May - June 2006
Introduction
Basel II has changed the face of Operational Risk management in the Financial Services industry, leading Institutions around the world to review and challenge the way in which such risk issues are addressed in the financial world. Furthermore, the final Basel II paper[1] has provided a definition of Operational Risk on which the Financial Services industry can broadly agree and which serves to demonstrate the very wide range of risks that are covered by the Operational Risk blanket.

The definition reads as follows:
"Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk".

As can be seen the definition embraces risks ranging from the failure of an ATM network to a fraud committed by a cashier or trader. It covers the risk of a case of sexual discrimination or an identity theft in the internet bank as well as flawed documentation or failure to perform a reconciliation process correctly.

Simple examination of the range of risks covered will show how important it is for Banks to control and mitigate operational risk exposures given the huge financial and reputational impact that major operational events can have.

The history of Operational Risk Management
Clearly the management of Operational Risk is not new. Banks and other financial institutions have always sought to minimise operational losses by controlling or transferring unacceptable risks. When Jesse James first burst into a Bank with guns blazing to rob the safe, financial institutions endeavoured to minimise this risk by employing armed guards and by investing in bigger and better safes and strongboxes.

It was, however, the case that Institutions tended to manage such risks on a piecemeal basis and reactively. When a loss occurred, resource was devoted to resolving the problem that had arisen with the aim of preventing recurrence. However, no attempt was made to systematically identify and assess the impact of potential loss events where exposures exist as a result of flawed processes or systems, but as yet no loss has been suffered.

Basel II seeks to address this issue by having Banks compile a comprehensive picture of their operational risk exposures against a list of risk types that aims to cover the full range of Bank Operational Risk.

The requirements of Basel II
Basel II is designed to replace the Basel I Capital Adequacy rules which originally produced guidelines for internationally active banks as to the minimum amount of Regulatory Capital needed to support their loan books (set at 8% of amount lent). These guidelines came to be accepted by over 100 countries that chose to formally adopt these rules as part of their local banking regulation, thereby guaranteeing a basic level of solidity to the international banking system, and a level playing field for fixing minimum regulatory capital.

The theory behind Basel II is that it offers a risk-sensitive approach to capital adequacy assessment to replace the one size fits all approach to the subject contained in Basel I. To achieve this aim the guidelines create three pillars to support the edifice of capital adequacy. It also widens the range of risks for which minimum regulatory capital must be held.

To credit and market risk, it adds operational risk.

Pillar One contains the formulae that Institutions must use to calculate the minimum regulatory capital requirement. It also contains qualitative standards that each business must meet in order to qualify for more advanced calculation methodologies.

Pillar Two outlines the Regulatory review process, whereby the Supervisor will consider the quality of the underlying risk management framework, and adjust the minimum regulatory capital figure to take account of any deficiencies in this structure. In theory, therefore, a Regulator may decide that it is appropriate to increase the minimum capital adequacy requirement for a specific Institution if it believes that the risk management procedures in place are to some extent unsatisfactory.

Finally Pillar Three explains the disclosure requirements that Institutions will be obliged to follow in connection with their risk management techniques. The theory is that potential investors in financial institutions will be able to study the details of an Institution's Risk Management structures and decide whether risks are being adequately managed and therefore whether this is an entity in which it is appropriate to invest. In essence well-managed firms will supposedly find it easier to attract investment than their poorly managed competitors.

Approaches to Operational Risk
For Operational Risk, Pillar One specifies three possible methodologies for calculating minimum regulatory capital requirements. The entry level methodology is the Basic Indicator Approach where Institutions will have to hold an amount in capital equivalent to 15% of average gross income in the previous three year period.

Slightly more complicated is the Standardised Approach which divides the business of the Institution into eight business lines and assigns to each a "beta factor" designed to reflect the inherent "riskiness" of the business line. The beta factor is then multiplied by the average gross income for the business line concerned over the previous three year period.

Finally there are the Advanced Measurement Approaches under which Institutions are invited to develop their own methodology for calculating minimum operational risk regulatory capital requirements. Any such methodology must be submitted to the local Regulator for specific approval.

In order to progress to the more complex approaches to capital calculation, Institutions must comply with defined qualitative management standards for Operational Risk management that become increasingly stringent as progress to the more advanced levels is achieved.

