risk appetite in order to better monitor
ABSTRACT and manage risks.”
Dr. Y.V.Reddy,
Governor, Reserve Bank of India in Banking Sector in Global Perspective,
In this paper, we provide a perspective on the Inaugural Address at Bankers Conference 2004 on 10 November 2004.
international regulatory framework for capital standards
and its focus on implementation of risk management systems in I. Introduction The objective of a risk management framework is to
facilitate identifying, assessing, measuring, positioning,
banks with particular reference to the Indian scenario. Banks deal in risks. Each activity they undertake monitoring and mitigating/controlling risk in the
involves risks and therefore, they need to have a robust institution. The framework includes components that
We also discuss the Indian regulatory approach to this important risk management framework to generate consistent and support the abovementioned functions for all the risks
challenge and the major issues involved in the Basel II reasonable risk adjusted returns. The new international the institution is susceptible to, the principal risks being
framework for regulatory capital standards, Basel II Credit Risk, Market Risk (also including Interest Rate
implementation in the Indian context. We conclude with guidance requires banks to give focused attention to risk Risk and Liquidity Risk) and Operational Risk.
for developing an implementation plan for ushering in effective management and give incentives to adopt improved
risk practices. Regulatory Concern with Risk Management and
and efficient risk management in banks.
With the finalisation of the Basel II Accord, the Basel Evolution of Basel II
Committee on Bank Supervision (BCBS) has been Financial stability is a prerequisite for economic
{SS Satchidananda1 Sanjeev Shukla2 } concentrating on the implementation process. For this growth. Therefore, ensuring orderliness in financial
purpose, dedicated forum has been set up. The Accord markets is a matter of global regulatory concern. In
Implementation Group with a view to accelerating this order to achieve this objective, the Basel Committee
work and achieving consistency in the application of on Bank Supervision has been focusing on the risk
the Basel II rules.1 Therefore, the focus the world over management framework for banks. The cornerstone
is currently on the implementation aspects. This paper of the Basel initiative is to ensure the banks have
discusses issues relating to risk management arising enough capital to cover the risks they assume.”
from Basel II particularly with reference to the Indian Basel II aims to build on a solid foundation of
context and attempts to identify challenges facing prudent capital regulation, supervision and market
CBIT Centre of Banking and And Oracle India Pvt. Ltd., banks, and approaches for implementing a robust risk discipline, and to enhance further risk management and
Information Technology DLF Corporate Park Block I management framework. financial stability.”4
Indian Institute of Information Technology DLF City Phase III
26/C, Electronic City, Bangalore Gurgaon 122002 Risk Management Framework Reserve Bank of India Guidelines
Banks need to manage risks profitably. They can pool The Reserve Bank of India (RBI) has been at the
risk, diversify exposures and manage risk in a manner forefront of developing risk management regulation
1 S.S.Satchidananda (sssatchidananda@iiitb.ac.in) is Research Director and Professor of Banking and Finance that makes them unique. The more effective the risk suitable for different segments of the Indian banking
at CBIT Center for Banking and Technology, Indian Institute of Information Technology, Bangalore. management framework of the institution, the more community. RBI’s association with the BCBS dates
successful will the institution is in the long term 2 . The back to 1997 as India was among the 16 non-member
2 Sanjeev Shukla (sanjeev.shukla@oracle.com) is Specialist, Financial Services Solutions, strategic decision that the banks have to make is
Oracle India Limited, Mumbai countries that were consulted in the drafting of the
whether the type and amount of risks assumed by them Basel Core Principles. The RBI has laid down detailed
Views expressed in this paper are those of the authors and do not necessarily reflect the position brings them adequate compensation in terms of guidelines for asset liability management in 19975 and
of the organisations they belong to. earnings in short term and helps them maximize the 20026 . In October 1999, RBI has also issued guidelines
economic value3 in the long term.

The Indian Journey to Basel II: Implementing Risk Management in Banks 1

CMYK CMYK
CMYK
for Risk Management in Banks covering credit risks,
market risk and country risks and advised banks “ to
develop suitable methodologies for estimating
economic capital.” 7 The banks were asked to build up
Investment Fluctuation Reserve on their investments
portfolio to cover the interest rate risks. In June 2004,
banks were asked to maintain explicit capital charge for
market risks in respect of the trading portfolio and the
AFS category, on the lines of the standardized duration
method of the 1996 Amendment to the Basel Capital
Accord 1988. RBI has also taken measures to increase
market disclosure in regard to risk management. From
the March 2003 balance sheet onwards, all banks are
required to disclose their risk management policies and
procedures in the balance sheet. Other measures in
this direction include the institution of risk-based
supervision by the RBI and the requirement of risk-
based audit by the banks themselves. Various policy
statements of the RBI over time have highlighted
the importance of risk management and indicated
the road map for the Indian banks to progress in
this regard.
As far as Basel II Accord is concerned, the RBI
has accepted the Accord, in principle, with three
important riders, namely:
(i) that for the purpose of determination of the credit
risk, external credit rating agencies may be
substituted by domestic credit rating agencies;
(ii) that there should be a simpler and less exacting
requirement for domestic banks; and
(iii) that there should be flexibility and special
dispensation for developing countries to
operationalise this Basel II Accord capital charge
requirements.
In the recent past, the Reserve Bank has advised the
banks to assess the soundness of their risk
management systems in the light of Basel II and to
draw up a road map for migration to Basel II by
December 2004 and review the progress made thereof
at quarterly intervals.8 The RBI will closely monitor
progress made by banks in this direction. Hence, at a
minimum, all banks in India, to begin with, will adopt
Standardized Approach for credit risk and Basic
Indicator Approach for operational risk. After adequate
skills are developed, both in banks and at supervisory
levels, some banks may be allowed to migrate to
IRB Approach9 .
The Indian Journey to Basel II: Implementing Risk Management in Banks
CMYK
Basel II and RAPM: Beyond Compliance
Though the present stimulus for establishing the Basel
II-type risk management systems in banks is the
regulatory mandate from the BCBS and RBI rules, the
case for such action goes far beyond mere compliance.
Basel II Risk Management framework provides the
methodology for transforming banks into vibrant yet
stable entities in the globally competitive and dynamic
financial market place.
