from compliance to competitive advantagesep2003

Basel II: From Compliance to Competitive Advantage

FileNet in Financial Services

Christopher McLaughlin, Director, Financial Services Marketing

September 2003

Executive SummaryThe seat of first world finance capital is Basel, Switzerland. It is here that theCentral Banks of the Group of Ten (G10), the 10 wealthiest nations in the world,form the directorate of the Bank for International Settlements (BIS)aninternational bank for central bankers. The Basel Committee on BankingSupervision is a committee of bank supervisory authorities from the G10. Theymeet regularly at the BIS in Switzerland and are now making the final revisionsto an international agreement known as the Basel Capital Accord, or Basel II.This accord sets bank supervision, risk-based capital, and disclosurerequirements for banks operating internationally and is anticipated to befinalized at the end of 2003.

The original Basel Capital Accord, which was established in 1988, was intendedto level the playing field in the international Financial Services community byaddressing geographical inequities in regulation and establishing a uniformminimum capital requirement for Financial Services Institutions (FSIs). However,over the past decade the effectiveness of the original accord has diminished.The new Capital Accord, Basel II, addresses some of the root causes andexcessive risk-taking behind such notable financial upheavals as the LatinAmerican debt crisis, the various Asian financial crises, and the US Savings andLoans debacle. The new Accord is intended to bring a greater rigor to riskmeasurement and management practices in Financial Services and to betteralign capital reserves with actual risk exposure. As with the first Accord,Basel II is again intended to levelthe playing field in FinancialServices, bringing parity to themarketplace and ensuring faircompetition across geographies.

However, as many FinancialServices Institutions are quicklyrecognizing, Basel II may, in fact,have the opposite effect. ManyFinancial Services Institutionshave chosen to focus solely upon compliance with the new Basel regulations.They view Basel II as yet another regulatory requirement that needs to beaddressed and, to a certain extent as cost of doing business in the FinancialServices marketplace.

But there is a group of forward-looking FSIs that is moving beyond simplecompliance and leveraging the more advanced risk management modelsavailable under the Basel II Accord. They view Basel II as an opportunity togain competitive advantage in the marketplace. Their compliance activities arenot viewed as cost items, but rather as investments that are expected to paylonger-term dividends for their organizations and their stakeholders.

FileNet in Financial ServicesBasel II: From Compliance to Competitive AdvantageSeptember 2003

FileNet Corporation 3565 Harbor Boulevard, Costa Mesa, CA, USA 92626-1420www.filenet.com Phone: 800.FileNet (345.3638) Outside the U.S. call 714.327.4800 page 2

Under Basel II, FSIs which have gathered the appropriate historical data andinstalled proven risk management processes and internal controls can develophighly granular models for accurately measuring and managing both credit andoperational risk. This, in turn, will allow FSIs to reduce their overall capitalreserves due to reduced risk exposure. As these organizations become moreeffective in measuring and monitoring risk, they are able to focus on highrisk/high return business to actively mitigate risk across the enterprise, furtherreducing their exposure and corresponding capital reserve requirements.

To achieve compliance and accomplish competitive advantage, FSIs need toestablish an Enterprise Risk Management (ERM) architecture that will allowthem to actively measure, monitor, and respond to risk. Enterprise RiskManagement is not a single point solution; rather, ERM is comprised of anumber of foundational technologies with Enterprise Content Management(ECM) comprising the core component.

Effective risk management is the result of efficient business processes.Therefore, it is essential that any ERM architecture incorporate robust businessprocess management capabilities. FileNet Enterprise Content Managementsolutions are uniquely focused on managing complex business processes andthe corresponding data and information that drive these processes, enablingeffective process controls, triggering organizational response to risk, anddriving continuous process improvement.

In the following document, we will discuss some of the issues and opportunitiesassociated with the Basel II Capital Accord. We will also explore the centralrole that Enterprise Content Management will play in enabling FinancialServices Institutions to achieve true competitive advantage.

