The critical challenge facing banks and

regulators under Basel II: improving

risk management through
implementation of Pillar 2

Simon Topping
Hong Kong Monetary Authority
28 September 2004
GARP Asia Pacific Convention
1
 Implementation of Basel II in Hong Kong

• Hong Kong is one of the first jurisdictions to publish

detailed implementation plans for Basel II
• Re Pillar 1, we will allow institutions to choose between
standardised approach, foundation IRB and advanced IRB
for credit risk, and between basic indicator approach and
standardised approach (not AMA) for operational risk; we
will also allow smaller institutions to choose a “basic”
approach
• Institutions can now plan accordingly. The first big
question is whether - and when – to adopt IRB
• But focus is now shifting to a second key consideration
– what plans to make in relation to “Pillar 2” risks

2
 Main objectives of Pillar 2

 Ensure that banks have adequate capital to support all

the material risks in their business
More comprehensive recognition of risk, including risks
not covered (e.g. interest rate risk in the banking book)
or not adequately covered (e.g. credit concentration risk)
under Pillar 1

 Encourage banks to develop and use better risk

management techniques
Focus on banks’ capital planning and risk management
capabilities (not just on setting of capital)

3
 Four Pillar 2 Principles
 Principle 1 : Banks should have a process for assessing their
overall capital adequacy in relation to their risk profile and a
strategy for maintaining their capital levels (i.e. CAAP)
 Principle 2 : Supervisors should review and evaluate banks’
internal capital adequacy assessments and strategies
 Principle 3 : Supervisors should expect banks to operate
above the minimum regulatory capital ratios and should have
the ability to require so
 Principle 4 : Supervisors should seek to intervene at early
stage to prevent capital from falling below the minimum levels
required to support the risk characteristics of a particular bank
4
 Principle 1
• Banks should have a process for assessing their overall capit
al adequacy in relation to their risk profile and a strategy fo
r maintaining their capital levels
• Banks must be able to demonstrate that chosen internal capital t
argets are well founded and that these targets are consistent wit
h their overall risk profile and current operating environment. I
n assessing capital adequacy, bank management needs to be mi
ndful of the particular stage of the business cycle in which the b
ank is operating. Rigorous, forward-looking stress testing that i
dentifies possible events or changes in market conditions that c
ould adversely impact the bank should be performed. Bank ma
nagement clearly bears primary responsibility for ensuring that t
he bank has adequate capital to support its risks

5
 The five main features of a rigorous process
for assessing capital adequacy
• Board and senior management oversight
• Sound capital assessment
• Comprehensive assessment of risks
• Monitoring and reporting
• Internal control review

6
 Fundamental elements of sound capital
assessment

• Policies and procedures designed to ensure that the bank ident

ifies, measures, and reports all material risks
• A process that relates capital to the level of risk
• A process that states capital adequacy goals with respect to ris
k, taking account of the bank’s strategic focus and business pl
an
• A process of internal controls, reviews and audit to ensure the
integrity of the overall management process

7
 Existing supervisory framework
Risk-based Process for setting
CAMEL rating system
supervision minimum CAR

To assess AIs' overall To assess AIs' overall To determine minimum

safety and soundness risk profile CAR for local AIs

Board and senior

management oversight
Risk management
Management No formal process
system
Comprehensive internal
controls

Inherent risks
Assets Factors for consideration
- CAMEL rating
Liquidity Direction of risk - Risk profile
- Parental support
Capital - Other relevant factors
specific to AI concerned
Earnings

8
COMPOSITE RATING RISK PROFILE MINIMUM CAR
 Enhanced supervisory framework
CAMEL rating system Risk-based supervision
To assess AIs' overall To assess AIs' overall
safety and soundness risk profile
Process for setting
minimum CAR
To determine minimum
CAR for local AIs

Board and senior Board and senior

management oversight management oversight
Risk management
Risk management system
system
Management Internal control system and
environment
Comprehensive internal
Infrastructure to meet
controls
business needs
Other support systems

Pillar 1 risks
(standardised at 8%)

Assets Inherent risks

Pillar 2 risks
(stress / scenario tests
and peer group comparison
to be incorporated)

