Operational Risk: Too Big to Ignore

Under pressure to create regulations that more accurately reflect the realities of the changing global business environment, the Basle Committee on Banking Supervision in its June consultative paper proposed revisions to the Capital Accord. So far, changes to the capital adequacy requirements for credit and market risk have received the lion’s share of attention, but buried deep in the 62-page document lies a new proposal that significantly expands the scope of the capital adequacy framework. The new proposal would require banks to set aside capital for potential losses arising out of operational risk, which could cost the industry billions of dollars. In fact, it could amount to as much as $126 billion for the world’s 100 largest banks alone.

Operational risku00e2u20ac”the chance that procedural errors, computer and network crashes, service or product quality lapses, fraud, failure to comply with regulations or company policies, or shifting political landscapes can lead to financial lossesu00e2u20ac”has always been present but has not always been well recognized. Though the headline-grabbing downfall of Barings Bank in 1995 is perhaps the best-known example, there are a phenomenal number of business and process-level operational risks that occur every day.

Globalization, consolidation, and new technology have lavished the banking industry with profit-making opportunities and, at the same time, laid the industry open to equal amounts of operational risk. The industry’s risk control structure has not kept pace.

Taking action

The Basle Committee, saying that operational risk has become too important to ignore, decided that banks must take a disciplined and proactive approach to managing it. Though the final guidelines have not been written (they’re not expected until after March 2000), it is expected that banks will be required to apply an explicit capital charge to cover losses rising from operational risk in their organization.

Ultimately, this necessitates two measurement models: one to measure operational risk and one to determine how much capital must be allocated based on operational risk exposure. These models are currently in their formative stages, with multiple ideas and proposals being discussed. In the meantime, many “best practice” banks have created reserves for operational risk losses by substituting noninterest expenses for the data that the models would otherwise provide. To determine their capital allocation, they simply use a percentage of their noninterest expense to estimate the capital cushion against their operational risk exposure. These banks use rates ranging from 8% of noninterest expense to as much as 36%.

For example, if the top 100 banksu00e2u20ac”which have a combined $422 billion in noninterest expensesu00e2u20ac”set aside 30%, they would be required to allocate $126 billion to cover potential operational risk-related losses. Like buying insurance, the banks would have to take an annual chargeu00e2u20ac”calculated using current interest rates of about 9%u00e2u20ac”of between $10 billion and $12 billion to buy access to this reserve. On a microeconomic level, a commercial bank with $2.5 billion in non-interest expense would have to take an annual charge of about $68 million to finance a $750 million allocation, according to the same calculations. Obviously, financing this kind of capital reserve will add to bankers’ challenge of meeting their profit goals.

In the absence of good models, regulators could potentially rely on a percentage of noninterest expense or another datum substitute to establish the required capital cushion. The inherent problem with this plan is that, regardless of operational risk performance, all banks would be treated alike and better performers would be penalized.

The proactive approach

There could well be an exception, however, to the broad-sweep percentage plan. Banks that develop models to accurately measure their operational risk can allocate just enough capital to cover their exposure.

As a result, banks that manage their risk effectively, measure it effectively, and allocate capital effectively will be rewarded with a smaller regulatory burden and more capital to support innovation and to expand. At the same time, their customers will be protected, not by unnecessary amounts of “insurance,” but by solid operational risk management.

More important than the regulatory advantages that come from good operational risk management, there are true competitive advantages that arise from developing an organizational culture that proactively manages day-to-day risk, identifies new risk, shares best practices, and systematically tracks risk exposures.

Building a strong risk-management culture begins with instituting a disciplined approach to operational risk management, starting with the board and filtering down through every level and business unit and across every major process in the organization. Once that infrastructure is in place, banks must learn to assess the quality of their risk management programs and assign dollar values to the risk they confront. This is the starting point for building a model that banks can use instead of the percentage rate regulators will likely assign across the industry.

Operational risk is difficult to measureu00e2u20ac”more so than market or credit risk. The problem lies in the lack of available objective data. Behind the operational elements of managing market risk is the factual world of prices, volatility, and other external data, packaged with its significant history in large databases. Similarly, credit risk relies on the assessment and analysis of historic and factual data. Operational risk, however, is an “inside job,” related to the interaction of people, processes, systems, and culture. An actuarial approach to operational risk struggles with the lack of objective data.

There is little historic data of operational risk occurrences and, despite pleas to develop shared-loss databases, the likelihood of gathering enough historic data on operational risk to support an actuarial method of risk assessment seems remote. Indeed, given the evolving nature of operations, a historic view of operational risk may not be the right approach.

Instead, banks should develop suitable internal measures of operational risk to substitute for historic risk data. This means identifying the categories and classes of operational risk and gathering all readily available evidence, which together can support a reliable measure of operational risk in each area of activity and for each category. The evidence can include known risk experiences, inherent risk-scoring mechanisms, and subjectively based measurements of risk impact and likelihood. Cultural measurement techniques, as well as business and process modeling techniques, can also be used to determine exposure to operational risk.

Better risk management means that banks are less likely to experience major losses through error, fraud, or failure to deliver quality service. The avoidance of a major catastrophe is a superior alternative to dealing with the impact of an operational loss. Having a risk control strategy is much preferable to having to ask, “Why didn’t someone prevent this?”
Along with protecting a company from potential risk-related damage, proactive risk management contributes to the bottom line. The benefits include the protection of the bank’s assets by preventing major financial losses, protection of shareholder value, avoidance of regulatory censure, the ability to render services without interruption, and the maintenance of a good reputation and public confidence. Over the long run, these new rules will motivate better control of operational risk, leading to greater efficiencies in pricing and, ultimately, a lower cost for lending money.

The rapid rate of change in the financial services industry offers both challenges and opportunities. Those institutions with enterprisewide operational risk awareness and ownership, and clear processes to monitor and manage it, will be best equipped to embrace change and profit from it.