82

The McKinsey Quarterly 2004 Number 1

Martin ONeill

The business case for Basel II

The business
for Basel I I

case

The accord mostly prescribes good banking practice. Banks should get
off the fence and use the new rules to promote change.

Kevin S. Buehler, Vijay DSilva,

and Gunnar Pritsch

After five years of hard work, international banking regulators are

close to completing the framework for a new accord on minimum capital

requirements. If the regulators can work out the remaining details and
conflicts before mid- 2004, banks will be scheduled to implement the
Basel II rules by the end of 2006.
These new standards, aiming for a closer match between the capital that
banks hold and the risks they take, should in theory lead to more stable,
efficiently run institutions. Bankers concur that the original pactthe 1988
Basel accordis badly out-of-date. But agreement on specifics has been
difficult to reach, and the implementation deadline has already been pushed
back once. There may be further delays.1
How should US banks respond to the impending new rules? US regulators
require only the largest banks (by assets) and those with significant assets
abroad to follow them. Just a few such banks have begun comprehensive
programs to ensure compliance, including the upgrading of their risk-rating
systems.2 By contrast, somemainly Europeanbanks have used early
1

One hurdle was overcome in October 2003, when the international team of bank regulators preparing the
accord revised its provisions on credit risk in response to criticism from US bankers. But in November 2003, 11
US lawmakers sent the four US banking regulatory agencies a letter arguing that Congress must review Basel II
before any final agreement is signed.
2
Banks with assets greater than $250 billion, international assets greater than $10 billion, or both will be required
to participate. The total number is estimated at ten, but the final count hasnt been determined.

83

The McKinsey Quarterly 2004 Number 1

84

drafts of Basel II to prepare for what they see, despite the uncertainties, as
inevitable changes in capital standards. Banks in emerging markets are
lagging behind. Those in China and India have opted out entirely, claiming
that the accord is too complex.
The wait-and-see approach of some US banksboth those required to
participate and those that can opt inis too conservative. Basel II mostly
prescribes good banking and business practice; waiting postpones the
benefits and creates the possibility of missing the deadline for compliance.
Anyway, many provisions still under discussion have little impact on
what institutions should do now. Banks must develop more sophisticated
ways to estimate default probabilities and losses, for example, but dont
immediately need to know Basel II s specific risk-weight formulas.
Large US banks required to participate should move quickly on the basis
of what is currently known. So should banks that decided to opt in but
deferred action. We urge the many
other US institutions sitting on the
Waiting delays the benefits and
fence to consider the business case
creates the possibility of missing
for opting in. A bank could improve
the deadline for compliance
its risk management in a way
that would have a bottom-line
impact even without Basel II . Still, there are important reasons to go
all the way: banks certified as Basel II compliant could benefit from lower
capital charges and the enhanced reputation that would come from the
regulators seal of approval.3
Toward best practice
In revising the original 1988 Basel accord, regulators are taking account
of improvements in IT, new banking products, and the risk-management
revolution that has led, for example, to the boom in securitized assets. The
draft proposals have further evolved in response to criticism from bankers,
national regulators, and politicians. Many US banks have delayed taking
action because of uncertainty about the implementation timetable and
disagreements among US regulators about the accords provisions. Even
US banks that want to opt in are confused about when to begin what is sure
to be an intensive effort, how to pace it, and what to make a priority.
But in Europe, many banks werent put off by the haziness and faced less
domestic regulatory ambiguity.

Certification by regulators will require banks to meet a long list of standards in the accord. Regulators,
we think, will look unfavorably on bigger banks that could participate but choose not to, unless they have
some strong business reason.

