«Regulating and Supervising Operational Risk for Banks Abstract: There is a renewed interest of banks and supervisors in operational risk. In the new ...»
Hans Geiger 1
Regulating and Supervising Operational Risk for Banks
Abstract: There is a renewed interest of banks and supervisors in
operational risk. In the new Capital Adequacy Framework of June 1999
the Basel Committee calls for capital charges for operational risks as a
component of Pillar one. Based on an analysis of the definitions of
operational risk and its demarcation versus credit and market risk, this
paper argues that it would be inappropriate to introduce extra capital charges for operational risks in Pillar one. The correct answer to the challenges of operational risk is not seen in Pillar one but in Pillar two, the supervisory review process, and in Pillar three, the effective use of market discipline.
This paper was presented at the Conference “Future of Financial Regulation: Global Regulatory Reform and Implications for Japan” (17 Oct 2000) in Tokyo.
Hans Geiger is professor at the Swiss Institute of Banking of the University of Zurich and a member of the European Shadow Financial Regulatory Committee.
1. History of operational risk Operational risk is not a new, but the oldest risk which banks face. A newly-established bank is confronted with operational risks before it even decides on its first credit transaction or market position. There are, however, some aspects which are new and hence of topical interest: (1) the perception that operational risks have increased markedly in the last few years (2) the realization that the merely quantitative approach to credit and market risk overlooks key danger areas and that operational risk management should consequently be developed into a discipline in its 2 Regulating and Supervising Operational Risk for Banks own right (3) the inclusion of operational risks in any type of total risk management (4) and last but not least the renewed interest of supervisory authorities in operational risk.
The most important cause of this interest in the subject have been those spectacular cases in which banks have suffered publicly-disclosed losses resulting from operational risks. The most prominent case has been the substantial Barings losses which brought the bank down at the start of 1995, setting off a mid-sized earthquake in banking and regulatory supervisory circles. It is now the conventional wisdom that the derivatives losses of GBP 827 million were not actually market risks so much as operational risks.1 This opinion will be dealt with in greater detail below.
The supervisory authorities have only recently started to take a closer look at operational risks. In September 1998 the Basel Committee published an initial report on this topic, without mentioning the question of regulation. The report merely said: “The Committee will continue to monitor developments in this area.” In the new Capital Adequacy Framework of June 1999 the Basel Committee then expressly called for capital charges for operational risks as a component of Pillar one:3 “From a regulatory perspective, the growing importance of this risk category [i.e.
operational and other risk] has also led the Committee to conclude that such risks are too important not to be treated separately within the capital framework”. In the update of November 1999 this intention was confirmed and defined in more concrete terms: “The Risk Management Group … is developing a framework for applying capital charges …… to operational risk”. The supervisors assume on the basis of surveys that some 25% of current regulatory capital is needed for operational risks.
The Risk Management Group of the Basel Committee has conducted 1 Bank of England (1995), and Parsley (1996), p. 74.
2 Basle Committee on Banking Supervision (1998b) p. 7.
3 The new capital framework consists of three pillars: minimum capital requirements (pillar 1), a supervisory review process (pillar 2), effective use of market discipline (pillar 3) 4 Basel Committee on Banking Supervision (1999c), p. 50.
recent surveys on the top-down approach and the bottom-up, or box, approach. The former focuses on a capital charge on non-interest income, the latter on the compilation of risk indicators, business volume indicators and availability of loss data for the various business lines and nine new risk types.6 An important reason for the interest of the supervisory authorities in a capital requirement for operational risks seems to be that as a result of the unbundling of risk and capital charges, overall capital adequacy requirements fall, which the supervisory authorities wish to prevent.
2. Definition of operational risk
The prerequisite for the theoretical analysis of a problem is the definition of terms. The term “operational risks” has only been defined in the last few years. The chronological development of this definition is given here in brief, as it is relevant to our subject.
Risk is not understood merely as “uncertainty about the future” or the “probability of sustaining a loss” but is defined as “ an expression of the danger that the effective future outcome will deviate from the expected or planned outcome in a negative way.”7 This definition implies that a bank does not accept risks simply as fate but deals with them actively. Risk is measured by the probability and impact of a negative deviation. It follows from this concept that the opposite of “risk” is “opportunity”. Other authors define risk neutrally, comprising not only negative but positive deviations. This difference is not relevant for operational risks. In contrast to credit and market risk, the assumption of operational risk does not generate higher revenue. Nor are operational risks proportional to trading volume. This definition, it is important to note, does not class every loss as a risk, only the unexpected loss. Taking the example of lending: only those loan losses are designated as risks which exceed the expected losses 6 Basel Committee on Banking Supervision Risk Management Group (2000)
which have been factored into the price. This notion of risk implies that a bank has an idea of its expected losses for the various areas of risk. These ideas are based on more or less validated information about the future external environment (e.g. in relation to the business cycle and interest rate levels) on the one hand and the future internal environment of the bank on the other. Past experience almost always plays a key role.
Another definition of terms is important for an understanding of risk: it is not only the distinction between “expected” and “unexpected” losses which is significant, but also that between “acceptable” and “unacceptable”. These two terms reflect a bank’s capacity to take on risk and its attitude to risk. The acceptance of unexpected losses is determined not only by economic but to a great extent by sociological and psychological elements.
The search for a generally-valid definition of operational risks has only taken on momentum in banking in the past few years.9 This definition must fit into the framework of general risk definition mentioned above.
