With the Basle II Revised Framework now very much at the forefront of banks' priorities, it is a prerequisite that banks demonstrate a sound operational risk management and control infrastructure. Keith Warden reports.
This can seem a rather complex task, in that a sound methodology will have to be in place to demonstrate compliance, and this is not always easy to get a handle on given that it is only recently that operational risk has been an area of key focus. Many banks will undertake the purchase of expensive software before establishing their requirements, in the belief that this will give them what they need, when in fact a thorough study of and subsequent compliance with Basle and UK Financial Services Authority guidance will perform the task perfectly and at reasonable cost. GCC banks do not have the complexity of the larger European or US banks, and an operational risk project need not be as daunting as first thought, provided a clear plan is in place that focuses on the Basle requirements to ensure that auditors and central banks have a clear reference point against which to measure individual bank compliance. This article sets out those requirements, in necessarily broad terms given the size, rather than complexity, of the topic.
Basle II
The Basle II Revised Framework issued in June 2004 stipulates that an explicit capital charge should be made to cover other unmeasured risks not included in the market risk or credit risk calculations. A capital charge for operational risk is not an option but a fundamental part of Basle II. The simpler approaches - basic indicator and standardised - are relatively straightforward to implement.
As all banks will be aware by now, the Framework has as its foundation three pillars.
The three pillars
- Pillar One: covering minimum capital requirements, specific new rules for credit and operational risk.
- Pillar Two: covering supervisory review.
- Pillar Three: covering market discipline.
Pillar one: Calculating operational risk capital
The Basle Committee identified three methods of calculating operational risk capital, in order of increasing sophistication and risk sensitivity, as follows:
- Basic indicator approach: This approach is the elementary, top down approach that can be followed by any bank, irrespective of its size or complexity. Under this approach, the operational risk capital is calculated using a proxy indicator for the entire bank, such as gross income.
- Standardised approach: This method breaks out the risk calculation by business line. Eight business lines have been identified by the committee.
- Advanced measurement approaches (AMA): Bottom up approaches allowing for greater granularity in risk assessment are grouped under AMA. It is unlikely that banks in the GCC will adopt this approach; they will go for, at a minimum, the basic approach or (more likely) the standardised approach.
The basic indicator approach is unlikely to be adopted by the majority of banks, as regulators will in all likelihood expect banks to be more proactive in the risk assessment process than simply applying a basic indicator to the entire bank's operations. Doing so may suggest to the regulator that the bank has not taken significant steps to implement the latest generally accepted risk management techniques.
Accordingly it is highly likely that most banks will adopt the standardised approach, with only the largest and most complex banks going for the advanced measurement approach.
To be able to implement the standardised approach, banks must meet all of the following criteria and ensure that they are integral to any operational risk management process.
The criteria are as follows:
- Its board of directors and senior management, as appropriate, are actively involved in the oversight of the operational risk management framework.
- It has an operational risk management system that is conceptually sound and is implemented with integrity.
- It has sufficient resources in the use of the approach in the major business lines as well as the control and audit areas.
An internationally active bank using the Standardised Approach must meet the following additional criteria:
- The bank must have an operational risk management system with clear responsibilities assigned to an operational risk management function.
- As part of the bank's internal operational risk assessment system, the bank must systematically track relevant operational risk data including material losses by business line.
- There must be regular reporting of operational risk exposures, including material operational losses, to business unit management, senior management, and to the board of directors. The bank must have procedures for taking appropriate action according to the information within the management reports.
- The bank's operational risk management system must be well documented. The bank must have a routine in place for ensuring compliance with a documented set of internal policies, controls and procedures concerning the operational risk management system, which must include policies for the treatment of non-compliance issues.
- The bank's operational risk management processes and assessment system must be subject to validation and regular independent review. These reviews must include both the activities of the business units and of the operational risk management function.
- The bank's operational risk assessment system (including the internal validation processes) must be subject to regular review by external auditors and/or supervisors.
Pillar two: Supervisory review
Pillar two of the Basle II Accord focuses on the establishment of internal systems to monitor, measure, and control risk and on supervisory assessment of risk management for capital adequacy purposes. In this respect, the development of detailed guidelines for banks as well as the supervisors became critical. The Basle Committee published its 'Sound Practices for the Management and Supervision of Operational Risk', and it follows that banks incorporating these principles into the steps in their methodology will be able to comply with Pillar Two of the Basle Capital Accord.
Pillar three: Disclosure
Pillar three relates to market discipline and disclosure. The Basle Committee believes that disclosure requirements can induce banks to build a strong capital base, in order to be viewed favourably by other market participants and improve access to the markets. This in turn will support the objectives of pillars one and two, and promote safety and soundness in the banking system. Requirements on disclosure are still being evolved, but once again, compliance with a sound methodology cross-referenced to Basle principles should enable a fairly painless disclosure process to be developed.