The business case for Basel II

Banks that are already overhauling their risk-management systems wonder

how Basel II will fit in with their initiatives. A few have concluded that it
is just a regulatory nuisancea lot of money and fuss over nothing.
The best way to sort out these concerns is to examine where and how the
Basel II regulations bring banks to best practice and to look at the business
case for the required investments. Even a partial understanding of the
shape of the regulations should incline banks to positive action. Applying
the Basel II requirements will take banks to, or close to, best practice in
risk management, particularly in risk measurement and processes. Here we
present our view of how closely the Basel II provisions approach best
practice in credit, operational, and market riskand what the banking
industry should do in response.
Credit risk
Credit risk is exposure to the chance that a borrower or counterparty might
not honor its contractual obligations. Of the three types of risk discussed
here, Basel II is most specific and almost always at best practice in this one.
The new rules call for a rating system that explicitly takes account of the
probability of default and the loss given default, for example. Most bankers
agree that this is the best-practice approach because it helps banks to assess
the risk from clients or transactions more accurately. Today there are no
requirements in this area.
In some cases, though, Basel II offers only general requirements; for example,
it lets banks decide how to use information about customer behavior,
such as deposit balance histories and loan repayments, for the purpose of
credit ratings. Using such information represents
best practice because it helps banks to distinguish
good from bad borrowers. Regulators chose to
allow banks to develop their own approach if they
can back it up.
In other areas, regulators stopped short of best
practice because it is hard to validate inputs and
outputs supplied by banks. Thus, for example, banks
arent required (or able) to use internal portfolio
models, which explicitly account for correlation and
diversification effects in credit portfolios. Following
the spirit of Basel II , banks would have to show that correlation coefficients
were statistically significant, and regulators would have to be able to
validate these claims. Thats tough sledding because such correlations are
even harder to establish than probability-of-default or loss-given-default
parameters, so regulators instead settled on an average benchmark portfolio

85

86

The McKinsey Quarterly 2004 Number 1

to calibrate formulas. Here, banks should go beyond Basel II . Large

commercial lenders, for instance, might want to invest in internal portfolio
models to improve the management of their credit portfolios.
To comply with Basel II , most US banks will need to upgrade their rating
systems and credit processes, including the prediction and collection
of defaults. For those institutions that have to meet the implementation
deadline of December 31, 2006, time is short. While many scoring systems
for consumer credit portfolios meet the requirements, problems with
generating and archiving default data have created compliance gaps for
smaller loan portfolios.
Larger banks in the nonmandatory category will likely opt in over time,
using Basel II as a catalyst for promoting better risk-management practices,
but they may not achieve full compliance by the proposed deadline.
These banks should assess, segment by segment, how far they are from
compliance and which segment would benefit if implemented first.
Operational risk
Operational risk is exposure to losses from inadequate internal processes
and systems and from external threats such as rogue traders. The Basel II
draft regulations are specific about what must be measured but vague about
how to do so. These proposals focus mainly on measuring risk and capital
adequacy. It makes sense, for example, to collect internal and external data
on losses so that the data can be used to model loss distributions, as the
draft requires, because this is among the few ways to quantify operational
risk. But banks are free to decide how the historical
data series should be transformed into a statistical
assessment of required capital.
Little mention is made of risk mitigationfor instance,
contingency plans for disasters like major systems
failures or reviews of business practices to warn
banks about potential risks to their reputation, such
as the investment banks 1990s practice of linking
research and banking. Risk mitigation can reduce
losses triggered not only by external disasters but also
by internal practices. A well-designed data recovery
plan, for example, can reduce the financial impact of a trading platform
that breaks downa low-frequency, high-impact risk. High-frequency, lowimpact risks, such as credit card fraud, can be addressed by reengineering
operations-intensive processes. The draft regulations opacity gives banks
the flexibility to tailor the best approach for themselves.

The business case for Basel II

Some banks have begun developing processes required by Basel II , but few
if any institutions have made the operational-risk framework a practical
tool to drive bottom-line results by enhancing operational effectiveness.
While the key elements of a best-practice framework have emerged,
practices and design choices vary greatly in, for example, the formats and
levels of detail for a banks self-assessment. Despite the regulators silence
on risk mitigation, banks should move ahead here.
Market risk
Market risk is exposure to adverse market price movements, such as
exchange rates, the value of securities, and interest rates or spreads. Market
risk has two components: trading risk and structural-interest-rate (or
asset-liability) risk. No changes have been made in the rules on trading risk
since a 1996 Basel I amendment that pushed banks toward best practice
by letting them use internal models to determine the capital requirements
for market risk in trading portfolios. Structural-interest-rate risk
the risk to earnings and equity values from mismatches in the interest rate
sensitivity of assets and liabilitiesis addressed relatively vaguely.
In the bank treasury function of asset-liability management, Basel II repeats
the principles put forward in the first capital accord and other existing
regulatory guidelines. These principles are framed at too high a level to
translate into specific best practices.4
The absence of specific market risk provisions is disappointing, for the
specificity of new credit and operational-risk regulations is what has forced
and will go on forcing banks to upgrade their approaches. The market risk
rules in asset-liability management will amount to something like have
policies or measure vulnerability to stress scenarios, and most banks
can argue that they do so already. The Basel regulators may have paid
less attention to market risk either because most banks typically require
significantly less capital for structural-interest-rate risk than for credit
risk (perhaps 60 to 70 percent of an average banks capital) or because of
other existing regulations. Nonetheless, many retail banks have assumed
substantial asset-liability risk in the recent interest environment. In principle,
standards for measuring economic-value and earnings risk caused by
structural-interest-rate risk should be as stringent as those for credit risk.
While Basel II may not change the requirements for structural or trading
risk, the general safety and soundness principles it restates imply that
standards will go on evolving. For institutions that now have no regulatory
4

