Professional Documents
Culture Documents
It is clear that banks are now aware that a sound operational risk management infrastructure will generate significant benefits to their business operations.
Self-assessment development and execution Capital allocation methodology (including Basel II proposals) Measurement and quantification of operational risk Creation of operational risk indicators and limit reports
As a rough and ready checklist the above activities are an extremely useful place to start in the building of an operational risk management infrastructure and banks should certainly ensure that these activities are covered.
Perceived increase in operational risk. Due to the growth in service-oriented businesses, compounded by globalisation of firms, increases in volumes, adoption of e-commerce, shorter settlement times, straight-through processing, more complex products, increasing reliance on technology, increasing incidence of money laundering and the heightened risk of terrorist attacks, it is not surprising that operational risk features high on a banks agenda. Regulatory attention. Many regulators have chosen operational risk as a point of focus and in particular base their work on the principles and practices established by the Basel Committee. Impact of internal and external events. Banks are becoming much more proactive
and aware of the impact that an accumulation of smaller events, as well as a single large event, can have. This cumulative effect can have a significant financial impact as well as an impact on service.
Current concerns
Bringing all of the above together, it can be seen that the whole area of operational risk has been elevated as a key issue to be addressed by banks. Principal concerns are concentrated into the following headings: Operations and transactions risk representing the traditional focus of operational risk Business risk representing the core strategies of the bank Growth strategy Information technology Business continuity Fraud and criminal risk Compliance Reputation
September 2004
Basel II
The Basel II Revised Framework issued in June 2004 stipulates that an explicit capital charge should be made to cover other unmeasured risks not included in the market risk or credit risk calculations. A capital charge for operational risk is not an option but a fundamental part of Basel II. The simpler approaches - basic indicator, standardised or alternative standardised approaches - are relatively straightforward to implement (the last two require banks to be able to provide an appropriate breakdown of gross income into business lines). The Accord has as its foundation three pillars. The Three Pillars Pillar One: covering minimum capital requirements, specific new rules for credit and operational risk Pillar Two: covering supervisory review Pillar Three: covering market discipline Pillar One: Calculating operational risk capital The Basel Committee identified three methods of calculating operational risk capital, in order of increasing sophistication and risk sensitivity, as follows: Basic indicator approach: This approach is an elementary, top down approach that can be followed by any bank, irrespective of its size or complexity. Under this approach, the operational risk capital is calculated using a proxy indicator for the entire bank, such as gross income. This indicator is multiplied by a parameter . This parameter is calibrated so that the operational risk capital equals approximately 15% of the minimum capital requirement. Standardised approach: This method breaks out the above calculation by business line. Eight business lines have been identified by the Committee: Corporate Finance, Trading and Sales, Retail Banking, Commercial Banking, Payment and Settlement, Agency Services and Custody, Asset Management, and Retail Brokerage. For each business line the operational risk capital is calculated as the parameter X . The Committee has specified that Gross Income should used as for all business lines. The values of the betas are detailed below: Business Lines Corporate finance (1 ) Trading and sales (2) Retail Banking (3) Commercial Banking (4) Payment and Settlement (5) Agency Services (6) Retail Brokerage (7) Asset Management (8) Beta Factors 18% 18% 12% 15% 18% 15% 12% 12%
At national supervisory discretion a supervisor can choose to allow a bank to use the Alternative Standardised Approach (ASA) provided the bank is able to satisfy its
3 September 2004
supervisor that this alternative approach provides an improved basis by, for example, avoiding double counting of risks. Once a bank has been allowed to use the ASA, it will not be allowed to revert to use of the Standardised Approach without the permission of its supervisor. It is not envisaged that large diversified banks in major markets would use the ASA. Under the ASA, the operational risk capital charge/methodology is the same as for the Standardised Approach except for two business lines retail banking and commercial banking. For these business lines, loans and advances multiplied by a fixed factor replaces gross income as the exposure indicator. Advanced measurement approaches (AMA): Bottom up approaches allowing for greater granularity in risk assessment are grouped under AMA. It is unlikely that banks in the GCC will adopt this approach and will go for, at a minimum, the basic approach or (more likely) the standardised approach.
