Sarbanes-Oxley requirements could complement Basel compliance

During a recent operational risk roundtable held by Celent Communications in New York, some participants raised the issue of overlap between section 404 of Sarbanes-Oxley and proposed reporting requirements under Basel II, which seemed to echo overlap concerns banks expressed regarding Sarbanes-Oxley and the Federal Deposit Insurance Corporation’s (FDIC) Federal Deposit Insurance Corporation Improvement Act (FDICIA) of 1991, which also address internal control requirements, reported by Operational Risk in March 2003.

However, overlap between Sarbanes-Oxley and Basel II will more likely improve banks’ operational risk management processes and procedures. So argues Barry Macklin, senior vice- president of JP Morgan Chase Treasury and Securities Services, who views Sarbanes-Oxley and Basel II as two efforts to mitigate essentially the same risk.

"I think they’re complimentary", Macklin says. "The Basel Accord talks about developing assessment techniques, incentives for banks to improve upon their processes, and better management of operational risk, specifically with the advanced measurement approach (AMA). Banks are encouraged to develop frameworks, systems with the spirit of the AMA, which we’re working towards.

"When I think about those concepts and then go and look at Sarbanes-Oxley, particularly section 404, which is management’s assessment of internal controls, to me it discusses the same types of concepts," Macklin continues, noting that section 404 implementation requires setting up and maintaining adequate financial reporting controls and procedures. "I think when you look at both of those, if you’re looking at Basel and developing, for instance, a governance structure and an ability to monitor operational events, that’s the same thing that Sarbanes-Oxley is looking for you to certify."

But while Sarbanes-Oxley and Basel II may complement each other, that doesn’t mean procedures set up to comply with the former will apply seamlessly to the latter once the Accord’s final version is drawn up later this year. Macklin acknowledges the inevitability that modifications will be necessary. Still, though, compliance with both will achieve the same goal of effective operational risk management. "Both [Sarbanes-Oxley and Basel II] go to the core of having an effective and efficient op risk management system," Macklin says. "If you have the process in place, there may be some nuances between the two, but I think it’s the process we have to talk about -- that is key to the whole challenge of complying, whether it’s to FDICIA or Basel or Sarbanes-Oxley. You should be able to use the same tools. You need to understand your underlying processes and the key risks associated with those processes."

The bulk of the guidance on disclosure in Basel II is provided in the so-called Pillar III, which focuses on market discipline. This section was scaled back substantially in the third consultative paper (CP3) issued by the Basel Committee on Banking Supervision in late April. OpRisk

Stewart Eisenhart

The text of CP3 can be found at: www.bis.org/bcbs/bcbscp3.htm .
Information on Sarbanes-Oxley implementation by the SEC is available at www.sec.gov/spotlight/sarbanes-oxley.htm .