SMA proposal fires up op risk managers

Banks say backward-looking SMA is easily gamed and will lead to high and volatile capital charges

risk-0616-sma
Not rocket science: banks say SMA is not risk-sensitive compared with the previous own-models approach to op risk

  • The Basel Committee wants to replace all existing approaches to operational risk with a new standardised measurement approach, or SMA, which combines a proxy for gross income with a multiplier based on banks' previous op risk losses.
  • Banks complain the SMA is not risk-sensitive compared with the previous own-models approach to op risk. For instance, it gives firms no immediate credit for improving their business environment or risk controls.
  • The importance of historical losses within the SMA raises a number of thorny problems, say practitioners, such as whether past blunders are a reliable guide to future losses. It might also encourage banks to misreport their losses.
  • Although the SMA has yet to be calibrated, the capital charge resulting from it is likely to be high and volatile, banks complain.
  • Many banks are hopeful they will be able to continue using their modelling infrastructure – particularly scenario analysis – as part of the discretionary Pillar 2 requirements laid down by national supervisors.

One former regulator isn't happy about the Basel Committee on Banking Supervision's plans to reform regulatory capital rules for operational risk.

"Are you going to go to Nasa and tell them, ‘The way you do all your rocket launches is really too complicated. The average American doesn't understand it. You need to simplify it so that we can all understand how you're launching those rockets?' That's insanity."

He's not alone. A consultation released in March on the committee's proposals has provoked a similarly explosive reaction from many op risk managers. The proposals would replace all existing approaches to op risk with a new standardised measurement approach (SMA) – leaving banks' internal models effectively grounded.

Practitioners say the SMA is backward-looking. They say it will lead to high and volatile capital charges, and is highly susceptible to gaming by banks. While internal models were designed to be sensitive to risk and to promote good risk management, they believe the new charge will have the opposite effect.

"You could be spending hundreds of millions of euros on a system replacement or a process enhancement to improve your operational risk profile, but it doesn't impact your capital number," complains one head of op risk at a South African bank. "So you've got an added cost, but the capital is just going to stay high, regardless of what you do."

Banks have until June 3 to comment on the proposals, but supervisors appear unlikely to back down. They argue the way banks launch their risk management rockets is too complicated – and that banks' use of internal models makes it too easy to hide the fact that some of those rockets are made of little more than balsa wood and tissue paper.

Alongside credit and market risk, operational risk is just one of several areas where the Basel Committee is looking to constrain banks' use of complicated internal models.

"The committee recently consulted on revisions to operational risk and the internal ratings-based approaches for credit risk," said Bill Coenwilliam-coen-0043 (pictured), secretary-general of the Basel Committee, in a speech in Sydney on April 5. "For operational risk, our proposal did not include a modelled approach. While internal models are an essential part of risk management for many banks, the question is what role they should play in prudential rules. This is particularly relevant for operational risk."

Currently, banks may calculate their op risk capital under three broad approaches: a standardised approach; a basic indicator approach; and an advanced measurement approach (AMA). The most sophisticated of these approaches is the AMA, which allows banks to take four broad categories of input – internal loss data, external loss data, scenario analysis, and business environment and internal control factors – and incorporate them into their models in whichever proportion they see fit.

Part of the reasoning behind the AMA was to allow banks to experiment and innovate with new modelling methods. But the inherent difficulty of modelling large but infrequent risks, such as rogue trading, has led to criticism of the AMA.

Separately, the Basel Committee began consulting on possible revisions to the simpler approaches to op risk in October 2014. While those revisions were shelved amid criticism from industry practitioners, the committee's revised standardised approach shares one key feature with the SMA.

Within the SMA approach there is the potential for firms that reflect operational risk in their pricing to get penalised twice
Michael Grimwade, Mitsubishi UFJ Securities

Specifically, the SMA uses the ‘business indicator' – a proxy for bank size based on gross income. To work out their op risk capital, banks must first calculate this indicator, which combines profit-and-loss items from the banking and trading books; lease, interest, fee and dividend incomes and expenses; and operating and services incomes and expenses.

Based on the size of the resulting number, banks are assigned to one of five buckets. Firms in the smallest of the five buckets see their capital rise and fall in a linear fashion with the business indicator, while firms in the other four buckets must combine the business indicator with a multiplier. The multiplier is determined by the op risk losses the bank has suffered during the past 10 years. All losses larger than €10,000 ($11,300) must be included, with bigger weightings given to losses above €10 million and €100 million, respectively.