Basel II: Business Challenge or Opportunity?There is no doubt that Basel II introduces additional complexity for mostFinancial Services organizations. Compliance will be challenging and manyorganizations will struggle simply to meet the established deadlines for the newAccord. Smaller FSIs in particular will find it difficult to amass the historicaldata necessary to validate their models for risk measurement and management.Basel II compliance represents a true business challenge for every FinancialServices organization.

Forward-thinking FSIs have elected to look past the immediate challengesposed by Basel II. These organizations are aggressively pursuing compliancetoday as an opportunity for competitive advantage tomorrow.

It is intended that the Standardized Approach for risk management proposedunder Basel II will not increase the aggregate regulatory capital requirementsfor banks that elect to employ this model. But it is obvious that banks thatleverage the advanced Internal Ratings-Based (IRB) approach for credit riskand, more importantly, the Advanced Measurement Approach (AMA) for



While many institutions still look at

Basel II with a mindset of basic

compliance, others are actively

pursuing a more advanced approach

to risk management for competitive

advantage and operational

efficiency. Financial institutions that

are exposed to even moderate levels

of credit risk and operational

complexity should benefit by

embracing a more advanced Basel II

risk management framework.

- The TowerGroup, Inc. [1]

operational risk will gain greater benefit from the new Capital Accord.

Simply put, firms that leverage these advanced risk measurement approacheswill be able to more accurately represent their risk to their respectiveregulatory agencies. This will result in reduced aggregate capital requirements,effectively lowering the cost of capital to the organization. By managing riskmore effectively, these organizations will be able to realize greater profitmargins or more competitively price products and services and seize marketshare from the competition. Additionally, as their risk management capabilitiesevolve, these firms may also find that their organizational credit ratings improve,resulting in even less capital requirements under the new Basel Accord.

Focusing on Operational RiskMost FSIs seeking competitive advantage from Basel II have chosen to focuson operational risk. Why? Because most of these firms feel that adopting theAdvanced IRB approach to measuring credit risk is more a matter of avoidingcompetitive disadvantage than establishing differentiation. The bottom line isthat most large FSIs are expected to adopt the Advanced IRB approach andthose that do not are going to be faced with a long, uphill battle in themarketplace.

In a recent authoritative survey, 70% of respondents felt that Operational RiskManagement represented the best opportunity for differentiation andcompetitive advantage under Basel II. [2] As a result, many firms are nowputting in place the necessary processes, technology, and internal controls tofully adopt the AMA approach for measuring operational risk.



What is Operational Risk?

For the sake of simplicity, here is the definition of operational risk put forth bythe Basel Committee:

The most important types of operational risk involve breakdowns in internalcontrols and corporate governance. Such breakdowns can lead to financiallosses through error, fraud, or failure to perform in a timely manner or cause theinterests of the bank to be compromised in some other way, for example, by itsdealers, lending officers or other staff exceeding their authority or conductingbusiness in an unethical or risky manner. Other aspects of operational riskinclude major failure of information technology systems or events such as majorfires or other disasters. [3]

The following diagram, provided by Gartner Inc., depicts the three major riskclassifications that Basel II addressescredit, operational, and marketandprovides several different examples of potential operational risk incidents:

It is important to note that the lines between operational and credit or evenmarket risk are often blurry. At some point, operational issues can lead directlyto credit issues and loss of position in the marketplace. The balance of thisdocument will focus on the various aspects of operational risk as outlinedabove.

From Compliance to Competitive AdvantageThere appears to be an emerging, logical progression in how firms arepreparing for the new Basel Accord. This progression incorporates threedistinct phases:



Source: Gartner Inc. [4]



Risk Measurement

The ability to accurately measure and report risk to regulatory agencies is thefirst priority for most Financial Services Institutions. This involves a top-downrisk measurement approach that will allow FSIs to become compliant with theregulatory requirements of Basel II. While some FSIs may proceed directly tomore advanced risk measurement approaches for assessing credit risk, mostwill begin by adopting the standardized approach, especially in the area ofoperational risk. During this phase, most firms will focus on gathering historicalrisk data to establish the necessary baseline for risk measurement activities. Itis important to note that many firms and most notably smaller firms mayelect to stop investing in Basel II once they have achieved the required level ofcompliance. It is important to note that this is largely a rearward-lookingapproach to risk managementemploying past risk events to predict andmeasure future exposure.