The most helpful guide to the basic qualitative requirements of an Operational Risk management framework is contained in the Sound Practices paper published by the Bank for International Settlements. This guidance document is intended as a basic template with which all internationally active banks are encouraged to comply. As a general guide the document can serve as a basis for any Institution that wishes to put in place an Operational Risk Management Framework. The paper makes clear the fact that the Board of Directors should be familiar with the major aspects of the bank's operational risk exposures and should approve and review the framework introduced to manage these exposures.

This will mean giving approval to the general principles of how operational risk should be identified, assessed, monitored, controlled and/or mitigated. They should also ensure that the framework is subject to independent audit to avoid manipulation of the system.

Senior management are then charged with implementing the framework approved by the Board, developing the policies, processes and procedures that are needed to make the framework effective in the Bank. The key message is that this is a matter for the Board and Senior management for without this top level buy-in, commitment from the general body of staff who are the front line troops on the Operational Risk battlefield cannot be expected.

The paper then turns its attention to the main elements of an Operational Risk management framework and sets out the activities needed to put in place a comprehensive framework. The first fundamental step in the process is to identify the Operational Risk inherent in all material products, activities, processes and systems and to assess the potential impact of such risks were they to occur. Clearly, unless we understand the range of risks to which we are exposed, it is very hard to prioritise and manage those risks.

Once the identification and assessment process has been completed Financial Institutions must create a process to monitor the evolution of exposure to risks and to losses which need to be reported to the Board.
 
In essence this means that institutions will have to create a database of operational losses that will facilitate the proactive management of the underlying risks.

The monitoring of losses will take the Institution logically onto the action required to control and/or mitigate operational risks. Institutions must decide what they want to do about the risks they face. If they believe that risks exceed acceptable levels, then firms must choose whether they introduce additional controls to reduce the likelihood of loss, transfer the risk (probably through an insurance contract) or avoid the risk altogether by exiting the market. Of course the firm may decide that the risk is simply the cost of being in a specific business area or is sufficiently small for them to simply accept the risk without further action. Before this decision can be taken, however, Institutions must have fully explored their potential exposure to these risks if they are to make sensible decisions on the management of the risks.

A final element in the Operational Risk management framework is to ensure that the business will be able to continue to operate in the event that it is affected by a catastrophe, by ensuring that it has robust, tested contingency and continuity plans in place.

More stringent qualitative and quantitative requirements apply to those banks that choose to use one of the more advanced approaches to calculating operational risk regulatory capital requirements.

The challenges of Operational Risk Management 
It is clear that the Basel Committee on Banking Supervision did not invent the concept of Operational Risk management when they published initial Basel II papers. Many other industries have developed comprehensive risk management structures to protect the lives or health of their customers in the event of operational failure (pharmaceuticals, safety critical industries). Equally within Financial Institutions systems designed to protect against fraud and other operational risks have existed from the earliest times. The focus was firmly on the qualitative management of operational risk and the prevention of losses. Basel II now obliges banks that are aspiring to adopt an Advanced Measurement Approach to indulge in a quantitative analysis of their operational risk exposure and to hold capital to protect against a high percentage of possible losses. In this way it is hoped that the banking system will be protected from failure due to operational losses.

The new approach requires Banks to meet certain key challenges if they are to comply with the Basel II requirements.

Among these challenges are:
Workload 
The first issue that arises from these new requirements is one of workload. Institutions now find themselves obliged to identify all material risks in their processes, products and systems, and to do this, they will need to build structures that involve the staff in business units contributing to this analysis. How, for example, can the Risk management unit in a major retail bank know of a risk present in a procedure in a branch office unless the branch staff report the existence of the issue? Such procedures take time, and will involve a large number of people throughout the organisation. It is hard to escape the fact that any exercise designed to carry out the basic identification and assessment of risk will either require an extensive self assessment programme (with associated training and guidance) or a series of interactive workshops with business units.

If such activities are performed properly, the results in terms of improved processes, greater knowledge of risk and fewer losses will be significant, but the development of the process and its execution will require time and resource and the subsequent issue of managing and working with the data gathered. If the activity is carried out with insufficient planning, guidance or resource, the quality of information gathered may be very poor and effectively unfit for purpose.

Key Risk Indicators
Institutions will also need to develop systems for gathering data about the losses and errors that may occur and where the incentive to report the mistake may not be immediately clear to the business unit that has committed the error. Furthermore, the aim for the industry as a whole must be to reach a position whereby they are able to identify risky positions before, or at least as, they develop, rather than discovering the risk only when it gives rise to a specific loss. Many institutions are now developing Key Risk Indicators to tell them when they may be operating at a higher level of risk. Such indicators might, for example, include a situation where transaction volume has increased substantially but the available staff to handle the business is reduced by sickness, or where the downtime of the relevant systems has increased. When such a situation occurs, it might be desirable to report the fact to senior management so that appropriate action can be taken to support the business unit and reduce the probability of error.

