01 Dec 2008, Ellen Davis, Operational Risk & Regulation
Every year in the UK, millions pause on November 11 to remember the end of World War I. The war itself was a grim episode in the horrible drama that constituted the first half of the twentieth century, and this period of reflection never goes by without discussion about how the 'War to End All Wars' could have been won differently, or how the peace talks could have been conducted differently, so that the Great Depression and World War II didn't have to inexorably follow.
I am not going to delve here into the various historical arguments, suffice it to say they all have one common thread: the statesmen of the time, whether focused on foreign policy or economic development, applied solutions to fit circumstances that had already long passed. They were not facing the challenges ahead. Even before the war ended, they were already refighting it.
And, I am afraid, much of the thinking on the changes that need to be made to the global financial regulatory framework risk repeating that same error. Regulators, legislators and others who are going to be working on the coming raft of proposed changes to the financial services sector need to make sure they don't have their eyes fixed on their rearview mirror while trying to drive into the future.
Part of the problem is that the financial services industry is being reshaped entirely by recent events. For starters, the sector will be much smaller and less leveraged. Mar Gudmundsson, deputy head of the monetary and economic department at the Bank for International Settlements, pointed out in a recent speech that the share of financial services, as a part of GDP, has skyrocketed in the US and UK over the past two decades. Financial services' overall share of corporate profits rose even more dramatically - in the US it stood at 10% in the early 1980s but peaked at 40% of total corporate profits last year. Just how much financial services will shrink back from these levels remains to be seen, but this paradigm shift will result in a revitalised relationship between cost control and value, and increased emphasis on understanding risk appetite, among other changes. I predict that, whereas in the past some costs and inefficiencies were simply swept under the 'profit carpet', firms will now be watching their pennies, and looking to operational risk executives to tighten systems and controls. But it could also mean firms cut back even more on many types of middle- and back-office investment in an attempt to keep margins lush.
The second major shift is that more capital - both regulatory and economic - will be needed to operate as a bank. Regulators are going to be demanding larger capital and liquidity buffers, while higher risk premiums will require a higher cost of capital and credit than before the crisis, said Gudmundsson. The balance of power between regulators, the markets and firms is changing as a result - no longer will regulators accept model outputs as an argument for lower capital levels, or lower capital as a reward for investing in risk management systems, as they were doing under Basel II. Even more tellingly, it is unlikely the market will accept those old arguments either.
So gone is the 'carrot' for firms to invest in risk management systems; all that is left is the 'stick'. The question then becomes, is fear and loathing enough motivation for large banks to pump money into their risk management frameworks? And once they have the frameworks in place, is it enough to motivate them to listen to the information the frameworks produce?
The cost and scarcity of capital also means firms will be forced to get the maximum utility out of the capital they are being forced to keep. Given that the current management generation came to maturity in much easier times, it is entirely possible this new, tighter environment could distort management decision-making about products, services and investment just as much as the boom times with a low cost of capital did.
Another issue is the homogeneity of the regulatory response. On one hand, co-ordination among the world's regulators is to be encouraged for a variety of reasons, and the arguments are familiar to most OR&C readers. But the recent G-20 initiative could also result in an increase in regulatory risk - that is, if all the banks of the world's top economies are regulated in exactly the same way, will this risk herding the way they take regulatory-based decisions? Some could argue the subprime crisis is already an early example of this - the instruments originated as a way of getting risk, which required regulatory capital to be held against it, off banks' balance sheets after the implementation of Basel I. The seeds of the next crisis could be sown in a similar way if regulators don't find ways to 'bake in' heterogeneous risk decision-making by firms.
There are other risks as well, which are arising directly out of recent events. Thanks to the mass layoffs and mega-mergers that have been forced on financial institutions by the crisis, hundreds of thousands of jobs will be flushed from the system before this period of instability has ended. This drain of experience and talent from the industry will create substantial instability, both operationally and culturally. Within these departures and reorganisations will be sown the seeds of the next round of loss events - we all know what happens when people are forced to juggle two or three roles. Things get forgotten or lost. Rogue traders, mis-sellers and other miscreants breed. Most firms have not engaged in business process mapping exercises to provide staff a roadmap of what they do, and how they do it. There is no instruction manual. So the survivors are left to fend for themselves. Regulators who are serious about preventing the next crisis need to force firms to engage in business process mapping, at the very least for their core businesses. Regulators shouldn't prescribe processes - rather they should serve as a conduit for the flow of information among firms about best practices on crucial issues.
Another area of focus should be financial crime. There is little doubt that fraud will rise significantly as a result of the current crisis. So, there has never been a better time for governments to invest in creating crack financial fraud squads, or improving the working relationship between law enforcement, regulators and financial services firms. Governments could be raising their game when it comes to fighting financial crime - providing more resources for detection and prevention. They should be urging their regulators to force firms to implement systems and controls that have a real impact on reducing fraud, and encouraging firms to work together more closely to exchange information that could help the industry combat fraud. Industry associations should expand their roles on this front. Firms will lose billions to fraud in the coming two years, and these losses are preventable.