Liquidity Direction of risk

Capital Capital adequacy and

capability to withstand
risks (stress and scenario
Earnings tests to be incorporated)

9
COMPOSITE RATING RISK PROFILE MINIMUM CAR
Inherent Risks - Mapping between Pillars 1 & 2
Eight inhe re nt risks
unde r risk-ba se d Pilla r 1 risks
supe rvision
- Counterparty default risk
Credit risk
- Transaction risk
(e.g. through recognition of
CRM)
Trading risk arising from
adverse movements in interest
Market risk
rates, FX, security and
commodity prices
Interest rate risk in the trading
Interest rate risk
book
Liquidity risk
Risk of loss resulting from
Operational risk inadequate or failed internal
(including legal risk ) processes, people and
systems / from external events
Strategic risk
Reputation risk
Pilla r 2 risks
- Credit concentration risk
- Portfolio risk (aggressive
expansion / deterioration
in asset quality etc)
- Res idual risk (from using
CRM / securitisation etc)
Residual risk (e.g.
vulnerability under stress and
scenario tests)
Interest rate risk in the
banking book
- Funding (c ash) liquidity
risk
- Ass et (market) liquidity
risk
Residual operational ris k
(e.g. risk of loss resulting
from low-frequency, high-
impact events)
Risk due to:
- bad / imprudent or
inproperly implemented
business decisions or
strategies
- lack of response to
external changes
(industry, economic or IT)
Risk due to contagion,
negative publicity or
susc eptibility to market 10
rumours
 Pillar 2 factors (1)

 Risks not directly captured under Pillar 1

– Credit concentration risk
– Interest rate risk in the banking book
– Liquidity risk
– Risks arising from portfolio analysis / aggregation (other
than credit concentration risk) – e.g. aggressive credit
expansion, rapid deterioration of asset quality etc.
– Strategic / reputation risks
– Business cycle risk

11
 Pillar 2 factors (2)
 Risks not fully captured under Pillar 1
– Residual operational risk (including legal risk)
– Residual credit risk (e.g. ineffective credit risk mitigation)
– Risks arising from securitisation / complex credit
derivatives (e.g. insufficient risk transfer, market
innovations, etc.)
 Systems and controls
– Risk management system
 Policies, procedures and limits for managing inherent
risks
 Risk measurement, monitoring and reporting systems /
processes to ensure compliance with established policies,
procedures and limits
12
 Pillar 2 factors (3)

 Systems and controls (cont’d)

– Internal control system and environment
 Segregation of duties and responsibilities
 Audit and compliance functions
– Infrastructure to meet business needs
 IT capability and reliability to support business
initiatives
 Competence, sufficiency and stability of key staff
 Outsourcing arrangements
– Other support systems
 Anti-money laundering system / accounting system
etc.
13
 Pillar 2 factors (4)

 Capital adequacy and capability to withstand risks

– Adequacy and effectiveness of CAAP
– Capital adequacy to meet current and future business needs
and to withstand business cycles and adverse economic
conditions
– Quality of capital
– Access to additional capital, particularly under stressed
situations
– Strength and availability of parental support, where
applicable
– Capital contingency plan

14
 Pillar 2 factors (5)
 Corporate governance
– General compliance with corporate governance guidelines
– Risk management knowledge and experience of the board
and senior management
– Awareness of the board and senior management in relation
to risk management and control issues
– Participation and involvement of the board and senior
management in :
 risk management processes
 risk management development and enhancement
– Responsiveness of the board and senior management to
supervisory concerns in respect of risk management and
control weaknesses
15
 Conclusions
 Planning for Pillar 2 is possibly even more challenging than for
Pillar 1, as it is not simply a matter of choosing between a
limited number of options
 Rather, banks need to raise their awareness of risk and determine
a long-term strategy for improving the identification, assessment
and management of their risk
 While improved risk management should bring its own rewards,
it may also translate into lower regulatory capital requirements
as the regulator’s degree of comfort with the bank’s risk
management practices increases
 Ultimately, a little further down the line, it should be banks
themselves that decide how much capital they need, not
regulators. But the process will have to be highly developed,
systematic, and all-encompassing – quite a challenge
16