Banks and the financial regulatory world have changed significantly since I started consulting and training on the Basel accords ten years ago. Unfortunately, the neglect of operational risk remains the same.
Credit risk has always been the bride with all eyes upon her. Of course, in the mid-2000s, the bride should have received even more attention! Since the 2008 crisis, the Basel committee and domestic regulators have again focused on credit risk, revamping regulations and issuing numerous consultative papers. The Basel Committee on Banking Supervision released Basel III in 2010 with substantial enhancements in the area of credit risk. Last year, it issued more guidance on credit.
Now that, for many, the crisis is in the rearview mirror, market risk has been allowed to be a bridesmaid. The Basel Committee recently issued guidelines on market risk-weighted assets and has focused on how to measure the risk of traded assets. Yet, operational risk does not even get to be in the wedding party, despite the fact that the worst bank losses in the last four decades have been due to operational not credit or market risks.
Operational risk is the breach in the day-to-day running of a company due to people, processes, systems/technology and external threats. Think Herstatt Bank, Barings, Allied Irish Banks and, more recently, Société Générale, UBS and JPMorgan Chase. In all of these operational risk cases, failures in people, processes, systems or external threats led to liquidity, credit or reputational risks. In some of the aforementioned cases, these operational risks led to ruin.
Despite these cases and the fact that the Basel Committee issued supervisory guidelines in 2011 on this topic, I have heard bankers and even some regulators relay different definitions for operational risk. Fraud and settlement risk are the most typical ones. If market participants cannot agree on what operational risk is, how can we believe banks have sound practices to identify, measure, control and monitor it or, moreover, have sufficient capital to withstand possibly rare, but high impact operational risk events?
For any market participant who thinks the three Basel II and III methods for credit risk are complex or leave too much at the discretion of the banks, you really need to look at Basel’s guidance for operational risk measurement found in Pillar I.
Like with credit risk, a bank must be approved by its bank supervisor to use one of three methods starting with the Basic Approach, which is the most general, one size fits all, to the Advanced Measurement Approach, where banks get to use their own historical internal loss data. Unlike for credit and market risks, the market lags in good strong operational risk measurement models. Operational risk is much harder to measure than other risks because of the paucity of high quality data.
Additionally, other than insurance for some operations risk aspects, there are no operational risk derivatives to hedge it. You can try to tell people not to lie, but given human nature that strategy may prove ineffective. You can fire people and try to send them to jail, as many have been clamoring for this year, but so many aspects of operational risk fail to rise to the level of an enforcement action, though, they can certainly cause banks to lose tremendous amounts of money.)
Even if you are somewhat able to identify, measure and control this type of risk, operational risk officers are left with the challenge of figuring out how to allocate capital for the probability that it may appear, for example, in the form of high impact fraud, insider trading, settlement failure or a natural disaster. Risk officers often find they can under allocate capital for operational risk and are not prepared when it materializes. Or they can end up allocating capital to survive the impact of a natural disaster only to find out that the impact was a lot less severe than had been anticipated. Capital is not free, so no one wants to over allocate it.