Basel II points towards a Risk Adjusted Performance
Management (RAPM) methodology for measuring
performance after adjusting for risk. A bank could
otherwise have traders in the treasury taking high-risk
positions that could result in inflating profits in the
short term (and therefore inflating their bonuses) but
could, as in the case of Barings, potentially ruin the
institution in the medium or long term. Risk Adjusted
Returns on Capital (RAROC) is a popular Risk
Adjusted Performance Management methodology
popularised by risk managers at Banker’s Trust in the
late 1970s. This adjusts returns with funding costs,
operational costs and provisions for expected losses
and is benchmarked with risk capital to arrive at an
acceptable risk adjusted return to shareholders.
Banks need to consider Basel II as an opportunity to
put their houses in order and adopt world class risk
management practices, instead of taking a tactical
approach to Basel II around meeting compliance
requirements. Basel II is designed to reward better risk
measurement with lower capital charges. Banks that
adopt / migrate to the advanced approaches identified
in Basel II will benefit their shareholders
by creating long-term sustainable shareholder value.
II. Credit Risk Management (CRM)
Credit risk is defined as the risk of loss due to default
or deterioration in credit quality of an obligor. The
definition of credit risk was originally limited to
loss due to default in repayment of interest and/
or principal, but has now expanded to include
deterioration in credit quality of an obligor (borrower).
The latter definition became prominent with mark to
market (MtM) credit portfolio models. BCBS has also
recognised the MtM concept and the capital
determination algorithm in the new Basel Accord
contains an element of MtM credit models based on a
maturity indicator10 .
Credit Risk and Basel II
The new Basel Accord released in June 2004 specifies a
continuum of approaches for banks to traverse the path
from basic capabilities towards sophisticated risk
management. The two sets of approaches specified by
BCBS include the following:
• Standardised Approach
The standardised approach requires institutions to set
aside capital on the basis of ratings given by External
Credit Assessment Institutions (ECAIs) to obligors.
In the case of sovereign lending the ratings of Export
Credit Agencies (ECA) would be used13 . However, the
local banking supervisor (the RBI in the Indian case)
needs to accord recognition to the ECAI or the ECA
before such ratings could be used for the purpose of
capital determination14 . BCBS has also specified different
methodologies to attach risk weights to different obligor
categories (sovereigns, individuals, banks, security firms)
and also different lending categories (project finance,
commodity finance, object finance etc).
Once the risk weighted assets of the financial institution
are calculated, the regulatory conversion factor will be
applied to compute the amount of capital required to be
held by the institution.
• Internal Ratings Based (IRB) Approaches
The IRB approaches involve an assessment of the
characteristics of both the borrower and the specific type
of transaction. The essence of the IRB approach is that
the capital allocation is not based on the supervisor -
determined risk buckets.
The components of an IRB approach are the following:
(i) Probability of Default (PD)
(ii) Loss Given Default (LGD)
(iii) Exposure at Default (EAD)
(iv) Maturity of Exposures (M)
As mentioned above, there are two sub-approaches
within the IRB approach – the foundation approach and
advanced approach. In the case of foundation approach,
the banks need to quantify the probability of default and
CMYK
they can assign risk weights based on the data on LGD
and EAD provided by the national supervisors. Under
the advanced approach, banks can use their own
estimates of PD, LGD and EAD that could be
validated by the supervisors.
• Foundation IRB
• Advanced IRB
These approaches not only define the progressive
sophistication required in determining capital
requirements for financial institutions, they also define
the progressive rigor in policies, processes and systems
across the approaches. As the new Accord seeks to
improve the risk sensitivity of banks, it has built in an
incentive for the banks to adopt the IRB approach. For
this reason, it provides for a reduction in the risk
weighted assets in the foundation IRB approach
calibrated vis-à-vis standardised approach, and a further
reduction on adopting the advanced IRB approach vis-
à-vis the foundation IRB approach. The intention is to
encourage banks to adopt more sophisticated risk
management practices11 . BCBS, in 2000, has also
defined best practices for credit risk management12 .
Approaches to Measurement of Credit Risk
There are various approaches to measurement of
credit risk based on different data sources, including
the following:
1. Using accounting (and other firm specific) data
2. Using demographic data, lifestyle etc. data (for retail)
3. Using bond pricing
4. Using credit derivatives pricing
5. Using equity price data
Except for the first two approaches above, all the other
approaches assume market efficiency. This assumption
may not be entirely robust in the Indian setting, or in
most other countries, with the exception of a handful
of countries in the developed world. The list above is
also not exhaustive. Hybrid models have emerged from
combinations of different categories of data.
The rating /scoring models are obviously the
foundation for robust credit risk management. Various
techniques have been used to develop rating/scoring
models for obligors. These range from basic statistical
3
CMYK
CMYK
techniques regression, discriminant analysis, logit/
probit models, and on to usage of machine learning
techniques including neural networks, genetic
algorithms, support vector machines etc.,
Transition Matrices are matrices that capture the
trend in migration of obligors across rating categories
over a defined time period, usually a year. Transition
Matricesare used to analyze migration patterns across
different obligor categories and as proxies for variability
of obligor ratings. Certain types of credit risk models
for economic capital also require correlation matrices
between obligors, and analysts use equity market
correlations as proxies for credit correlations with
econometric adjustments in line with observed
correlations. Transition matrices and correlation
matrices are used in certain credit risk portfolio models
for determining economic capital and are not required
for Basel II regulatory capital calculation.
There are various components that require validation in
the realm of credit risk management, the most
important of which constitute the credit rating/scoring
models themselves. Various quantitative techniques are
used for testing and validating models including
confusion matrices, lift curves, ROC curves, accuracy
ratios, Kolmogorov-Smirnov test etc.,
Technology Framework for Credit
Risk Management
Technology is vital for enabling credit risk
management. Key system categories for credit risk
management include the following:
• Credit rating/scoring engines specific to key
business segments
• Credit appraisal and sanctioning workflow
• Capital computation and allocation models
• Recoveries/collection systems and delinquency
management systems
• Data analysis systems for analysing trends and quality
of portfolio/sub-portfolio
Capital computation systems that accurately calculate
regulatory capital in lines with the requirements of
BCBS are essential to meet regulatory requirements.
