When the Basel Committee on Banking Supervision released its capital adequacy framework in 1999, the first iteration of a revamping of its 1988 Capital Accord, it seemed like everyone had something bad to say about the proposal. Some griped about its seemingly arbitrary risk weightings; others complained about its fuzzy treatment of credit-risk-mitigation techniques.

The committee took those criticisms to heart and, in February, released a far beefier version of the 1999 proposal. The new plan retains the 1999 proposal's three-pillar approach, which includes minimal capital requirements, supervisory review and market discipline, but expands on it in new and important ways. Perhaps most important: whereas the old plan was thought to be too simplistic in its approach, the new plan offers three distinct methods to calculate minimum capital requirements—a standardized method, and two internal methods.

In the standardized method, which is geared toward smaller banks, exposures to various types of counterparties—primarily sovereigns, banks and corporates—will be assigned risk weights based on assessments by external ratings agencies like Moody's and Standard & Poor's. The old plan rather arbitrarily assigned risk weightings of 20 percent to credits rated AA- and above, 100 percent to credits rated A+ to B-, and 150 percent to credits rated below B. In the new plan, a more reasonable 50 percent risk bucket for highly rated corporates has been added. Moreover, the 150 percent weighting is better defined, and expanded to include not only poorly rated corporates, banks and sovereigns, but also unsecured credits 90 days behind in their payments and certain venture capital and private equity investments.

The internal-ratings-based approaches to credit risk are geared toward internationally active banks involved in relatively complex risk transfers. They treat corporate, bank and sovereign credits one way, and retail, project finance and equity exposures another way. (We'll concentrate on the former.)

For each exposure class, the treatment is based on three main elements: risk components, for which a bank may use either its own or standardized supervisory estimates; a risk-weight function, which converts the risk components into risk weights to be used by banks in calculating risk-weighted assets; and a set of minimum requirements that a bank must meet to be eligible for internal-ratings-based treatment.

The most important category is bank risk components. But first, some background. Banks' internal measures of credit risk are based on assessments of borrower and transaction risk. Most banks base their rating methodologies on the risk of borrower default, and assign a borrower to a rating grade. A bank then estimates the probability of default associated with borrowers in each of these internal grades. This default-probability estimate must now be a conservative view of a long-run average default probability for all the borrowers assigned to the grade in question. But default probability isn't the only component of credit risk-banks must also measure how much they'd lose should the borrower default. That depends on how much per unit of exposure the bank expects to recover from the borrower, and the bank's exposure to the borrower at the time of default.

Whereas the old plan was thought to be too simplistic in its approach, the new plan offers three distinct methods to calculate minimum capital requirements.

Banks opting for an internal-ratings-based approach must be able to calculate a default probability for each credit. (If they can't, they must fall back on the standardized method.) The foundation approach is geared toward banks that aren't able to calculate how much they'd lose as a result of default, known as "loss given default” or LGD. In this case, a banking supervisor figures it out for them. Under the advanced approach, the bank calculates both of these inputs itself.

In terms of risk weights, a credit's risk weight will depend on its default probability, its LGD and its effective maturity. The minimum requirements to be eligible for the internal-ratings-based approach are talked about in detail in the report, but fall under the following categories: meaningful differentiation of credit risk; completeness and integrity of rating assignment; oversight of the rating system and processes; criteria of rating system; estimation of default probability; data collection and IT systems; use of internal ratings; internal validation; and disclosure.

The new proposal also addresses operational risk in detail, providing three new methods for determining operational risk charges. It defines operational risk as "the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems, or from external events,” and its three-pronged system is similar to the approaches outlined for credit risk.

The "basic indicator approach” links the capital charge for operational risk to a single indicator that serves as a proxy for the bank's overall risk exposure. For example, if gross income is the indicator, each bank will hold capital for operational risk equal to a fixed percentage of its gross income.

The "standardized approach” builds on that by dividing a bank's activities into a number of standardized industry business lines—such as corporate finance and retail banking—into which banks map their internal framework. Within each business line, the capital charge will be calculated by multiplying an indicator of operational risk by a fixed percentage. Across business lines, both the indicator and the beta factor may differ. The total capital charge for operational risk will be the sum of the regulatory capital charges across each of the business lines.

The "internal measurement approach,” meanwhile, allows banks with fairly rigorous supervisory standards to use internal data for regulatory capital purposes. Banks will collect three data inputs for a specified set of business lines and risk types: an operational risk exposure indicator, plus data representing the probability that a loss event occurs and the losses given such events. To calculate the capital charge, the bank will apply to the data it has collected a fixed percentage based on industry-wide data. Again, the total capital charge for operational risk will be the sum of the capital requirements for each business line.

There are other changes in the new proposal as well. Securitization, for example, is dealt with for the first time. "Although asset securitizations can serve as an efficient way to redistribute a bank's credit risk to other banks and non-bank investors,” the proposal says, "the Committee has become increasingly concerned about some banks' use of such structures to avoid maintaining capital commensurate with their risk exposures.” The result: the committee has developed some standardized and internal-ratings-based approaches to account for securitization risk as well.

Got all that? If not, don't worry—you'll have plenty of time to delve into the finer points of the plan at your leisure. The Basel Committee is accepting comment on the proposal until May 31 of this year, and the final rules will go into effect in 2004. Hopefully, risk managers will have digested the nearly impenetrable 500-plus-page document by then.

For a copy of the proposal, see the Bank for International Settlements' web site, at www.bis.org/.

More Disclosure, More Often

A Who's Who of risk management experts says banks should disclose more of their risks to the public—and should do so more often. In January, the Working Group on Public Disclosure, convened by the Federal Reserve with the support of the Office of the Comptroller of the Currency and the Securities and Exchange Commission, issued a report calling for better disclosure practices by the nation's biggest banks. The group, headed by Chase Manhattan chairman Walter Shipley, recommended that banks disclose certain risk data quarterly rather than yearly, and that they disclose more of it. The group called for several specific steps. First, it advocated quarterly disclosure of aggregate high, average and low trading value-at-risk by major risk category (fixed income, currency, commodity, equity and so on). It also called for some sort of quantification of how well market risk models performed, such as a histogram of daily trading revenues compared with average VAR over the period. It said banks should provide current credit exposures by internal rating, reflecting the effects of netting, collateral and other forms of credit protection. And the group called for information about the maturity profile of transactions, and insight into credit concentrations, either by industry sector or geographical region. Shipley, in a letter to the Fed, stressed that one single approach wouldn't do the trick for everyone. Banks "have very different, but equally valid, approaches to risk management and monitoring because they approach managing risks differently,” he wrote. The Fed, OCC and SEC seemed to like what they heard. "We…think your recommendation for disclosure of credit risk based on banks' internal ratings is especially useful,” the three wrote in a letter to Shipley in January. "We appreciate the need to strike a balance between quantitative and qualitative information in order to convey a meaningful picture of a firm's risk profile.”