«Regulating and Supervising Operational Risk for Banks Abstract: There is a renewed interest of banks and supervisors in operational risk. In the new ...»
• Narrow definition on the basis of cause and effect as “unexpected losses from changes in credit rating owing to uncertain or erroneous information about the counterparties.” (A). By this definition, unexpected loan losses which are of operational origin are not credit risks.
Hans Geiger 9
• Definition based on effects as “unexpected losses arising from changes in credit rating” (a). In this definition, unexpected loan losses of operational origin (I) (e.g. owing to deficient credit monitoring) would also be classed as credit risks and should then not be listed again as “operational risks” in the overall risk analysis, unless it is expressly stated that they are being counted twice.
• Broad definition based on causes as “all unexpected losses from uncertain or erroneous information about counterparties”. This would also include for example an operational loss constituted by the higher costs of employing additional account managers. (B)
In the RIM, “others” are listed both on the cause and effect axes. This row and column are intended merely to show that neither cause nor effect is adequately captured in the terms “credit”, “market” and “operational”.
4. Management of operational risk
This study does not attempt to deal with the topic of managing operational risk in any detail. Nevertheless, some comments are necessary with respect to regulation and supervision.
The scope of operational risks is measured by the probability and impact of the unexpected losses stemming from the deficiency or failure of internal processes, persons and systems, or external occurrences. A quantitative assessment requires such losses to be quantified as expected costs and assumes that probabilities and actual losses can be measured. At the theoretical level, complete quantification is impossible.15 In practice, any analysis of probability and size of operational risks is also defeated by the lack of relevant data. Operational risks and the losses they generate should be captured systematically and completely at the level of the individual transaction in a database or “risk ledger”. They should then be analysed and where appropriate quantified and aggregated.16 This is one of the urgent tasks facing systematic operational risk management: to systematize operational risks and place them in the loss probability and size matrix (Fig. 2).17 Hence it is desirable that a standardized methodology to describe operational risks be developed for the financial services sector, as an aid to practical risk management, the arrangement of insurance solutions and also for academic research. A number of such data models already exist.18
15 See Young (1999).
Figure 2: Size and probability of unexpected losses. Source: own diagram
For operational risk policy the following rules result from an analysis of the size and probability of losses: business areas with a high likelihood and high level of operational risk (A) are naturally to be avoided. Areas with a low level but high probability of losses (B) are often not perceived as “risk areas” but merely as “cost-intensive” or “low quality”. In such cases, the problems are frequently to be found in process and system design and are thus closely related to the topic of quality management.19 They should be reduced by preventive measures. Small-scale losses with a low degree of probability should be accepted (C) if the costs of prevention exceed the resulting reduction in losses. The spectacular operational losses are mostly located in box D: “low probability, high level of loss” (D). For such cases, preventive measures such as governance, internal control and management incentives are most important. Although the relevant principles have been known for decades, the Basel Committee on Banking Supervision notes in a recent study that lack of internal controls is behind many a major loss. The Committee has thus drafted 13 principles for executive management and boards of directors and proposed rules for monitoring by the banking supervisory authorities.20 The methods developed in the field of finance, especially Value at Risk (VaR), are not suited to extreme losses. Insurance solutions can often be of assistance here, provided the problem of moral hazard can be kept under control. Additional reinsurance is advisable for extreme losses.
16 See Hoffman (1998) p. 37ff.
17 See Levine and Hoffmann (2000).
Very high deductibles are one of the measures used to cope with moral hazard. Recently the international market has been seeing insurance policies for operational risks, and for large banks too. One example is the FIORI policy developed by Swiss Re New Markets.21 The chances of an insurance policy being successful depend on the majority of the big banks participating, for “in the insurance paradigm, those needing capital come from exactly the same group as those with capital”.22 A new variant of the insurance solution is contingent capital. “In essence, a contingent capital instrument is an option to raise capital, subject to certain conditions.”23
Provisions have to be made for all expected operational risks and for the unexpected ones up to the amount of the deductibles. It is clear that the insurer's counterparty risk replaces the operational risk if insurance is taken out. Regulatory capital is not suitable to cover such risk.
19 See Greenbaum and Thakor (1995) p. 727 ff., and Bruhn (1996), especially p. 82 f.
20 Basle Committee on Banking Supervision (1998a), p. 2ff.
21 Swiss Re New Markets: Financial Institutions Operational Risk Insurance Policy. See also Avery and Milton (2000).
22 Gumerlock (1999), p. 112.
Let me summarize: the main elements of operational risk management are: APIP&C: avoid, prevent, insure, provide and collect data.
In the day-to-day management of operational risks the following trends are visible in the banking community:24
• Creation of a formal organization of operational risk management, which clarifies competencies and responsibilities of business areas and hierarchy levels in a bank. An important first step in this direction is the systematic reporting of operational risks up through the hierarchy to the level of the board of directors.
• Inclusion of operational risks in an overall risk management concept.
• Development and implementation of tools for operational risk management. There are currently five main tools: (1) self-assessment (2) risk mapping (3) risk indicators (4) escalation triggers (5) loss event models.
• Inclusion of operational risk management in a value-oriented global management concept e.g. on the basis of a Risk Adjusted Performance Measurement: RAPM.25 The attempt is made here to identify economic capital for operational risks. As already discussed, I view this VaR-oriented approach as not very suitable for operational risks.