The Indian Journey to Basel II: Implementing Risk Management in Banks
CMYK
The following diagram shows various components of
typical credit risk management system architecture:
III Operational Risk Management
Operational risk refers to the risk of losses resulting
from inadequate or failed internal processes, people,
and systems or from external events. This includes
legal risks but excludes reputational risks1 .
Operational Risk and Basel II
The Revised Capital Accord requires banks to maintain
capital charge on their operational risks. For quantifying
the operarational risks, it provides a menu of the
following three approaches:
• Basic Indicator Approach
The basic indicator approach requires institutions to set
aside capital equal to 15 percent of the average annual
gross income over the previous three years when gross
income was positive.
• Standardized Approach
The standardised approach requires institutions to set
aside capital equal to the sum of capital required for
eight identified lines of business that cover all banking
activities of that institution. The capital for a particular
CMYK
line of business is calculated as the product of the • Systems for storage, analysis and reporting of loss
average gross revenues of that business line and a data and data related to key risk indicators
beta factor for that business line specified by BCBS.
An important distinction must be made between
As an alternative to the Standardised Approach, systems that identify, assess, monitor, measure or model
BCBS has also defined an Alternative Standardised operational risk, and others that have inbuilt capabilities
Approach (ASA) that allows banks, with the permission to minimise/limit operational risks relating to business
of the national regulator, to use total assets for supported by the system. For example, a core
computation of capital in the case of Retail Banking transaction system may have superior capabilities to
and Corporate Banking. control risks, due to features such as maker-checker,
• Advanced Measurement Approaches (AMA) alerts, over-ride and prohibitions, but these are not
considered risk management systems.
BCBS has permitted banks having sophisticated
The following diagram captures various
operational risk management frameworks (both
components of a typical operational risk management
qualitative and quantitative) to develop internal
system architecture:
measures of capital requirements, with the approval
of the local regulator. BCBS has refrained from
mentioning any specific measurement approach and has
deliberately left the definition ambiguous in view of the
heated debate generated in the consultations leading up
to the Second Capital Accord. However, BCBS had
mentioned three approaches (the Scorecard Approach,
the Internal Measurement Approach and the Loss
Distribution Approach) in the second consultative
paper3 . Institutions are using various techniques
including regression type models based on key risk
indicators for forecasting losses, and different
statistical distributions for modelling probability
and severity of loss events, including the Weibull
distribution, Poisson distribution.
For each of the above approaches, the Basel II
document lays down both quantitative and detailed
qualitative prerequisites for banks to comply with to
qualify for the approach. The qualitative requirements
relate to organisational structure, policies, processes, data
and systems in the organisation. BCBS has also identified IV. Market Risk Management
the principles for management of operational risk 2 .
Market risk is defined as the risk of losses in on and
Technology Framework for ORM off-balance sheet positions arising from movements in
market prices1 . Market risk is the risk of loss due to
Technology is vital for enabling operational risk
price volatility. The price could relate to foreign
management. Key system categories for operational risk
currency prices (exchange rates), price of funds
management include the following:
(interest rates), prices of securities/equities, commodity
• Systems for assessing and monitoring risks prices, or price of instruments like derivatives.
Liquidity risk is not strictly a market risk since it is not a
• Systems enabling event reporting, with capabilities
result of price volatility. However, both liquidity risk
for workflows, alerts and escalations
and interest rate risk require the same kind of data and
• Capital computation and allocation are usually managed by the same group within financial
5
CMYK
CMYK
institutions and are often handled together. The
Reserve Bank of India has defined guidelines for
liquidity risk management along with guidelines for
other market risk categories in its Guidance Note on
Market Risk Management (October 2002)2 .
Market Risk and Basel II
In 1996, BCBS introduced an amendment to the first
capital accord, to require capital charge for market risk.
The amendment defined two methodologies for
calculation of capital, including a basic methodology
(called the standardised measurement method) and a
more sophisticated methodology based on use of
internal models. Broadly, the amendment covered the
following categories of risk:
• Interest Rate Risk (only in the trading book)
• Equity Position Risk
• Foreign Exchange Risk
• Commodities Risk
• Risk from Options
The new Basel Accord places continued emphasis on
the Basel I Market Risk Amendment (1996). Under the
Internal Model Based Approach, banks are required to
build up value-at-risk models for determining the
potential loss with 99 percent confidence level and
compute the total value at risk / earnings at risk and
provide capital for the market risk by multiplying the
amount at risk by application of a multiplication factor
of 3 to 5, depending upon back testing results.
BCBS recommends that banks compute capital for
interest rate risk and equity risk in their trading book,
and commodities risk and forex risk across the balance
sheet. The revised capital accord also requires banks to
manage interest rate risk in the banking book also
under supervisory reporting and market transparency
requirements.
Regulatory Requirements and Calculation
of Capital
The Reserve Bank of India released a ‘Guidance Note
on Market Risk Management’ in October 2002, which
gives comprehensive guidelines on policies, procedures
and systems banks should follow for liquidity risk
management, interest rate risk management and
The Indian Journey to Basel II: Implementing Risk Management in Banks
CMYK
currency risk management. RBI has advised banks to
adopt a phased transition for Indian banks in
implementing capital charge for market risk prescribed
in the Basel document by March 2006. However, since
1998 RBI has put in place several surrogates such as an
Investment Fluctuation Reserve of 5 percent of the
investment portfolio, both in the AFS and HFT
categories and a 2.5% risk weight on the entire
investment portfolio (in contrast to the Basel norm
requiring capital only on the trading book).
Technology Framework for Market Risk
The following diagram captures various components of
a typical market risk management system architecture:
V. Basel II Implementation in India
The Challenges
Risk management functions are in place in most banks
and financial institutions. However, it would appear
from anecdotal evidence that in many institutions, this
initiative was motivated by compliance to regulatory
requirements, rather than an internal recognition of the
strategic role that a dedicated risk management
function could play in optimising the risk return trade-
off for a bank. Moreover, only a handful of banks are
doing risk management in the sense of assessing,
positioning, modulating the risks not only at the macro
level but also at the micro level, that is, at the level
of transaction. However, there is no published data
available regarding the status of the functioning of
risk management departments. If detailed information
in this regard is collected and analysed, it may provide
a firm basis for establishing comprehensive risk
management systems. Based on the available
information, certain challenges have been identified.
