In October 2014, the Basel Committee published for consultation a revised Standardised Approach for operational risk that sought to address weaknesses in the then existing approaches. The Committee also embarked on a review of the costs and benefits of the framework’s Advanced Measurement Approaches (AMA) for operational risk. What followed was much of a muchness for nothing very much, accompanied by all the moaning and groaning one associates with banks seeing inevitable and massive increases in Capital requirements.
The Committee has concluded that “the AMA’s inherent complexity and the lack of comparability arising from a wide range of modelling practices have exacerbated variability in risk-weighted asset calculations, and eroded confidence in capital ratios” …. I think it means “sorry, but we would like to see much higher capital numbers”. The Committee wants a new framework based on a single non-model-based method, euphemistically named the Standardised Measurement Approach. It combines a “Business Indicator”, the new eureka in the search for a simple financial proxy of operational risk exposure, with bank-specific operational loss data. In doing so, it wants to be seen as overcoming the fundamental weaknesses from the use of “Gross Income” as a proxy indicator, and the concomitant assumption that banks’ operational risk exposure increases linearly in proportion to revenue. So, we have a new paper last week http://www.bis.org/bcbs/publ/d355.pdf… positing this combination of a BI and internal loss, to provide a “sufficiently risk sensitive measure of operational risk”. The Regulators will retain their big sticks (not carried silently) in the form of rights to apply ‘multipliers’ in all shapes and forms. Other weapons remain intact, and have acquired significant meaning in recent years compared to the fundamental capital modeling approaches, or lack thereof. The Comprehensive Capital Analysis and Review (CCAR) evaluates capital planning processes and capital adequacy of the largest U.S. bank holding companies, including capital actions such as dividend payments and share issuance/buyback activity. The Dodd-Frank Act stress tests are meant to help assess whether firms have sufficient capital. And of course, as with AML/KYC, cybersecurity, business continuity, fraud, rogue trading, all these remain well beyond the capability and capacity of most if not all banks.
.
As a sidebar, “Business Indicator (BI)” versus “Gross Income (GI)” is pure cuteness, rather than any fundamental move forward in representing operational-risk exposure. The BI comprises the presumed three major pieces of a bank’s income statement: the interest component, the services component, and the financial component. The BI’s claimed power over GI, is in its superior (the Committee’s adjective; I would dare not use such, not least for the moral hazard involved) ability to capture a bank’s exposure to the operational risk inherent in its mix of business activities in the Operational risk Capital-at-Risk (OpCaR) model.
- Operational Risk was defined once upon a time as risk arising from weaknesses or failures in people, processes, and systems, or from external shocks. In the decade since its evolution, we have seen very little work, bank or regulatory, to derive directly from this some view of exposure, risk sensitivity, or potential loss. Increasingly, there is less and less effort and incentive for it, even aswe hurtle towards the end of OpRisk as a presumptive risk-discipline, in favor of it succumbing completely to the GRC school of non-risk.
- I ask my audiences everywhere I go “Why do you need Capital?”. The answer is inevitably wrong even, or especially, from bankers. “To do business” is not a necessary or sufficient condition for capital. Capital is needed to cover your unexpected losses, the idea (hope?) being that your Revenues cover your expected losses
- The High Severity versus High Frequency ends of Operational Risk have been crystal clear over the years. The Regulatory Lines of Business as first defined under Basel II can easily be ranked in order of their operational-riskiness. Equity and Debt Underwriting remain right on top, with Sales & Trading very close behind, again easy to rank based on the instruments. Highly manual processes are far riskier operationally than automated ones, even given the explicit technology-risks. Payments, Treasury, Correspondent Banking, most Transactional services are by far the least risky, notwithstanding they are often at the High-Frequency end. Corporate Banking is bang in the middle, with differentiation possible by obligor and facility risk category. To distinguish operational riskiness in any other way, is to simply invite more arbitrage play, even as the basic capital arbitrage between the risk-disciplines themselves remains unchecked.
- Large losses continue to drive risk profiles, and therefore should drive the capital requirement. As for frequency, banks continue to blithely fudge their internal loss distributions, in so many malign and benign ways. With all of the data standards that have evolved, and all of the canvassing by risk and audit and regulator everywhere, there is very little to suggest that we are anywhere closer to better, fuller, cleaner data than we have ever been before. Isn’t it time to absolutely mandate that risk books and financial books needs must be the same?
- Yes, it has always been correct to argue that Gross Income is not a good proxy for operational risks; although I don’t easily buy the given examples of inverse rather than direct correlation, I have always anyway argued against the assumption of exposures increasing linearly with revenue. And I am not able to see the Business Indicator definitions eliminating this problem; whereas they do try and realign the medicine to the correct disease, insofar as removing the outlandish penalties for some banks’ business or process-mixes.
- Where I come out is with the argument for a capital-construct that formally recognizes:
- The business-mix of a bank, and clear weights by operational-riskiness of each line
- Mandatory process-mapping, and risk identification at process & activity levels
- Largest historical internal loss in each category
- Frequency / arrival-rate of internal losses
- Mandatory reconcilement (and attestation) for internal loss data with general-ledgers
- Largest industry loss in each line of business
- All Issues arising out of Self, Audit & Regulatory examinations, with weights
- Past-Dues in corrective/remediation actions, with weights for ageing
- Penal multipliers for fails, escalated metrics and tail-end scenarios in cybersecurity, business-continuity, vendor-management, internal fraud, AML/KYC/Dodd-Frank/FATCA compliance
I do want to pick up a tailpiece of this in a discussion on Regulatory fines versus Capital multipliers.