Basel II Pillar 2 and the Supervisory Review Process – Why This is More Important Than Pillar 1

Most banks spend most of their resources that have been allocated for Basel II compliance, to meet the  Pillar  1 requirements. This is definitely wrong.  Pillar  2 is more important than  Pillar  1.

Basel II is a risk management and a compliance exercise. Banks have to quantify risks ( Pillar  1), but at the end of the day they have to persuade their supervisors that they meet the Basel II related minimum international standards.

What do supervisors expect from banks? Do they expect a number that is the capital allocated for the risks? Do they expect this number explained? No, they expect much more. Starting from a good corporate structure, best practices, international standards in risk management, a link between risks and capital allocated for these risks. If the corporate governance elements are missing, supervisors can not rely on the  Pillar  1 capital allocation calculations, and impose a  Pillar  2 capital add on.

Institutions and its supervisors must first understand each other. A clear and consistent dialogue that is proportionate to the complexity and importance of the bank is of paramount importance.

Basel II is not a quantification exercise. Under  Pillar  2, this is what is really important:

A. The legal and corporate structure.

It must be effective, efficient, transparent and clear. The position of the bank within a group is very important as well.

B. Authority and responsibility of the board, management and employees.

It must be precise, well defined, and meaningful. The reporting lines must work. The staff must be aware of these policies and everyone must have the power to do what is needed and described in his job description.

C. Good risk management.

An enterprise wide approach in the management of risks is needed. A centralized office understands better best practices and international standards, and promotes more effectively a consistent implementation.

All material risks must be identified (a difficult task), understood and quantified. Risk assessment and risk monitoring procedures must be advanced and updated regularly.

D. Documentation and evidence for doing what is required.

Banks have to provide evidence that they did what is required: The minutes of the meetings of the board, the documentation of the risks, the controls and the tests that explain why the controls are effective, are all very important. Banks should help the supervisors understand and evaluate the operations.

E. Monitoring and review.

A systematic review of the strategies for risk management is necessary. The old controls may not be effective in a new, different and challenging environment. The cycles of the economy, the macroeconomic environment, the business cycle, the internal and external factors must be taken into account.

F. Strong internal control systems.

Banks are in the business of taking risks. When the risks exceed the board’s risk appetite, banks have to mitigate them. Effective internal controls are essential. The risk control, compliance and internal audit functions can provide reasonable assurance that banks control our risks.

G. Effective risk and compliance function.

Compliance risk is the (very important) risk that banks do not comply with laws and regulations. What follows is definitely bad for the reputation of the bank: Legal sanctions, regulatory sanctions, financial loss, negative publicity.

The risk and compliance officers must advise the management and the board of directors on new laws, regulatory obligations and standards. The Chief Compliance Officer and the Chief risk Officer should provide assurance that new products or procedures are in compliance with the legal and regulatory environment.

In small and less complex banks, according to the proportionality principle, the same persons may perform the tasks of the compliance function and the risk control function. This should never be acceptable for larger or complex institutions.

H. Effective internal audit function.

The board of directors has to ensure that the internal auditors are qualified and capable to assess risks and the adequacy of internal controls. Auditors are required to report significant deficiencies and material weaknesses to the board and senior management. The reports of the internal auditors are very important, so a formal follow up procedure is necessary.