Basel II & Risk Ratings – a New Risk Rating Standard for All Banks

By Kevin Crowe, Senior Compliance Counsel, Harland Financial Solutions

I. Introduction

Despite the recent turmoil in the credit markets, it is expected that in the month and years ahead the Basel II regime for risk management will continue to be utilized at financial institutions throughout the world.

In the U.S., the Basel II Advanced Approaches have been adopted, and the qualification process has begun. Evidence of the march towards the implementation of Basel II is found in the U.S. federal banking regulators issuance in June 2008 of a joint notice of proposed rulemaking (the “Basel II Standardized Approach NPR” or “NPR”). The NPR would give banks, bank holding companies, and savings associations that are not subject to the Advanced Approaches of Basel II the option of using the Basel II standardized approach to compute their risk-based capital requirement. All institutions larger than $250 billion on a consolidated basis (“core banks”) must use the Basel II Advanced Approaches. Other large banks, with regulatory approval, may opt in to use the Basel II Advanced Approaches. It is likely that the new Basel II Standardized Approach rules will become effective in early 2009.

Implementation of the Basel II risk-based capital rules in the United States will have wide-ranging and profound impacts on risk management practices at U.S. financial institutions. But the impact of the Basel II Advanced Approaches will go beyond the core and opt-in banks that expressly operate under the new rules. We believe that over time all banking institutions will be affected by certain Basel II-based “best practices” that will develop in the industry.

In our opinion, the most important effects of Basel II will be the expectation by bank regulators that all financial institutions should adopt the basic elements of the Basel II Internal Ratings-Based risk rating system architecture. We also believe that all banking institutions will be expected to provide more detailed, Basel II-like risk disclosures similar to those contained in Basel II’s Pillar Three.

This article provides a high-level overview of the new Basel II risk rating system and disclosure requirements that we believe represent future best practices. In this article, the term “Basel II” means the Basel II Advanced Approaches as set forth in the U.S. version of the Basel II rules.

II. Risk Rating and Disclosure Standardization

The push for standardization of risk rating systems and risk disclosures at U.S banks will come from a number of directions. First, the push will come from the U.S. federal banking regulators, as they continue to bring the U.S. banking system into uniformity with global risk management and capital adequacy standards. Most of the developed world has already adopted Basel II and its risk rating and disclosure requirements. We expect the U.S. regulators to move U.S. banks increasingly in the direction of the Basel II-type risk management systems, even if U.S. banks are given the option to remain under the Basel I capital rules.

Secondly, the equity and debt markets, along with external auditors, will eventually demand that all banks provide Basel II-like risk-related disclosures to investors and ratings agencies. To obtain a commonality among banks with respect to risk-rating disclosures, there will be pressure for all banks to use the same basic internal risk-ratings system, the Basel II system. It has been suggested that there may be a pricing advantage afforded to those institutions that provide greater risk-related transparency to the market.

Lastly, bank senior management and boards of directors will (or should), adopt as robust a risk rating and disclosure system as is reasonably possible for their banks. The corporate best practices standard against which they will be judged will be the basic risk rating system structures and disclosure standards contained in Basel II.

III. Bank Risk Rating Systems

Credit risk is the primary risk facing banking institutions, and rating credit risk is the essential first step in effectively managing credit risk. The bank regulators expect all institutions to have credit risk management systems that produce accurate and timely risk ratings. Furthermore, credit risk ratings are also essential to other important functions, such as credit approval and underwriting, loan pricing, relationship management and credit administration, allowance for loan and lease losses (ALLL) and capital adequacy, portfolio management information systems (MIS), and board reporting.

The federal bank regulators require that management identify, measure, monitor, and control credit risk. Management will be assessed on their adoption of risk monitoring systems that are appropriate for the institution's size, complexity, and risk profile .

As the OCC has noted, for years banks have been developing more robust internal risk-rating processes to increase the precision and effectiveness of credit-risk measurement and management. We note the emphasis that the regulators have placed on capital adequacy and increased risk management of commercial real estate loans. This trend will continue as banks continue to implement advanced portfolio risk management practices and improve their processes for measuring and allocating capital for credit risk. The adoption of Basel II will further accelerate this trend.

To illustrate the direction that we believe the industry will head with loan risk rating systems, we have set forth below a summary of the Basel II risk rating system that is used for wholesale credits (corporate and commercial loans).

IV. Basel II Risk Rating System Requirements

Section 22 of the Basel II rule sets forth the essential qualification requirements for a Basel II IRB risk rating system architecture.

Section 22(b) provides that:

“(1) A bank must have an internal risk rating and segmentation system that accurately and reliably differentiates among degrees of credit risk for the bank’s wholesale and retail exposures.

(2) For wholesale exposures:

(i) A bank must have an internal risk rating system that accurately and reliably assigns each obligor to a single rating grade (reflecting the obligor’s likelihood of default)… The bank’s wholesale obligor rating system must have at least seven discrete rating grades for non-defaulted obligors and at least one rating grade for defaulted obligors…

(ii) Unless the bank has chosen to directly assign loss given default (LGD) estimates to each wholesale exposure, the bank must have an internal risk rating system that accurately and reliably assigns each wholesale exposure to a loss severity rating grade (reflecting the bank’s estimate of the LGD of the exposure)….”

Additional details on the regulatory expectations relating to these specific issues can be found in the proposed supervisory guidance on Basel II implementation that was issued on February 28, 2007 (the “Proposed Implementation Guidance”).

The Proposed Implementation Guidance states that banks will have latitude in designing and operating wholesale risk rating systems, subject to four broad principles:

1. Two-dimensional risk rating system – Banks must be able to make meaningful and consistent differentiations among credit exposures along two dimensions – obligor default risk and loss severity in the event of a default.

2. Rank ordering of risks – Banks must rank obligors by their likelihood of default, and wholesale exposures (e.g., loans, facilities) by the loss severity expected in the event of default.

3. Quantification – The risk rating system must be designed to facilitate quantification of obligor ratings in terms of probability of default (PD) and loss severity in terms of expected loss given default (ELGD) and LGD.

4. Accuracy – The risk rating system must be designed to ensure that ratings are accurate, so that obligors within a rating grade have similar default risk and wholesale exposures within a loss severity rating grade have similar risk of loss in the event of default.

What do the Basel II rules and the Proposed Implementation Guidance tell us about how corporate and commercial loans must be risk rated? At a minimum, Basel II banks will be required to:

1. Assign a risk rating to each obligor;
2. Utilize a risk rating system that has at least seven (7) rating grades for non-defaulted borrowers, and at least one (1) rating grade for defaulted obligors; and
3. Assign a loss given default (LGD) or internal rating grade to each commercial exposure.

From this, we see greater quantification of risk. Quantification is the process of assigning numerical values to the key risk parameters (e.g., PD and LGD) that are used in the Basel II risk analysis and capital calculation process.

Section 22(c) of the Basel II rules states that banks must have a comprehensive risk parameter quantification process that produces accurate, timely, and reliable estimates of the risk parameters for the bank’s wholesale and retail exposures. The risk-rating system must be designed to facilitate quantification of obligor ratings in terms of PD, and loss severity in terms of an LGD. PD estimates for wholesale and retail exposures must be based on at least five years of default data, and LGD estimates for wholesale exposures must be based on at least seven years of loss severity data.

Furthermore, banks will have to review their risk rating policies. Sections 22(b)(4) and (5) of the Basel II rules state that a bank’s internal risk rating policy for wholesale exposures must describe the bank’s rating philosophy (i.e., it must describe how wholesale obligor rating assignments are affected by the bank’s choice of the range of economic, business, and industry conditions that are considered in the obligor rating process). In addition, the bank’s internal risk rating system for wholesale exposures must provide for the review and update of each obligor rating and each loss severity rating whenever the bank receives new material information, but no less frequently than annually.

The basic principles and process of the Basel II risk rating system requirements can be applied to all types and sizes of banks. We think these requirements will become the minimum best practice standards in the future. Every non-Basel II bank should compare its risk rating system to these basic Basel II risk rating system requirements. If the bank’s risk rating process or system lacks some of these basic features, then that best-practices gap should be closed to the extent that reasonably makes sense for that bank. At a minimum, the bank should be prepared to explain why the Basel II risk rating system requirements are not necessary.

V. PD Mapping for Community Banks

One interesting risk quantification technique useable by banks of all sizes, and that would work with the Basel II risk rating system quantification paradigm, is calculating PDs by using a risk rating model that incorporate both internal company-specific information and external industry-related market information. This process quantifies risk by incorporating financial information found on the borrower’s balance sheet, income statement, and statement of cash flow, together with additional information known to the lender. This internal, borrower-specific information is combined with public information about the borrower’s industry. The combination of internal and external information is used to produce a PD for the borrower. We note that one of the Basel II approaches used globally, the Foundation Approach, requires institutions to produce PD values, with the regulators providing the other Basel II risk parameters (LGD and exposure at default (EAD)). If the U.S. regulators move in the direction of adopting the Foundation Approach, then banks covered by that rule will be required to generate PDs for their credit exposures. All banks should consider how they would respond if they were asked to provide PDs to their regulators. In addition, we think that the calculation of borrower PDs is a worthwhile exercise for all institutions.

