Good in parts
Tony Blunden welcomes the Basel regulators’ latest thoughts on operational risk, but questions their continued emphasis on the past.
The recognition by the Basel Committee on Banking Supervision, the body that in effect regulates international banking, that the banking industry is taking a pluralist approach to advanced operational risk quantification, coupled with minimum standards of qualitative operational risk management for the simpler standardised approach, is to be welcomed.
Other encouraging aspects of the paper that the Basel regulators issued in late September are the reduction in the proposed operational risk capital charge to 12% from 20% of minimum regulatory capital, and the possibility of the eventual elimination of the floor to the charge for banks using an advanced measurement approach for calculating the charge.
However, the continued heavy emphasis in the paper, known affectionately as CP2½, on the collection and analysis of operational loss data, remains puzzling, although understandable at a simplistic level. Businesses are run - and should be run - on a management’s view of the business’ future prospects with only half an eye on historic data. Indeed, the UK financial regulators require all firms to caution investors that past performance is no guide to the future. Why then, is there such an emphasis on past performance in the calculation of regulatory operational risk capital?
The need to arrive at a regulatory formula that can be used in many countries should not take precedence over the application of business logic. While an analysis of loss data is justifiable to get a consistent and robust measure of capital throughout many countries, it introduces a possibly dangerous level of simplification that may be more damaging than protective.
There is some value in recent - say the last two years’ - loss data for such operational hazards as fraud, technology failure and trade settlement errors. However, the use of three, or even five, years of data risks skewing the results heavily towards past performance, and thereby giving a reduced incentive for management to take speedy remedial action to enhance poor controls.
Any model focused solely on loss events will penalise management long after the control gap has been plugged and focus management attention too much on the past, to the possible detriment of the future of the firm.
As a counter to such comments, or maybe in recognition of the inherent limitations of loss event analysis, CP2½, so nicknamed because it comes between the Basel Committee’s second consultative paper (CP2) on the Basel II banking accord and the third (CP3) that is expected in early 2002, recognises the scorecard approach as a possible advanced measurement approach.
The use of risk-sensitive advanced approaches to calculating capital charges is central to the Basel II accord. The accord will determine from 2005 what proportion of their assets large international banks should set aside to guard against banking risks, including credit and market risks as well as, for the first time, operational risk.
Using a scorecard initially based on risk and control assessment data for operational risk management purposes, allows a firm to develop knowledge and skills on operational risk modelling at a much earlier stage of its risk management programme. At a later date, when some confidence in the technique has been gained, data from public domain loss databases can be used, such as IC2’s F1RST database (see Operational Risk, April 2001). Such data enables the firm to supplement the assessment data with real-life data in instances where a firm has little or no experience in particular loss events. The final goal of business judgment data combined with key indicators and both internal and external loss events gives a forward-looking approach to op risk quantification, while basing some of the model in the recent past.
CP2½ rightly recognises the need for scaling data from sources other than the firm itself, and for documenting and reviewing scaling procedures and methodologies.
This need is likely to increase the amount of data in public domain databases, as various key indicators relating to the institution suffering a loss are captured.
These indicators are likely to include data such as revenues, number of staff and balance sheet size that the database providers are well-placed to obtain, given their information-capturing skills. The use of independent verification and assurance for potentially complex areas such as scaling procedures and model parameters, as well as the more standard areas such as framework methodology, is welcome as another implicit acknowledgement of the coming of age of operational risk management.
Among the interesting ideas floated in the working paper, one of the most controversial is likely to be the use of a holding period of one year and a confidence level of 99.9% for the regulatory capital calculation for users of an advanced measurement approach (see annex 1, page 18, paragraph 3(b) of the Basel Committee’s September paper).
As op risk data does not fit a normal distribution, using such a requirement will only give part of a much bigger picture. For op risk, the volatility of data in the tail of the distribution, and its discontinuous nature, must be taken into account to derive a defensible capital figure. When data in a tail decays smoothly, a confidence level of 99.9% can be instructive to both management and regulators. When data is anything but normal in distribution, additional measures are needed to give a better picture of the capital requirement.
Also, a one-year holding period assumes that operational risk is tradable and can be hedged or otherwise completely nullified within one year. This is most unlikely, except in the event of a firm closing down, an occurrence that the correct amount of regulatory capital should be able to prevent to a 99.9% confidence level.
Working Paper on the Regulatory Treatment of Operational Risk by the Basel Committee on Banking Supervision, available on the Bank for International Settlements’ website, www.bis.org.
Tony Blunden is director of operational risk, risk management and regulatory services at business advisors Ernst & Young in London.Operational Risk
Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.
To access these options, along with all other subscription benefits, please contact info@risk.net or view our subscription options here: http://subscriptions.risk.net/subscribe
You are currently unable to print this content. Please contact info@risk.net to find out more.
You are currently unable to copy this content. Please contact info@risk.net to find out more.
Copyright Infopro Digital Limited. All rights reserved.
As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (point 2.4), printing is limited to a single copy.
If you would like to purchase additional rights please email info@risk.net
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (clause 2.4), an Authorised User may only make one copy of the materials for their own personal use. You must also comply with the restrictions in clause 2.5.
If you would like to purchase additional rights please email info@risk.net
More on Risk management
Appetite breaches climb for top op risks
Risk Benchmarking: Low tolerance and heightened threat environment combine to test banks’ limits for cyber, resilience, third-party risk
How gatecrashers could spoil the tokenisation party
Blockchain can curb settlement risks, but that could come at the expense of new third-party risks
Op Risk Benchmarking: Banks seek a home for AI risk
Risk.net’s 2026 study sees record participation and collective unease, as banks race to incorporate AI into op risk frameworks
Contract negotiation tops tech sovereignty for banks in Asia
Regulatory pressure is rising, but industry still focused on service agreements with third parties
The SaaSpocalypse shows private markets need risk models
Investors have little idea how bad the losses in private credit are going to be
Crisis? Which crisis? How ECB stress test failed to see Strait
Banks were told to design geopolitical shock scenarios, but some focused mainly on tariffs
The race to model private market risks
BlackRock maps holdings to risk factors; competitors aim to get the best from statistical methods
G-Sib capital surcharge: how indexing and averaging alter incentives
Capital risk strategist anticipates Basel III endgame impact on US big-bank behaviour