• Generally, managements are adopting the bottom-up method for operational risk rather than the top-down approach.
24 British Bankers' Association et al. (2000), p. 3ff.
5. Consequences for regulation and supervision of operational risk
From the standpoint discussed above of defining and demarcating operational risks, it would seem inappropriate for several reasons for the regulatory authorities to plan extra capital charges for operational risks in Pillar 1 in addition to credit and market risks:
• Firstly operational risks are frequently reflected in unexpected credit and market losses. Where this is the case, the current regulations already include them in the calculation of statutory capital and provisions. It would thus be implausible to have them underpinned twice over in arbitrary fashion, for example by capital charges on non-interest income, as stated in the Consultative Paper of the Basel Committee and the related commentaries since its publication.26 Even if a charge on income were sensible, the proposed non-inclusion of interest income is difficult to justify on theoretical grounds.
• Secondly, the problems of operational risks are of quite a different order than those of market and credit risks: it is not a matter of unexpected losses from transactions and external events but of the behaviour of the bank management and staff and of prevention and measures which the bank has to take or avoid. The assumption of operational risk does not lead to higher yields and the risks are hardly proportional to business volume. The operational risk management of a bank resembles the risk management of the industrial and energy sectors much more than it does credit and market risk management.
Analysis of causes, prevention, early warning systems and emergency measures are more important than measurement, diversification and hedging. Insights derived from industrial total quality management are arguably of great use in this regard, because process aspects and prevention play a central role. All these measures call for considerable resources, albeit not in the form of capital but in the form of personnel, technology and systems. In the final analysis, the various challenges of operational risk management have to do with the bank's risk culture. Operational risk management is not a one-off task which management can delegate when the work has been completed but an ongoing process of improvements in, and learning at, the bank.
26 Basel Committee on Banking Supervision (1999), p. 50 – 51.
• A third big difference between the management of credit and market risk on the one hand and operational risks on the other is the combination of various risks: for credit and market risks the combination of various risks reduces risk through diversification. The combination of three portfolios with CHF 10 million market risk each may result in a total market risk of CHF 20 million. Our hypothesis is that the combination of various operational risks does not diversify but multiplies the potential losses. The hypothesis of the “curse of multiplication” of operational risk is not based on empirical or theoretical work, but rather on evidence from famous cases27 and personal experience in the banking industry. The hypothesis can be illustrated with the example of a business principal’s duty of care and diligence towards his staff under Roman law. This duty comprises three tasks: the careful selection (S), training (T) and monitoring (M) of personnel.28 If a deficiency in these three duties generates a loss of CHF 10 million in each, the total loss produced when combining the three is not CHF 20 million, nor even 30 million but more likely a multiple of that, say perhaps CHF 1,000 million.29 That is pretty much what happened to Barings.
There are obvious limits to the hypothesis of the “curse of multiplication”. The hypothesis is not meant to provide a formula for computing aggregate operational risks, but rather to illustrate a fundamental difference between market and credit risk and operational risk. One theoretical limit is that no single risk factor must have a value of zero, because in this case the result of the multiplication would be zero. A second limit lies in the fact that the multiplication formula does not take into account the sequence and timing of the different risk factors and the feedback between them.30 The rules of risk reduction through diversification do apply in some technical areas of operational risk management: building a back-up computer center in another area of the country reduces the probability of both failing at the same time owing to e.g. power failure or earthquake.
27 E.g. Barings (1995), Credit Suisse Chiasso (1977), Daiwa (1995), Deutsche Morgan Grenfell (1996), Sumitomo (1996).
28 “cura in eligendo”, “cura in instruendo”, “cura in custodiendo”. See Rey (1998), p. 204 f.
• Fourthly, capital charges are basically the wrong way to tackle operational risks. If expected and unexpected credit and market losses actually occur, then both the business and the capital will have theoretically vanished and the bank will be no more. If on the other hand the expected and unexpected operational risks occur (as causes), the capital base would be gone but the business would still be there, at least to some extent. The result would be a bank which would or could no longer fulfil its capital requirements.
• Fifthly, it can hardly be argued that big and well-known operational losses could have been avoided or reduced by capital requirements. On the contrary, having to comply with a not very sensible statutory capital requirement could be an alibi for not implementing the measures which actually were necessary.
• Finally, it is interesting to observe the first stages of a new debate on the appropriateness of the corporate finance standard risk model. In Shimpi's opinion, this standard model on which regulatory capital requirements are based has to be combined with the insurance model. The resulting “insurative model” would include various sorts of on-balance-sheet capital as well as off-balance-sheet capital, especially in the form of insurance.31 The insurance solution is decisive given the possibility of extreme operational losses.
These arguments highlight the faulty reasoning behind the new capital adequacy requirement. However, I am not generally of the opinion that today's banks have enough or too much equity capital for their businesses. On the contrary, I subscribe to the opinion of the Sub-Group of the Shadow Financial Regulatory Committees of Europe, Japan, and U.S.: “that minimum capital ratios should be higher than those currently in place.” Nor should my criticism be construed as implying that the regulatory authorities ought not to intervene in the field of operational risks. The correct answer, however, is not Pillar one but Pillar two, the supervisory review process, and especially the utilization of Pillar three, the effective use of market discipline, for operational risk too.