To calculate a PD using this type of hybrid model, a bank would:

1. Create internal, industry-based PDs based on publicly available information.

2. Apply those industry-based default probabilities to loans within the portfolio that fall into the corresponding industries.

3. Make adjustments to each PD based on additional financial and non-financial risk factors about the borrower that are known by the bank.

Ideally, a bank would incorporate into its analysis historical data available either in-house or through an external source, and adjust its calculations accordingly, as follows:

1. Capture a sufficient number of defaults in the historical data to validate the PDs that have been assigned by the bank.

2. Check the percentage of companies having defaulted in each internally generated PD for consistency in the model.

3. Validate and adjust the model where needed.

If historical data is not available, the bank should validate going forward. Use data gathered each year to further calibrate the amount to dial up the industry standard PD. If the internal risk rating process is inconsistent over time, it would be difficult to ascertain which portion of the process requires adjusting, so it’s important to reiterate that historical data and consistency are critical to improving the risk assessment process

VI. Basel II Disclosure Requirements

The new Basel II risk disclosure requirement is sometimes overlooked when Basel II is discussed. As stated above, all banks will be expected to supply to regulators, investors, and bank auditors greater information regarding the risk position of the bank, and that all banks will utilize the disclosure requirements that are found in the U.S Basel II rule and in Pillar Three of the Basel II Accord.

The Basel II public disclosure requirements focus on risk issues and capital adequacy. The purpose of these disclosure requirements is to provide improved public disclosure of risk and capital information in order to increase market discipline, which should supplement the bank supervisory review processes. The regulators hope that greater transparency of risk-related details (qualitative and quantitative) will result in more public scrutiny, which will result in improved risk management practices.

The Basel II disclosure requirements consist of significant qualitative and quantitative information relating to a bank’s risk management. In the risk management area, the focus is on bank exposures to credit risk, market risk, risk from equity positions, and operational risk. For credit risk, banks must provide a qualitative discussion of their risk management policies and the key definitions and statistical methods used in their risk analysis. The quantitative disclosures include total gross credit risk exposures after accounting for offsets and without taking account of credit risk mitigation efforts. These exposures must be reported by exposure type (such as loans or off-balance-sheet exposures), by geographic region, by industry or counterparty type, and by residual contractual maturity. Impaired loans and past-due loans must be reported by geographic region and industry type.

Key disclosures include the distribution of exposures across borrower and/or facility grades, key loss characteristics (for example, PD by borrower grade and LGD by collateral type or business line), and internal economic capital allocated to each borrower grade, major line of business, and/or product line. Such disclosures must be accompanied by a description of the rating process and the risk quantification process used at the bank. Basel II disclosures must include reporting of the institution’s overall regulatory capital requirements and a comparison of these requirements to its capital positions.

In addition to these substantive disclosures, a bank must also:

1. Adopt a formal risk disclosure policy, and provide a CFO certification;
2. Disclose the bank’s specific risk disclosure controls and procedures; and
3. Disclose many additional detailed qualitative and quantitative risk disclosures.

We suggest that all banks review carefully the risk disclosure tables that are part of the Basel II rule.

VII. Conclusion

Notwithstanding the criticisms leveled at the over-reliance by some large banking institutions on complicated risk models, the key message of Basel II regarding the goal of obtaining increased quantification of risk and risk ratings is still valid. There is little doubt that the regulators want to see more precise quantification of risk.

The Basel II risk-based capital rules, as well as other recent regulatory actions such as the Commercial Real Estate Lending Concentrations Guidance, show us that the regulators continue to focus on:

1. Risk Analysis – collecting and analyzing data relating to the loan portfolio;
2. Risk Management – adopting policies, processes and systems that address risk issues; and
3. Capital Adequacy – making sure that capital is adequate based on the bank’s actual risk profile following its risk analysis.

Risk Management is art and science. Banks must develop state-of-the-art quantitative and qualitative risk management processes. A bank’s risk rating system, along with the management information system that supports that system, is the keys to compliance with Basel II and the evolving new risk management paradigm.

Kevin Crowe is Senior Compliance Counsel with the Compliance Legal Department at Harland Financial Solutions, with previous experience as Senior Vice President & General Counsel of the Federal Home Loan Bank of Seattle and as general counsel for a multi-billion dollar banking institution. For more information on Basel II and risk ratings visit www.creditquest.com or send an e-mail to moreinfo@creditquest.com.