Firstly, there needs to be a keen awareness of the
risks at the transaction level on the part of even
the lowest functionary involved in the financial
transaction in order that the bank or the financial
institution gets compensated for the amount of
risk it is assuming by performing a certain
transaction. This implies embedding a risk culture
across all activities of an institution. As Governor
Bimal Jalan had pointed out in his address to bankers,
“ultimately risk management is a culture that has to
develop from within the internal management systems
of the banks.”1
For instance, a staff member accepting a fixed deposit
needs to be as much aware of the implications of his
transaction to the risk profile of the bank as the Risk
Manager at the Head Office. In the absence of such
kind of ground level appreciation of the risks in
concrete particularities, risk management becomes
more a ritual to be completed than a meaningful
exercise in increasing the sophistication and capabilities
of the business.
The second issue is operationalisation of the risk
function. Each bank has a unique risk profile
depending upon multiple factors including scale of
business, geographical focus/break-up, segmental
focus/break-up, risk profile, products offered,
organizational culture, underwriting/control
environment and growth rate. A risk solution designed
for one institution or geography cannot therefore be
indiscriminately applied to another institution.
The procedures, the techniques and the methods
available for risk management are varied and manifold.
Each institution needs to choose the right technique
which is required by its own business profile and which
are also cost effective, subject, however, to the legal and
regulatory requirements. It is in this area of adaptation
of the Western techniques that there is a serious
CMYK
difficulty as such techniques may not be applicable
mutatis mutandis to the Indian scenario because of
the difference of the behavioural dimensions and the
environmental differences. Therefore, the more
difficult route of developing indigenous models
using the available statistical techniques needs
to be adopted by the banks in order to do risk
management in a meaningful way at the
micro level.
In fact, depending on the need, banks may like to
develop credit scoring models for each sector, if
not for each activity, being financed to achieve greater
accuracy and reliability based on indigenous data
on the institution’s customers profile and their
characteristics. While some of the banks seem to have
made a beginning by introducing internally determined
rating grades, there is a lot of ground that needs to be
covered in this regard.
Third, It might be beneficial to the banks to
approach risk management as a multi-layered task
within the organisation, for instance, at the macro
level and the micro level. Risk management at
the macro level will be effective if detailed data is
available in a consistent format covering the all of
the institution’s lines of business and geographies,
typically in a centralized database, regarding all of the
transactions of the bank. It is well- known that the
risks are inherent in various transactions of the bank
and though for the purpose of understanding we
prepare taxonomy of the risks, they cannot be
disentangled in reality and keep manifesting in
different forms in different circumstances. Therefore,
there is a need to develop a centralized database of
all the transactions, so that banks can analyse various
risks and the interconnections between the various
risks. Apart from the availability of data, there is a
need for sophisticated analytics relevant to the
institution’s circumstances.
It is well known that risks have multiple dimensions.
Financial risk manifests in various dimensions.
Though they are classified into various categories,
defined and dealt with in segmented manner, they
overlap and, often, represent different stages of
business. For instance, a bank may not be in a position
to handle adverse clearing on account of liquidity
mismanagement. We are aware that liquidity constraints
7
CMYK
CMYK
of this bank could translate into a counterparty risk for
the institutions on the other side of the transaction.
Thus, investment transactions and foreign exchange
transactions all have counterparty risk and credit risk
embedded in them. Likewise, a floating rate credit
facility of a corporate may be hit by raising interest
rates, which may adversely affect the corporate’s
capacity to repay the loan. Therefore, what began as a
market risk may culminate into a credit risk as far as the
bank is concerned. Though, for the purpose of
analysis and appreciation, banking risks are classified
into various specific risks like liquidity risk, credit risk,
interest rate risk, foreign exchange risk, equity position
risk, operation risk and legal risk. The issue in all these
risks is to ensure that the bank has assumed the type of
risk and the level of risk based on its loss- absorbing
capacity and appetite for risks and adequate
compensation for the risk assumed. Therefore, banks
need to have an integrated approach to risk management.
A sine qua non for this is an integrated
information system. As is well known, risk
management requires a lot of historical data to provide
the basis for forecasting and building of models in
respect of various activities. In order to take a view
about the future, there is a need to have sufficient
historical data as well as appropriate techniques for
analysis and skilled human resource. In the Indian
context, the major handicap is the absence of data
series, particularly regarding the transactions in
individual loan accounts since such of the data as is
available is not consistent enough to facilitate taking an
integrated view of a particular financial entity, let alone
for being used for preparing models. It may be noted in
this context that the leading credit rating agencies in
India do not rate the issuers of debt but provide rating
for the issues.
It is against this background that one stresses the
need for the banks to go in for comprehensive
computerization solutions to ensure that all of the
bank’s data is available for viewing and monitoring and
processing by those authorized for the purpose. The
prerequisite for this is that banks should network all
their branches and create a centralized data store that
will serve as a warehouse for the bank for accessing the
data for model building, model validation and risk
management.2 The second major step would be to
conduct all transactions in the electronic mode to
The Indian Journey to Basel II: Implementing Risk Management in Banks
CMYK
ensure consistency, integrity and comparability of the
various transactions across the banks and even across
the industry.
Establishment of the Credit Information Bureau in the
recent past augurs well to the extent that it enables the
availability of data about the defaulters to the banks in
the public domain. However, it might be useful to
arrange for a detailed survey of the loans granted by
the banks during the last decade so as to create an
industry-wise database. Given the non-availability of
significant amount of data either within the bank itself
or in the public domain regarding the various banking
transactions, it is imperative to undertake a detailed
exercise to find out if the available data, or the
databases within each of the banks can be used to build
some preliminary models.
Fourth, yet another requirement for establishing
risk management system is trained and skilled
manpower. Sophisticated risk management requires
employees with knowledge and skills commensurate
with the complexity of the policies, processes, models
and systems required. A quantitative orientation across
the organization also needs to be developed (in
addition to emphasis on processes) so that all people
are sensitized to the importance of the information,
accuracy and consistency. Besides this general
orientation, there is also a need to have people who
are well versed in analytics and are able to construct
and periodically validate and refine models for the
purpose of the bank. Apart from building models,
there is a need for functional specialists with an
information technology orientation who can
operationalise these models in actual practice. This is
a major challenge in most of the banks as the required
human resources are rather scarce.