One issue with the SMA is the potential for double-charging. Under the AMA, banks could alleviate their capital requirements by pricing in likely op risk losses for particular products and business lines. With the SMA, this is no longer possible, so banks that are already pricing in potential op risk losses will be hit twice.

"Within the SMA approach there is the potential for firms that reflect operational risk in their pricing to get penalised twice," says Michael Grimwademichael-grimwade-2 (pictured), London-based international head of operational risk at Mitsubishi UFJ Securities. "Once for recognising higher revenues to absorb these losses, and secondly for the actual losses themselves, if greater than €10,000. That seems a little bit harsh."

The Basel Committee argues the SMA is risk-sensitive because of the role of the loss multiplier, which will help determine the size of the capital charge for all but the smallest banks. But losses are just one input to banks' internal models under the AMA, which allows banks to realise capital benefits when they make other risk management improvements. For example, the SMA gives firms no immediate credit for improving their business environment or risk controls – something that could make it harder to argue for future changes.

"The fact that your management practices feed into your operational risk capital model means you are able to engage management on a more quantitative basis, and that actually gets people to the table to talk about op risk management," says the South African bank's head of op risk. "When we move to a standardised calculation like the SMA, it's not that easy to drive those conversations any more, because the number is what it is, regardless of what risk mitigation plans you put in place."

Jonathan Humphries, London-based head of financial institutions at consultancy firm Aon, agrees. "To have a conversation with the business which is linked to capital is more meaningful," he says. "You've got greater ability to influence decisions and bring them on board. In this new world, such leverage will be weakened."

There is also concern that interest in op risk modelling may wither in general as a result of the Basel Committee's plans. With the AMA, banks are able to use techniques such as scenario analysis to forecast future losses. Op risk practitioners say huge strides have been made in the area of scenario analysis since the inception of the AMA. However, if that progress is no longer linked to capital, then banks' resources and expertise are likely to be moved elsewhere.

"[The SMA] sends the signal that operational risk management initiatives will not impact capital in the short term," says Humphries. "It would be an opportune moment for updated guidance from the supervisors on risk management expectations."

The purpose of operational risk management isn't to reduce the regulatory capital charge, it's to avoid losses
Daniel Davies, Frontline Analysts

This may not spell the end of op risk modelling entirely. While AMA elements such as scenario analysis would no longer be used to calculate Pillar 1 capital, some countries might still incorporate this into their frameworks for Pillar 2 capital, which is set at the discretion of national supervisors (see box: Finding shelter under Pillar 2).

Nevertheless, industry observers suggest banks' opposition to the SMA shows they are too concerned about achieving capital benefits.

"The purpose of operational risk management isn't to reduce the regulatory capital charge, it's to avoid losses," says Daniel Davies, UK-based managing director of equity at research firm Frontline Analysts. "One might have hoped that the business side would be interested in not having rogue traders and billion-dollar conduct fines, even if there was no risk-weighted asset benefit from doing so."

Loss data

Putting the lack of capital benefits for risk management aside, practitioners say the importance of historical losses within the SMA raises a number of thorny problems.

In order to use the SMA fully, the Basel Committee's proposals say banks' internal loss data would have to meet minimum quality standards laid down by supervisors. Usually, banks would need 10 years' worth of data, although firms that are moving from the standardised approaches may use five years of data in exceptional circumstances.

But practitioners doubt whether previous op risk blunders – which may be as old as nine or 10 years in some cases – are a reliable guide to future losses. This would be particularly true if banks had significantly changed their business during that period – for instance, by entering or exiting new products or business lines.

"Your risk profile changes on a constant basis, but that's not going to be reflected," says the head of op risk at the South African bank. "You could be sitting with a loss that's going to be there regardless of what you've done to remediate it, and that's going to influence your capital."

At the same time, practitioners worry the SMA might not adequately capture emerging risks, for which 10-year historical losses are likely to be a poor guide to future threats.

"The classic example would be something like cyber crime," says Mitsubishi UFJ's Grimwade. "It would be a general industry view that the level of losses that firms have suffered from cyber crime over the last 10 years may well be significantly lower than what the industry might suffer over the next 10 years. But that wouldn't be reflected within this methodology for calculating capital."

