An advanced model for op risk capital calculation

The Basle II regulators need to develop a comprehensive approach to op risk modelling, says Tony Blunden in his final article on the new capital accord

Global banking regulators should consider an advanced method of using three sets of risk data -- self assessment, internal key indicators and external losses -- to develop a comprehensive operational risk model approach.

I have argued (see Operational Risk, March 2001, page 19) that the single model for using internal data for op risk capital calculations proposed in Basle II, the new capital adequacy accord for regulating large international banks from 2004, does not recognise the process already used by many institutions for reviewing and managing risk at board level.

These existing usages reflect either mandatory or guideline corporate governance requirements imposed by other regulatory bodies such as stock exchanges.

Additionally, the banking regulators propose little use of the external data that can be useful in determining the extreme loss events that can arise from operational hazards such as fraud, computer systems failures, trade settlement foul-ups and human error.

The bank regulators, namely the Basle Committee of banking supervisors from the Group of 10 leading economies, propose for the first time making international banks set aside capital against losses from operational risks.

The regulators offer a choice of three increasingly sophisticated methods of calculating an op risk capital charge (see related article, this issue), of which the internal measurement approach is the most complex. The more complex the method used by a bank, the lower the capital charge.

Basle II’s proposals for calculating capital charges for credit risk, however, offer a choice of two internal measurement approaches, a simple and an advanced model.

Last month I put the case for a simple model for calculating operational capital charges that could easily be available by 2004 (see Operational Risk, March 2001, pages 19--20)

Banks should be allowed to use internal models for op risk capital calculations, with both simple and advanced models depending on a bank’s capabilities and needs.

Here I argue that an advanced internal model should use internal key indicator and loss data, external loss data and the risk-control self-assessment data, the last of which is already available to most institutions. The advanced internal model builds on the simple internal model outlined previously. The modelling techniques for both are based on Bayesian belief network theory (see box below).

The output of the risk control self-assessment can contain management’s view of the risks faced by an institution, and the controls on those risks. The uniqueness of the output is a strength of the risk control approach, as it focuses on the institution’s particular risks and its control responses to those risks.

The risks to an institution can be broken down into likelihood (as a percentage or probability) and impact (as a monetary value). The control responses are the controls that either partially or fully manage and mitigate each risk.

In reality, some controls are designed to mitigate a number of risks, perhaps to varying degrees of success, and this should be reflected in the advanced model. Additionally, a single manager may be responsible for a number of risks or controls.

Hence the competency of the manager or, at the very least, the multiple responsibility should also be reflected. The trends of risks for an institution and its industry are also data that should be used in an advanced model.

The output of an advanced model should not be a snapshot of the institution’s response to its risks, but rather an extension forward in time of the possible impacts on the institution of those risks (and the mitigations achieved by the controls).

With the risks and controls suitably analysed, it is possible to run a simulation of how a failure of a control may affect the relevant risks and what capital would be required for a variety of occurrences of those risks.

For a model to be comprehensive, it must progress from using only the self-assessment data to incorporate actual internal risk, control and loss data and external loss data. The internal data will often be available to the institution, but tends to be used separately by managers to manage their own departmental risk.

For instance, the human resources manager rather than the risk manager will almost certainly have data on staff turnover, staff training and staff absences. Similarly the operations manager will be likely to have data on losses due to fails and inaccurate deal input.

One of the benefits of a more comprehensive approach to op risk capital calculation is the dissemination of risk information around an institution and, in particular, to the risk management area. Once available, this data can be used to supplement and challenge management’s impressions of the risks or controls at the nodes in the simple internal model.

By progressively replacing management’s impressions with actual values as they become available, the model is driven by the key indicators and losses of an organisation rather than by management’s perception of the organisation’s risks and controls.

There are a number of risks that occur only infrequently and therefore, by their nature, are difficult to validate and verify independently. In order to counter the problems of data collection, the extreme values of certain risks could be derived from external loss databases. Such collections of data are useful in allowing an institution to place a value on a risk that has not happened to it and may be extremely unlikely to happen.

The relevance of external data needs to be questioned closely so that the risk, and the loss amount derived from the external database, is appropriate to the institution. For example, a loss incurred by commercial banking may not be relevant to retail banking, and the loss may therefore need to be multiplied by a relevance factor. A loss may also require scaling for the size of institution wishing to use the data against the size of the institution that incurred the loss.

Another important check to make with regard to external data is to ensure that the institution’s definition of a particular risk is the same as the database provider’s definition.

Subject to these qualifications, data from an external database should prove more useful in determining accurate values for low-likelihood risks than management’s perception of the possible loss.

All three sets of data -- self-assessment, internal key indicators and losses and external losses -- are being used by many institutions today, although very few as comprehensively as outlined here. By 2004 -- and earlier for some of the larger institutions -- the use of the risk methodology described in this article will be much more widely spread.

If the Basle Committee wishes to give a lead to the industry, it should seriously reconsider developing an advanced method of using all three sets of risk data for a comprehensive operational risk model approach.