Basel II operational risk - Capital is not the only goal

One of the main additions to the Basel II Accord in the latest version, which is due to come into force in 2007, is the area of operational risk. This is a risk type that has always been a part of finance but has never before been subject to a specific regulatory capital charge. Due to this new approach and issues surrounding the correct and relevant calculation of those capital charges, the risk managers and senior management of many financial institutions are becoming increasingly hot under the collar about the subject. The Pillar I capital charge is the 'stick' being used by the regulators, but they actually want financial institutions to understand that the 'carrot' is good for them and they should be striving for it.

So what is the carrot?

The carrot is fewer surprises, better understanding of risk, improved operational effectiveness and lower losses. Senior management in a financial institution (in fact, any company) should be aware of the operational risks being taken in the business and understand the possible impact of a major risk crystallising and the likelihood of such an event. They should be constantly aware of any changes to the risk position and should be receiving a stream of assurances from lower management levels that risks are being measured, monitored and managed correctly.

In an organisation with this flow of information, board members will have fewer sleepless nights worrying about what might happen and, when something does happen, they will be ready for it and better able to react effectively. This is the main aim of the operational risk section of the new Basel Accord (as well as many other new corporate governance regulations, for example, Sarbanes-Oxley) and what local regulators will look for when they complete internal reviews of operational risk practices and systems.

Another aim of the regulators, which underpins the new accord, is to bring state-of-the-art risk management practices to the masses within financial institutions. Under both the credit risk and operational risk sections of the accord, great emphasis has been placed on forcing the banks to take the knowledge that resides in central risk functions and passing it out to the relevant people in the business lines to make them more risk aware and risk responsible. This is especially important in the context of operational risk, as most of the understanding for individual risks is held by the local business managers and they are also in the best position to manage risk effectively.

Surely I can just rely on the capital calculation?

Indeed you can, but that has two very major drawbacks for your company as a whole:

The models do not always measure the risk

The Basel II capital calculation models are necessarily broadly based and will not take account of your own institution's situation. Operational risk is distinctive to each situation and, therefore, does not lend itself to generic models and measurement in the same way as market or credit risk. While the idea of a capital charge is a good one and will force up the general level of risk management practice, in itself it will only provide a very basic measurement of the underlying risk, especially in the cases of the basic and standardised approaches.

Both of these approaches are extremely general and easy to calculate and provide a broad measure of inherent risk. However, neither take any account of the actual risk management practices within an institution and are of little inherent benefit to management in their attempts to measure, monitor and manage operational risk.

Through the advanced measurement approaches, the Basel Committee has offered institutions that are more sophisticated a way of using a more risk-sensitive methodology. The committee has left this section of the accord very open but has mentioned a loss distribution approach (LDA) and a scorecard approach. They have stipulated that four elements are expected in any model: internal loss data; external loss data; scenarios; and risk self assessments.

There are grave concerns in many quarters with the LDA due to the fact that it relies on past histories of internal and external losses. In operational risk, past history may provide some amount of knowledge concerning future losses but, often, increasing risk numbers after a large event - as an LDA would suggest - is counter-intuitive. For example, in the months after the recent debacle at Allied Irish Bank's Allfirst treasury division it is reasonable to assume that the control environment was tightened and the levels of operational risk being taken were very much reduced throughout the entire treasury operation of the bank. An LDA-based model in the year after this large event would show a large increase in capital for treasury, while, in fact, the bank had shut the Allfirst treasury and spent money and resources on reviewing all of the operational risks associated with treasury and ensuring that these risks were minimised. If anything, that capital charge should be lower after the event.

The issue with external loss events is that the data is extremely sketchy and is proving very difficult to integrate with internal data. Using the same example, while we all know from published documents what occurred, how do you relate that to your internal situation? Do you allocate it to treasury in general, to trading options, to confirmation matching or to back-office processing? It would probably be best to split the amount over a number of categories, but then how do you decide upon the split? And, in this case, we have very good information, in most we have no more than loss amounts and a general category model provided by Basel.

The scorecard approach is more forward-looking and, therefore, should provide a better management tool. However, this methodology is far from defined and each institution will have to define the measures and their benchmarks. In essence, the approach asks individual business unit owners to score the impact and likelihood of risks in their area. This data can be back-tested using actual losses, sanity checked using sensible and relevant key risk indicators and audited by internal and external auditors. The results of these scorecards can then be collated up the organisation to provide an estimate of risk and, therefore, capital requirement at any level.

This method seems to make more sense as it will respond to changes in the risk and control environment, while taking notice of past loss history. While general guidelines are being developed for this approach, it is very much up to individual institutions to define the models and the mechanisms in detail.

Management by model won't work

While, as mentioned, the idea of a capital charge is a good one to ensure that all financial institutions consider operational risk and its importance, the very idea that you can set aside a portion of capital for operational risk and then just manage that number is seriously flawed.

While expected losses are usually understood and accounted for in normal budgeting and accounting practices (the so-called 'cost of doing business') the definition of unexpected losses is much more difficult. When it comes to defining the amount of capital required to ensure the longevity of the business, this very quickly becomes a circular argument: "What is the worst possible event you can think of for your business? Well, something that bankrupts us. OK, you need enough capital for that. But that is an infinite amount of capital because I will always be able to think of a bigger event."

The current accord requires an amount that will cover a 99.9% confidence over a period of a year. This results in an amount of capital that will withstand all but the worst event possible in the next 1,000 years. Even the most long-term business managers would not think of managing their businesses on the basis of what might happen in 1,000 years.

So are the regulators forcing me down the wrong road?

Absolutely not. Reading the details of the accord will reveal that much more emphasis is being placed upon the other two pillars for operational risk. Local regulators and external auditors are being told to review control environments, risk frameworks and reporting structures as well as the capital calculation models. The requirements for moving up the scale of capital calculation approaches are all based on qualitative management factors and most regulators will be relying much more on these factors than on the pure mathematics.

Quite a few financial institutions have already had state-of-the-art operational risk management practices and systems in place for a number of years and they are showing a much higher level of risk awareness throughout the organisation and far fewer surprises. The senior executives at these companies can provide regulators and shareholders with proof that they understand the risks in their businesses and are in control of the risk management process.

When Basel II comes to fruition, regulators will - regardless of formal Pillar I capital calculations - be in a position to reward these companies with lower capital charges and excellent reviews because they have understood and implemented the new accord not only by rote but also in spirit.

- Richard Pike is the product director of SWORD, a system for operational risk, internal audit and corporate governance. SWORD is a Microsoft-based solution that has users in 25 countries.

About Ci3

Ci3 partners with financial institutions to provide them with risk control, compliance and certainty over related management processes and information. Ci3 offers clients insight and intelligence - based on vast experience and an unparalled knowledge of its field. With over 10 years' experience working with Irish and international clients, Ci3 has proven itself to be an efficient and effective partner, ensuring that its clients are always in control. For further information, visit www.swordrisk.com or contact Richard.pike@ci-3.com

65-66 Lower Mount Street

Dublin 2

Ireland

T: +353 1 6624 233

F: +353 1 6624 200

www.ci-3.com

Sponsored content