Sheen: The FSA's go-to guy for op risk

You could be forgiven for thinking Andrew Sheen has been the head of operational risk policy at the UK Financial Services Authority (FSA) forever, as he is one of the most recognisable faces of the discipline of operational risk (indeed, he is one of Operational Risk & Regulation’s Top 50 faces of operational risk). But he has only been at the regulator for the past five years. Sheen’s relationship with operational risk management began during his time at Moscow Narody Bank, where he headed the fledgling operational risk function. After hearing a speech by Paul Sharma at the British Bankers’ Association (BBA) on the FSA’s problems of losing staff to industry, and how it would be nice if there were a shift the other way, Sheen applied to join the UK supervisor.

“One of the things that attracted me to the position was that I had seen the Basel II Accord and the Capital Requirements Directive (CRD) developing, and from being a member of the BBA’s small firms working group on operational risk and from my work in banking, I had formed certain views about how the FSA was operating,” says Sheen. “I felt there was more scope for transparency so when I joined I had a pre-conceived idea of what I wanted to achieve that included issues such as making it easier for firms to access what was happening.”

Sheen also wanted to help generate the feeling of an operational risk community, where practitioners and regulators were able to freely share information, to debate and aid the evolution of the discipline. He has certainly succeeded in his aim to contribute to the open dialogue and community feel of the profession in the UK, as well as further afield through his work as a member of the Standards Implementation Group on Operational Risk (Sigor) at the Basel Committee of Banking Supervision.

“One of the things I wanted to do when I joined the FSA was to help generate this feeling of an operational risk community,” says Sheen. “I think operational risk as a community needs to be doing everything it can to raise its profile in the industry and within firms.”

Although he is quick to acknowledge how far the discipline of operational risk management has come in the past 10 years, he believes the post-crisis environment gives the community the ideal opportunity to really advance the evolution of the discipline.

There is a window of opportunity to do something about advancing operational risk but if we don’t grab it now, I don’t know when we will be able to again

“Operational risk is at a crossroads at the moment,” says Sheen. “It could go in one direction that would mean operational risk as a discipline becomes more important. This could take lots of forms, such as ensuring better risk management frameworks, or conceivably it could mean more capital for operational risk, which would make firms recognise this risk discipline is more important. Or it could go the other way, which is where firms would just carry on with what they are doing and the importance of operational risk management gradually diminishes. There is a window of opportunity to do something about advancing operational risk but if we don’t grab it now, I don’t know when we will be able to again.”

One of the issues with the way operational risk management is set out in Basel II and the Capital Requirements Directive is that it does not actively incentivise firms to move to more sophisticated approaches. “There is a whole issue around firms developing and enhancing their frameworks, and part of the problem is that for some firms there might not be an incentive to move from the basic indicator approach (BIA) to the standardised approach (TSA), and there might even be a real disincentive to do that.”

The real issue is how to amend the regulations to ensure financial institutions are incentivised in real capital terms to move from BIA to TSA, or from TSA to the advanced measurement approach (AMA). “While the Basel II Accord states firms should enhance and develop their operational risk management frameworks as they evolve, this stipulation did not cross into the CRD,” he says. “One of the things that worries me, and that is a challenge for supervisors, is that as currently drafted, the CRD does not encourage some firms to move onto more sophisticated methods. Of course it depends a lot upon the firm, but if you are on BIA and you are doing a lot of corporate finance, moving to TSA will incur an 18% weighting, so often there is no capital incentive to move. As an op risk manager, suggesting a move from BIA to TSA to your CEO and saying it will cost 20% more operational risk capital wouldn’t have a good response – you wouldn’t have to clear your desk, as they would do it for you.”

The relationships between the BIA alpha number and the TSA betas also provide a disincentive for some firms to upgrade their op risk approach. And other areas in Basell II and the CRD are a source of concern for Sheen, specifically the fact that if a TSA firm loses money in one area of the business, the op risk capital charge for that business line is zero. “There is a section in the methodology that is quite clearly in need of review, which is that if you lose money then your op risk capital is zero,” says Sheen. “And not only does it become zero, but also the loss can offset op risk capital in other business lines.”

The same calculation exists in the basic approach, says Sheen, but it is hidden in the single op risk capital calculation. The offsetting only becomes apparent when you separate out the calculation into business lines under TSA.

“The people who drafted the Accord did a tremendous job, and there was obviously a wish to treat things uniformly but, with the benefit of hindsight, doing something twice doesn’t make it right,” says Sheen. “I think these are some of the areas that will have to be looked at and this is the time to do it. The QIS 6 [sixth quantitative impact study] exercise is geared towards getting the information that would enable us to look at these sorts of issues.”

But any change will take time to come into effect and hesitation now from regulators and legislators might cause op risk to head off down the path into obscurity. “Any changes to the existing regulations could take three or four years before they are implemented,” says Sheen. “We haven’t yet had the opportunity to formulate a view on what should be changed, and even if that process is approved at Basel, domestic regulators like us have our own internal processes to work through. Sadly, therefore, any change is not going impact in the short term.”

In the meantime, however, regulators have scope to encourage firms to ensure their op risk management frameworks are up to scratch under Pillar II. “There is real scope under Pillar II to incentivise firms when you see weaknesses in the way they are managing their operational risk,” says Sheen. “One of the attractions about this approach is that it is quite transparent what has happened to a firm, so if its operational risk capital charge gets an add-on, it gives a good signal there might be scope for that add-on to be reduced.”