Unlike in industry, banks' risk management in the past focused largely on credit and market risk, with mathematical modelling and measurement playing a strong role.
The last few years have seen the search for a generally recognized concept of operational risk, conducted principally by practitioners and banking supervisors, giving rise to a wealth of definitions, often mutually irreconcilable. The definitions can be split into two categories: indirect and direct definitions. Under the indirect definition, operational risks are understood to be all those risks which cannot be classed as credit or market risks. As it is a simple definition, this formulation was widely welcomed at the outset and supervisory authorities have been utilizing it until very recently. But a closer examination reveals that an indirect definition is unsatisfactory on practical and theoretical grounds. From a theoretical standpoint, the indirect definition is unsatisfactory because it 8 Luhmann speaks in this connection of catastrophe threshold. See Luhmann (1991), p. 11.
fails to address nearly all the key issues of defining and demarcating terms.
A survey of the definitions published in the last few years by a total of 16 banks, consultancies and supervisory authorities shows that the following words occur most frequently: processes and procedures, people and human errors, internal control, internal and external events, direct and indirect losses, failure, technology and systems. Nearly all definitions emphasize the internal side of operations but frequently unexpected external events are also classed as operational risks. Many approaches speak of losses both in the sense of direct financial losses, and also of indirect ones which frequently derive from the loss of a bank’s reputation and market value. I regard the wording of the British Bankers´Association (BBA) as the best one and one which seems to be sweeping the field of late. It is: “Operational risk is the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events.” Adapting this to my general concept of risk, I define the term as follows: “Operational risk is an expression of the danger of unexpected direct or indirect losses resulting from inadequate or failed internal processes, people, and systems or from external events.”
The most important characteristics of this definition are:
• The focus on internal aspects which the bank can and should shape and influence. These are often actions or failure to take action by the bank and its staff. These risks are clearly separate from market and credit risks.
• The importance of process orientation in the operational risk concept. The emphasis placed on the process aspects locates the definition of operational risk management in the vicinity of “total quality management”. The operational risks in the banking sector resemble similar risks in industry more closely than they do market or credit risks in a bank.
10 British Bankers' Association et al. (2000), p. 39.
6 Regulating and Supervising Operational Risk for Banks • The decisive role played by human beings and the errors they commit, both out of self-interest as well as ignorance. There are three types of operational risk in this context: Hazards, errors, conflicts.11 In this connection behavioural risks and the incentive effects of business structures, compensation and promotion systems and generally speaking, the selection, instruction and monitoring of staff, customers and other business partners are of great significance.12
• The external incidents are natural, political or military events, losses and deficiencies in the technical infrastructure, as well as changes in and problems with the legal, tax and regulatory environment, all occurring outside the realms of credit and market risk.
• The important role played by the internal control system, the elements and rules of which have been known and accepted for decades but which are often forgotten or neglected during periods of restructuring or product and process innovation.13 Many of the notorious losses in recent banking history could have been avoided or limited had the established rules been followed.
3. Identification and demarcation versus credit and market risk (RIM) 14 It is desirable both in terms of practical utility and theoretical clarification to distinguish the operational risks defined in the last section from other risk categories, thereby allocating all a bank´s risks to well-defined risk 11 Guldimann (1999), p. 54.
12 These questions were already regulated in Roman law. The due care and diligence of the principal comprises “cura in eligendo”,“ cura in instruendo”, “cura in custodiendo”. See Rey (1998), p. 204 f.
13 Basle Committee on Banking Supervision (1998b), p. 8ff.
categories that do not overlap each other. But comprehensive risk modelling of this nature would go well beyond the scope of the present discussion. Hence we shall limit ourselves to differentiating operational risks from credit and market risks, and from all other types of risk.
The focus is on whether we understand by risk the causes of a negative deviation from desired or planned outcome or whether we see the negative effects as the risk. Not a few definitions and explanations of operational risk fail to clarify this aspect. Sometimes a mixture of cause and effect is used for identification and demarcation. For example, if we examine the conventional wisdom that Barings’ derivatives losses were actually not market risks but operational risks in the light this approach, we find that the statement makes little sense. It is not a matter of “eitheror” but “cause and effect”. The causes were doubtless operational: the grossly negligent breach of recognized internal control principles. But it is just as clear that the effect was an unexpected loss of market value, that is, market risk.
Below, a cause/effect matrix, known as a “Risk Identification Matrix” (RIM), is used to identify and demarcate operational risks. The causes are used to demarcate the operational from other risks. Operational risks are all unexpected losses which have their origin in internal errors or staffrelated deficiencies, in processes and systems and in external events. The (negative) effect is manifested either directly in unexpected credit (I), market (II) or operational losses (unexpected extra costs (III) or lower revenues (IV) or indirectly, in an unexpected reduction of market value (V) of the bank. The direct losses are reflected in the balance sheet and profit and loss statement and the indirect ones in the value of the discounted future cash flow. The possible effects of operational risks are marked in Figure 1 with an arrow (È) 8 Regulating and Supervising Operational Risk for Banks
Source: Geiger, Piaz 2000 Figure 1: Risk Identification Matrix (RIM). Source: Geiger and Piaz (2000) The RIM is a conceptual aid. It serves to enhance linguistic communication and helps to convey an overall picture of how the causes and effects of risks are related. Using the RIM, credit and market risks can be defined more clearly. Credit risk could be defined in three different