When an unexpected loss occurs at a bank, it might not always be easy to categorise, say practitioners. The distinction between op risk and credit risk losses is particularly blurry; one tricky example might be if personnel or technology failures relating to loan repayments exacerbated losses on those loans. Unpicking how much of that loss can be attributed to credit and op risk is rarely straightforward.

The Basel Committee is being very optimistic about banks coming clean about their losses
Head of op risk capital modelling at a large European bank

Critics of the SMA argue banks will use this to their advantage, miscategorising losses as credit or market risk in order to push down their SMA capital charge. In its proposals, the Basel Committee itself noted that "the soundness of data collection and the quality and integrity of the data are crucial". It also acknowledged the possibility that loss data collection and reporting could be gamed.

"In terms of operational risk, classifying events isn't an exact science," says a head of operational risk modelling at an Australian bank. "I don't think the regulators really understand that if they're going to have events used in this way, people will see those sets of rules and try and arbitrage them. If you write this loss up as a credit risk event, as opposed to a fraud event, and it's going to mean $20 million of capital to the organisation, people will go, ‘Let's write it off as a credit event'."

One head of op risk capital modelling at a large European bank agrees. "The Basel Committee is being very optimistic about banks coming clean about their losses," he says. "There will be banks out there that will do the right thing, but there will be banks incentivised to do exactly the wrong thing. They'll start playing games with whether something should be a credit loss or whether it should be called something completely different."

The Basel Committee's proposals require that banks record costs associated with every op risk loss, in addition to the actual loss itself. If there were an episode of rogue trading, for instance, the bank would not just have to report the loss, but might also have to factor in remediation costs and consultancy fees.

This opens further avenues for possible gaming, thinks the Australian bank's operational risk modelling head. The possibility of gaming might be particularly problematic if any of the additional charges pushed the overall loss above the €10 million or €100 million thresholds, he adds.

"To get them recorded accurately, you need to rely on the good intentions of the people recording the events," he says. "In the current framework, who's going to include the extra €5 million of consultants' fees that they paid for a €95 million event if they know that it's going to push them above the €100 million threshold? They're not going to – and that's so easy to hide."

These concerns mean that making the Basel Committee's proposals work properly requires a strict auditing process, say practitioners. If there are differences in the way firms categorise and record their losses, this could lead to significant variation in their capital charges, delivering a blow to the committee's aim of comparability between banks.

"Because of the loss component playing such a critical role in the calculation, you might find variances in what people are actually reporting into their loss database and what is being considered," says the South African bank's head of op risk. "So one needs to make very sure that there is extreme consistency between the banks."

Capital hike

Since the Basel Committee's 2014 consultation on revisions to the simpler approaches, there has been plenty of speculation about a hike in op risk capital.

In its proposals, the committee said the final calibration of the SMA would be determined once a quantitative impact study had taken place among banks. While the proposals were not designed to raise capital across the board, the committee noted that some firms might experience an increase as a result.

"While we do not intend to significantly increase overall capital requirements, this does not mean avoiding any increase for any bank," echoed Coen in his April 5 speech.

While nobody is certain about the precise impact of the SMA, banks fear it will lead to punitive capital charges. Sources say European banks would suffer the biggest increases in regulatory capital: the results of one analysis shared with Risk.net suggest a hike in op risk capital of between 50% and 100% for some systemically important banks.

Perhaps unsurprisingly, the firms expected to be worst hit are those that have experienced hefty op risk losses during the past 10 years – for example, those that have suffered high-profile rogue trading incidents, costly IT outages or fines related to the Libor scandal or payment protection insurance.

jouni-aaltonen-web"A one-size-fits-all approach and laying it out for global banks at a group level may result in significant overcapitalisation, as operational risks that firms are exposed to vary between jurisdictions," says Jouni Aaltonen (pictured), director in the prudential regulation division of the Association for Financial Markets in Europe. "A lot of member firms have been saying the capital outcomes will be punitive – at least, based on this draft consultation paper."

As well as its size, another worry is that the capital charge generated by the SMA will be volatile. Because it relies on looking back at 10 years of historical losses, practitioners say the charge will be heavily affected as large new losses enter the data series and older historical losses run off.