Much ink has been spilled about the problems of a global financial system with 'Balkanised' regulation. While firms are global, and regulators are being asked to work together more closely, the capital framework they have to contend with is strictly national. Firms would like to hold capital at the holding company level, and then allocate it from the top down, particularly for operational risk, but this is not practical at the moment. And there are other problems as well, including capital repatriation. The example of Lehman Brothers' London office, where billions were routinely wired back to New York each night only to become trapped there when the firm collapsed just proves how badly reform is needed. Perhaps financial services firms should 'bank' a significant portion of their capital with the International Monetary Fund, or some other mechanism could be put in place to ensure overseas operations have access to the capital that is theirs when it is needed. Only when this issue of where the bank regulatory capital lives is solved can a host of other regulatory issues be fixed. I would argue that trying to improve regulatory co-operation without addressing the issue of where the capital sits could lead to unwanted regulatory kinks in the system over the medium to long term as regulators attempt to work around the problem. On the other hand, if there is a second wave of bank crisis events as a result of corporate failures globally, the financial system would be much better prepared.
On another supervisory front, it's pretty clear that the world's regulators - particularly at the examiner level - are behind the curve. At a lunch discussion I attended recently, bankers at the table were withering in their criticism of regulatory understanding of complex financial products, risk management issues, and many of the business choices firm executives face. Regulators themselves confess that often they are underfunded, and are frustrated by the fact their best people are constantly being poached by industry. Regulators need to face their human resources challenges head-on, and they need the support of governments to do this - effectively a bail-out of the regulators. If the lack of expertise at regulatory authorities is not addressed urgently, the failures of recent times will simply be compounded and cause the next wave of banking systemic instability.
Of course I could hardly write an essay such as this without addressing the subject of operational risk directly, and in particular how it is handled under Basel II. When times were good, regulators complained that firms didn't take operational risk seriously enough - and now that times are bad, I'm afraid I don't think regulators are leading by example on this issue (see letter from the editor, page 4). The discipline of operational risk needs to immediately be raised in stature and importance by the world's regulatory bodies. A quick look at many of the core problems that have come out of the crisis - mortgage fraud, derivatives back-office functionality, consumer protection failures, model failures, compensation scandals, and systems and control failures, to name a few - highlights the need for a more robust approach to the management side of operational risk.
But there is another substantial problem with operational risk - the advanced measurement approach. The Basel Committee's approach to operational risk in Pillar I was shaped by a conceptualisation of the role that models should play in risk management that has now proven wrongheaded. The AMA, after all, puts at its centre the calculation of a single regulatory capital figure for operational risk, as the raison d'etre for all the work that goes into completing the AMA process. Unfortunately - in a slightly eerie premonition of what has become so plainly evident on the credit and market risk sides of things - banks that completed the AMA and came up with a capital number weren't entirely sure this number reflected their risk profile, or else they wondered what about their risk profile it actually communicated.
Model-centred risk management has now pretty much proven to be bust. Models, as someone said to me the other day, are approximations of the world around us. They are simplifications of what we see, to allow us to conceptualise complex problems. The number they produce is not 'the answer', but rather it should be the question that prods further discussion.
So the problem with the AMA is that it attempts to combine too much complexity into a framework that oversimplifies the inputs into something that is essentially meaningless.
I am not advocating throwing the baby out with the bathwater - I think the reality is that the industry is crying out for a way to measure, conceptualise, manage, predict and mitigate operational risk. I have always believed operational risk belongs in Pillar I - if it were 'dumbed down' and shoved into Pillar II it would simply be ignored.
Instead, I wonder if the modelling could be done on a different scale? For example, suppose individual business lines were modelled with an AMA-style framework and then the risk capital just added up? Or there is some other way to break down the model into smaller components, which make the risks they reflect easier to understand and action?
A consultant I had coffee with the other day also pointed out to me that causes are essentially ignored under the AMA framework, because the model instead focuses on the actual event type. There were good reasons for not basing the AMA on causes - the multiple interpretations of what actually causes an event was one of them. But I do wonder if there isn't some way to reinsert causal analysis into operational risk modelling to some extent, just to open up the debate and discussion.
Overall, I think the recent events in the financial services industry have offered up a lot of food for thought, but I am wary of the agenda that has been set by the global regulatory community. While many of the changes they are advocating certainly need to be made, I am concerned focusing solely on those issues - and let's be fair, the horse has well and truly bolted already on some of these areas - the supervisors are failing to identify the core threats that will surface over the next 24 months. Nor are they creating proactive risk management techniques to identify new potential threats at a time of systemic fragility. To prevent this financial crisis from spinning on, we must simply do better than this.