Fifth, the Board of Directors and the Management
should be in a position to identify the risk appetite
of the bank. Since the goal of a bank or a financial
institution is maximization of the shareholder value,
there is a need to ascertain and identify the stance of
the shareholders in regard to the risks to be assumed
by an organization. This can be done through greater
disclosures to the shareholders and more meaningful
discussions at the annual general meetings and by
establishing a continuous interaction system with the
shareholders. One quick way of identifying the
shareholders preferences for the risk appetite is to
make analysis of the share price movements before and
after the bank had taken up certain new lines of
business or types of activities. Perhaps, this is the
reason why Basel Accord considers market discipline
as a third pillar of supervision.
Having determined the risk management policy and
having provided for an integrated information network
and requisite human resources, the management of
a bank will have to determine in concrete terms as to
which are the lines of business they would like to
grow, on the basis of detailed analysis of the risk-
return trade-off of various activities as applicable
to their operations.
Sixth, for external credit rating agencies as well as
for banks adopting the standardised approach to
credit risk, the issue of issue ratings versus issuer
ratings has gained importance, because most
credit rating institutions in India have been rating
the issues and not the issuers. While the new capital
accord provides methodologies for accepting issuer
ratings in lieu of issue rating, this is applicable on
claims senior to the claims covered by the issue. There
is also the challenge of rating a large number of
obligors across the nation, especially since the new
accord recommends banks use only solicited ratings. A
moot point is whether the Indian rating industry has
reached a stage of maturity that should encourage the
national regulators to accord recognition to these rating
entities for the purpose of computing capital adequacy
in banks.
Seventh, a key dimension of a Basel II initiative,
given the size and complexity of the initiative,
consists of preparing the organization for change.
For an organisation to metamorphose into an
institution doing sophisticated risk management in a
time bound manner involves changing policies,
processes and systems and fundamentally reorienting
the way business is conducted. Setting up a
communication systems to ensure employees are aware
of organisational policies and priorities is as important
as is an infrastructure for training employees in new
tools, techniques and processes. The human resources
group of the institution therefore requires to be closely
involved in the entire process at a strategic, tactical and
operational level.
CMYK
The risk reporting infrastructure needs to developed in
a manner that not only enables reporting in various
formats and extent of detail to risk managers,
regulators and shareholders, there needs to be adequate
transparency in systems and traceability of transactions
built in to support validation of such reports. This is
essential on account of special requirements as a result
of pillar two (supervisory review) and pillar three
(market discipline – transparency) within the new
capital accord.
Institutions need to prepare not only for capital
calculation based on regulatory prescription, but
also capital allocation among various lines of
business, and capital attribution for risk adjusted
profitability management.
Basel II requires high standards of corporate
governance on banks. Banks would need to create a
committee overseeing the risk management process in
the institution, and preferably designate a director
specifically for risk management in line with global best
practices. The board or the committee must approve all
material aspects of the risk management process. This
also implies that the identified members of the board
and senior management have the appropriate
understanding of the bank’s risk management system
and processes and of issues surrounding the risk
management function. All deviations from the bank’s
approved policy must also be reported to the
appropriate functionaries and deviations should be
approved in a manner laid out in the bank’s risk
management policies. The bank’s management must
also periodically ensure that the risk management
framework is functioning appropriately and issues
in this relation need to be discussed. The board and
senior management must have access to information
to allow satisfactory fulfilment of their responsibilities
in this regard.
Some of the questions banks need to ask themselves
are highlighted in the following paragraphs.
Strategy and Policy Related Issues
Has the bank defined its risk appetite? Is there a
conscious attempt of the board and the top
management to create and encourage development of
a risk management culture across the bank? Do top
management and members of the board understand
9
CMYK
CMYK
the risk-return trade-off ? Are policies designed and
implemented to identify, measure, monitor, control and
mitigate key risk categories facing the institution?
Structure Related Issues
Have banks established a risk management department
that has an independent reporting line to the board of
directors? Is the department staffed with competent
resources to operationalise, implement and oversee risk
management activities in the organisation? Is the
structure based on principles of independence,
competence and adequate oversight?
Process Related Issues
Do banks have the risk management processes in place
to enable sophisticated risk management? Have banks
begun to assess existing risk management policies,
processes and procedures and introduce new / redesign
existing risk management processes? Have the
organisational changes for new / redesigned processes
been put in place? Have banks acquired systems /
modifying existing systems to support new /
redesigned processes? Are processes and systems
robust to ensure that the institution is not exposed to
substantial risks?
Model Related Issues
A lot of uncertainty surrounds the modelling
requirements required of banks in the new accord.
How do banks develop models to model LGD and
EAD? Which kind of models should be employed for
modelling PD across different product categories?
Have banks identified their modelling methodologies?
Which tools and techniques will they use? Have banks
identified model testing and validation methodologies?
Which groups will develop and test the models? Who
will audit the model development, testing and
validation processes? Are the requisite skill sets
available internally or do they need to be outsourced?
Even if models are developed and need to
operationalised, how is this to be done?
Data Related Issues
Data is central for scientific risk management.
Designing the data management infrastructure is
therefore a key activity in putting in place a risk
management framework. On the data front modelling
The Indian Journey to Basel II: Implementing Risk Management in Banks
CMYK
requirements pose another set of questions. Do banks
have the data to meet the needs of models? Is the data
comprehensive and structured in a manner amenable to
modelling? Has it been stored consistently for a period
of time large enough to ensure reliability of modelled
outputs? Is the data available in a consistent manner
across organisational units, geography and lines of
business? Most importantly, is the data clean? Have
banks identified ‘golden sources’ of the following
categories of data:
• Instrument/Account Data
• Customer/Counterparty Data
• Ledger Data
• Risk Mitigation Data
• Dimensional Data
• Incident Data
• Multiple Scenario Inputs
• Historical Data
• Limits and Loss Provision Data
Have banks identified integration requirements with
internal systems, other applications, and legacy data stores?
