PRIMER: operational risk – prudential regulation perspective
Regulation and risk management expert Bozena Gulija examines how interest and resources have increased when it comes to this category of risk
Global regulatory milestones
Although banks have always been exposed to operational risk and have managed it more or less successfully, in the last few decades, due to a combination of economic and regulatory motivations, operational risk has attracted attention and resources more commensurate with its importance.
Several high-profile events in the 1990s, including the collapse of Barings Bank, gave initial prominence to operational risk. Additionally prompted by the increased complexity of banking products, processes, technologies and environment, supervisors and bank managers became more interested in this risk category.
The Basel Committee on Banking Supervision (BCBS) identified a growing need for regulatory contribution and incentives, and in 1998 published the first set of practices, which were superseded by the sound practices/principles issued in 2003 and then updated in 2011.
The key milestone that reflects the Basel Committee's crucial role in setting trends for operational risk management is the publication of the Basel II capital framework in 2004, which included operational risk in Pillar 1, together with credit and market risks. This introduction of minimum capital requirements contributed considerably to the evolution of tools, processes and systems for managing operational risk.
Since then, new internal and external developments and threats, including some severe operational risk events (eg the Libor scandal, cybersecurity problems or recent money laundering incidents), reinforced the importance of adequate management and supervision of operational risk. On the regulatory front, however, Basel III, finalised in December 2017, could adversely affect the future development of advanced operational risk management practices.
Defining operational risk
The BCBS definition, given in Basel II, has become a universally accepted standard. Operational risk is defined as the risk of loss resulting from four possible causes:
processes (eg inadequacies in collateral management);
people (eg employee incompetency);
systems (eg accounting system errors); or
external events (eg earthquakes).
Additionally, it is specified that operational risk includes legal risk but excludes reputational and strategic risks.
The Basel Committee also contributed substantially to the development of operational risk taxonomy by providing the basis for classification:
by event type (internal fraud; external fraud; employment practices and workplace safety; clients, products and business practices; damage to physical assets; business disruption and system failures; execution, delivery and process management); and
by business line (corporate finance; trading and sales; retail banking; commercial banking; payment and settlement; agency services; asset management; retail brokerage).
The operational risk universe incorporates certain sub-categories that are further separately defined, regulated and/or managed, such as legal, compliance, money laundering, conduct, fraud, IT and security risk. On the other hand, reputational and strategic risks are considered distinct categories, but are often included in operational risk management. Additionally, there is a question of boundaries with regard to credit and market risk, as operational risk can affect any product or activity related to a bank's credit portfolio or trading book.
Besides its broad scope, operational risk also differs from other major risks because its loss distribution typically shows a greater number of small losses (high-frequency, low-severity) and a few extremely large losses (low-frequency, high-severity), which subsequently poses challenges for its quantification, management and supervision.
Managing operational risk
Despite the relative novelty of operational risk management and diverse practices, there are some typical organisational structures, processes, tools and methodologies that are used by banks. Important sources of risk management standards are the Basel Committee's documents, primarily the Basel II/III capital framework and operational risk management principles.
Operational risk management generally involves an iterative process of identifying operational risks, assessing (measuring) exposures to the identified risks, control/mitigation activities, and monitoring and reporting. Common tools and methods used in this process are risk and control self-assessment (RCSA), business process mapping, internal loss data collection and analysis, external loss data analysis, scenario analysis, and key risk indicators (KRIs).
The actual established frameworks and day-to-day practices vary significantly among banks, and this is also reflected in their (in)ability to measure operational risk and calculate economic and regulatory capital.
Capital charges – current methods
When minimum capital requirements for operational risk were introduced for the first time in Basel II, three main methods were made available for their calculation. These methods should remain in force until the implementation of corresponding Basel III provisions, scheduled for 2022.
Currently available approaches, in increasing order of complexity, are:
the basic indicator approach (BIA);
the standardised approach (TSA); and
the advanced measurement approaches (AMA).
Increasing sophistication should be accompanied by increasing risk sensitivity and (potentially) decreasing capital requirements. Although this path is also marked with more demanding qualitative and quantitative criteria, the necessary additional investments are assumed to be offset by the benefits of better management of operational risk and the expected lower capital charge.
The BIA and TSA are based on gross income, which serves as a proxy for the scale of operational risk (at a bank or a business line level). Gross income (or relevant indicator in the EU regulation) is the sum of net interest income and net non-interest income. Therefore, higher gross income translates into a higher capital charge, and losses (eg from interests or fees) can significantly lower a bank's capital requirement for operational risk. In practice, there have been cases where the operational risk exposure increased (and internal losses materialised), but that was not reflected in the BIA/TSA capital charges.
According to the BIA, the whole bank's gross income is simply multiplied by the prescribed alpha factor of 15% in order to calculate the amount of operational risk capital charge. (If we want to convert the amount of capital charge into the corresponding operational risk exposure measure comparable to credit risk RWA, the capital charge should be multiplied by 1/8%, ie 12.5.)
According to the TSA, banks map their gross income into eight business lines and multiply each by the prescribed beta factors, which range from 12% to 18% depending on the perceived riskiness of each business line (eg 12% for retail banking, or 18% for trading and sales).
The AMA is on the other end of the sophistication spectrum and it allows banks to calculate their regulatory Pillar 1 minimum capital requirements using their own measurement systems and models. There are four obligatory elements prescribed for the AMA (internal loss data; external loss data; scenario analysis; and business, environment and internal control factors), but in comparison with credit and market risks, modelling of operational risk is much less regulated and standardised. Although the AMA requires prior validation and approval from the supervisors, practical implementation has not led to expected levels of comparability among banks and jurisdictions.
Capital charges – future method
Basel III tries to address limitations inherent in using gross income for the BIA and TSA calculations, as well as the insufficient stability and comparability of the AMA charges. Therefore, in 2022, all three current approaches will be abandoned and replaced by the new standardised approach (SA, SA-OP, standardised measurement approach or SMA), which is not model-based but should be sufficiently risk sensitive.
The SA capital charge is calculated by multiplying the two main components:
the business indicator component (BIC); and
the internal loss multiplier (ILM).
The BIC is derived from the business indicator (BI). The BI includes income from the interest, leases and dividend component (ILDC), the services component (SC) and the financial component (FC). Depending on the calculated BI amount (below €1 billion ($1.16 billion approximately); between €1 and €30 billion; above €30 billion), the BI is multiplied by the corresponding marginal alpha coefficients (12%, 15% and 18%) and the result is the BIC.
The ILM should reflect a bank's historical internal losses, but its introduction and implementation are subject to national discretions. Also, for banks with a BI below the €1 billion threshold, the ILM is always one, which cannot influence capital calculation, and therefore the capital charge equals the BIC (ie the BI times 12%).
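The BIA and SA calculations described above can be worked through in a short sketch. This is an added example, not part of the original article: the function names and all input figures are constructed, amounts are in EUR billions, and the ILM is passed in as a given value because the article does not state how it is derived.

```python
# Added illustration; function names and figures are constructed for this example.
BIA_ALPHA = 0.15        # BIA alpha factor quoted in the article
RWA_MULTIPLIER = 12.5   # 1 / 8%, converts a capital charge to an RWA-comparable measure
# (upper bound of BI bucket in EUR bn, marginal coefficient) as quoted in the article
SA_BUCKETS = [(1.0, 0.12), (30.0, 0.15), (float("inf"), 0.18)]


def bia_charge(gross_income):
    """BIA as the article describes it: gross income times the alpha factor."""
    return gross_income * BIA_ALPHA


def business_indicator_component(bi):
    """Apply each marginal coefficient only to the slice of BI inside its bucket."""
    if bi < 0:
        raise ValueError("business indicator must be non-negative")
    bic, lower = 0.0, 0.0
    for upper, coeff in SA_BUCKETS:
        if bi <= lower:
            break
        bic += (min(bi, upper) - lower) * coeff
        lower = upper
    return bic


def sa_charge(bi, ilm=1.0):
    """SA charge = BIC x ILM; the ILM is forced to one for first-bucket banks."""
    if bi <= 1.0:
        ilm = 1.0
    return business_indicator_component(bi) * ilm


def rwa_equivalent(capital_charge):
    """Convert a capital charge to the exposure measure comparable to credit risk RWA."""
    return capital_charge * RWA_MULTIPLIER


if __name__ == "__main__":
    for bi, ilm in [(0.8, 1.5), (35.0, 1.0), (35.0, 1.2)]:
        charge = sa_charge(bi, ilm)
        print(f"BI={bi:>5} ILM={ilm}: BIC={business_indicator_component(bi):.3f} "
              f"charge={charge:.3f} RWA-equivalent={rwa_equivalent(charge):.2f}")
```

Because the coefficients are marginal, a BI of €35 billion gives a BIC of €5.37 billion rather than the €6.3 billion that a flat 18% would produce.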
Generally, Basel III provides for a more complex calculation of the business indicator compared to the gross income and, where applicable, for some banks the ILM could add to the risk-sensitivity of capital charges. As for the expected changes in the amount of operational risk capital requirements, the latest Basel III monitoring report points to a smaller impact than previously envisaged. The expected average change for the group 1 banks (largest banks, including global systemically important banks) is a 1.5% decrease, while the estimated average change for the group 2 banks would be a 6.4% increase, further depending on the current method from which migration to the SA is assumed.
Future developments in operational risk management could be hindered by the upcoming shift in capital calculation brought by the Basel III reform. Lack of support and incentives for investment in internal modelling might, ultimately, jeopardise the understanding and management of operational risk. Furthermore, it remains to be assessed whether the actual implementation and practical application of the SA will result in lower or higher capital charges, and whether it will adequately reflect banks' operational risk profiles and provide for the desired level of consistency and comparability.
Additional challenges are related to the appropriate management of some established and emerging operational risk sub-categories, for example conduct risk, people risk, technology risk, cybersecurity, privacy, data management and cross-border issues.