The basic indicator approach is unlikely to be adopted by the majority of banks as regulators will in all likelihood expect banks to be more proactive in the risk assessment process than simply applying a basic indicator to the entire banks operations. This may suggest to the regulator that the bank has not taken significant steps to implement latest generally accepted risk management techniques. Accordingly it is highly likely that most banks will adopt the standardised approach, with only the largest and most complex banks going for the advanced measurement approach. To be able to implement the standardised approach banks must meet all of the following criteria. The following criteria are Its board of directors and senior management, as appropriate, are actively involved in the oversight of the operational risk management framework; It has an operational risk management system that is conceptually sound and is implemented with integrity ; and It has sufficient resources in the use of the approach in the major business lines as well as the control and audit areas.
An internationally active bank using the Standardised Approach must meet the following additional criteria: The bank must have an operational risk management system with clear responsibilities assigned to an operational risk management function. As part of the banks internal operational risk assessment system, the bank must systematically track relevant operational risk data including material losses by business line. There must be regular reporting of operational risk exposures, including material operational losses, to business unit management, senior management, and to the board of directors. The bank must have procedures for taking appropriate action according to the information within the management reports.
4 September 2004
The banks operational risk management system must be well documented. The bank must have a routine in place for ensuring compliance with a documented set of internal policies, controls and procedures concerning the operational risk management system, which must include policies for the treatment of noncompliance issues. The banks operational risk management processes and assessment system must be subject to validation and regular independent review. These reviews must include both the activities of the business units and of the operational risk management function. The banks operational risk assessment system (including the internal validation processes) must be subject to regular review by external auditors and/or supervisors.
Since all of the above criteria are comprehensively dealt with our approach and methodology, it follows that banks implementing this approach can adopt the standardised approach. Pillar Two: Supervisory review Pillar Two of the Basel II Accord focuses on the establishment of internal systems to monitor, measure, and control risk and on supervisory assessment risk management for capital adequacy purposes. In this respect, the development of detailed guidelines for banks as well as the supervisors became critical. The Basel Committee published its Sound Practices for the Management and Supervision of Operational Risk, covered fully by Business Performance Consultancy who cross reference these principles to the steps in their methodology. It therefore follows that banks complying with the our
methodology will be able to comply with Pillar Two of the Basel Capital Accord.
Pillar Three: Disclosure Pillar Three relates to market discipline and disclosure. The Basel Committee believes that disclosure requirements can induce banks to build a strong capital base, in order to be viewed favourably by other market participants and improve access to the markets. This in turn will support the objectives of Pillars one and two, and promote safety and soundness in the banking system. Requirements on disclosure are still being evolved, but once again, compliance with our methodology should enable a fairly painless disclosure process to be developed.
Banks must treat Basel II and the whole area of operational risk as a major project.
September 2004
Phase 5 Create Capital Adequacy Calculation Establish business lines Identify gross income (for 3 years as necessary) for each business line as defined in Basel II Apply percentages Calculate capital charge Phase 6 - Software solutions (optional) Evaluate software solutions, both internally developed and externally purchased Select preferred software solution Implement recommended solution External software solutions are an option for banks that need to be carefully considered before committing the expenditure. Small to medium sized banks can in all probability develop their own internal database and spreadsheet solutions to maintain risk assessment records, losses, key risk indicators and capital allocation models. Banks should ensure they do not become seduced into implementing a solution appropriate for (and perhaps endorsed by) a large and complex multinational bank, which is wholly inappropriate for themselves. We can assist in this process.
When to start
Basically now, as the deadline is 2006 Large accounting firms are advising to treat this as a major project (many banks may take over a year) and start now Significant time and resource requirement
September 2004
Why Ourselves
Currently there is little practical help available to embark on this yourself Other business priorities will make resource and brainpower scarce We can provide the solution through a structured practical approach following Basel principles that will satisfy regulators, auditors and rating agencies
Finally: But the effort is just at its beginning. In time we expect banks to focus increasingly on the what, how and how much of operational risks, and in fact it is quite likely that soon their efforts in this field will at least match what they do in market and credit risk assessment. - Moodys Investors Service
September 2004