While the lack of data is a constraint, it would appear
that the lack of the ability to use the available data is
a bigger impediment in the management of risks in
the banks.
System Related Issues
Has the bank identified banking activities requiring to
be automated? Do risk and technology managers
cooperate in determining which system components
need to be introduced, and whether it would be
necessary to build, buy or enhance existing
functionality to meet requirements? To what extent are
the activities in the institution automated? IT systems
are today a pre-requisite for sophisticated risk
management for several reasons. Not only do systems
enable institutions to capture the data required for risk
management, they can be used as a source of key risk
indicators for operational risk management. Banks in
India have done well to migrate to centralised banking
systems, as these are the source of a large part of the
data for risk management. Most banks have, however,
not yet automated other activities using process
automation workflow and imaging tools, or activities
like human resource management, customer relationship
management and financial management.
VI. Approach to Implementing the Risk
Management Framework
While there is a general kind of appreciation of the risk
management among Indian banks, there is a continuing
need to work on the modalities of operationalising this
system in a customized manner for each of the
institutions. Banks need to urgently benchmark
themselves against Basel II norms across the entire
range of approaches for credit, market and operational
risk. Once they have identified gaps, they can identify
what potential alternatives can be adopted to address
these gaps. Banks can then evaluate which option to
adopt based on their resources and organisational
priorities. What we attempt here is to provide some
generic guidance for operationalisation of the risk
management in Indian banks in the context of the
new Capital Accord.
Critical factors for Basel II Implementation
• Basel II initiatives cannot be viewed in isolation from
business and technology areas and, therefore, the risk
strategy needs to be integrated into the business
strategy and the technology strategy of the institution
• A holistic approach needs to be adopted to the
implementation; institutions must avoid the pitfall of
catering purely to regulatory requirements and focus
instead on long-term shareholder value creation and
banks should therefore use this opportunity to
benchmark themselves against national / international
best practices
• Banks need to recognise that they have the flexibility
to adopt various approaches and they may adopt
different timelines for migrating to different
approaches (e.g. target the standardised approach to
credit risk within two years, foundation IRB within
five years and advanced IRB within six years); their
implementation roadmap must recognise and
reflect this
• The Basel II implementation must not only cover the
key risk areas (credit risk, operational risk, market risk,
CMYK
liquidity risk) but must also cover integration of risk
in the sense of defining uniform methodologies to
store, analyse and report information across risks in
a consistent format and also identify interaction
between various risk categories
• There is a need to further develop the risk transfer
markets in India to enable the banks to spread risks
across institutions and investors. Such markets
include the securitization market for bank-originated
credits, secondary markets for loans and credit
derivatives markets.1
• The banks should make an “ AS IS “ analysis of the
risk management practices. An essential part of this
exercise is to make comprehensive review of the
quantity of data available with them for the credit
risk and operational risk like the historical loss data,
and subject them to verification of integrity and
consistency. They should also identify the
information / data requirements in detail and
establish systems for their collection, archival
updation and retrieval for analytics. In fact, it is
advisable for the banks to build own indigenous
credit models using the local data so as to better
reflect the behavioural and environmental factors.
• The banks should carefully design the internal rating
systems in such a manner as to be able to
differentiate various degrees of risk in individual
credit exposures with accuracy and reliability2 .
If the rating system uses objective criteria, its
transparency and auditability would increase.
• The involvement, understanding and commitment of
top management are critical for the implementation
of risk management. 3
Developing the Implementation Roadmap
The primary responsibility for establishing an effective
risk management system rests with the management of
the banks. Broadly, banks need to follow a four step
methodology to put in place a risk management / Basel
II framework.
1. Identify Goals
a. During this initial phase banks will determine
intermediate and long-term goals and targets under
Basel II. A good final goal for a bank will be to make
11
CMYK
CMYK
an accurate and holistic assessment of its risks using
the sophisticated approaches (like Advanced IRB for
Credit Risk and Advanced Measurement Approaches
for Operational Risk) and lay out the “economic
capital “ for it irrespective of the fact whether the
regulatory rules require it or permit something lower
since such robust and full-fledged risk management
would certainly strengthen the market position of the
bank and would enable it pursue new opportunities.
However, the actual milestones for reaching this will
have to be set out taking into account the specific
circumstances prevailing in each bank.
b. Banks will also begin awareness building and
training of resources as a pre-requisite for
change management
c. Requirements will be governed by regulatory
requirements both local and global
2. Gap Analysis – during this phase the bank will
identify any gaps in their current framework to migrate
to a sophisticated framework
3. Define alternatives to address identified gaps
a. Identify alternatives
b. Evaluate alternatives based on institutional
resources and priorities
c. Identifying timelines / phasing /sequencing of
identified alternatives including determining of
interim targets and goals
d. Deciding upon resourcing of projects
The Indian Journey to Basel II: Implementing Risk Management in Banks
CMYK
4. Implementing identified alternatives projects
The Basel II initiative would cover various elements
including policies, processes, systems, data, models and
technology considerations. The following sections
explore some implementation considerations in each of
these elements.
Process Automation and Redesign
Basel II would imply introducing new processes or
redesigning existing processes to make them suitable
for risk management. In addition, there is a major need
to automate processes.
Automation of processes is desirable from the
perspective of reducing process- related risk as well as
creating a source of risk indicators for banks. An
additional benefit from workflow automation is the
achieving of transparency and traceability required for
corporate governance. However, banks need to be
realistic in their efforts to automate processes since
there is also technology risk involved in terms of
integration issues and stability issues. Banks would also
need to evaluate the aspect of cost of new technologies
and the fit within the bank’s proposed technology
architecture.
A phased plan to put in place extensive business
process management and automation would involve
the following:
• System analysis and review of all the processes
• Redesigning the processes harnessing the technology
to ensure value creation at every stage
• Plan migration to new / restructured processes
- Define new organisational structure supporting
new processes
- Develop resourcing strategy
- System support
• Identify system requirements
• Examine enhancements to existing systems
• Identify integration and implementation issues
• Acquire and implement new systems
- Change management / training
Developing the Data Roadmap
Accurate assessment of risk requires real time financial
information. It involves the collection and preservation
and archival of huge amount of data to facilitate risk
analysis and positioning. Building and managing
voluminous datasets in appropriate manner is an
important task. The analysis of data to evaluate risk
involves extensive work using advanced statistical and
modelling techniques like time series, multivariate
multidimensional analyses etc., Therefore, there is a
need to prepare a customized database design taking
into account the functional requirements of each bank
in terms of risk management .