Advanced Risk Assessment

As firms move into the second phase, they will begin to embrace the advancedIRB and AMA approaches. To effectively leverage these processes, FSIs willneed to employ more detailed, bottom-up methods for gathering and reportingrisk information. These activities will produce a more granular view of riskexposure and events, enabling firms to be more accurate in representingcurrent market, credit, and operational risk. This phase of response will begin tomove firms from compliance to achieving some level of competitive advantage,especially as they begin to adopt the AMA approach for operational risk.Banking firms should begin seeing a reduction in their required capital reservesas they communicate their reduced exposure to their respective regulatoryagencies. It should be noted that moving to the Advanced IRB and AMAapproaches for risk measurement significantly increases the complexity ofactivity. Rigorous processes for gathering risk data and information andeffective internal controls must be established to validate the informationgathering process.

Risk Management and Mitigation

Finally, FSIs will begin to actively manage and mitigate risk in areas of highexposure. Most will employ a two-fold approach by asking:

What activities or processes typically incur the highest incidence of riskevents?

By incident, where does the organization incur the greatest monetaryexposure?

For example, an activity may have a very high incidence of risk events, but verylow overall monetary exposure assigning it a lower priority for risk mitigation.

In the United States, already there are examples of Financial Servicesorganizations beginning to actively examine their core business processes forrisk exposure. The next step in this activity will be to stack-rank theirprocesses. Once a priority order has been established, these firms will begin toincrease internal controls and enable continuous process improvement toreduce their overall risk exposure. It may very well prove out that roughly 80%of their risk exposure is incorporated in the top 20% of their prioritizedprocesses.

The Geographies of Basel IIThere is tremendous variance in how Financial Services organizations areresponding to Basel II. However, some key trends are emerging in variousgeographies.

Europe has proven to be the most active in implementing Basel II withwidespread activity across the European marketplace and most FSIs activelypositioning themselves for full compliance. However, in general, the approachto Basel II compliance in Europe has been fairly conservative. With notableexceptions, most firms have elected to focus primarily on compliance and, inmany cases, on minimizing Basel II expenditures. Many banks are finding itdifficult to develop the necessary historical data required under Basel II andwill be initially forced to adopt the Standardized approach to credit riskmanagement. Firms focusing more on operational risk management appear tobe the exception rather than the rule.

In the United States, where it is likely that only a small percentage of bankingfirms will be required to comply with Basel II, there has been a more aggressiveresponse. Most of the large US Bancorps (which will likely be subject to BaselII) have been subject to stringent credit risk regulation for some time. They arecomfortable with the requirements of the Advanced IRB approach and are nowbeginning to focus heavily on operational risk management. The most forward-looking of these firms have begun to actively catalogue and review theiroperational risk processes, seeking to identify areas of high-risk exposure forfuture mitigation efforts.

It would appear that the Asian market has been slow to come around to the realcompetitive implications of Basel II. Issues with non-performing loans havedistracted the Japanese banks and concerns about funding have hamperedbanks in other parts of Asia. Unfortunately, these same organizations alreadyare suffering from intense competitive pressure and Basel II will, in allprobability, make it even more difficult for Asian banks to compete effectivelywith many of the international firms. China recently submitted a letter to the BISindicating they would not adopt the Basel II Accord in compliance with the



One process that received specialmention was a formal new productreview process involving business,risk management, and internalcontrol functions. Several banksnoted that necessity of updating riskevaluation and assessments of thequality of controls as products andactivities change and as deficienciesare discovered.

