OpRisk Awards 2016
In October 2015, Risk.net reported that the Basel Committee on Banking Supervision was poised to scrap the use of operational risk modelling for regulatory capital purposes.
In March this year, that was followed up with proposals for a standardised measurement approach (SMA), which would replace all existing approaches to op risk, including the advanced measurement approach (AMA) – the own-models method currently used by more sophisticated banks.
Advocates of op risk modelling were disappointed, to say the least. Compared with the AMA, which delivered a leaner capital requirement for firms able to use op risk modelling, they argue the SMA would deliver a hefty increase in capital. They also warn the SMA lacks risk sensitivity and will reduce banks' incentive to invest in op risk modelling and techniques such as scenario analysis.
The change could be felt keenly in Australia, where the Australian Prudential Regulation Authority (Apra) has embraced the AMA since its inception. The authority requires that all banks using the internal ratings-based approach to credit risk under Basel II also use the own-models approach to op risk.
But even if the Basel Committee decides to ditch the AMA, one head of op risk capital modelling at an Australian bank believes an emphasis on op risk modelling will persevere. "To the Australian banks' minds, it's more than just the model - it is about the risk management frameworks that support the model," he says.
Risk practitioners say that's largely down to the work of Apra, which has been quietly emphasising that models should do more than just measure, but also help banks make risk-based business decisions. In the language of the Basel Committee, it means those models must pass the ‘use test'.
Scenario analysis is a way of taking that information, really analysing it based on your business, and thinking, ‘What's relevant to us? What are the changes we need to make? What are the things we need to monitor?'
Larry Wagenaar, Apra
"From the beginning, we put as much focus – if not more – on the use requirements as we did on the measurement aspects," says Larry Wagenaar, Apra's head of operational risk supervision in Sydney.
Wagenaar and his colleagues emphasise their focus is on getting frontline businesspeople to engage with op risk management and measurement techniques. One example is the authority's approach to scenario analysis. At the moment, scenario analysis is one of four inputs that banks can use to model their capital under the AMA, alongside internal loss data, external loss data, and business environment and internal control factors. This contrasts with the SMA, where only internal loss data is used.
Because scenario analysis involves combining the use of historical data with the bank's current risk profile, Apra sees it as a way of bridging the gap between risk and business expertise. The collaboration between risk and the business means both end up with a better understanding of their risks and controls – a benefit that cannot be gained from straightforward loss data analysis, says Wagenaar.
"If you're looking purely at external loss data, it doesn't always give you the sort of information that makes it relevant for your business," he says. "Scenario analysis is a way of taking that information, really analysing it based on your business, and thinking, ‘What's relevant to us? What are the changes we need to make? What are the things we need to monitor?'"
Focusing on drivers
He gives the example of mis-selling. A good scenario analysis for mis-selling doesn't just arrive at a figure for how large the loss could be, says Wagenaar, but it also allows risk managers to analyse the factors that might contribute towards it. Those could include lapses in compliance procedures or a lack of product knowledge by the bank's salespeople, for example. Using scenario analysis helps banks think through their controls for monitoring those factors, so any change in exposure can be caught early on.
Wagenaar says Apra has focused on ensuring banks aren't just plucking scenarios out of the air, but are instead focusing on the drivers of the individual risks identified. This means moving away from the traditional approach of senior managers sitting in a room to come up with expected loss numbers, and towards a more rigorous process involving the quantitative aspects of a bank's op risk framework.
"It's ensuring the key factors that drive the exposure are clearly identified and then used in the ongoing monitoring of the risk," he says. "Also, the scenario process should link back to the relevant parts of the traditional risk management framework – for example, in identifying the key controls and identifying meaningful intelligence."
Apra oversees 73 banks across Australia and has a team of 20 staff dedicated to operational risk. A big part of the regulator's strategy involves going out and meeting with businesspeople in banks – either through on-site reviews or appearances at industry events. Wagenaar and his colleagues say their mission is to engage with businesspeople to ensure they understand the risks they are facing and how the op risk frameworks in their organisations can help the business.
This approach is working, they add. In recent years, Australian banks have improved their governance and decision-making processes, made their systems and controls more intuitive and usable for non-specialists, and performed better under the use test. Wagenaar says the regulator is seeing better monitoring of key controls and evidence of op risk scenarios being used for actual business decisions, with some firms responding by "choosing not to move forward with, or restricting, a new business proposal".
If the AMA is dropped by the Basel Committee, as is thought likely, Wagenaar and his colleagues say they will not mourn its passing. Instead, they want to retain "the good parts" of the approach: the quantitative tools that assist op risk management.
We think the post-AMA should be easier – banks will be able to streamline their process. They'll be able to focus more on understanding risk drivers, controls and exposures
Denis Gorey, Apra
"The current AMA framework perhaps has made it hard, in a sense, for banks because there's been a tendency to focus on the metrics in the scenario process that best fit models, rather than concentrating on the outcomes for risk management," says Denis Gorey, head of operational risk analytics at Apra. "But we think the post-AMA actually should be easier – banks will be able to streamline their process. They'll be able to focus more on understanding risk drivers, and controls and exposures, and they can use more meaningful and more understandable metrics through that."
Whatever happens, Wagenaar says there will be no change in Apra's expectations for banks' op risk frameworks. That means the authority will still want to ensure banks have a good understanding of their op risk profile, grounded in quantifiable analysis.
Even if the Basel Committee ditches the use of the AMA for Pillar 1 minimum capital rules, industry practitioners have expressed hope that op risk modelling and scenario analysis will continue to be required as part of Pillar 2 – the discretionary levy charged by national supervisors.
That is one possibility advanced by Apra, although Wagenaar says it is too early to say how it might work. "Going forward, we still see a significant value in measurement helping to better understand the risk, because that leads to better outcomes on the control and the risk management side," he says.
Either way, he argues Australian banks will continue to use op risk management techniques – including scenario analysis – regardless of whether or not they earn a capital benefit. "We're not seeing people stepping away and saying we're not going to do this any more," he says. "We're actually getting the industry engaging with us on how they can better use these tools, and that they do see value out of it."
The week on Risk.net, July 14–20, 2017Receive this by email