In a general way, the following are key inputs in
identifying data requirements:
• Identifying monitoring requirements
• Identifying modelling requirements
• Identifying analysis requirements
Once the data requirements are identified we need to
define the data model – or the logical structure defining
how the data will be stored and analysed. Subsequently,
data readiness needs to be examined by the institution
to build preparedness for extraction. During this
phase, institutions may try to homogenise the data
capturing process across the organisation, improve the
quality of existing data captured and build / enhance /
procure systems to capture additional data required for
risk management.
The next step consists of defining the data capture
mechanism and the data extraction, transformation and
loading (ETL) mechanism.
Once the data-management infrastructure is logically
defined, banks would need to acquire the physical
CMYK
infrastructure consisting of tools / systems to support
the same. While developing the data management
infrastructure, key data architecture requirements include1 :
• A rule-based accounting engine to identify and map
the required financial and transactional data from all
source systems
• Data extraction, transformation and load
capabilities (ETL) to handle high volumes in a
multi-platform environment
• A comprehensive and complete data schema as a
central data repository to control the storage and
utilisation of data. This must be a scalable
environment capable of handling huge quantities
of complex data, but also highly customisable to the
needs of the institution to provide high availability,
high performance, high data integrity, and security
• The data scheme needs to provide a single model to
store customer, account and transaction data to
support all performance and compliance requirements
and provide a single customer view
• A consolidated and reconciled view of all data stored
in the data warehouse enables all necessary analysis
and risk and capital requirement calculations
Banks also need to define data sharing arrangements
between each other to provide better modelling and
measurement of risks across the banking sector.
Defining the Technology Architecture
While technology is considered an enabler, it is probably
the most central to supporting the framework for
advanced risk management practices. In terms of
systems, analytics and the data management
infrastructure, today, risk cannot be managed without
technology. Importantly:
• Technology needs to be in line with the bank’s
technology strategy
• Technology should be comprehensive to support
functional requirements
• A technology road map needs to be drawn by the
institution to ensure that the institution identifies
technology components required at various levels
of sophistication aligned with its risk management
vision/road-map
13
CMYK
CMYK
• Each institution must put in place a technology
architecture in line with best practices and ensure that
all technology components are in line with the
technology architecture
• Institutions will need to define whether to build, buy
or enhance existing systems required to support risk
management; while the institution may have an
overall policy governing such decisions, there should
be sufficient flexibility to ensure that considerations
of ease of implementation, cost and specificity of
requirements are taken into account.
There are three strategic considerations in planning a
technology architecture that underpin a robust and
long-term performance and compliance architecture
necessary to achieving a preferred Basel II status2 .
1. Scalability
The complexity and granularity of account and
transaction level data that needs to be captured and
analysed requires a scalable database and processing
platform – not least because the huge amount of data
to be stored and accessed will grow massively over
time, regardless of the size of the institution.
2. Availability
Continuity of high levels of system performance,
together with proven database reliability, will be
essential to ensure that regulatory data is complete,
accurate and fully reconcilable with the General Ledger.
Systems will also need to prove themselves robust
through rigorous back-testing and stress-testing.
3. Security
Utilising data to the degree of detail and granularity
required by Basel II inevitably puts the spotlight on
data integrity and confidentiality. Complex security
issues are also raised by the need to consolidate and
standardise data across multiple locations and
subsidiaries so that a complete picture of risk across all
trading relationships can be reported.
System Risk: Testing for Performance
From a technology viewpoint, the risk management
systems must be tested to ensure that the systems are
working as desired. Inputs and outputs must be
periodically validated to ensure against system risk.
Documentation of procedures relating to testing of the
technology components is essential.
Issues in Selection of Solutions
Institutions would need to consider some of the
following issues in selecting technology solutions:
The Indian Journey to Basel II: Implementing Risk Management in Banks
CMYK
• Alignment with institution’s technology standards,
architectural considerations and policies
• Stability of vendor
• Functionality provided
• Product roadmap
• Track record of implementations
• Level of support offered
Model Building, Testing and Validation
Capital computation requires institutions to develop in-
house models or acquire models subject to satisfaction
of the criteria of relevance to the institution’s specific
requirements. The latter may be necessary where the
institution does not have access to substantial in-house
data, or where the service provider has wide-ranging
expertise in implementing models in similar
institutions. Institutions need to define model
development procedures, and identify tools and
techniques for the same. There are various statistical
and machine learning tools and techniques that could
be applied to the model development problem. Well
known techniques such as discriminant analysis, logistic
regression, neural networks, support vector machines
may be used for the model building process.
Risk models also need to be tested and validated, both
during design and periodically during their usage (back
testing). Banks also need to define validation / testing
methodologies covering tools, techniques, frequency /
periodicity, benchmarks for outputs / escalations,
validating authority / agency and model audit
requirements. Prior to operationalising these models
banks need to define calibration procedures to ensure
that model outputs tie in with desired predicted outputs
(e.g. tying credit scoring output scores into predicted
variables such as probability of default). There is a need
to conduct detailed error analysis of the model outputs
with a view to recognising the patterns and magnitudes
of error so that appropriate remedial measures can be
instituted to achieve greater accuracy in the
measurement of risk.
In addition, banks need to define how the validation /
testing results will be presented to the local banking
supervisor (RBI). This is of critical importance given
the requirements under Pillar Two of the New Basel
Accord (Supervisory Review).
Finally, institutions would need to identify system
requirements for operationalising the model to
integrate it with the day-to-day processes of the bank.