Basel Committee on Banking

Supervision [5]


FileNet Corporation 3565 Harbor Boulevard, Costa Mesa, CA, USA 92626-1420www.filenet.com Phone: 800.FileNet (345.3638) Outside the U.S. call 714.327.4800

established 2006 deadline and would continue to comply with the tenants of the1988 agreement. In the communication, China specifically cited concerns overopportunities for competitive disadvantage.

Enterprise Content Management: A Key Component ofEnterprise Risk Management SolutionsMany Financial Services organizations are now planning to deploy EnterpriseRisk Management (ERM) architectures. Far from a simple point solution, ERMarchitectures incorporate a broad array of integrated technologies. Thefollowing diagram, produced by Gartner Inc., provides a requirementsframework:

It is important to note that no single-point solution can adequately address thefull spectrum of capabilities depicted in this diagram. Rather, the ERMarchitecture is typically comprised of a central Enterprise Content Managementplatform that has been tightly integrated with other essential technologies,including:

ERP applications;

Business rules engines;

Data warehouses and analytics (OLAP); and

Reporting and querying toolsets.

Understanding Enterprise Content ManagementFileNet Enterprise Content Management (ECM) solutions are designed to giveyour company a competitive edge whenever theres a decision to be made.With the combination of process, content, and connectivity, our solutions allow

page 8

Source: Gartner Inc. [6]


FileNet Corporation 3565 Harbor Boulevard, Costa Mesa, CA, USA 92626-1420www.filenet.com Phone: 800.FileNet (345.3638) Outside the U.S. call 714.327.4800

One area that will gain momentumfrom new regulatory demands is themovement toward straight-throughprocessing. The restructuring ofbusiness and technology processesto enable the simultaneousautomated exchange of informationacross lines of business is key toeffective risk management. Asbusiness processes are increasinglye-enabled, risk identification andmanagement require fasterresponse. Institutions can no longerafford to manage risk using the rearview mirror approach historical dataoffers.

Gartner Inc. [7]

customers to build and sustain competitive advantage by managing contentthroughout their organization, automating and streamlining their businessprocesses, and providing the full-spectrum of connectivity needed to simplifyyour critical and everyday decision making.

Process

Process is at the core of all Financial Services Institutions. Simply put, processis how business gets done. ECM solutions incorporate process managementfunctionality to effectively automate, control, and accelerate businessprocesses. ECM encompasses more than simple workflow automationcapabilities; processes can be modeled, analyzed, and improved to ensurecontinual regulatory compliance and maximum operational efficiency.

Content

Content is simply information. It can include unstructured information such asscanned images, electronic documents (e.g. MS Excel files), rich media, andfaxes, plus structured data such as information typically stored in a database. Inmost Financial Services organizations, unstructured information can representup to 80% of all corporate content.

Connectivity

Technology cannot exist in a vacuum. In order to gain maximum value from bothnew and existing IT investments, systems must be able to connect to oneanother. ECM incorporates business integration capabilities, allowing FinancialServices organizations to leverage their existing IT architectures in developingnew ERM solutions.

ECM and the ERM Architecture Enterprise Content Management plays a critical role in each of the RiskManagement Technology Requirement Framework areas shown in the tableabove:

Connect and Integrate

FileNet ECM solutions incorporate robust connectivity capabilities that allowseamless integration with existing technology. When combined with FileNetsBusiness Process Management capabilities, connectivity allows ECM to delivercritical structured information (data) to process participants and improvedecision-making, efficiency, and process control. FileNet ECM also providesout-of-the-box integration with many of the leading portal providers, allowingfor the rapid development of management/audit dashboards and increasingtransparency of core business processes, events, and outcomes.

page 9



Plan and Oversee

Planning and oversight of compliance and risk management functions is areiterative, process-driven activity. With a strong foundation in BusinessProcess Management (BPM), FileNet ECM enables FSIs to rapidly model newand existing business processes. Through process simulation, new procedurescan be fully tested prior to production implementation. The ability to model andtest new or modified procedures can further reduce operational risk across theorganization.

Collect Data

FileNet ECM provides a fully scalable, enterprise-class foundation for managingunstructured content. It allows FSIs to establish a single, centralized repositoryfor critical Basel II content that is accessible throughout the enterprise and alsocan provide secure third-party access for auditors, regulators, and otherinterested parties. Through Business Process Management, FileNet has theability to collect and report process execution and metrics in great detail. Riskevents can be identified and captured as they occur to provide greateraccuracy in measuring the incidence of risk and the resulting exposure.

Manage Data

Content can be stored indefinitely and then rapidly located and retrieved fromthe enterprise repository. Document retention can be automated ensuring thatcritical records are retained for the appropriate amount of time. ECM alsoincorporates robust versioning and check-in/check-out functionality, allowingcontent to be modified and annotated without adversely affecting the validity ofthe original documentation. Core business processes can also be versioned andreproduced at any point in time to provide an accurate historical representationof compliance and risk management activities.

Analyze Events

One of the key benefits of Business Process Management is the ability to modeland analyze risk events. New and existing risk management processes can belaid out within FileNet ECM so risk events can be simulated and responsemechanisms can be tested for future analysis and response tuning.

Respond to Events

FileNet ECM incorporates an event-driven Business Process Managementarchitecture that allows FSIs to define triggers predetermined events thatinitiate completely automated responses. An automated response can rangefrom a simple electronic notification to a complex, multi-threaded businessprocess that allows a firm to coordinate response across the organization andeffectively mitigate risk at an enterprise level.

Report and Advise

In addition to automated electronic messaging, FileNet ECM can gather criticalmetrics throughout a process lifecycle, enabling FSIs to gain valuable insightinto their core business processes and various risk events. Through nativeportal and application server integration capabilities, FileNet ECM can drive thisaggregated information to any number of available performance dashboards forrapid access by management.

ECM and ERM BenefitsWithin the ERM architecture, FileNet ECM enables Financial Servicesorganizations to better measure, monitor, and respond to operational risk.

Actively Monitor and Respond to Risk

FSIs must actively monitor and rapidly respond to risk events as they occur.Relying exclusively on historical risk information to predict and respond to riskexposure is analogous to driving a car while looking in the rear-view mirror. Itonly provides part of the picture.

FileNet ECM is designed to enable real-time response to critical risk issuessuch as suspected fraud, human errors, governance issues, and more. BecauseFileNet incorporates an event-driven architecture, key individuals in theorganization can be immediately notified when a risk event occurs. Further,FileNet can outline the appropriate response to mitigate and manage the risk.

Out-of-the-box integration with industry-leading business rules engines letsFileNet ECM leverage complex business rules for even greater efficacy in riskresponse.

Drive Operational Transparency

FileNet ECM insures that management is instantly made aware of critical riskevents and actively monitors the organizations response to the incident.Further, by means of a performance dashboard, executive leadership can beprovided with a holistic, enterprise view of risk across the organization. Adifferent view of this same information can be provided to third-party auditorsand government regulators to facilitate continued compliance with Basel II.

Centralize Risk Management Processes

Basel II is also driving FSIs to consider consolidating their risk managementprocesses and procedures into a more centralized approach. FileNet ECMprovides an ideal platform for centralizing risk management processes. Anunlimited number of processes can be developed and stored, rapidly modifiedutilizing a user-friendly graphic interface, and then immediately deployed. Riskprocesses can be easily replicated, allowing for best practices to be leveragedacross the organization.



Under the proposed requirements,an institutions minimum requiredcapital could increase significantly ifit fails to take advantage of the more-sophisticated internal measurementoptions offered under the newaccord, and cannot prove throughhistorical data, current processesand methodologies that it qualifiesfor a lower capital charge. Thisrequires demonstrated compliancewith several expected standardsregarding the identification,measurement, and control of risk thatcan only be achieved with riskpractices that are integrated acrossthe enterprise, including operationaldata capture, analysis, and overallrisk management processes.

Gartner Inc. [8]

Accomplish True Business Agility

Financial Services organizations should not only aim to actively manage andrespond to risk, they should also mitigate risk as new products and services aredeveloped and introduced.

