Regulation and risk management expert Bozena
Gulija examines how interest and resources have increased when
it comes to this category of risk
Global regulatory milestones
Although banks have always been exposed to operational risk
and have managed it more or less successfully, in the last few
decades, due to a combination of economic and regulatory
motivations, operational risk has attracted attention and
resources more commensurate with its importance.
Several high-profile events in the 1990s, including the
collapse of Barings Bank, gave initial prominence to
operational risk. Additionally prompted by the increased
complexity of banking products, processes, technologies and
environment, supervisors and bank managers became more
interested in this risk category.
The Basel Committee on Banking Supervision (BCBS) identified
a growing need for regulatory contribution and incentives, and
in 1998 published the first set of practices, which were
superseded by the sound practices/principles issued in 2003 and
then updated in 2011.
The key milestone that reflects the Basel Committee's
crucial role in setting trends for operational risk management
is the publication of the Basel II capital framework in 2004,
which included operational risk in Pillar 1, together with
credit and market risks. This introduction of minimum capital
requirements contributed considerably to the evolution of
tools, processes and systems for managing operational risk.
Since then, new internal and external developments and
threats, including some severe operational risk events (eg the
Libor scandal, cybersecurity problems or recent money
laundering incidents), reinforced the importance of adequate
management and supervision of operational risk. On the
regulatory front, however, Basel III, finalised in December
2017, could adversely affect the future development of advanced
operational risk management practices.
Defining operational risk
The BCBS definition, given in Basel II, has become a
universally accepted standard. Operational risk is defined as
the risk of loss resulting from four possible causes:
- processes (eg inadequacies in collateral
- people (eg employee incompetency);
- systems (eg accounting system errors);
- external events (eg earthquakes).
Additionally, it is specified that operational risk includes
legal risk but excludes reputational and strategic risks.
The Basel Committee also contributed substantially to the
development of operational risk taxonomy by providing the basis
- by event type (internal fraud; external
fraud; employment practices and workplace safety; clients,
products and business practices; damage to physical assets;
business disruption and system failures; execution, delivery
and process management); and
- by business line (corporate finance;
trading and sales; retail banking; commercial banking;
payment and settlement; agency services; asset management;
The operational risk universe incorporates certain
sub-categories that are further separately defined, regulated
and/or managed, such as legal, compliance, money laundering,
conduct, fraud, IT and security risk. On the other hand,
reputational and strategic risks are considered distinct
categories, but are often included in operational risk
management. Additionally, there is a question of boundaries
with regard to credit and market risk, as operational risk can
affect any product or activity related to a bank's credit
portfolio or trading book.
Besides its broad scope, operational risk also differs from
other major risks because its loss distribution typically shows
a greater number of small losses (high-frequency, low-severity)
and a few extremely large losses (low-frequency,
high-severity), which subsequently poses challenges for its
quantification, management and supervision.
Managing operational risk
Despite the relative novelty of operational risk management
and diverse practices, there are some typical organisational
structures, processes, tools and methodologies that are used by
banks. Important sources of risk management standards are the
Basel Committee's documents, primarily the Basel II/III capital
framework and operational risk management principles.
Operational risk management generally involves an iterative
process of identifying operational risks, assessing (measuring)
exposures to the identified risks, control/mitigation
activities, and monitoring and reporting. Common tools and
methods used in this process are risk and control
self-assessment (RCSA), business process mapping, internal loss
data collection and analysis, external loss data analysis,
scenario analysis, and key risk indicators (KRIs).
The actual established frameworks and day-to-day practices
vary significantly among banks, and this is also reflected in
their (in)ability to measure operational risk and calculate
economic and regulatory capital.
Capital charges – current methods
When minimum capital requirements for operational risk were
introduced for the first time in Basel II, three main methods
were made available for their calculation. These methods should
remain in force until the implementation of corresponding Basel
III provisions, scheduled for 2022.
Currently available approaches, in increasing order of
- the basic indicator approach (BIA);
- the standardised approach (TSA); and
- the advanced measurement approaches
Increasing sophistication should be accompanied by
increasing risk sensitivity and (potentially) decreasing
capital requirements. Although this path is also marked with
more demanding qualitative and quantitative criteria, the
necessary additional investments are assumed to be offset by
the benefits of better management of operational risk and the
expected lower capital charge.