"It's surely going to cause you problems," says the large European bank's head of op risk capital modelling. "After the 10 years, when that loss drops out of the calculation, your risk profile miraculously recovers, apparently, according to this formula. The concern is the pure stability of this formula. The Basel Committee is looking for confidence in capital ratios; I can't see this giving any confidence in capital ratios at all."

Theoretically, supervisors could avoid the risk of volatility in the SMA by making tweaks to the formula that smooth out the capital numbers produced. But op risk practitioners remain concerned about the potential for erratic capital charges arising from the SMA. They fear that banks' forward planning, capital management and shareholder confidence could suffer as op risk capital skyrockets and then crashes down to earth.

This could give banks an even bigger reason to misreport losses, says the head of operational risk modelling at the Australian bank. "It's just going to be a greater incentive not to report," he says. "If there is that potential for volatility in their numbers, because people are trying to hit targets and so on, it's the behavioural consequences that are really the issue."

Supervisors are by no means united on the benefits of the SMA, and some have criticised aspects of the new approach. But many are concerned that the AMA is itself open to gaming, saying the use of internal models has resulted in a wide discrepancy between banks' capital charges. In contrast, they argue the SMA is not just a simpler rocket, but also one that is safer and less likely to blow up.

Finding shelter under Pillar 2

Since the inception of the advanced measurement approach (AMA) to operational risk, banks have spent time, money and effort building their op risk modelling infrastructure – for example, by hiring quants, purchasing software, setting up processes to feed data into their IT systems and refining their capital models.

Even though the Basel Committee on Banking Supervision is eager to scrap the AMA, many banks are hopeful they will be able to continue using their AMA infrastructure – particularly scenario analysis – as part of the discretionary Pillar 2 requirements set by national supervisors.

Not everybody agrees this is desirable. Sources close to the Basel Committee are quick to pour cold water on the idea, while some in the industry point out that the whole idea of Pillar 2 runs counter to the committee's goal of comparability between banks.

The idea of the AMA becoming part of Pillar 2 "sounds like wishful thinking", says Daniel Davies, managing director at independent research firm Frontline Analysts. "Basel wants standardisation, but the people at the sharp end want discretion - and specifically, they want discretion to say ‘nope not happening' when somebody shows up with a bright and shiny model demanding an op risk capital reduction."

Nonetheless, Risk.net understands some regulators are receptive to the idea. In Australia, the largest four banks all use the AMA to calculate their op risk capital. Sources close to the Australian Prudential Regulation Authority say it would like to maintain elements of the AMA, and that using Pillar 2 is one option being considered.

In its guidance on Pillar 2, the UK Prudential Regulation Authority (PRA) calls the existing standardised approach based on gross income "not risk sensitive" and sets out detailed requirements for the quantitative op risk management it expects, including the requirements for non-AMA firms. Industry sources that attended a meeting with the PRA earlier this year say it has advised banks not to write off their AMA programmes just yet, potentially leaving the door open for Pillar 2 to come to the rescue of internal models.

Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.

To access these options, along with all other subscription benefits, please contact info@risk.net or view our subscription options here: http://subscriptions.risk.net/subscribe

You are currently unable to copy this content. Please contact info@risk.net to find out more.

Financial crime and compliance50 2024

The detailed analysis for the Financial crime and compliance50 considers firms’ technological advances and strategic direction to provide a complete view of how market leaders are driving transformation in this sector

Investment banks: the future of risk control

This Risk.net survey report explores the current state of risk controls in investment banks, the challenges of effective engagement across the three lines of defence, and the opportunity to develop a more dynamic approach to first-line risk control

Op risk outlook 2022: the legal perspective

Christoph Kurth, partner of the global financial institutions leadership team at Baker McKenzie, discusses the key themes emerging from Risk.net’s Top 10 op risks 2022 survey and how financial firms can better manage and mitigate the impact of…

Emerging trends in op risk

Karen Man, partner and member of the global financial institutions leadership team at Baker McKenzie, discusses emerging op risks in the wake of the Covid‑19 pandemic, a rise in cyber attacks, concerns around conduct and culture, and the complexities of…

Moving targets: the new rules of conduct risk

How are capital markets firms adapting their approaches to monitoring and managing conduct risk following the Covid‑19 pandemic? In a Risk.net webinar in association with NICE Actimize, the panel discusses changing regulatory requirements, the essentials…

You need to sign in to use this feature. If you don’t have a Risk.net account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here