Subscribe

Basel II compliance to stimulate spend on IT


Johannesburg, 16 Sep 2004

Basel II, less commonly known as the International Convergence of Capital Measurement and Capital Standards: a Revised Framework, will have a major positive impact on IT budgets and spend in the next few years.

This is the message from Escrow Europe director, Andrew Stekhoven, who returned this week from a conference in the Netherlands where he presented a paper on the implications of compliance for chief technology officers.

According to Stekhoven, the management of software use and compliance with accords are becoming increasingly popular and necessary applications for today`s CIOs.

For example, he quoted, the IDC states that compliance is the number one IT investment focus for organisations in 2004. Furthermore, AMR Research indicates that more than $5 billion will be spent on compliance-related activities and IT purchases this year alone in the US.

With respect to Basel II, Stekhoven said most corporations are heeding the call for compliance. Referring to a survey conducted by the Global Association of Risk Professionals (GARP), he highlighted that over 70% of firms polled expected to be Basel II compliant by 2006, as the following results show:

* What is the likelihood that your firm will be fully compliant with Basel II by the current 2006 deadline?

No chance: 7%
Unlikely: 19%
Somewhat probable: 40 %
Very probable: 33%

* After Basel II is implemented, internal risk management at my firm will be:

Greatly improved: 30%
Somewhat improved: 56%
Unchanged: 9%
Somewhat hampered: 4%

* Which of the following tasks do you anticipate being the largest `Basel II-inspired` credit-risk challenge?

Deployment of new technology: 19%
Capital allocation calculation: 26%
Data aggregation: 32%
Data cleansing: 18%
Other: 4%

"Today`s firms face an alphabet soup of compliance requirements - for companies doing business in or with the US there`s Sarbanes-Oxley; globally there`s ISO 17799, Basel II and the IDC/BSA Piracy Report; and locally King II and the FAIS Bill to name but a few.

"As with any complex regulatory pronouncement, business-risk service providers such as the management consultants will initially gain the most business since they provide advice and counsel to clients on understanding and interpreting the regulation and developing a strategy and approach to address it.

"IT service providers then play a role in defining and implementing supporting IT tool solutions. The challenge these IT service providers and outsourcers face is that, overall, the regulations make their business models and offerings more complex and expensive, and most are still working through how to address them in an adequate and profitable manner."

Stekhoven said it was critical CIOs realise that, at the same time as they become more reliant on IT to ensure their compliance, they become more reliant on software systems that do not `lock, stock and barrel` belong to them.

"This dependence implies risk, particularly if the system is directly related to the core business process. In this instance, it is crucial to minimise the company`s exposure and escrow is the pre-eminent vehicle to do that," he said.

Software escrow provides for the deposit of the source code of a vital software product with a neutral third-party. This third-party is authorised to release the source to the end-user under conditions agreed upon by the supplier and end-user in the escrow agreement.

"Companies should opt for escrow because it guarantees availability and continuity of use of vital know-how as well as safeguards critical business process," said Stekhoven. "In addition, it protects software, hardware and industrial investments, and reduces dependency on third-parties or employees.

"Escrow Europe is among the world leaders in active escrow. The difference between passive escrow and active escrow is that the latter warrants that the items held under escrow are up-to-date.

"A simple comparison could be made to a first aid kit: someone playing a passive role may simply ensure there is a kit; the person playing an active role would, however, open the kit regularly, and, according to a consistent set of rules, check there are sufficient supplies, check that none of the medicines it contains are past their `sell by` dates, and confirm the contents by means of a written report for the record.

"In SA, we have formed a strategic relationship with Buys Inc, a leading `new age` law firm, to provide practical and cost-effective solutions to address the risks governed by ISO 17799 and other local and international IT governance guidelines.

"Step one in the solution is active source code escrow and step two is a software and intellectual property compliance audit combined with a software licence and use policy. Buys Inc has also developed an extensive checklist to assist companies evaluate their risk," he said.

For more information about Escrow Europe`s South African office, visit www.itweb.co.za/office/escroweurope/ and for the global operation see www.escroweurope.com. To view Buys Inc`s checklist, go to http://www.buys.co.za/gbDownloads.asp?field=file&RID=94.

Share

Note 1: IDC

IDC is a subsidiary of IDG. A privately-held company, IDG publishes more than 300 magazines and newspapers including Bio-IT World, CIO, CSO, Computerworld, GamePro, InfoWorld, Network World and PC World. The company features the largest network of technology-specific Web sites with more than 400 around the world. IDG is also a leading producer of more than 170 computer-related events worldwide including LinuxWorld Conference & Expo, Macworld Conference & Expo, DEMO and IDC Directions. IDC provides global market research and advice through offices in 50 countries.

Note 2: Basel II

The parents of Basel II are the members of the Basel Committee on Bank Supervision. Very briefly, this was established in 1974, with the remit of formulating a standardised set of supervisory principles. The committee reports to the central bank Governors of the Group of Ten (G10) countries and seeks the Governors` endorsement for its major initiatives.

The Committee formulates broad supervisory standards and guidelines and recommends statements of best practice in the expectation that individual authorities will take steps to implement them through detailed arrangements - statutory or otherwise - which are best suited to their own national systems.

One important objective of its work has been to close gaps in international supervisory coverage in pursuit of two basic principles: that no foreign banking establishment should escape supervision; and that supervision should be adequate.

In 1998, the committee introduced the Basel Capital Accord, which was a framework for credit risk measurement. This has now been superseded by the International Convergence of Capital Measurement and Capital Standards: a Revised Framework, the new capital adequacy framework commonly known as Basel II.

Basel II therefore affects financial institutions and enforces the need for a risk management strategy based on operational risk.

The fundamental technical challenge for both banks and supervisors has been to determine how much capital is necessary to serve as a sufficient buffer against unexpected losses:

If capital levels are too low, banks may be unable to absorb high levels of losses. Excessively low levels of capital increase the risk of bank failures that, in turn, may put depositors` funds at risk.

If capital levels are too high, banks may not be able to make the most efficient use of their resources, which may constrain their ability to make credit available.

The overarching goal for the Basel II Framework is to promote the adequate capitalisation of banks and to encourage improvements in risk management, thereby strengthening the stability of the financial system.

This goal will be accomplished through the introduction of `three pillars` that reinforce each other and that create incentives for banks to enhance the quality of their control processes.

These three pillars are:

* Minimum capital requirements, which seek to refine the measurement framework set out in the 1988 Accord (dealing with credit risk, operational risk and market risk).

* Supervisory review of an institution`s capital adequacy and internal assessment process.

* Market discipline through effective disclosure to encourage safe and sound banking practices.

Editorial contacts

Petra Peacock
C-Cubed Communications
(011) 794 4665
petrap@iafrica.com