Focus on the positive
Since the financial crisis, there have been a few people grumbling that operational risk management has failed as a discipline. That is an easy statement to make, says Sheen, who admits the causes of the crisis included many operational risk failures, but a better observation might be to ask how much worse things could have been without operational risk management.

“Operational risk management might not have saved us from the crisis but some of the risk management and governance arrangements around operational risk that didn’t exist before the Accord must have been beneficial during the crisis,” he says. “Lots of operational risk management tools and techniques must have helped firms understand what they had got wrong and helped to resolve what was happening. So we should certainly ask ourselves what we could have done better, but we shouldn’t be too dismissive of what we have achieved and that must have made some contribution to dealing with the crisis.”

There is certainly no arguing the value of certain op risk processes for banks. “The crisis has reinforced some of the things we do, and possibly take for granted, and that maybe some firms don’t do particularly well – such as RCSAs or looking at new products, processes and systems,” says Sheen. “A good exercise for firms that ended up with subprime debt would be to put those products through their new product approval process now and see what the outcome would be. We could do what we already do but better, more robustly and certainly more challenging.”

A commonly held belief for operational risk management is that from its inception there was too much emphasis on reaching a capital number and not enough on risk management. “Firms need to look at their risk management processes and framework, and ask themselves what they have changed as a result of the crisis,” says Sheen. “How many firms, even those thinking the crisis passed them by, have reassessed what they have done? It would be interesting to challenge firms and ask them what they do differently now compared with the framework they established three years ago. I am not convinced the answer would be that positive. I think a lot of firms are still employing the same tools and techniques, with the same degree of intensity, they originally introduced when they first set their stalls out to prepare for the Basel Accord and the CRD. The challenge for the industry is to raise their game.”

Raising the game is exactly what the FSA and Andrew Sheen are doing through the regulator’s ‘Enhancing Frameworks’ initiative. The project had initially been entitled ‘Raising the Bar for TSA firms’ but this was changed to better reflect the fact the FSA is not changing any of the TSA requirements, it is re-emphasising the existing guidelines for operational risk management under this approach.

“We changed the name of the exercise because ‘raising the bar’ implies we are raising the hurdle and we are not,” says Sheen. “What we are trying to do is give people a better understanding of the tools and methodologies they might be able to use to improve their operational risk frameworks.”

When firms applied to use AMA, they worked with the FSA for two or three years to get to the required standard. TSA firms didn’t do this, even though their systems and controls (SYSC) requirements would be the same if they were an AMA firm. “There isn’t any difference between the SYSC requirements of a firm whether they are TSA or AMA, at least there shouldn’t be,” says Sheen. “The fact that AMA firms had to develop and enhance what they were doing could imply some TSA firms are not at the appropriate level. Indeed we have seen at some TSA firms during ‘Arrow’ visits that there are weaknesses. We think that partly comes from the fact no-one has really articulated what TSA looks like. We know what an AMA framework looks like because we worked closely with the firms; we have a view of what BIA might look like because we have the Basel Committee’s sound practices paper; it is that bit in the middle that is lacking.”

Sheen regards TSA to operational risk management as the fulcrum. The recent global loss data collection exercise carried out by the Basel Committee as part of QIS 6 has shown the AMA capital numbers tend to be just below TSA levels – this might not just be a happy coincidence. Firms tend to use TSA calculations as a benchmark. Given this, Sheen suggests that, as the standards for the AMA have risen in the past few years, the standards for the group of 100 or so TSA firms should rise too. “However, it would be wrong to give the impression that all 100 firms need work,” says Sheen.

“This piece of work is initially designed to help supervisors have a better and level understanding of what TSA looks like, but it is our aim to publish the paper to show firms what we are looking for as well.”
Sheen is a proponent of all three methodologies of operational risk management but he has issues with the reasons behind some firms’ choice of approach, particularly the larger, complex banking groups that opt for one of the simpler approaches. “Some firms initially calculated their op risk capital under BIA and TSA on the back of an envelope to see which would suit them the most as they would need to answer to the board on the potential effect on capital,” he says. “This brings us back to the fact some firms are not being incentivised to move to a more advanced approach. I would like to see a system where it was possible for firms to get real benefits – so they could improve their risk management and get lower capital. It is not clear to me that that is always the way it works at the moment.”

The FSA has a no compulsion policy for its operational risk management requirements. The Enhancing Frameworks programme, however, will make it clear to all TSA firms, large and small, that they need to ensure their op risk management practices are up to standard. For large, complex firms, with appropriate and satisfactory qualitative standards, it should then only be a small step, albeit a complex one, to implement an advanced approach to the quantitative side of the op risk framework, which could be the catalyst needed to push larger banking organisations onto AMA.

Sheen fully expects the qualitative aspects of operational risk management to improve substantially in the coming years. “We can play with the capital bit, and it may be that there is some innovative approach to AMA modelling that will be developed, but what needs to change more is how we manage our risk.”
“Capital is too precious to waste, so the driving force has to focus on protecting it. Op risk management should be perceived as preventing loss of capital; this is the real contribution the discipline has to make.”

On an international level, there is an extraordinary amount of work being done by Sigor, which is encouraging if operational risk management is, as Sheen says, at a crossroads. “We have never been as busy as we are now at Sigor,” he says. “We are reviewing Basel’s sound practices paper; we are considering the BIA/TSA relationship and capital calculations; we have a paper coming out on the use of insurance as a risk transfer mechanism; and we also had the loss data collection exercise that identified about 12 separate issues we are now working on. As a community there is far more being done in that Sigor space, probably since the Accord was drafted.”