Operational Risk

Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.

This definition includes legal risk, but excludes strategic and reputational risk.

The Basel framework outlined three methods for calculating operational risk capital charges:

(i) the Basic Indicator Approach

(ii) the Standardised Approach

(iii) Advanced Measurement Approaches (AMA)

The simplest is the Basic Indicator Approach (BIA), by which the capital charge is calculated as a percentage (alpha) of Gross Income (GI), a proxy for operational risk exposure.

Being the most basic approach, its adoption does not require prior supervisory approval.

The most advanced methodology is the advanced measurement approaches (AMA), which allows banks to use internal models to calculate their capital requirements.

Adoption of the AMA requires prior supervisory approval and involves implementation of a rigorous risk management framework.

The third approach, the Standardised Approach (TSA), which is positioned as an intermediate approach between the BIA and the AMA, requires banks to divide their total GI into eight business lines and to calculate capital requirements as a sum of the products of the GI attributed to each business line and the specific regulatory coefficients (betas) assigned to each line.

Since the adoption of the TSA requires compliance with a set of qualitative criteria relating to operational risk management systems, banks are required to obtain prior approval from their supervisory authorities before moving to this approach.

A variant of the TSA, the Alternative Standardised Approach (ASA), allows banks with high interest margins to calculate their operational risk capital requirements by replacing the GI for two business lines – retail banking and commercial banking – with a fixed percentage of their loans and advances.

Adoption of the ASA is allowed by the respective supervisory authorities at their national discretion.

Banks are encouraged to move along the spectrum of available approaches as they develop more sophisticated operational risk measurement systems and practices.

Internationally active banks and banks with significant operational risk exposures (for example, specialised processing banks) are expected to use an approach that is more sophisticated than the Basic Indicator Approach and that is appropriate for the risk profile of the institution.

A bank will be permitted to use the Basic Indicator or Standardised Approach for some parts of its operations and an AMA for others provided certain minimum criteria are met.

A bank will not be allowed to choose to revert to a simpler approach once it has been approved for a more advanced approach without supervisory approval.

However, if a supervisor determines that a bank using a more advanced approach no longer meets the qualifying criteria for this approach, it may require the bank to revert to a simpler approach for some or all of its operations, until it meets the conditions specified by the supervisor for returning to a more advanced approach.

The work of the Accord Implementation Group's Operational Risk Subgroup (AIGOR) focuses on the practical challenges associated with the development, implementation and maintenance of an operational risk management framework meeting the requirements of the Basel framework, particularly as they relate to the Advanced Measurement Approaches (AMA).

The AIGOR has been specifically mandated to, among other things, exchange and catalogue subgroup members' views on operational risk implementation issues and the range of acceptable bank practices for measuring and managing operational risk under the AMA.

In recognition of the evolutionary nature of operational risk management as a risk management discipline, the Basel Framework intentionally provides a significant degree of flexibility for banks in the development of an operational risk management framework under the AMA.

It is not surprising, therefore, that the range of practice that has emerged in relation to any given issue tends to be quite broad.

The flexibility provided banks in the development of an AMA, however, should not be interpreted to suggest a lesser standard of supervisory review and assessment or that supervisors are prepared to accept as reasonable any and all responses to the challenges banks face in this area.

On the contrary, prudential supervisors have an interest in identifying and encouraging bank operational risk practices that are consistent with safety and soundness and level playing field objectives.

Business environment and internal control factors (BEICFs) are indicators of a bank's operational risk profile that reflect underlying business risk factors and an assessment of the effectiveness of the internal control environment.

They introduce a forward-looking element to an AMA by considering, for example, rate of growth, new product introductions, findings from the challenge process (eg internal audit results), employee turnover and system downtime.

Incorporating BEICFs into an AMA helps to ensure that key drivers of operational risk are captured and that a bank's operational risk capital estimates are sensitive to its changing operational risk profile.

In principle, a bank with strong internal controls in a stable business environment will have, all else being equal, less exposure to operational risk than a bank with internal control weaknesses or that is experiencing rapid growth or introducing new products.

Accordingly, banks are expected to assess the level of and trends in the operational risk and related control structures across the organisation and build the results of such assessments, generally referred to as BEICFs, into the risk management and measurement aspects of their AMA methodology.

The assessments should be current and comprehensive and should identify the critical operational risks facing the bank.

The assessment process should be sufficiently flexible to encompass a bank's full range of activities (including new activities), changes in internal control systems or an increased volume of information.

If a bank reduces its operational risk estimate on the strength of robust internal control factors, then there should be some process for ensuring that the impact of internal control factors on the final capital estimate is plausible, prudent and consistent with actual experience.

Basel III Amendments

The Basel Committee on Banking Supervision not only wants to address the weaknesses that were revealed during the crisis, but also to reflect the experience gained with implementation of the operational risk framework since 2004.

At that time, the Committee made clear that it intended to revisit the framework when more data became available.

Despite an increase in the number and severity of operational risk events during and after the financial crisis, capital requirements for operational risk have remained stable or even fallen for the standardised approaches.

This indicates that the existing set of simple approaches for operational risk – the Basic Indicator Approach (BIA) and the Standardised Approach (TSA), including its variant the Alternative Standardised Approach (ASA) – do not correctly estimate the operational risk capital requirements of a wide spectrum of banks.

The weaknesses of these simpler approaches stem mainly from the use of Gross Income (GI) as a proxy indicator for operational risk exposure, based on the assumption that banks’ operational risk exposure increases linearly in proportion to revenue.

This assumption usually turns out to be invalid.

In particular, where a bank experiences a decline in its GI due to systemic or bank-specific events including those involving operational risk losses, its operational risk capital falls when it should be increasing.

Moreover, the existing approaches do not take into account the fact that the relationship between the size and the operational risk of a bank does not remain constant or that operational risk exposure increases with a bank’s size in a non-linear fashion. In addition, the changing operational risk profiles of banks may render a calibration based on the past behaviour of variables unfit for the future.

Proxy-based indicators used in the operational risk approaches and the calibration of the associated parameters should therefore be periodically tested to ensure their continued validity.

Such a review is all the more important given the lack of relevant operational risk data and experience in operational risk modelling when the original framework was designed in the early 2000s.

We now have not only a richer data set to support the quantitative analysis, but also almost a decade of experience with implementation of the framework.

The Basel Committee has therefore undertaken a fundamental review of the simpler approaches for operational risk based on extensive data relating to operational risk losses and exposure indicators from a wide range of banks.

These data were assembled in several exercises, including the 2008 Loss Data Collection Exercise, the 2010 Quantitative Impact Study (QIS) and, more recently, specific collections on operational risk losses and candidate proxy indicators based on supervisory reports and other sources available to the Committee’s members.

Another loss data collection effort (the new QIS) is under way in parallel to this consultation, the results of which will be used to validate the proposals outlined in this paper.

The Committee’s preliminary findings, based on the existing data, indicate that the current standardised framework comprising the BIA, TSA and ASA is on average undercalibrated, especially for large and complex banks, and that Advanced Measurement Approaches (AMA) capital charges are often benchmarked against this undercalibrated capital requirement. Reflecting this concern, the revised Standardised Approach (SA) attempts to improve the calibration while addressing the weaknesses of the existing approaches identified above.

Join the International Association of Risk and Compliance Professionals (IARCP). Membership is Free

Reading Room

Certified Risk and Compliance Management Professional (CRCMP)

Certified Information Systems Risk and Compliance Professional (CISRCP)