Consultative Document Number 102 , Principles for the Management and Supervision of Interest Rate Risk,
September 2003, was the latest such document at the time of writing.

87

88

The McKinsey Quarterly 2004 Number 1

or business issues, this area is of little concern. Banks should follow

best-practice developments and update as needed even if Basel II gives little
advice on what to do or where to focus.
The business case
Our research reveals a significant profit impactabove and beyond the
savings banks might gain from reduced capital charges and funding costs
by adhering to Basel IIfrom moving to best practice. For some banks, the
more risk-sensitive Basel II formulas could substantially reduce regulatory
capital, sometimes by up to 50 percent
in segments such as residential
Better systems for assessing risk
mortgages. If banks could reduce
can help banks to enter new
their capital as a result, they would
segments without fearing disaster
save on funding costs. But savings
from reduced capital arent automatic.
Many banks and rating agencies assess the amount of capital required by
economics rather than regulation, so the capital a bank actually decides
to hold may not change. In addition, other constraints (such as leverage
ratios under current US regulations) may also prevent banks from reducing
regulatory capital significantly.
In our client work, we have identified four important Basel II style riskmanagement efficiencies. Benchmarks from typical improvement efforts
suggest that they could raise pretax earnings by 3 to 6 percent.
1 Reduced charge-offs through better default-prediction and collection
processes can add 1 percent to pretax earnings. Improved credit-rating
systems, for example, make more accurate predictions of who will
default. Better earnings come not only from turning down people whose
credit quality is likely to fall but also from lending to those who might
have been rejected before but now seem to be worthy risks. Also,
sharper insights into collateral value help banks improve their bad-loan
workout processes.
2 Risk-based pricing to improve pricing discipline on loans and risk
selection and to reduce risk from new business opportunities can raise
risk-adjusted pretax earnings by 1 to 2 percent. Good loan pricing must
be risk adjusted: riskier borrowers require higher provisions for expected
losses and more capital for covering bigger unexpected ones. With
better systems to assess and differentiate risk, banks can enter new or
more risky segments without fearing disaster.
3 Cutting operating expenses by streamlining underwriting processes can
raise pretax earnings by 0.5 to 1 percent. One North American retail

The business case for Basel II

bank, for example, generated loans through different channels, including

mortgage brokers, thereby making the process of capturing data complex
and redundant. With a new rating system, data were entered only once,
andmost importantautomated decision making reduced the need for
manual intervention.
4 Cutting expenses by mitigating operational losses can raise pretax
earnings by 1 to 2 percent. The savings come from lower losses because
of problems ranging from teller error to rogue trading, as well as from
lower capital charges. Banks can either reengineer processes to reduce
human error or develop contingency plans for problems like systems
breakdowns. This approach also has less quantifiable benefits, such as
better customer retention and management information.
Substantial savings can also be had from reducing regulatory-capital
requirements, though the benefits may vary greatly by customer segment
and the risk characteristics of particular loan portfolios. Consider
operational risk: for big banks that must adhere to Basel II , moving to a
proposed advanced measurement standard might generate savings from
20 to 25 percent of the capital requirements for operational risk if regulatory
capital exceeds economic capital.
Getting there
These savings require big investments. For large, diversified global banks,
the cost is typically $100 million but can be as high as $250 million,
and the process could well take up to three years. For diversified regional
banks, the cost is about $25 million to $50 million. Many banks would
incur much of this cost even without Basel II , since they must upgrade their
risk-management capabilities to keep pace with changing markets.
Basel II s objectiveinstilling best-practice, sophisticated, analytically
driven risk-management policies based on each banks experiencewill
increase overall IT requirements. For most banks, enhanced IT systems
and data integration will account for more than 75 percent of the
investment Basel II requires.5 The most important cost drivers are the
number and nature of a banks portfolios, loans, and processes (including
the degree to which existing data warehouses are integrated), the starting
point and maturity of tools and processes, and the scope and timing of
implementation. To build a new credit-rating system, for example, a bank
must first develop a prototype and then expand it into a broadly available
5

The cost categories are design and program management, the development and prototyping of models,
the development of applications, the hardware they require, systems integration and data migration,
and organization and business transformation.

89

The McKinsey Quarterly 2004 Number 1

90

production tool, usable by the front line, that is integrated with existing
data warehouses.
From the perspective of best-practice risk management, credit risk will
largely drive Basel II s implementation costs. Much of the cost, we estimate,
will go toward addressing credit risk: 55 to 65 percent for credit-related IT
systems integration (including data migration) and
25 to 30 percent for nonsystems credit risk (including
models and prototypes). Operational risk will account
for almost all remaining costs; those for external
reporting and supervision will be negligible.
Banks with well-integrated IT systems can meet the
requirements relatively easily. Others face limitations
from dispersed legacy systems and poor data
architectures. But the temptation to undertake massive
IT-restructuring projects under the Basel umbrella
should be measured against less elegant but pragmatic
and cheaper approaches. One of our clients concluded
that a $20,000 Excel-based solution would capture
data easily and accurately for a segment with only a few loan defaults a year.
A more elaborate project to integrate the data with the main data warehouse
would have cost $5 million. Banks should also consider combining the IT
programs they undertake for Basel II with those needed to comply with the
US SarbanesOxley corporate-governance legislation and with international
accounting standards in Europe. An operational-risk self-assessment
program needed for compliance with Basel II , for example, would tie in
nicely with the management certification of financial controls required
by SarbanesOxley.

The United States has 7,000 banks. The top 50 should comply with most if
not all Basel II requirements. Banks with risky portfolios may face higher
regulatory-capital charges under Basel II , but such banks are in particular
need of best-practice risk management. Insofar as Basel II doesnt reach best
practices, we encourage banks to pursue them if there is a business case.
Some bankers may worry about wasted effort. But we detect a spirit of
flexibility in the Basel regulators comments and especially in the US
regulators Advanced Notice of Public Rulemaking, which will limit the risk
of building capabilities that wont ultimately be needed.6 Banks in the opt-in
6

Recent commentary shows that regulators will interpret the final rules flexibly. For instance, they will probably
accept several credit-rating models, based on widely different philosophies.

The business case for Basel II

category will likely be able to work with regulators to establish a transition

path to compliance and can therefore start upgrading areas that make
the most business sense. Banks may even be able to comply with Basel II for
their major segments but not all of their portfolios if they can show that
this choice reflects solid business realities.7
Banks that have already started risk-management programs view Basel II as
a change agent. They use the new accord to focus bankwide attention on
efforts to achieve risk-management leadership. Basel II is also good news for
banks whose risk-management efforts, begun with the best of intentions,
have languished through inattention. CEO s should recognize that moving so
many parts of a bankmost business units as well as the treasury and
other corporate-center functionsto best practice involves a huge effort.
We know from long experience that it will fail if top management doesnt
take the lead and ensure that benefits from a well-developed business
case are captured.

We expect regulators to be flexible about the deadline in the case of mandatory banks if they can show that
they have implemented a credible transition plan for the most important sectors. In the event of noncompliance,
regulators can assess capital charges. No bank wants to have bad relationships with regulators. Opt-in
banks face no deadline; we believe that regulators will be happy to accept a step-by-step transition in these
banks efforts to promote better practices.

Kevin Buehler, Vijay DSilva, and Gunnar Pritsch are principals

in McKinseys New York office. Copyright 2004 McKinsey & Company.
All rights reserved.

91