Bank of America, one of the world’s leading financial institutions, provides its services through 6,100 retail banking offices and nearly 18,500 ATMs. For a large and complex organization like Bank of America, compliance with the numerous U.S. and international financial regulations is of vital importance. One of the most significant of those regulations is the Basel II Accord, which establishes rigorous requirements designed to ensure that banks hold capital reserves appropriate to the risk to which they are exposed. To comply with the operational risk aspects of Basel II, the bank created a portal solution based on Microsoft® Office SharePoint® Server 2007. Developed and deployed in just four months, the solution has been rapidly adopted by managers and staff, who are using it to comply with Basel II and to better measure and address operational risk throughout the enterprise.
In terms of both deposits and market capitalization, Bank of America is the largest commercial bank in the United States and among the largest financial institutions in the world. The bank provides its services through 6,100 retail banking offices, nearly 18,500 ATMs, mobile banking services, and call centers. Bank of America focuses on providing a comprehensive, coast-to-coast banking platform for retail customers and on building up global capital markets for corporate clients. It was most recently named the number one Small Business Association lender in the United States.
For any large financial institution, compliance with national and international regulations is an ongoing imperative, involving an especially daunting process in an institution as large and complex as Bank of America. The most significant of recent global regulations is the Basel II Accord, required for implementation by U.S. banks by 2011. Basel II, as it is known, addresses the levels of capital that banks are required to put aside to guard against specific financial and operational risks. In so doing, the accord mandates an entirely new approach to measuring, monitoring, reviewing, and reporting operational risk.
As Cynthia Pair, Senior Vice President of Compliance, Bank of America, explains, the first step in Basel II compliance is collecting the data associated with operational risk from employees throughout the bank’s various business units. Next, the bank must compile the data so as to accurately measure operational risk at an enterprise level.
“We recognized that to comply with Basel II, we would need a comprehensive data-mining ability to gather clues about evolving trends and emerging risks,” Pair says. “We needed a risk and control self-assessment solution that would be highly scalable and easily adoptable by more than 1,000 users throughout the enterprise.”
At first, the bank considered off-the-shelf solutions but found none that was sufficiently scalable or adaptable to the bank’s existing practices. “So as the key part of our Operational Risk Project, we decided to build our own, using tools and an environment with which developers and users alike would be familiar,” says Jeff Napper, Senior Vice President of Enterprise Operational Risk Management, Bank of America. “This meant pursuing a project based on the 2007 Microsoft® Office system, because of employees’ familiarity with the programs and because of the high degree of integration among them.”
Over a period of just four months, Napper’s small team designed, developed, and deployed a portal solution based on Microsoft Office SharePoint® Server 2007 with a data-input mechanism based on the Office InfoPath® information-gathering program, part of Microsoft Office Enterprise 2007. To help ensure that only fully authorized users could access the extremely sensitive data involved in risk assessment and management, developers created highly customized views and controls based on the native security features in SharePoint Server 2007 that extend from the Active Directory® service in the Windows Server® 2008 operating system.
||With our portal of aggregating risk data, the bank has a robust and transparent way of understanding, documenting, and positioning itself to mitigate operational risk.
Senior Vice President, Enterprise Operational Risk Management, Bank of America
The solution relies on the Business Data Catalog in Office SharePoint Server 2007, which enables IT staffers to provide extracted data in a clean and reusable format from a single point of contact. Also within the solution are SharePoint Server content types to make data available for reuse in multiple applications, whether in other parts of the portal or in separate applications outside the portal.
Microsoft SQL Server® 2005 data management software serves as the ultimate data repository for the risk-related data. The solution relies on SQL Server 2005 Reporting Services and Excel® Services in Microsoft Office SharePoint Server 2007 to allow data to be fully shared among users and applications.
Today, with the help of 6,000 role-based security profiles, some 1,500 Bank of America employees across 200 organizational units use the portal solution to access data on 1,800 key operational risks. About 800 of those risks are reported as part of the bank’s enterprise risk and control assessment as required by the Basel II Accord.