This example makes the basic assumption that there is a correlation between errors, increased volumes and reduced resource. The truth of this assumption will, however, need to be tested against experience for we may find that staff are more inclined to make routine errors when concentration levels are low i.e. when they have little work to do. Finding objective indicators of an increased potential risk of loss is not as straightforward as it might appear!

Modelling Operational Risk
For those banks that select the Advanced Measurement Approach, a key challenge becomes the methodology used to calculate the appropriate capital figure. Once Institutions move away from the broad proxy of gross income used in the more simple approaches, they are faced with the problem of developing a methodology for calculating capital.

The task of calculating capital is not a simple one. When modelling Credit and Market Risk, Banks have tended to base their calculations on past loss events. Such a process has also been used by many Institutions who have chosen a loss distribution approach to operational risk capital assessment. A problem with such approaches is that operational loss data tends to be concentrated in certain key areas that can be characterised as high frequency low impact losses. Fortunately for the Institutions extreme losses are rare and will certainly not be present in all of the key areas of risk in one Institution for if that were the case the Institution concerned would certainly be out of business. The problem resides in the obvious fact that capital will be based on the extreme events that the business has not experienced.

To counter this problem, use of loss data from events experienced by other Banks has been suggested. Here we encounter another problem, for Operational Risks are context dependent, arising from a specific combination of failures and events. It goes without saying that different banks use different systems, processes and people and consequently the relevance of one firm's data to another firm is questionable.

Indeed if, as a result of a loss suffered by your own business, you decide to change control structures, then arguably the value of that internal loss as an indicator of future trends has been reduced, despite the fact that the incident happened to you. What is more the amount may have to be adjusted through scaling or the creation of additional scenarios to reflect changes in the underlying business such as volume growth or inflation.

An alternative approach that can be used either in place of or to complement a loss distribution approach is a scenario based approach, where scenarios based on the firm's own risk environment are created to explore the potential for extreme events to occur. The methodology has the advantage of being firmly based on the business itself, and an Operational Risk Manager can create scenarios that will be immediately recognisable to staff members who will better understand what is required of them to prevent the scenario occurring. The approach is, however, dependent on a comprehensive set of scenarios being developed that will explore the potential for high value losses. Qualitative results can, however, be very significant.

Insurance
The challenges are not only confined to the Financial Institutions. Insurers too have a challenge to face.

The Basel II rules recognise the fact that Insurance can be used as a mitigant for Operational Risk. Financial Institutions can purchase insurance policies to cover errors and omissions, fraud, computer crime, directors' and officers' liability and other programmes designed to minimise operational losses. Banks choosing to use an Advanced Measurement Approach to Operational Risk can recognise the presence of a suitable insurance programme and reduce the capital held for Operational Risk by up to 20%.

However this does require the policy or policies to be acceptable to the Regulator as a substitute for capital and to meet certain basic standards. The Regulator will be looking for certainty of payment, so extensive exclusion clauses will not be welcome. Neither will any clause that allows the underwriter to dispute a claim.

If this is possible, then clearly the insurance policy cannot be seen as an acceptable substitute for capital that will be immediately available to meet a loss. There is a need for a comprehensive policy that will meet the Basel II requirements for an insurance policy.  

Supervisors
Finally the Supervisors face a challenge. Pillar II requires them to formulate a judgement on the quality of a firm's risk management structures. The Advanced Measurement Approach needs them to assess and become involved in understanding the basis of a firm's assessment, its quality and robustness. They also need to resolve cross border issues and work in harmony with the home Regulators of overseas banks operating in their territory while protecting the integrity of their own national system.

Conclusion
Within the Financial Services Industry, the face of Operational Risk management has changed. The vision is to design an approach that identifies the key operational risks faced by Financial Institutions and focuses our attention on effectively managing and controlling those risks. The result should be a more efficient, higher quality business with fewer unnecessary operational losses. Such a result will require work and resource, but the result will be worth the effort.

Note: The views expressed in this article are the Author's personal views and do not necessarily represent the views of the HSBC Group.

David Breden
Director
HSBC Operational Risk Consultancy

© POLICY 2006