Key issues for banks arising from Basle II
The key issues can be summarised as follows:
- Active involvement of management and audit in the operational risk management process is imperative.
- The board and management must plan and manage resources to tackle compliance with Basle II requirements for operational risk.
- Banks must ensure that proper risk measurement systems and strong internal controls are in place.
- Banks must document compliance with operational standards, documentation and audit trail requirements, sufficient to satisfy regulators. Adopting the approach in this handbook will achieve this.
- Banks must treat Basle II and the whole area of operational risk as a major project.
Putting it all together
Having explained the various elements that make up operational risk management, the important task now is to put these elements into a methodology and project plan. This will enable banks to methodically implement an operational risk management framework, ensuring that all the elements are included. It is my belief that the operations of the vast majority of GCC banks are sufficiently straightforward such that an operational risk management project should not be a task that requires rocket science and that a sound methodology and well documented project that cross references back to Basle requirements will do much to ensure that auditors and central banks will ultimately give their seal of approval.
The following are the key steps that need to be covered and this is also clearly shown in the attached diagram.
Organisation structure
The first step in the project is to review and amend the operational risk management organisation structure to ensure that it follows the Basle Committee guidance and best practice in the banking sector. The role of internal audit will also be included.
Operational risk definition
To be able to manage and control operational risk, there needs to be agreement on what operational risk covers. The project should therefore establish the bank's definition of operational risk to see whether it covers all of the risks falling within Basle II and Basle Committee risk management guidelines.
Bank operational risk policy
The operational policy should outline a bank's strategy for operational risk management and the processes that it intends to adopt to achieve these objectives. The documented risk policy should include the operational risks that the bank is prepared to accept and those it is not prepared to accept, including where relevant some consideration of its appetite or tolerance for specific operational risks. It should also include how the bank intends to identify, assess, monitor and control its operational risks, including an overview of the people, processes and systems that are used.
Risk identification
In order to understand its operational risk profile, a bank should identify the types of operational risk that it is exposed to as far as reasonably possible. These risks can be classified as follows:
- People. A bank should maintain appropriate systems and controls to address risks arising from the result of breaches of fiduciary duty by employees, internal fraud or human error.
- Processes and systems. A bank should establish and maintain appropriate systems and controls for the management of operational risks that can arise from inadequacies or failures in processes and systems.
- External events and other changes. The exposure of a bank to operational risk may increase during times of significant change to its organisation, infrastructure and business operating environment. This will also include disaster recovery and business continuity planning.
- Reputation and finance risks. A bank should maintain appropriate systems and controls to manage its reputation and finance risk.
- Outsourcing. Outsourcing arrangements must be managed in relation to the impact that outsourcing may have on a bank's exposure to operational risk.
- Insurance. A bank should assess its insurance arrangements to make sure that they adequately address the risk being covered.
The project needs to cover all of the above risks and assess the extent to which they have been identified within the bank. A comprehensive checklist of operational risks should be used to ensure full coverage of all likely operational risks.
Risk assessment
The project then needs to perform a qualitative and quantitative assessment of its operational risks to understand its exposure to them.
Risk monitoring
A bank should then set up a formalised system to report to the relevant level of management its operational exposures, loss experience and authorised deviations from the bank's operational risk policy.
Risk control
A bank should control its operational risks through activities for the avoidance, transfer, prevention or reduction of the likelihood of occurrence or potential impact of an operational exposure.
Key risk indicators
Key Risk Indicators (KRIs) are quantitative measures intended to provide insight into the exposure to operational risk and the effectiveness of operational risk management or controls. These can be tracked on a periodic basis, e.g. daily, monthly and yearly, as required.
Indicators are particularly good at risk measurement as they can act as a tool to measure progress towards goals and facilitate day to day decision-making. They may well already be in use in some form or another if a bank has a "Balanced Scorecard" type of performance measurement process in place.
The operational risk project should integrate the use of KRIs into the operational risk management project.
Record keeping
In order to demonstrate compliance with prudential rules and best practice, banks should retain an appropriate record of their operational risk management activities.
Loss event database
The loss event database collects the bank's loss experiences. Events are described and stored for analysis. The project should assess the adequacy of the bank's loss event database and ensure it captures loss data in the appropriate format.
Conclusion
Basically, banks need to start now on their project, and those that have started (hopefully the majority) need to ensure, by following a sound methodology and making sure they fully understand the Basle requirements, that their time is not being wasted. Large accounting firms have been advising banks for some time now to treat this as a major project (many banks may take over a year).
Banks can find full details of the methodology and how to set up a fully Basle-compliant operational risk manual on the website www.wardensultancy.com and can also contact the author of this article by email at kwarden2004@yahoo.co.uk.
© Banker Middle East 2005




