FileNet ECM incorporates several capabilities that enable FSIs to bettermanage risk associated with new products and to achieve true business agility.ECM allows FSIs to simulate and test the impact of new products and serviceson their existing risk processes and procedures. New processes can then berapidly modeled and existing processes quickly modified to address anydeficiencies.

Looking Beyond Basel IIFileNet Enterprise Content Management is not only a critical component of theERM architecture, but is also an enterprise-class ECM platform capable ofdelivering significant business value across the organization. What is oftenoverlooked in addressing regulatory compliance and risk managementrequirements is the tremendous opportunity for cycle-time reductions andoperational cost savings inherent in many core business processes.

ConclusionsThe Basel II Capital Accord is the latest in a long line of regulatoryrequirements to emerge in the Financial Services marketplace. However, in theend, responding to Basel II isnt simply a costly exercise in achievingcompliance; rather, it is a critical opportunity for gaining competitive advantage.Financial Services Institutions must seize this opportunity to more accuratelymeasure and better manage risk across the entire enterprise. These efforts willyield significant returns in terms of reduced capital reserve requirements,increased profitability, and greater market share.

In order to realize these returns and move from compliance to competitiveadvantage, FSIs must leverage Enterprise Content Management as the centraltechnology in their Enterprise Risk Management architecture. It is only throughECMs robust business process and content management capabilities that FSIscan actively monitor and mitigate risk, improve organizational transparency, andaccomplish true business agility to fully take advantage of the uniqueopportunity Basel II offers.



Organizations must balance the

tactical investments required to meet

short-term regulatory deadlines with

the long-term requirements to

strategically manage overall

regulatory demands while

simultaneously improving business

performance and efficiency.

META Group [9]

About FileNetFileNet Corporation (NASDAQ: FILE) helps organizations make better decisionsfaster by managing the content and processes that drive business. FileNetEnterprise Content Management (ECM) solutions allow customers to build andsustain competitive advantage by managing content throughout theirorganizations, automating and streamlining their business processes, andproviding the full-spectrum of connectivity needed to simplify their critical andeveryday decision-making.

Headquartered in Costa Mesa, California, FileNet serves over 3,900 customers,including 20 of the top 25 US banks, more than 350 global banks, and nearly1,000 Financial Services organizations in total.

Contact InformationBrian Edmondson VP Financial Services SolutionsFileNet Corporation +44 1895 20 [email protected]

Sources[1] TowerGroup Director Guillermo Kopp

Basel II Operational Risk Management Strategies and FSI Performance;March 2003

[2] Your Basel II Implementation: compliant or Catalytic?; IBM, Institute forBusiness Value, 2003

[3] Operational Risk Management; Basel Committee on Banking Supervision,1998

[4] Enterprise Risk Management and Financial Services IT; Gartner Inc., 2003

[5] Operational Risk Management; Basel Committee on Banking Supervision,1998

[6] Technology Suites Begin to Address ERM Processes; Gartner Inc., 2003

[7] Risk Management in the New Regulatory Environment; Gartner Inc., 2003

[8] Ibid

[9] Stocking the Compliance Toolbox to Meet SOX Section 404; META Group,2003


FileNet Corporation 3565 Harbor Boulevard, Costa Mesa, CA, USA 92626-1420www.filenet.com Phone: 800.FileNet (345.3638) Outside the U.S. call 714.327.4800 0903/1663 page 13

Representative FileNet FinancialServices Customers Include:

Allianz

Banco Itau S.A.

Bank of America

Barclays

BB&T

BNP Paribas

Capital One

Charles Schwab

CIBC

Citigroup

Credit Suisse

Deutsche Bank

FleetBoston

GMAC

HSBC

JP Morgan Chase

KeyCorp

M&T Bank

Mellon

Mizuho Corporate Bank

Morgan Stanley

PNC

Prudential

The Royal Bank of Scotland

Standard Bank

U.S. Bancorp

Visa

Wachovia

Washington Mutual

Wells Fargo

from compliance to competitive advantagesep2003

Documents