Trojan horse rules by John Thirlwell, ORRF

Once upon a time it all seemed so reasonable. The BIS 2003 Sound practices for the management and supervision of operational risk paper was a model of excellent practical guidance. Here in the UK, the draft text of the Prudential Sourcebook, especially the section on high-level op risk systems and controls (known mysteriously as SYSC3A), was essentially guidance. It recognised that op risk was a new risk, not wholly understood, either as to its extent, or as to the essentials that would enable it to be both managed and assessed with any degree of certainty.

It is undoubtedly the softest of the risks regulators and firms have had to grapple with. And it is very different in its nature from the others. There is no inherent 'size' for the operational risk involved in any transaction. Importantly, it deals largely with those difficult things called people who, to the dismay of economists and managers, are not always rational, efficient, honest or competent. And when it is not dealing with people, it is often dealing with events outside our control, whether fire, flood and pestilence; or changes in the risk environment -- terrorism, climate change, the compensation culture; or competitors, either directly or, indirectly, through their incompetence or misbehaviour.

So, a very imprecise risk, treated in an imprecise way. That didn't impress risk purists, or even many CEOs, but it was realistic. The challenges of operational risk management reflect a need to distinguish between shades of grey, rather than rely on paradigms that might explain more scientific certainties or truths.

These philosophical musings were prompted by an announcement by the FSA that it would not apply SYSC3A to banks because of the EU's Markets in Financial Instruments Directive (MiFID) and the Capital Requirements Directive (CRD). They are both due to be implemented in 2006 and would be subject to consultation in 2005, ie, after SYSC3A, had it come into force as planned at the beginning of next year. The chilling bit is contained in a letter sent by the FSA to CEOs that states: "The MiFID requirements -- which we plan as far as possible simply to 'copy out' -- will take a different form, with harder, more rules-based systems and controls requirements."

There are two points here. The first is to ask: 'When will it ever be the right time to publish text on operational risk?' The CRD has not exactly sprung from nowhere, even if its timing may possibly have been in doubt, and in any case I'm not sure that it should significantly affect the guidance that was to be brought in in January. But more importantly, MiFID, like any directive or regulation relating to financial services will, inevitably, affect op risk. Which begs the question of whether the people who debate and negotiate these texts are aware of the needs and nuances of op risk. Or, just as importantly, whether op risk professionals (whether from industry or the regulators) were involved in looking at MiFID. I strongly suspect the answer to both questions is no.

They won't thank me for it, but just as they are involved in new product and other risk management discussions, it seems to me essential that op risk professionals are involved in these new legislative initiatives to make sure the realities of risk management are reflected in the texts that emerge, and to defend the principles of guidance wherever that is needed. If not, risk management will be at the mercy of regulators and compliance experts for whom a rules-based framework is meat and drink.

Which leads me to the second issue -- those simple words, 'copy out'. When they were first used, many months ago, it was in response to concerns that in the past the FSA had been notoriously 'super-equivalent', and the industry didn't want that to continue with Basel II or the CRD. It sounded like a happy solution. However, to misquote Virgil: "Timeo custodes dona ferentes" -- I fear regulators bearing gifts. Because to copy out a directive is to copy out a law. And laws aren't intended to be guidance, but to be rules, as is indicated by the quote from the FSA's letter. Finally, and perhaps of most concern, is the comment, also in the letter to CEOs, that the FSA believes "guidance should be used sparingly and only where it is both meaningful and clear."

It's perhaps understandable that in a world where the FSA is being dragged through the courts, whether by Legal & General or by individuals, they would wish for certainty and have effectively said "enough's enough". Understandable, but sad.

Good regulation and supervision is about considering individual firms and considering the issues of management that they face. Responsibilities to the wider world mean much of this has to be rules-based. But op risk, that notoriously wide and amorphous mass, is about business and risk management, where as far as possible, flexibility through guidance rather than prescriptive rules must be maintained. Beware, risk managers -- the Trojan horse is at the gates.

OpRisk
