Basel II focusses more on operational risk

Basel II compliance involves a strict focus on operational risk, which is why information
security comes into the picture. Jeffrey Hoo, Services & Management Systems
Field Director, Regional Product Marketing, Asia Pacific, Symantec, discusses
the details of Basel II compliance in a conversation with Anil Patrick R.
Are information security and Basel II related concepts?
The difference between Basel I and Basel II is that the latter focusses more
on operational risk. This emphasis is not present in Basel I, which focusses
more on credit risks.
When operational risk was introduced in January 2001, banks were still focussing
on credit risk. This means that they understand how to set policies right to
comply with credit risk management requirements, but not operational risk. Operational
risk brings into the picture day-to-day operational processes and how you conduct
your business. Banks are overwhelmed, and they are still trying to understand
the big picture vis-à-vis operational risk.
This is why banks need to divide it into more manageable units in different
areas to make it easier for addressing risk. Information security is only one
part of the operational risk that they need to address.
How is the information security aspect dealt with in Basel
At first glance there are only 10 principles that talk about information security
risk with respect to operational risk. Yet these are thick chapters of Basel
II which have significant impact on the entire Basel II accord since almost
every banking system used today relies on computers.
Whether it is credit risk or human resources or business units not related to
information technology, computers are used. These have to interact with each
other by means of connectivity, internal or external. In addition to these,
there are added security risks due to e-commerce, Internet banking, etc.
Technology reaches more than just the business units discussed in Basel II.
The fact is that these systems use electronic forms and rely on computers to
do business; these put all business units at risk. This is the role of information
security in Basel II.
IT plays a role in all channels whether it is ATMs, net
banking or core banking systems. Will banks have to change existing security
infrastructure or policies to comply with Basel II?
I cannot comment on Indian banks because I do not represent them. But I can
provide some aspects based on our research and observations from interactions
with Indian banks.
It looks like Indian banks are more familiar with the credit
risk type of compliance than the information security aspect of operational
risk. They are not able to piece together the inter-operability between information
security risk and operational risk. They feel that these two are the same; they are not.
In a Basel II template which talks about how banks should set up a risk management
environment, it actually mentions that banks should conduct an internal audit
regularly to ensure the absence of loopholes and non-compliances with policies.
It seems that Indian banks were not able to separate the internal auditing of
systems and the people who are actually managing day-to-day operations of security.
My guess at this point of time is that Indian banks are still not putting sufficient
emphasis on security. They are looking at all other aspects related to credit
risk and operational risk, but information security is under-addressed. They
are not able to piece things together for a holistic approach. They are approaching
it part by part, and several times they might not be able to connect well from
these principles to the general credit risk.
If a bank wants to go the Basel II way, where does it start?
First of all, we need to be specific. If a bank wants to go the Basel II way,
it is a very complex process.
If you specify information security, first of all you need to understand the
security position with respect to Basel II. There are 10 principles which talk
about how banks should set up risk management environments.
The first portion is meant for corporate directors who have to be aware and
approve the systems that have to be in place. Then come senior staff who manage
day-to-day operations. These are the two sides that have to be taken care of.
Then there are other processes that have to be defined by Basel II in that area.
The second part of Basel II relates to regulators. For example, what should
regulators do in their country when it comes to corporate governance? This includes
checking banks to ensure that they have the system in place and do external
audits. In India's case, that would be the RBI.
The last part deals with the market. This is about people like you and me who
have to be sure that proper credit systems are in place to safeguard our money.
By this I mean that there are sufficient safeguards in the form of security
technologies, people and processes in place to ensure that my money is not being
transferred by hackers to their accounts.
These are the three portions in the 10 principles that address the risk management
environment. Once you understand these right, you need to figure out how to
translate these guidelines into a multi-tech process. This process has to be
more precise in order to manage all the risks associated with an organisations
Although the process varies for different banks, is there
a typical timeframe within which a bank can become Basel II compliant?
First of all, no one today can give the correct answer since this a learning
phase for all banks. But a path has been defined and agreed upon in 2001.
If you are doing business with international banks, they are all subject to
Basel II compliance. I think that compliance is an ongoing process. Let's
say that you are compliant to Basel II today. But what if there is a merger
or acquisition or if there is a system upgrade? The moment you touch the systems,
whether small or big, you alter your security posture and become non-compliant.
So compliance is an ongoing process.
Are there any best practices in place for organisations
to get a jump start?
You don't have to search the entire library to find such best practices.
There are already a set of best practices in place in the form of ISO 17799.
This gives you details of all the best practices that are in place to prepare
various infrastructure systems.
Do you think Indian banks will be able to comply with Basel
II by the new deadline?
I'm not surprised that the deadlines have been shifted. From the last research
I have done, it is now March 2007, according to the release from the Reserve
Bank of India.
I do not know if this is achievable. We cannot say that Indian banks will be
Basel II compliant by then unless the banks look at information security seriously
and at its role in the entire Basel II accord. That can be achieved only by
looking at all business units at different levels.