Credit Risk Management for Basel II and Beyond

Table of Contents

Risk Management
  Market Risk
  Credit Risk
  Operational Risk
Basel II
  Industry Regulation
  From Basel I to Basel II
  Credit Risk
  Operational Risk
Credit Risk Management beyond Basel II
Implementing Internal Ratings-Based Approaches
  Business processes
  Software and systems
SAS Risk Management for Banking
Summary

Risk Management

Life has always involved risk. And people who are best able to weigh risks and make appropriate decisions have always been the most successful. Sometimes this can mean being bold. Often it means being conservative. As in the game of poker, risk and return have to be carefully balanced. Or imagine hunting in the Stone Age: is it worthwhile going for the big mammoth, even if this may place the whole group in peril?

The essential risk and reward questions have remained the same throughout the centuries. What has changed is the size of the group. In today's business world, risk has to be managed by and throughout very large organizations. This also means that gut feeling and basic instincts count less. The history of risk management has been one of making tacit knowledge explicit, of validating and supporting expert judgments by quantitative analysis and of surfacing key insights to an ever larger number of players. In short, decision making in the presence of risk is becoming a more and more rational task, to a degree where it can even be partially automated.

Think in the context of banking. Risk-taking has always been at the heart of banking to a degree that banking has been defined as the business of managing and transforming risk. From an economics point of view, one of the main ways that banks are productive is by placing themselves in between a few corporate enterprises that demand high-volume long-term financing, and a large number of private individuals who are willing to make low-volume short-term deposits.
Two major types of risk need to be managed in this process: the risk of counterparty default (credit risk) and the risk of market price changes, especially changes in interest rates and share prices (market risk). These risks can only be appropriately managed when there is a sufficient degree of information about counterparties and markets. In fact, economically speaking, the bank's information transformation function, i.e. the liberation of the depositor from the need to be thoroughly informed about counterparties and markets, is another major way in which banks are productive.

However, the Information Age has brought new dimensions of volume, automation and speed to the business of banking. In order to fulfill its promise of informational efficiency, the bank's capacity to turn data into intelligence needs to increase at the same rate. This leads to the central question of how risk is best identified, quantified and measured, and how risk measurements are utilized by management for improved decision-making. The answer to this question lies in the application of information technology, in particular in using computerized statistical measurement and information delivery systems.

Comply and Exceed

Market Risk

For example, in market risk banks calculate statistical measures that express price variability, or volatility as it is often referred to within the industry. The volatility associated with individual exposures is then aggregated across the portfolio of all exposures to a Value at Risk figure. Value at Risk summarizes the expected maximum loss (or worst loss) over a target horizon within a given confidence interval [1]. Value at Risk and risk-adjusted performance figures are then disseminated to decision makers, often with overall figures broken down by a variety of categories such as time, geography or business unit.
Not only do these reports help management better adjust business strategies to risk, they are also required by regulators who have determined that Value at Risk serves as the basis for regulatory capital requirements.

Credit Risk

Capital lending is a core banking function and it takes a large variety of different forms. In the broadest form, lending can be categorized based on the type of counterparty involved, such as lending to private individuals (retail lending), small businesses or (large) corporate businesses.

The risks and returns associated with lending are very asymmetric. Unlike in market risk, where prices move up or down with largely equal probability, in the credit area moderate interest revenues from a large number of loans have to cover high losses associated with only a few default events.

Another important difference between credit and market risk lies in the characteristics of the operations. Lending differs from trading in that transactions tend to be fewer in number and that human decision making is involved in a more complex way. The process of making credit decisions is also more regulated and less automated. Even in retail lending (when compared to non-retail lending), the fundamental differences to market risk characteristics remain: the number of transactions is increased, the revenue/cost proportions are less extreme and automated decision systems are more pervasive.

Operational Risk

The new dimensions of volume, automation and speed in which banks operate today have also brought with them the new possibility of failure of these operations, which represents a risk in itself. The fact that humans or systems can fail, or that external events can disrupt operations, is by no means new. However, both the frequency and the impact of operational loss events are strongly increasing. More importantly, until recently operational risk has been a largely unmeasured risk that was managed through qualitative rather than quantitative approaches.
[1] Philippe Jorion, Value at Risk, McGraw-Hill Trade; ISBN: 0071355022; 2nd edition (August 17, 2000)

Basel II

Industry Regulation

Banking is one of the most heavily regulated industries. This is because banks can only transform deposits into loans if the depositors trust in the stability of the banking system, and don't all suddenly withdraw their deposits. Such a banking run is a catastrophic event that needs to be rendered as unlikely as possible, because it can seriously affect the economy as a whole.

One way in which regulatory requirements contribute to ensuring the necessary trust and stability is by limiting the level of risk that banks are allowed to take. In order for this to be effective, the maximum risk level needs to be set in relation to another amount which cannot arbitrarily be increased by the bank, such as the bank's own capital. At the same time, the high cost of acquiring and holding capital makes it prohibitive to have it fully cover all of a bank's risks. As a compromise, the major regulatory body of the banking industry, the Basel Committee of Banking Supervision, proposed guidelines in 1988 whereby a solvability coefficient of eight percent was introduced, i.e. the total assets, weighted for their risk, must not exceed eight percent of the bank's own capital.

From Basel I to Basel II

The exact figure of eight percent is somewhat arbitrary and has always been subject to debate, but the first Basel accord nevertheless has been adopted by over 100 countries worldwide and is a major milestone in the history of global banking regulation. However, a number of the accord's shortcomings, in particular with regards to the way that credit risk is measured, have become apparent over time.
Many banks today have already chosen to use internal risk measurement systems as the basis of resource allocation and even executive compensation, even though this level of detailed insight into the structure of credit risk is not reflected in regulations today. This then led to the creation of two separate capital calculation systems within these banks, and the regulatory calculations became less and less important.

With market risk, for example, the first accord allows banks to calculate their capital charge on an internally measured Value at Risk, but for credit risk only a simplistic approach based on a broad supervisory categorization of counterparties into risk weight buckets exists. Because these buckets don't consider all relevant information on actual counterparty risk that is available to banks through external rating agencies or internal experience, banks can engage in risk arbitrage, amassing those high-return/high-risk counterparties that fall into a low-risk regulatory bucket.

In order to reduce arbitrage and to introduce advanced credit risk measurement to a broader set of banks, a second accord, due by the end of 2003, proposes improved credit risk regulation. The general strategy that the Basel committee has adopted is to offer a capital incentive to those banks that move their credit risk management up towards best practice. The accord ensures capital adequacy in three ways, referred to as the three pillars:

- The accord prescribes various approaches for determining the minimum capital requirements, including more risk-sensitive standardized and internal ratings-based approaches;
- It offers guidelines for the supervisory review process, including the approval of internal rating systems;
- It demands detailed disclosure, not only to the supervisor but also to all market participants.

The accord is a set of broad policy guidelines that each country's supervisors can use to determine the supervisory policies they apply.
It has been drafted in the expectation that it will be followed more closely by supervisors world-wide. The accord will be applied on a consolidated basis to internationally active banks. The scope of application of the accord will be extended to include, on a fully consolidated basis, holding companies that are parents of banking groups to ensure that it captures risks within the whole banking group. The accord will also apply to all internationally active banks at every tier within a banking group, also on a fully consolidated basis [2].

Credit Risk

Three approaches to the calculation of capital requirements

The Basel II accord offers three approaches to calculating minimum capital requirements in the credit risk area. In short, they can be described as follows:

- The standardized approach is an extension of the existing risk weight buckets approach, which is made more risk sensitive by including external ratings in the bucket definition;
- The internal ratings-based (IRB) foundation approach substitutes discrete risk weight buckets with a continuous risk weight function. The risk weight depends on an internally estimated probability of default (PD) and a loss given default (LGD) that is calculated using standard supervisory rules;
- The IRB advanced approach additionally allows the LGD to be internally estimated and includes maturity (M) as an explicit risk component in the risk weight function.

Risk weighted exposure amounts are added to give total Risk Weighted Assets. This figure is then multiplied by eight percent to give the credit risk-related capital charge. This charge is added to other capital charges from market and operational risk.
[2] Basel Committee on Banking Supervision, The New Basel Capital Accord, Consultative Document, January 2001, Bank for International Settlements, www.bis.org

Some details of capital requirements calculation

A number of detailed regulations regarding the use of credit risk mitigation techniques and differences between corporate and retail portfolios make the Risk Weighted Assets calculation a bit more complicated than it appears at first sight:

- In the standardized approach, credit risk mitigation techniques, such as taking collateral, reduce the exposure amounts;
- The risk weight function in the IRB approaches is calibrated by the Committee. It is different for corporate and retail exposures and the exact values will still change;
- The risk weight function is capped at a value of 12.5 so that the capital contribution of a risk-weighted exposure doesn't exceed its actual exposure amount (since 12.5 is the reciprocal of eight percent, the product can never exceed 100 percent);
- The PD of a corporate exposure is the PD that is associated with the rating grade that the exposure is assigned to. The PD associated with the rating grade is the long-term average as calculated on internal historical data. The rating rule that slots exposures into rating grades can be based on an educated guess, a mapping to external data or by using statistical models that predict individual default probabilities;
- In case of guarantees, the guaranteed exposure amount receives a PD that is the average of the guarantor PD and 15 percent of the borrower PD. The factor is called a floor, w-factor or guarantee absorption capacity;
- In the foundation approach, LGD is determined based on the seniority of the loan and on the value of financial and physical collateral;
- Both in the standardized and the IRB approaches, values of instruments used for credit risk mitigation (e.g. guarantees, collateral and credit derivatives) must be the current values as calculated by a mark-to-market analysis. Haircuts are then used to further adjust these values for volatility of the instrument itself and the currency it is denominated in, as well as the remaining maturity of the mitigation instrument;
- Netting set agreements modify the exposure at default (EAD);
- In the advanced approach, LGD is defined by facility grade. The guarantee absorption capacity as well as the EAD of off-balance sheet items must also be estimated in the advanced approach;
- In the retail portfolio, segments take the place of rating grades and facility grades, i.e. both PD and LGD are looked up by segment. There is no differentiation between foundation and advanced approaches in the retail portfolio.

Minimum requirements for the approval of internal rating systems

If a bank chooses one of the IRB approaches, its internal rating system has to fulfill a variety of detailed minimum supervisory requirements. These range from organizational and business process aspects to data, IT systems and statistical requirements.

For example, the historical data that is used in the estimation of risk components must span a minimum of five years (foundation) or seven years (advanced). The definition of the rating grades must be proven to differentiate risk well. The execution of rating-based decisions must be closely monitored, exceptions must be tracked and the accuracy of the predicted default rates must be continuously verified. Stress testing and scenario analyses have to be performed.

On the business process side, the integrity and robustness of the system must be demonstrated. The system must be well documented and changes must be archived. Any statistical methods used must be well understood and transparently documented. A dedicated credit review unit must exist within the bank that is responsible for the system and reports directly to the board.
Management must demonstrate a thorough understanding of the major aspects of the rating system. Perhaps most importantly, the concept of use tests ensures that the ratings provided by the internal rating system are the only ratings used in the bank for risk reporting, capital allocation, loan approval and any other rating-related activity, thereby proving that the rating system is indeed a core component of the bank's business culture and not simply invented to satisfy the regulator.

Disclosures

A number of detailed reports are mandated to be made available to the supervisor, as well as to any interested market participant. These include various reports on Risk Weighted Assets and unweighted exposure amounts. The effect of credit risk mitigation techniques must be disclosed. The various measures need to be broken down along a variety of dimensions, including exposure type, year, industry, country, maturity and current delinquency status. The requirements also include a large range of reports that ascertain the effective functioning of the internal rating system, including comparisons of external and internal ratings, actual and predicted default rates and qualitative information on the system's structure and the definitions used.

Operational Risk

Basel II also makes the first strides toward the regulation of operational risk. Approaches proposed for calculating capital charges include the:

- Basic indicator approach, which simply expresses operational risk as a proportion of gross income or similar overall operational activity measures;
- Standardized approach, which uses such indicators by business line;
- Internal measurement approach, which relies on quantifications of event probabilities and associated losses.

More recently, other advanced measurement techniques have been proposed, including a loss distribution approach and a scorecard approach.
Because operational risk is not the focus area of this paper, these approaches are not discussed here in detail.

Credit Risk Management beyond Basel II

While the internal ratings-based approaches in the Basel II framework will move banks towards a more extensive and sophisticated risk measurement practice, the train doesn't stop here.

For example, in the area of portfolio risk management, the regulation explicitly stops short of making a number of techniques that have been developed in recent years into requirements. These include, in particular, the calculation of Credit Value at Risk or Economic Capital. These techniques would extend the Basel II calculations by producing not only the expected (average) loss figures, but also loss distributions around that number. Value at Risk figures that quantify the maximum expected loss over a certain time period at a certain confidence level can then be read from such distributions. The difference between the expected and the unexpected loss is sometimes referred to as the economic capital and is the amount that needs to be additionally set aside to cover unexpected losses.

The distributions are generated by using Monte-Carlo-like simulation techniques that shock (apply changes to) the underlying risk factors of a risk model. These could, for example, be those risk components (PD, LGD, M) that are also used for the Basel II Risk Weighted Assets calculation.

Other uses of portfolio risk measures that are not required by Basel II, but are necessary components of risk management best practices, include limit setting, loan pricing and risk-adjusted performance management (RAPM), in particular in the form of risk-adjusted return on capital calculations (RAROC).

Another area that is left overlooked by regulation is the interdependence between market and credit risk.
While Basel II requires some market risk techniques to be used in the valuation of collateral and guarantees, on the whole it treats market and credit risk separately. This approach doesn't account for correlations between these risk types.

Finally, it is one of the major implicit requirements of Basel II that such entities as borrowers exist and are described in explicit detail. Moving IT systems from a product-oriented view to such an integrated customer view has been difficult to achieve for many banks in the past. Achieving it, however, will lay down the basis for a large variety of Customer Relationship Management analyses that could help better align risk and marketing departments.

In essence, Basel II is not just about complying with regulations. Instead, it should be seen as a catalyst that enables banks to move forward from their historical legacy into a more coherent and consistent way of analyzing their business, ultimately resulting in cost savings and increased profits.

Implementing Internal Ratings-Based Approaches

Business processes

Even if Basel II doesn't require banks to go all the way towards full state-of-the-art credit risk management in their first attempt, the transforming effects it has on a bank's business are already enormous, both in terms of processes and systems.

A major new organizational entity that is required of banks by regulation is the credit review unit. It must be independent from all those bank units that profit from giving out credit, and must report directly to the board. Its responsibilities include the proper functioning of the internal rating system, as well as the calculation of the risk-weighted assets and the generation of disclosure and management reports. As such, it has to assure the availability of the required data for building, validating and maintaining rating models. It performs stress testing and migration analyses.
It monitors the rating system's performance and tracks the way credit decisions are made in the front office, especially with regard to exceptions. It can even become involved in the rating process for certain rating cases that stand out in terms of either size or complexity. Finally, it is the credit review unit that will work closely with the regulators.

If the bank performs advanced portfolio risk management that goes beyond the mere calculation of risk-weighted assets for regulatory purposes, and engages in activities such as limit-setting analysis, portfolio optimization, concentration and correlation analysis, it may be worthwhile to create a dedicated unit for this, as a part of or separate from the credit review unit.

Both units will report their findings to a board-level committee that sets strategic directions, sets limits, allocates capital and approves all major aspects of the rating, as well as exceptions from the documented methods.

Other business units that are affected by Basel II include collection units, as well as those branch support units and branch offices that assign ratings and approve credits.

Staffing the credit review and portfolio analysis units can also be challenging, because Basel II sets high demands on the quality of staff. In particular, statistical and analytical skills will be required and may be hard to acquire. The requirement for performing change control and thoroughly documenting business, as well as systems processes, is another major challenge and potential source of difficulty for the credit review unit.

Overall, a streamlining and merging of various fragmented functions in the lending business are in order. The compelling event of Basel II should be seen as an opportunity rather than a threat by decision makers, as it will generate high-level sponsorship and resources that may otherwise be difficult to get.
Software and systems

One of the most important organizational units for Basel II implementation is the IT department. A number of mission-critical new or extended system components need to be built and integrated into the existing IT infrastructure within a restricted time frame. A close cooperation with users from a large variety of business units is the single most important success factor.

Data Warehouse

The most fundamental IT system that needs to be put in place or brought into shape is the data warehouse. A data warehouse is a collection of cleansed and integrated data that is organized and optimized to facilitate the needs of the rating, portfolio analysis and reporting systems. It typically involves the extraction of data from various sources, transformation of data to standardize formats, and loading of data into the warehouse. Typical challenges in this process include assuring data quality and consistency and creating unique identifiers for transactions, counterparties and facilities. Eventually, the data warehouse needs to guarantee one version of the truth across the bank.

Data in the warehouse needs to be stored in a customer-centric manner that enables the efficient retrieval of current customer attributes in full detail. Even more importantly, historical data must be available for long periods of time (five to seven years) in order to track past rating assignments, provide sample data for the creation of rating models, validate rating models and monitor trends and changes. Customer histories must, in particular, include such data on credit performance as delinquencies and losses, and typically include counterparty attributes such as account behaviour data and financial (balance sheet) information, among others.
In order to support reporting and portfolio analysis, detailed histories must also be kept on internal ratings, external ratings and segments, as well as associated risk components such as PD and LGD. Finally, information from rating operations such as overrides must be retained, as well as aggregated risk measures such as Risk Weighted Assets or Value at Risk. It is an important requirement of Basel II that all data is stored in enough detail to accommodate future changes in internal rating and reporting systems.

From a technical point of view, the data warehouse needs to provide a variety of specialized storage structures and load processes, all of which need to be thoroughly documented. Support structures for reporting applications include multi-dimensional databases (MDDB) for the online aggregation and decomposition of risk measures. Portfolio analysis applications are dependent on the existence of clean and complete exposure tables and require frequent feeds of current market data into a number of reference tables. Finally, the rating system requires fully de-normalized tables as input both to the model creation process and to the rating assignment process. Historical default indicator flags need to be calculated based on a well-documented reference definition of default, and processes that apply the statistical rating model to rate existing or new customers need to be scheduled. The warehouse also provides the interface between the central batch rating system and front-end online rating and originating systems.

Rating System

The outputs of the internal rating system for corporate borrowers are two rules: one rule that slots borrowers into rating grades based on their attributes and another rule that associates a probability of default with each rating grade. Both rules, together, are sometimes referred to as a rating model. The PD of a corporate exposure is calculated as the PD that is associated with the rating grade that the exposure is assigned to.
In case of the advanced approach, similar rules must also be created for facility grades and associated loss given default values.

Basel II allows banks to use various methods to develop a rating model. The rules can be based on an estimate, a mapping to external data, or on statistical models that predict individual default probabilities (that are later grouped into rating grades). However the rating model is determined, it must be validated by applying it to a minimum of five years of historical data. The PD associated with the rating grade is the long-term average as calculated from this data. In fact, most banks will eventually aim for eight to ten years of historical data in order to capture at least one full economic cycle. The rating model must be shown to differentiate risk well; for example, risk should sharply increase from rating grade to rating grade. A total of nine rating grades must be produced, two of which should designate delinquent exposures.

The most thorough and risk-sensitive approach to creating a rating model uses statistical estimation techniques. The creation of statistical models requires a representative development sample that describes each borrower in all available detail and contains a sufficient number of default cases as well as non-default cases. This sample data is then analyzed interactively using appropriate analysis techniques, and the result is a rule that assigns a probability of default to each individual borrower. These individual predictions are then further analyzed and grouped into rating grades, considering regulatory constraints such as that the exposure per rating grade should not exceed 30 percent of overall exposure. Most banks will actually be more restrictive and require a maximum of 15 percent.

Some banks will find it difficult to create a sufficiently meaningful development sample because they don't experience a minimum number of defaults.
These banks may consider buying a ready-made generic rating model from a model vendor. However, each bank will still need to validate their rating models on internal data. Validation, like model creation, requires a sufficient amount of default cases, so it is unclear how generic models built on third-party data solve this issue. A more appropriate approach in this situation is to pool data with partner banks.

Generic models have a number of additional drawbacks that seriously question their suitability for PD estimation in a Basel II context. For example, they always consider only a subset of available customer attributes. Most often this is financial information from balance sheets or profit and loss statements. While this is certainly important information for judging the creditworthiness of a corporate customer, there is no justification for ignoring other important information such as account data, tenure, loyalty, product possession and even current delinquency status. Generic models often don't consider the significance of changes in financial information; for example, they only look at the last balance sheet as a snapshot, but don't account for balance sheet history.

Generic models may require very specific input data to be available. If a bank is unable to produce a particular piece of information for each and every customer, the whole model is unusable. Especially in the small business sector, financial information tends to be dirty or even completely unavailable. It is of critical importance that banks are able to build models that use high quality variables. If a bank feeds a generic model with bad data just in order to be able to use the model, the results will be disastrous.

A further problem with generic models is that they may be built on a set of borrowers that is not representative of the bank's own customers and, for this reason, will deliver inaccurate results.
Rating models must be continuously monitored and need to be updated swiftly when their predictive power starts to diminish. This may prove impossible if a generic model is used. Finally, the methodology that is used to build the models must be transparent and well understood by the bank. Generic models might not meet this transparency requirement. Generic models could be used as a benchmark with which to compare the predictive power of an internal model. Paradoxically, generic models could be used when there is a lot of data available for validation.

In the retail portfolio, segments take the place of rating grades. They need to be created using a variety of variables at the same time. These must include, at a minimum, product type, application score, vintage period and current delinquency status, but may include a variety of other variables. The segments must not only be homogeneous in these variables, they must also, like rating grades, differentiate risk well. PD and LGD values are determined by segment, again as a long-term historical average.

The regulation doesn't prescribe specific methods for defining these segments. The difficulty here is to satisfy conflicting requirements: for example, to create segments that are at the same time homogeneous in a variety of variables, differentiate risk well and make business sense. A variety of approaches may be taken to do this. They may include business-rule driven high-level divisions, for example by product type. Then statistical clustering techniques may be used to create homogeneous segments from the remaining variables. However, clustering is not designed for differentiating risk. Instead, statistical default prediction models may again come in at this point. These would use the required segmentation variables as inputs. Product type and PD would then define segments, with the PD effectively summarizing the information contained in the prescribed segmentation variables and other input data.
Portfolio Analysis

The calculation of Risk Weighted Assets is, in principle, a clearly defined, straightforward process, completely determined by regulatory rules. The calculation requires a clean and consistent exposure table as input. This table must contain a minimum set of variables describing the exposures including, for example, the portfolio class, the nominal outstanding exposure amount, internal rating grade and PD of borrower and guarantor, loan seniority, current collateral and guarantee values and external rating classes of collateral issuers.

Some of these inputs are not that straightforward to determine. Already, the assignment of exposures to portfolios may cause problems. If one counterparty is registered under different names, this double entry needs to be removed. Other complexities include the calculation of the current collateral and guarantee values, which must be based on current market prices and converted into one target currency using current exchange rates. Netting set agreements must also be accounted for in order to determine the net outstanding exposure amount.

Further complexity, but also benefits, are added when more advanced portfolio analysis techniques are employed. On the simplest level, various scenarios must be analyzed, for example how overall shifts of risk components such as PD or LGD affect the Risk Weighted Assets. On a higher level of complexity, Monte Carlo algorithms can be set up to automatically generate a large number of scenarios by varying underlying risk components. The result is a distribution from which at-Risk figures can be read. A variety of alternative risk models can be defined and simulated, depending on the specific purpose (for example Credit Value at Risk, Profits at Risk, Earnings at Risk, Capital at Risk). Sometimes it is useful to calculate conditional at-Risk figures that only consider a subset of risk components.
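The Monte Carlo step described above, as an added example that is not part of the original paper or of any SAS product: each scenario draws one shared economic factor, defaults follow from it, and the at-Risk figure is read from the resulting loss distribution. It assumes a one-factor Gaussian default model and a constructed two-segment portfolio (all PD, exposure, LGD and correlation values are illustrative), and it shows that expected loss adds up across segments while the at-Risk figures do not.

```python
import random
from statistics import NormalDist

# Constructed two-segment portfolio (illustrative values, not from the paper).
SEGMENTS = {
    "A": {"n": 40, "pd": 0.02, "ead": 100.0, "lgd": 0.45},
    "B": {"n": 40, "pd": 0.06, "ead": 50.0, "lgd": 0.45},
}
RHO = 0.15  # assumed asset correlation to the shared systematic factor


def simulate(scenarios=4000, seed=7):
    """Return per-scenario losses for each segment and for the whole portfolio."""
    rng = random.Random(seed)
    inv = NormalDist().inv_cdf
    w_sys, w_idio = RHO ** 0.5, (1.0 - RHO) ** 0.5
    losses = {name: [] for name in SEGMENTS}
    losses["total"] = []
    for _ in range(scenarios):
        z = rng.gauss(0.0, 1.0)  # one economy-wide draw per scenario
        total = 0.0
        for name, s in SEGMENTS.items():
            threshold = inv(s["pd"])  # borrower defaults below this asset value
            defaults = sum(
                w_sys * z + w_idio * rng.gauss(0.0, 1.0) < threshold
                for _ in range(s["n"])
            )
            loss = defaults * s["ead"] * s["lgd"]
            losses[name].append(loss)
            total += loss
        losses["total"].append(total)
    return losses


def quantile(values, level):
    """Loss at the given empirical quantile of the simulated distribution."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(level * len(ordered)))]


def summarize(level=0.99, **kwargs):
    """Expected loss and at-Risk figure per segment and for the portfolio."""
    return {
        name: {
            "expected_loss": sum(values) / len(values),
            "at_risk": quantile(values, level),
        }
        for name, values in simulate(**kwargs).items()
    }


if __name__ == "__main__":
    for name, figures in summarize().items():
        print(name, figures)
```

Because the segment figures overstate the portfolio figure when summed, a report that aggregates at-Risk values by adding cells will be wrong; the figure has to be recomputed from scenario-level losses for each slice.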
Often it is useful to calculate marginal at-Risk figures that express the incremental change when new exposures are added to the portfolio. Marginal at-Risk figures already lead into the area of supporting active portfolio management. Eventually, the credit portfolio manager will want to actively change the risk structure of his portfolio towards an optimum. Due to the long-term nature of loans this is more difficult to achieve in the credit portfolio than in portfolios with shorter durations. In addition to optimizing credit approval, for example by setting limits on certain engagements, the most common approach is to hedge against credit risks by making use of derivatives. Finally, it should once again be mentioned that risk measures play an important role in the capital allocation process through risk-adjusted return on capital (RAROC) calculations.

Reporting

The credit review unit has a number of reporting responsibilities for which it needs to depend on a well-functioning IT system. For example, a wide range of disclosure reports must be created. While the regulation prescribes certain template reports, the reporting system should be flexible enough to accommodate changes to these reports and the creation of additional reports quickly and easily.

As mentioned above, the disclosure reports are in fact multi-dimensional tables that break down key risk measures along a variety of dimensions. In order to create these reports efficiently, specialized storage structures should be created that hold pre-calculated summaries, so-called multi-dimensional databases. Correlation effects cause non-additivity of at-Risk measures, making standard multi-dimensional storage structures obsolete and creating the need for a specific at-Risk MDDB structure. A graphical user interface should then enable the user to interactively navigate through the dimensions.
Such online aggregation and de-composition of risk measures enables the credit review unit to quickly identify suspicious risk concentrations as well as surfacing historical trends. Additionally, the interface should enable the user to define a report layout and launch a batch printing job.

Producing complex multidimensional reports and drilling down into detail is important. However, it is equally necessary to be able to display just a few key credit risk indicators in a dashboard-like fashion for strategic monitoring purposes. These credit risk indicators would typically be monitored alongside other key risk and performance indicators.

Internal rating system monitoring reports are required. These include rating grade and segment migration reports, the monitoring of default and delinquency rates (including a breakdown by vintage period), and a comparison of actual default rates with predicted values. Furthermore, the rating-based approval process must be monitored. Override frequencies and override reasons must be summarized and individual override cases must be tracked.

SAS Risk Management for Banking
SAS offers a risk management solution that addresses all of the aspects mentioned in this paper. SAS believes that by adopting this solution, banks can comply with Basel II regulations and establish excellence in risk management. The complete solution addresses market, credit and operational risk, and includes technology, consulting and training services.

Data warehouse

SAS enables the creation of an open, flexible and extendable data warehouse architecture by providing native access modules to extract data from all major database systems, a powerful fourth generation language for transforming and loading data into customer-specific data models, and storage structures that are specialized for supporting information delivery and risk management applications. Graphical User Interface (GUI) driven data warehouse administration software documents all metadata and visualizes every step of the extraction, transformation and load process, so that both the bank and its supervisor have immediate and complete insight into how information is brought together.

Rating system

SAS offers a rating model development environment that is based on the concept of process flow diagrams. A process flow diagram gives the model developer the ability to experiment interactively with a large variety of data pre-processing options and modeling algorithms in order to determine an optimal rating model. Available modeling algorithms include, among others: scorecards, logistic regression, decision trees and neural networks. A variety of clustering and segmentation algorithms are provided, as well as functionality for the assessment of predictive power (risk differentiation) and support for the determination of optimal cut-off ratings for approval purposes.

Process flow diagrams document each step of the model development process. Models can be re-calibrated by re-executing the process flow on new input data.
The diagrams convey and retain the bank's best practices and thereby also facilitate the training of new staff. Finally, they serve as a reference when models are updated or replaced. Diagram archives can be created to further support change control.

The rating model development environment is fed from input tables in the data warehouse, and ratings in the warehouse are continuously updated by executing rating models in batch runs against current borrower tables. Rating models can also be deployed for online rating in branch offices using XML and Web services.

Portfolio analysis

SAS offers a portfolio analysis environment that contains (preliminary) template functions for the calculation of risk-weighted assets from an exposure table. The environment performs collateral valuation through mark-to-market analysis and elegantly handles currency conversion through automatic triangulation. It enables portfolio level scenario analysis and stress testing as well as the calculation of economic capital and at-Risk figures. It includes a large variety of out-of-the-box simulation functionality, including Monte Carlo and historical simulation as well as delta-normal at-Risk analysis. The portfolio analysis environment receives its input data from the data warehouse and feeds a number of performance reports.

Reporting

SAS offers a variety of options for reporting system implementation. Regarding data storage in the data warehouse, multidimensional databases support the efficient online aggregation and decomposition of risk measures, while parallel data server technology enables the efficient retrieval of individual counterparty data from large tables. On the interface side, both desktop based and Java Server Page (JSP) based Web-enabled reporting technologies are offered. Reports can be published through batch printing, through e-mail in a variety of formats and through channels of a Web-based information delivery portal.
This portal can be part of the bank's own intranet or it can be set up as an external site for supervisors and market participants. In either case, encryption technology ensures the secure transmission of data. Finally, strategic performance reports such as balanced scorecards and management dashboards that display key risk indicators are part of the SAS offering.

Consulting and training

SAS offers implementation consulting services that are based on decades of experience in implementing information delivery systems with major banks worldwide. Detailed component specific project methodologies support the consultant and the bank throughout all phases of the project. The methodologies favor a phased approach and close co-operation and knowledge transfer with the bank's own staff, so that the bank can independently operate and extend the system. A large variety of training courses on all aspects of the solution are offered through a dense network of local offices.

Summary

Dealing with risk has always been a challenge for all types of organizations. This is especially true for banks, because managing risk is what defines their business. In the process of transforming small, short-term deposits into large, long-term loans, banks face market risk due to price changes, credit risk due to counterparty default and operational risk due to failure of people, processes, systems or external events.

In order for banks to be able to do their business, the depositors must trust in the stability of the banking system. In order to support this trust, regulators limit the amount of risk that banks can take on by requiring a proportion of the risk to be covered by reserved capital which is forbidden to be invested. New global regulation moves towards allowing internal risk measurement as the basis for minimum capital calculation across all risk types.
Before banks can adopt these approaches and benefit from reduced capital requirements, they first have to prove to their supervisors that they can fulfill a number of minimum requirements and disclose detailed information about their risk management processes.

The internal ratings-based approaches to credit risk measurement require the internal estimation of counterparty default probabilities by internal rating systems. Individual exposures can then be aggregated to portfolio-level risk measures. Banks can adopt advanced portfolio analysis techniques in order to calculate economic capital and exercise improved risk control.

The SAS Risk Management for Banking solution allows banks to not only comply with Basel II regulations, but excel in their risk management practice across all risk types. Solution components in the credit risk area include a data warehouse, an internal rating system, portfolio analysis and reporting technologies, as well as consulting and training services.

SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute Inc. in the USA and other countries. ® indicates USA registration. Other brand and product names are trademarks of their respective companies. Copyright 2002, SAS Institute Inc. All rights reserved.