CMYK
CONCLUSION
With the conclusion of the new
accord, banks now have a concrete set
of guidelines available to impart
direction to their risk management
initiatives. Meeting the 2007 deadline
may not be intimidating to Indian
banks, since the Reserve Bank of India
appears inclined to require banks to
use the simpler approaches like the
Standardized Approach for Credit
Risks and the Basic Indicator
Approach for the Operational Risks to
facilitate a smooth transition to the
new regime. However, banks need to
use this opportunity to implement
effective risk management systems to
achieve competitive efficiency. The
time has come, therefore, to look
beyond compliance in the Indian as
well as the global context as the new
Accord provides an opportunity “ to
enhance further risk management”3
Forward looking banks
can thus provide leadership in the
Indian sector and also ensure that they
protect and advance the long-term
interests of their shareholders while
contributing to the financial stability of
the financial system.
15
CMYK
CMYK CMYK

Bibliography
1 Basel Committee on Banking Supervision, Amendment to the Capital Accord to Incorporate Market Risks, January 1996
2 Guidance Note on Market Risk Management, Reserve Bank Of India, Department of Banking Operations and Development
3 Jalan, Bimal, Towards a More Vibrant Banking System in India’s Economy in the New Millennium, UBS Publishers, 2002. See page 96 ibid
4 Business Standard dated February 3, 2005. See report entitled “Computerisation delay blocking Basel II progress in Indian banking”
5 Bank for International Settlements. 74th Annual Report .Basel 2004. See page 133 -4 for a discussion on the need for risk transfer markets
6 Rutledge,William, Implementing the New Basel Accord. BIS Review 15/2003. Page 2-3. Bank for International Settlements.
7 Ibid. Page 4. William Rutledge in his address to the British Bankers Association highlights this in the following words, “As a bank’s capital requirements draw
increasingly on firm-specific performance and systems, there will be a need for its board of directors and senior management to gain deeper understanding of the
conceptual underpinnings, and even operational mechanics, of a bank’s internal rating systems and the measures of risk derived from them.”
8 Mohammed, Nazif, See sub-section on ‘Key Data Architecture requirements’ within ‘Data Architecture Challenge’, Building Enterprise Wide Performance and
Compliance Architecture, Oracle
9 Ibid, See section on ‘Technology Architecture Challenges’
10 Basel Committee on banking Supervision. Implementation of Basel II: Practical Considerations. BIS July 2004.

The Indian Journey to Basel II: Implementing Risk Management in Banks

Footnotes
1 Bank for International Settlements. 74th Annual Report .Basel 2004. See page 167-8
2 Jalan, Bimal. International Financial Architecture in India’s Economy in the New Millennium. See Page 76 for a discussion on Basel II and the imperative need for
risk management. “The Asian crisis has demonstrated that problems can arise when excessive leverage is coupled with excessive concentration of risk. Improving the
assessment and management of risks “ is, therefore, another area which requires attention.”
3 The Basel Committee on Bank Supervision defines the economic value of the bank as “ the present value of bank’s expected net cash flows, defined as the expected
cash flows on assets minus the expected cash flows on liabilities plus the expected net cash flows on off balance sheet (OBS) positions.” See Basel Committee on
Banking Supervision, January 2001, Para 20, Pg 6. www.bis.org
4 See “Implementation of Basel II: Practical Considerations”, Basel Committee on Banking Supervision, Page 1, bis.org, July 2004. BIS
5 Reserve Bank of India, Principles for The Management of Interest Rate Risk, January 1997
6 Reserve Bank of India, Asset-Liability Management Guidelines, 2 April 2002
7 Reserve Bank of India, Risk Management Systems in Banks, DBOD.No.BP. (SC).BC.98/21/.04.103/99. dated October 1999. See Para 13.4 Page 52
8 Reserve Bank of India, Annual Report 2003-04. Pages 152-3
9 Udeshi, Kishori J., Implementation of Basel II: An Indian Perspective, 2004.
10 This appeared as a clarification to the Third Quantitative Impact Survey (QIS 3) undertaken by BCBS during the consultative process to developing the new accord
(http://www.bis.org/bcbs/qis/qis3qa_g.htm)
11 See ‘Update on the New Basel Capital Accord’, BIS Press Release, 25 June 2001 for an understanding on the committee’s intention to provide incentives for adoption
of more sophisticated approaches; also see ‘Results of Quantitative Impact Study 2.5’, Basel Committee on Banking Supervision, for a discussion on methodologies
discussed by BCBS for reduction in capital requirements as an incentive to adopt foundation IRB approach
12 Basel Committee on Banking Supervision, Principles for the Management of Credit Risk, September 2000
13 However, to qualify an ECA must publish its risk scores and subscribe to the OECD agreed methodology; See International Convergence of Capital Measurement
and Capital Standards - A Revised Framework, Page 15
14 Ibid. See Page 23 for a detailed treatment of Eligibility Criteria for local supervisors according recognition to ECAIs
15 Ibid. See page 137, the document further defines legal risk as”…risk (that) includes, but is not limited to, exposure to fines, penalties, or punitive damages resulting
from supervisory actions, as well as private settlements”
16 Basel Committee on Banking Supervision, Sound Practices for the Management and Supervision of Operational Risk, February 2003
17 Basel Committee on Banking Supervision, The New Basel Capital Accord (Second Consultative Document Issued for comment by 31 May 2001), January 2001
18 Basel Committee on Banking Supervision, Amendment to the Capital Accord to Incorporate Market Risks, January 1996
19 Guidance Note on Market Risk Management, Reserve Bank Of India, Department of Banking Operations and Development
20 Bank for International Settlements. 74th Annual Report .Basel 2004. See page 133 -4 for a discussion on the need for risk transfer markets
21 Rutledge,William, Implementing the New Basel Accord. BIS Review 15/2003. Page 2-3. Bank for International Settlements
22 Ibid. Page 4. William Rutledge in his address to the British Bankers Association highlights this in the following words, “As a bank’s capital requirements draw
increasingly on firm-specific performance and systems, there will be a need for its board of directors and senior management to gain deeper understanding of the
conceptual underpinnings, and even operational mechanics, of a bank’s internal rating systems and the measures of risk derived from them.”231 Jalan, Bimal,
Towards a More Vibrant Banking System in India’s Economy in the New Millennium, UBS Publishers, 2002. See page 96 ibid
23 Business Standard dated February 3, 2005. See report entitled “Computerisation delay blocking Basel II progress in Indian banking.”

The Indian Journey to Basel II: Implementing Risk Management in Banks 16

CMYK CMYK