Introduction to Basel
In 1995 Barings PLC, Britain’s oldest merchant bank, suffered a loss of $1.3 billion due to the actions of a rogue trader who was able to hide substantial losses through the use of a segregated account that he controlled and that was not subject to review by superiors. The loss to Barings, which exceeded its capital base, forced the firm to enter into bankruptcy, and it was eventually acquired by another bank, ING. The collapse of Barings brought into focus the issues of management and controls. The incident showed how mismanagement and lack of controls can impact operations, bringing down an institution with rapid speed.
This is just one of the many incidents reported and classified in the industry under Operational Risk, which could have been avoided, or the loss minimized, had proper controls and procedures been in place.
Definition of Operational Risk
Basel defines Operational risk as the “Risk of loss resulting from inadequate or failed internal processes, people or systems or from external events.” ‘Legal’ risk is included under the purview of operational risk while ‘Strategic’ and ‘Reputation’ risk are excluded.
Operational risk embraces the entire gamut of banks’ operations including among others, all aspects of technology, ecommerce, operations, controls, processes, products, product systems / applications, outsourcing, interfaces, business practices, employment practices, fraud (internal / external), clients’ actions (e.g. Money laundering), physical assets, intelligence, financing, special risks, catastrophe, etc. In fact losses resulting from the terrorist attacks on USA on September 11th 2001 would be classified as Operational Risk Loss under “External Events.”
Over $7 billion in operational risk losses have been reported by financial services firms to the press in 2002-03. This figure represents only reported tangible losses. The actual losses would certainly be in multiples of that amount.
Drivers behind Operational Risk
Until recently, Operational Risk was mostly an afterthought to Market Risk and Credit Risk and mostly relegated to the backroom of IT departments. However, several operational loss incidents in the industry; the deadline of Jan 1 2008 set by the Basel accord to comply with its laid norms; and the need for improvements in productivity and performance have propelled industry participants to invest in Operational Risk Solutions. The section below highlights some of the major drivers to the Operational risk initiative.
- Basel II Regulations : The latest Basel Capital Accord (Basel II) stipulates that all large financial institutions must set aside a certain amount of capital based on the extent to which they manage their operational Risk. Therefore, the banks can reduce their capital allocation by taking stronger measures towards mitigating operational risk.
- Return on Investment (ROI) : The financial institutions have realised that they can increase their profitability by managing operational risk and subsequently preventing failure of processes and controls and reducing potential losses. It allows profitable businesses, products, customer groups and delivery channels to be identified more accurately and nurtured, leaving loss-making areas to one’s competitors.
- Operational Cost : The industry has seen a meteoric rise in the cost of operations. This rise is a result of the spiraling cost of hardware, software, and personnel. As a result, reducing the probability of operational failure is of paramount importance.
- Complexity of Operations and Risk Management : The industry has witnessed the introduction of new, complex, sophisticated products and support requirements. There is increasing dependency on technology, thus opening yet another avenue for potential operational losses.
- Demanding Customers : Financial institutions are increasingly becoming customer focused, tailoring their services and products to meet client requirements. Banks can no longer survive just by offering standard services and products. Clients and counterparties are looking for assurance that both adequate management structures and skilled personnel are in place to minimise any chances of operational risk.
- Shareholder Expectations : Corporations are under significant pressure from the investor community to reduce losses, improve efficiency and justify new investments. Operational risk measurement allows performance metrics to be expressed fully on a risk/return basis and aligned with the creation of shareholder wealth.
- Other Regulatory Guidelines : It is not enough for the financial industry to be compliant with Basel II. The regulatory focus is getting stronger with initiatives such as Sarbanes-Oxley and the USA Patriot Act, mobilising industry participants to act promptly and start programs towards their adherence.
The Basel II Accord – Operational Risk
The Basel II revised capital adequacy framework was released in June 2004, and banks now have to decide how they will implement it. The central bank governors and heads of supervisory authorities in the Group of Ten (G10) countries endorsed the publication of “International Convergence of Capital Measurement and Capital Standards: a revised framework”, also known as Basel II. The Basel II framework outlines the protocol for adopting risk-sensitive minimum capital requirements for banks. The new framework reinforces these risk-sensitive requirements by laying out principles for banks to assess the adequacy of their capital and for supervisors to review such assessments to ensure banks have adequate capital to support their risks. It also seeks to strengthen market discipline by enhancing transparency in banks’ financial reporting.
The new Basel II Capital Accord proposed for the first time that banks recognize and provide capital for Operational Risk (OR) in addition to Market and Credit Risk.
The key objective of Basel II is to strengthen the stability of banking and financial industry through improved risk management practices and requiring them to hold capital commensurate with their risk profile to serve as a source for sustainable growth for the broader economy.
Need for Allocation of Capital
A bank’s capital serves as a foundation for its future growth and acts as a cushion against its unexpected losses. Adequately capitalised and well managed banks are better able to withstand losses and to service their customers throughout the entire business cycle, including downturns. The challenge for both banks and regulators is to determine how much capital is necessary to serve as a sufficient buffer against unexpected losses. If capital levels are too low, banks may be unable to absorb high levels of losses, increasing the risk of bank failures and putting depositors’ funds at risk. High levels of capital allocation may not be the most efficient use of a bank’s resources, and may constrain the bank’s ability to make credit available.
From Basel I to Basel II
The 1988 Basel Capital Accord set out the first internationally accepted definition of, and a minimum measure for, bank capital. It requires banks to divide their exposures up into broad “classes” reflecting similar types of borrowers. While the 1988 Accord was applied initially to internationally active banks in the G10 countries, it quickly became acknowledged as a benchmark measure of a bank’s solvency and is believed to have been adopted in some form by more than 100 countries.
Advances in risk management practices, technology, and banking markets have made the 1988 Accord’s simple approach to measuring capital less meaningful for many banking organisations. The Basel II Framework is more reflective of the underlying risks in banking and provides stronger incentives for improved risk management. It builds on the 1988 Accord’s basic structure for setting capital requirements and improves the capital framework’s sensitivity to the risks that banks actually face. Basel II combines these minimum capital requirements with supervisory review and market discipline to encourage improvements in risk management and to provide incentives to adopt the more advanced risk-sensitive approaches.
Three Pillars of Basel II
The Basel objective is accomplished through the introduction of “three pillars” that reinforce each other and that create incentives for banks to enhance the quality of their control processes.
Operational Risk Capital Calculation
The Basel II framework outlines three methods for calculating operational risk capital charges in a spectrum of increasing sophistication and risk sensitivity requiring significant investment in systems that measure, manage and predict potential losses.
The three approaches are as detailed below:
- Basic Indicator Approach allocates operational risk capital using an average over the previous three years of a fixed percentage (denoted alpha) of positive annual gross income. Any negative or zero gross income is excluded from both the numerator and the denominator of the calculation.
- Standardized Approach differs from the Basic Indicator Approach as it segregates a bank’s activities into different standardized business units and business lines. This allows banks to allocate capital charges more effectively among the bank’s various business activities and provides a more efficient way to allocate capital among business activities with varying degrees of risk.
- Within each business line, gross income is a broad indicator that serves as a proxy for the scale of business operations. The capital charge for each business line is calculated by multiplying gross income by a factor (denoted beta) assigned to that business line. Beta serves as a proxy for the industry-wide relationship between the operational risk loss experience for a given business line and the aggregate level of gross income for that business line. The total capital charge is calculated as the three-year average of the simple summation of the regulatory capital charges across each of the business lines in each year.
The strength of both these approaches is their simplicity, which makes them easy to implement. However, they are not risk sensitive, as they follow the principle of “One size fits all.” They also fail to capture the effect of a bank’s management of operational risk. These approaches give the bank no incentive to invest in operational risk infrastructure, nor do they take into account any of the qualitative factors.
- Advanced Measurement Approach is meant to be a quantitative and qualitative approach to allocating capital based on sophisticated measurement of risk for each respective business activity. Given the continuing evolution of analytical approaches for operational risk, the framework doesn’t specify the approach or distributional assumptions used to generate the operational risk measure for regulatory capital purposes. Rather, it gives banks flexibility in the development of an operational risk measurement and management system. However, a bank must have and maintain rigorous procedures for operational risk model development and independent model validation, so that it can demonstrate that its approach captures potentially severe ‘tail’ loss events and meets a soundness standard comparable to that of the internal ratings-based approach for credit risk.
The Basel Committee will continually review evolving industry practices regarding credible and consistent estimates of potential operational losses. It will also review accumulated data, and the level of capital requirements estimated by the AMA, and may refine its proposals if appropriate.
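The Basic Indicator and Standardized calculations described above can be compared on the same income figures. The following is an added example, not part of the original paper: the alpha and beta factors and the per-year floor at zero come from the Basel II framework text rather than from this page, and the income data and function names are constructed for illustration.

```python
"""Basic Indicator vs. Standardized operational risk capital (added illustration)."""

# Factors published in the Basel II framework (not stated on this page).
ALPHA = 0.15
BETA = {
    "corporate_finance": 0.18,
    "trading_and_sales": 0.18,
    "retail_banking": 0.12,
    "commercial_banking": 0.15,
    "payment_and_settlement": 0.18,
    "agency_services": 0.15,
    "asset_management": 0.12,
    "retail_brokerage": 0.12,
}

# Constructed sample: gross income in millions per business line for three
# years. Year 2 includes a large trading loss.
SAMPLE_YEARS = [
    {"retail_banking": 100, "trading_and_sales": 50, "asset_management": 20},
    {"retail_banking": 80, "trading_and_sales": -200, "asset_management": 20},
    {"retail_banking": 110, "trading_and_sales": 60, "asset_management": 10},
]


def total_gross_income(years):
    """Bank-wide gross income for each year (sum over business lines)."""
    return [sum(year.values()) for year in years]


def basic_indicator_capital(gross_income_by_year, alpha=ALPHA):
    """Average of alpha * gross income over the years with positive income.

    Years with zero or negative gross income are dropped from both the
    numerator and the denominator, as the text describes.
    """
    positive = [gi for gi in gross_income_by_year if gi > 0]
    if not positive:
        return 0.0
    return sum(gi * alpha for gi in positive) / len(positive)


def standardized_capital(years, beta=BETA):
    """Three-year average of the yearly sum of beta * gross income per line.

    A negative line can offset positive lines within the same year; a year
    whose total charge is negative counts as zero (Basel II framework rule,
    not stated on this page) but still counts in the denominator.
    """
    yearly_charges = []
    for year in years:
        unknown = set(year) - set(beta)
        if unknown:
            raise ValueError(f"no beta defined for business lines: {sorted(unknown)}")
        charge = sum(gi * beta[line] for line, gi in year.items())
        yearly_charges.append(max(charge, 0.0))
    return sum(yearly_charges) / len(yearly_charges)


if __name__ == "__main__":
    bia = basic_indicator_capital(total_gross_income(SAMPLE_YEARS))
    tsa = standardized_capital(SAMPLE_YEARS)
    print(f"Basic Indicator Approach: {bia:.2f}m")
    print(f"Standardized Approach:    {tsa:.2f}m")
```

On this sample the loss year drops out of the Basic Indicator average entirely, while under the Standardized Approach it contributes a zero charge that pulls the three-year average down.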
Banks with international operations or banks with significant operational exposures are encouraged to use the more sophisticated modeling techniques. The use of AMA provides the following benefits compared to the other approaches detailed earlier.
- Risk sensitivity : The capital allocated reflects the size and scope of bank’s activities.
- Flexibility : Banks could choose supportive methodologies reflective of their business. Capital allocation can be integrated into scorecards, risk indicators, warning systems and audit scores used to measure and monitor operational risk.
- Reward better control environments : Actions that reduce loss experience, or reduce the likelihood or severity of extreme events, can reduce capital.
- Appropriate allocation of capital : As the industry improves the measuring, modeling, monitoring and mitigation of operational risk, the capital allocation becomes more refined.
The AMA approach poses the following challenges to the risk management community:
- Greater complexity/resource commitment than the other approaches.
- Numerous modeling issues/ decisions need to be made by the bank including incorporation of external data, scenario analysis.
- Combining quantitative techniques and qualitative factors into a comprehensive integrated methodology.
The reform recommendations of the Basel Committee have far-reaching consequences for banks’ minimum capital, risk management and disclosure requirements. Banks need to take immediate action if they want to take the dual advantage of capital optimization along with improved business efficiency and effectiveness.
Bringing Business Value for Banks
The implementation of an Operational Risk system brings manifold benefits for banks. The benefit derived by the banks can easily exceed their investments by multiple proportions. The benefits can be classified into “Tangible” and “Intangible” benefits. The tangible benefits directly affect the bank’s financial performance, while the intangible benefits indirectly aid the bank in getting new business, capital and a competitive edge.
Banks having proper systems, processes and controls in place to mitigate risk will certainly be able to reduce the amount of Operational Risk capital required to be kept aside as per norms. The freed up capital can be ploughed back into the different avenues for generating more business and improving the bottom line. Complying with Basel II requirements will ensure a bank’s future competitiveness.
Designing and Implementing an Enterprise Wide Operational Risk Solution
Operational risk, unlike credit and market risk, does not easily lend itself to quantitative measurement and analysis. So in developing risk management infrastructure, institutions need to adopt a pragmatic hands-on approach that utilizes the best available tools and technology.
Operational Risk can only be managed on an enterprise wide basis as it includes the entire policies, culture, procedures, expertise and systems that an institution needs to manage all the risks resulting from financial transactions. To effectively manage market risk and credit risk, it is necessary to have the relevant skills and expertise in staff, organizational infrastructure as well as monitoring and control systems. As all of the above are components of operational risk, it then becomes apparent that an integrated risk management approach needs to focus on operational risk.
The key components of the operational risk management system are risk measurement, data integration, monitoring exposure and managing information systems designed to meet the regulatory guidelines and supervisory soundness standard. The system must make use of internal data, relevant external data, scenario analysis and factors reflecting the business environment and internal control systems. A bank’s risk measurement system must be sufficiently ‘granular’ to capture the major drivers of operational risk affecting the shape of the ‘tail’ of the loss estimates.
Diverse User Community
The users of the operational risk system would include operational risk managers, information risk managers, audit, and regulatory officers, besides senior and top management who would look to derive meaningful information from the reports. The information from the system forms the basis for decisions regarding business performance, risk exposure and capital allocation.
The requirements of each of these user groups are varied, and the system should cater to the different groups of users, providing more meaningful and complete information than that which already exists within the institution.
Understanding Business requirements
- Risk Capture : The system needs to provide for the capture of operational risk measures such as loss event information, business environment assessments and audit reports, and for the use of external loss event data to the firm’s advantage.
- Risk Measurement : The captured risk measures need to be translated into numeric terms for the purpose of Capital Modeling. These measures feed the capital engine for capital calculation / allocation.
- Risk Metrics and Monitoring : The system needs to provide tools to monitor trends, alerts and performance summaries, and to compare information across different risk measures within and across business lines and industry participants. The reporting framework needs to be robust and flexible in providing chart and drill-down features and what-if capabilities, allowing risk managers to develop their own matrices to monitor the operations and to identify and manage risk as it transpires.
Highlighting Design Considerations
An operational risk system catering to enterprise-wide needs has to provide some of the following design parameters, besides incorporating best architecture practices.
- Considering the enterprise nature of the application, spanning various business lines and geographies in the case of a large firm, the system needs to be easily accessible by all employees of the firm irrespective of their location. The system needs to have a scalable architectural framework catering to firm-wide users’ needs.
- The system needs to integrate with other disparate systems, data sources, legacy systems, organisation reference information etc. The gathered data needs to be cleansed, transformed and loaded into a database, a data mart or a data warehouse for analysis and reporting.
- The system needs to easily enable integration with other risk management tools and the ability to accommodate dynamic risk management needs and business environment.
- The system needs to be modular and flexible, integrating the different modules of the operational risk system.
Business Architecture Framework
A typical comprehensive Operational Risk Management System would consist of the following operational risk measures.
- Risk Event system : This measure captures and accumulates individual operational loss events across business units and Basel event categories. Though data is captured after the event occurs, on a reactive basis, it can be analyzed and used for proactive and predictive analysis. The data collected can be sliced, diced and analyzed in various ways to establish best practices and document ‘lessons learnt.’
- External Loss Data : This measure can provide vital inputs for an organization with insufficient or incomplete loss data. Organizations can use this information to model fat tail events in quantification models, as well as to validate and benchmark internal loss data.
- Qualitative Self Assessment : This measure is used to assess the business / control environment for the different business lines under the firm’s umbrella. It is an assessment by the business units of themselves, to gain agreement on the risks and define steps for mitigation. Independent audit verification strengthens the checks on the assessment, reinforcing the business ratings. These ratings can be translated into scores that measure the potential risk of control non-compliance. The self assessment exercise can be made more meaningful by identifying and monitoring the internal controls as required by the Sarbanes-Oxley Act.
- Key Risk Indicators : This measure provides risk managers and business users an insight into their operations, which can serve as an early warning signal and offer a directional input for senior management. The KRIs are identified from a pool of business data / indicators collected from operations, which are drivers of risk and potential for loss.
- Scenario Analysis : It can give a different dimension to the data collected by other operational risk measures. A qualitative, forward-looking exercise involving senior management and risk teams, facilitated by an operational risk trainer, can help the businesses come up with possible scenarios given their risk environment and aggregate the exposure at the firm level. Scenarios used along with external loss data can help in modeling the fat tail for the firm’s environment.
- Capital Allocation : This module takes inputs from the different risk measures and calculates the capital based on defined quantitative models and AMA approach. The calculated capital can be further allocated to each business unit across the firm and used for incentives and performance analysis.
- Risk Monitoring and Control : This module provides tools such as Management Dashboards that let top management monitor trends, with integrated reporting on loss data, self assessment scores, audit grades and capital for each line of business. It helps identify potential weaknesses and issues by examining KRIs and trends across all types of risk. The plethora of information collected from the various operational risk measures can be sliced, diced and compared to provide intuitive details.
- Reporting and Analysis : This module provides insightful analytical reports for a variety of audiences including the senior management, regulators, risk managers and the process owners. Drill-up – Drill-down capability in reporting helps the users to get to the root of the cause behind certain behavior. ‘What-if’ analysis functionality facilitates simulation of changes in Capital allocation with changes in business / control environment.
Challenges involved
- Managing Requirements : Operational Risk is a relatively nascent area in the realm of Risk Management compared to its matured counterparts – Credit risk and market risk. Financial institutions are still learning and understanding the implications of the guidelines laid down by Basel and regulatory agencies. Timely implementation of an operational risk solution lies in scoping and freezing requirements early in the project life cycle. Firms would do better to approach the program in an incremental and phased manner.
- Data Management : As operational risk is an enterprise-wide solution, finding the authentic and appropriate source of reference data is a big issue. Data migration from existing / peripheral applications is a challenge, as institutions are entrenched with poor data quality, disparate, overlapping systems and inappropriate data structures.
Basel II continues to be among the top priorities for banks today as they busily implement the solution as per specified guidelines. Implementing operational risk is a challenge ahead of banks as they incorporate this charge for the first time in the capital allocation. Banks should use this opportunity to achieve improved operational process and efficiency as they meet the regulatory objective.
Designing an operational risk solution is a challenge as it does not lend itself to quantitative measurement and analysis, unlike credit and market risk. Operational risk is best managed on an enterprise-wide basis as it includes the entire policies, culture, procedures, expertise and systems that an institution needs to manage risks resulting from financial transactions, and its architecture framework needs to conform to the same. The different components in the operational risk framework need to integrate with each other as well as with other disparate source systems.
Success of an operational risk program lies in effectively managing business requirements as firms understand Basel guidelines and implement the solution in parallel.
For more about Basel Norm :
- Bank for International Settlements
  Website: www.bis.org
- Basel Committee on Banking Supervision
  Website: www.en.wikipedia.org/wiki/Basel
- Board of Governors of the Federal Reserve System
  Website: www.federalreserve.gov
- Federal Reserve Bank of Chicago
  Website: www.chicagofed.com
- Global Association of Risk Management
  Website: www.garp.com
- Risk Center
  Website: www.riskcenter.com