Basel II embodies several important new ideas but arguably the most important aspect of it is that it represents a wake up call to the banking industry to take operational risk more seriously.
In this report we look at those aspects of Basel II that relate to Operational Risk. A good introduction to this is the Basel Committee’s paper “Sound Practices for the Management and Supervision of Operational Risk”
Firstly it requires there to be an executive responsible for Operational Risk who
- Is not part of the audit function
- Is free from conflict of interest between business and operational risk
In short this person looks a lot like the head of credit risk, and we know how important this person is in a bank.
Secondly, Basel II requires banks to set aside capital for operational risk, actually rather a lot of capital, £Bn for a UK clearing bank. Finally, it allows for this capital charge to vary significantly in the light of the regulator’s view of the quality of the operational risk management of a bank. Hence this new senior executive will have substantial leverage. We analyse the implications of Basel II Operational Risk in three parts:
- The minimum required
- The short to medium term
- The longer term
Minimum Required
The least a bank can do is ensure it is capable of calculating the capital charge using either the basic indicator approach or the standardised approach. This is an MI systems requirement that needs to line up with the Basel II Credit Risk systems and the IAS 39 statutory reporting. For example it would not be acceptable to have differing values for loans in the three different disclosures. This is another requirement drawing the risk and financial MI systems more tightly together (see “The Principle Basel II Required Changes to Current MI Systems” and “The Principle IAS 39 Required Changes to MI Systems” – both of which can be found in MI Systems Architecture Implications of Basel II and IAS 39).
Short to Medium Term
As described in ‘Pillar 1 – Minimum Capital Requirements’ (see What is Basel II?) a bank can adopt one of three approaches to calculating the regulatory capital it must put up. The first two (Basic Indicator Approach and Standardised Approach) are essentially calculations based on the volume of banking activities. For example, they use the quantity or value of loans. The Advanced Measurements Approach (AMA) is altogether more sophisticated and the regulator expects the large banks to strive for this approach. One key feature of the Advanced approach is the need for the bank to store “experience” data on risk events. Examples might be
- Staff frauds
- Process failures
- Fires and Floods
- Terrorist Incidents
Most banks do not collect and analyse this data and so a new database system will have to be setup. More importantly, extensive across-the-organisation management processes will need to be setup to get staff to “identify” these risk events. This may involve some culture change as many layers of management would prefer to sweep such events under the carpet to avoid looking bad. Even more challenging will be getting outsourced operations to own up to these events. It is reasonable to suppose that quite a large business operations programme will be needed with process manuals and staff training as a result of the operational risk requirements of Basel II.
If the operational risk world evolves along the same lines as the (more mature) Health and Safety world in industrial companies; “near miss” operational data will be very important to track and may be even harder to get operations line management to own up to. For example in the railway industry the number of “signals passed at danger (SPAD) which do not cause an accident” is considered a very important indicator of the likelihood of an accident. The operational risk equivalent of a SPAD might be a low value rogue trading event or a hoax terrorist warning. These will be important data in a bank’s internal operational risk model and management approach.
A second key feature of the Basel II accord for Operational Risk is the need to start building statistical models of the operational risk profile the bank is incurring. This will be a new/additional computer system for most banks that will have to work at the group wide level.
The new system will be partly fuelled by the bank’s internal event data. Additionally, data on risk events will need to be shared amongst banks to give valid statistical sample sizes for very low probability/very high impact events. Examples of these kinds of events are terrorist outrages such as the September 11 attack on the World Trade Center and the IRA bombing of Bishopsgate in London. Other examples might be the rogue trading catastrophes at Barings Bank and more recently at Allied Irish Bank.
Longer Term
This section is much more a subjective view of where the Risk departments in banks may be heading. One can imagine banks wanting to view the Income and Costs of a contract according to the following model –
The idea of this model is that it helps bank managers understand their risk reward decisions. The concepts are
In practice the industry is a long way from being able to achieve this kind of analysis. Some banks can cover the break down of the cost of contract by market and credit risk in a patchy way but almost no bank can allocate operational risk costs.
The rationale for this breakdown would be that the cost of capital could be calculated for each element and an overall return on capital derived from the contract.