David Millar of OpRisk Limited warns of the potential pitfalls to financial institutions arising from the Basel II Capital Accord and up-and-coming regulatory demands for compliance with operational risk guidelines.
In 1999 the Bank for International Settlements announced a new version of the Basel Capital Accord. This would replace the 1988 accord which defined the amounts that international trading banks had to put aside to cover their credit and market risks. The first draft of the New Basel Capital Accord, known as Basel II, was released in early 2001.
There were many new proposals in Basel II and the one which caught the imagination of the technology community was the introduction of operational risk and the need to reserve capital to cover its potential losses. This was a new risk category, standing alongside credit and market risk, which was designed to quantify "the risk of loss resulting from inadequate or failed internal processes, people or systems, or from external events". In other words, it would cover everything from the rogue trader through failed communications networks to an arson attack on an off-shore processing centre. At the less catastrophic level, poor processes resulting in lost documentation, untrained staff and poor software would also be covered.
These events cause losses to regulated financial institutions which reduce their robustness and affect depositors, investors and counterparties. Strengthening and formalising the awareness of operational risk and including it in the supervisory and regulatory environment can only be praised and supported. Basel II included regulation and disclosure in its recommendations (where the previous Accord had really only been about reserved risk capital calculations) and defined operational risk management criteria. However, the issue of specific risk capital allocated to the operational risk, in my opinion, diverted the attention of the market and supporting technology vendors.
Basel II gives institutions the flexibility to measure all risk to differing levels of detail with the benefit that, the greater the detail, the greater the possible saving on capital. This rewards those who put in better reporting and controls. At the lower levels of compliance, operational risk reserved capital is a value derived from gross income or similar indicators by applying a regulator-set factor. No problem here. The issue is that, at the high levels, and those attractive to heavy traders in high-risk markets, the intention is that this value is derived by internal calculations using probability and value at risk indicators. Operational risk, and even more so operational value at risk, is not yet able to be satisfactorily mathematically derived and this is diverting attention from the risk management requirements.
There is a huge range of potential events, few statistics as to their past occurrence, vagueness in potential value at risk and overlapping impacts with resulting difficulty of classification. Credit and market risk deal in areas that are better understood and have large volumes of statistics going back many years. They are simpler and there is a large body of research. In contrast, loss probability, mathematical modelling, non-linear techniques and scenario analysis for operational risk in the financial area are at very early stages and results appear inconclusive, being, at some stage, based on assumptions or self-assessed values.
There is a lot of work going on with many propositions being put forward and I do not want to be accused of criticising academic investigation. But, what is being missed, possibly as being less interesting, is the importance in the regulation and disclosure areas of operational risk! Basel II, and in the UK, the resulting FSA directives, are specific on how risk needs to be managed, communicated, disclosed and governed. Regardless of capital adequacy strategies, not formally required until 2007 at the earliest, institutions will have to assess their risk, investigate those with high potential and introduce processes to manage and inform. These requirements will come into force in the UK from 2004, three years before any capital requirement conditions.
The principles of Basel II have been widened to apply to most financial institutions. These, whatever their approach to capital adequacy, must introduce processes to assess their operational risk, encourage its mitigation, manage and report on events and then demonstrate this fact to the regulator and disclose it to the market. 2004 is not far away and I believe that self-assessment through a balanced scorecard approach is the only way that these conditions can be fulfilled for the vast majority. In parallel, the major global specialists in risk management, the arbitragers and derivatives traders, can, and should, continue sponsoring research into mathematical derivations of operational value at risk. In the meantime the market will, through the required risk event recording processes, be building the event databases that will support the higher methods.
Most regulated institutions can ignore the capital adequacy implications of operational risk for the moment (but not credit and market risk if relevant) and concentrate on installing the right operational risk management systems and controls. They should score their businesses, set up continuous assessment improvement processes and record and manage loss events. They will benefit from improved understanding of their processes, will satisfy the regulator that they are ahead of compliance requirements, can disclose that compliance to the market and be well equipped to take advantage of capital adequacy developments in operational risk as and when they occur.
David Millar is a Director of OpRisk Limited and has over twenty years' experience in systems and processes in the financial industry. He has been monitoring the developments of Basel II and the FSA requirements for two years and has written and presented on this subject.