Lack of support and incentives for investment in
internal modelling might jeopardise the understanding
and management of operational risk
The BIA and TSA are based on the gross income that serves as
a proxy for the scale of operational risk (at a bank or a
business line level). Gross income (or relevant indicator in
the EU regulation) is the sum of net interest income and net
non-interest income. Therefore, higher gross income is
expressed in higher capital charge, and losses (eg from
interests or fees) can significantly lower a bank's capital
requirement for operational risk. In practice, there have been
cases where the operational risk exposure increased (and
internal losses materialised), but that was not reflected in
the BIA/TSA capital charges.
According to the BIA, the whole bank's gross income is
simply multiplied by the prescribed alpha factor of 15% in
order to calculate the amount of operational risk capital
charge. (If we want to convert the amount of capital charge
into the corresponding operational risk exposure measure
comparable to credit risk RWA, the capital charge should be
multiplied by 1/8%, ie 12.5.)
According to the TSA, banks map their gross income into
eight business lines and multiply each by the prescribed beta
factors, which range from 12% to 18% depending on the perceived
riskiness of each business line (eg 12% for retail banking, or
18% for trading and sales).
The AMA is on the other end of the sophistication spectrum
and it allows banks to calculate their regulatory Pillar 1
minimum capital requirements using their own measurement
systems and models. There are four obligatory elements
prescribed for the AMA (internal loss data; external loss data;
scenario analysis; and business, environment and internal
control factors), but in comparison with credit and market
risks, modelling of operational risk is much less regulated and
standardised. Although the AMA requires prior validation and
approval from the supervisors, practical implementation has not
led to expected levels of comparability among banks and
Capital charges – future method
Basel III tries to address limitations inherent in using
gross income for the BIA and TSA calculations, as well as the
insufficient stability and comparability of the AMA charges.
Therefore, in 2022, all three current approaches will be
abandoned and replaced by the new standardised approach (SA,
SA-OP, standardised measurement approach or SMA), which is not
model-based but should be sufficiently risk sensitive.
The SA capital charge is calculated by multiplying the two
- the business indicator component (BIC);
- the internal loss multiplier (ILM).
The BIC is derived from the business indicator (BI). The BI
includes income from the interest, leases and dividend
component (ILDC), the services component (SC) and the financial
component (FC). Depending on the calculated BI amount (below
€1 billion ($1.16 billion approximately); between €1
and €30 billion; above €30 billion), the BI is
multiplied by the corresponding marginal alpha coefficients
(12%, 15% and 18%) and the result is the BIC.
The ILM should reflect a bank's historical internal losses,
but its introduction and implementation are subject to national
discretions. Also, for banks with a BI below the €1
billion threshold, the ILM is always one, which cannot
influence capital calculation, and therefore the capital charge
equals the BIC (ie the BI times 12%).
Generally, Basel III provides for a more complex calculation
of the business indicator compared to the gross income and,
where applicable, for some banks the ILM could add to the
risk-sensitivity of capital charges. As for the expected
changes in the amount of operational risk capital requirements,
the latest Basel III monitoring report points to a smaller
impact than previously envisaged. The expected average change
for the group 1 banks (largest banks, including global
systemically important banks) is a 1.5% decrease, while the
estimated average change for the group 2 banks would be a 6.4%
increase, further depending on the current method from which
migration to the SA is assumed.
Future developments in operational risk management could be
hindered by the upcoming shift in capital calculation brought
by the Basel III reform. Lack of support and incentives for
investment in internal modelling might, ultimately, jeopardise
the understanding and management of operational risk.
Furthermore, it remains to be assessed whether the actual
implementation and practical application of the SA will result
in lower or higher capital charges, and whether it will
adequately reflect banks' operational risk profiles and provide
for the desired level of consistency and comparability.
Additional challenges are related to the appropriate
management of some established and emerging operational risk
sub-categories, for example conduct risk, people risk,
technology risk, cybersecurity, privacy, data management and