Since the solution was first deployed, the bank has enjoyed significant benefits from its new risk and control self-assessment solution based on Microsoft Office SharePoint Server 2007 and other Microsoft technologies. These benefits include efficient development and deployment, a powerful way of assessing trends, and an easier approach to risk mitigation.
Rapid Development, Deployment, Adoption
For members of the development team, the four-month time frame for design, development, and deployment of the solution was far faster than that of comparable efforts in the past, some of which relied upon integrating disparate solutions from a variety of technology and database vendors.
“In terms of development efficiency, this is a stark contrast, for example, to working through the integration challenges of traditional UNIX- and Linux-based technologies,” comments Jacob Firestone, an independent consultant on the Operational Risk Project. “Thanks to the real-time SharePoint Server 2007 environment and its native integration with the rest of the 2007 Office system, we were able to do real-time development and implementation, without the bothers of coding, compiling, testing, and then deployment, version control, change management, and so on. We developed capabilities that would have taken a month to develop using more traditional technologies, but we did it in just a single day with SharePoint Server 2007.”
Moreover, because of user familiarity with the Microsoft tools and user interface, adoption of the portal solution was rapid and relatively painless. “This helped us get started that much sooner on implementing compliance with the Basel II Accord,” says Bradley Yee, Senior Vice President of Enterprise Operational Risk Management, Bank of America.
Faster Trend Assessment
According to Napper, with the portal solution, Bank of America staffers have better information for developing assessments, and they can get to that information faster and more easily. “Users not only save time and effort, but also are more likely to want to use the solution, to enter more data about potential risks, and to perform more thorough risk-management assessments,” he adds.
At a higher level, the solution enables the bank to aggregate risk information from the various business units and present a collective assessment to senior management, an endeavor that in the past was difficult and time-consuming to pursue. “Data aggregation enables us to understand the significance of risks that on their own might not have seemed severe, but together could pose a significant concern,” Pair says. “It also enables us to discern trends that could transcend a given business unit and affect the larger enterprise.”
Another advantage of the portal solution is its centralized control of the information-gathering process, a capability enabled by the integration among Office Enterprise 2007, particularly InfoPath 2007; Office SharePoint Server 2007; and SQL Server 2005. As Napper explains, users enter risk-related information through a centrally managed InfoPath-based form that focuses on key risks and the evaluation of existing controls. This information goes into a SQL Server 2005–based database that supports data mining, assessment, and reporting to executive management and the board of directors.
Easier Risk Mitigation at All Levels
According to Yee, the underlying value of the solution is having the data in a format that can be easily mined and assessed to show both separate and aggregate views. “These multiple views of risk patterns help users to understand the risks inside each business unit and how they play out as a whole,” he explains. “Having both separate and aggregate views helps us use the data to mitigate risk, both within a given business unit and across the enterprise.”
Through Office InfoPath 2007, the portal solution also ensures that the information gathered is consistent throughout the company and categorized to reveal selected types of risk. According to Napper, that kind of selectivity would be impossible to achieve in a less automated environment. “With our portal of aggregating risk data, the bank has a robust and transparent way of understanding, documenting, and positioning itself to mitigate operational risk,” he says.
And Bank of America expects to continue to benefit from the framework it has put in place. Napper adds, “Because we based the solution on a development and deployment environment as efficient as Microsoft Office Enterprise 2007 and SharePoint Server 2007, the bank is well positioned to effectively manage operational and compliance risk, now and well into the future.”
Microsoft Office System
The Microsoft Office system is the business world’s chosen environment for information work, providing the programs, servers, and services that help you succeed by transforming information into impact.
For more information about the Microsoft Office system, go to:
For More Information
For more information about Microsoft products and services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (877) 568-2495. Customers who are deaf or hard-of-hearing can reach Microsoft text telephone (TTY/TDD) services at (800) 892-5234 in the United States or (905) 568-9641 in Canada. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information using the World Wide Web, go to:
For more information about Bank of America products and services, visit the Web site at: