consultative paper proposed revisions in the global capital accord, changes of capital adequacy requirements for credit and market risk have got the lion's share of attention. But buried deep in the 62-page document was a new proposal that significantly expands the scope of the capital adequacy framework.
The proposal requires banks to set aside capital for potential losses arising out of operational risk, which could cost the industry billions of dollars -- as much as $126 billion for the 100 largest world banks alone.
Operational risk -- posed by procedural errors, computer and network crashes, service or product quality lapses, fraud, failure to comply with regulations or company policies, or shifting political landscapes -- has always been present but not always well recognized. Though many people associate such risk-taking with the headline-grabbing downfall of Barings Bank in 1995 is perhaps the best-known example, a phenomenal number of business and process-level operational risks occur every day.
Globalization, consolidation, and new technology have lavished the banking industry with profit-making opportunities on the banking industry and, at the same time, left it open to equal amounts of operational risk. The industry's risk-control structure has not kept pace.
The Basel committee, saying that operational risk has become too important to ignore, decided that banks must take a disciplined and proactive approach to managing it. Though the final guidelines are not expected until after March 2000, it is likely that banks will be required to apply an explicit capital charge to cover losses arising from operational risks.
Ultimately, this would require two measurement models: one for operational risk and one to determine how much capital must be allocated. These models are currently in their formative stages, with multiple ideas and proposals being discussed. In the meantime, many "best practices" banks have created reserves for operational risk losses by substituting noninterest expense for the data that the models would otherwise provide. To determine their capital allocation, they simply use a percentage of noninterest expense. These banks have allocated 8% of noninterest expense to as much as 36%.
If the top 100 banks -- which have a combined $422 billion of noninterest expense -- set aside 30%, the allocation would total $126 billion. As with buying insurance, the banks would have to take an annual charge -- using current interest rates of about 9% -- of $10 billion to $12 billion to buy access to this reserve.
On a microeconomic level, a commercial bank with $2.5 billion of noninterest expense would have to take an annual charge of about $68 million to finance a $750 million allocation, according to the same calculations. Obviously, financing this kind of capital reserve would further challenge bankers trying to meet their profit goals.
In the absence of good models, regulators could potentially rely on a percentage of noninterest expense or another data substitute to establish the required capital cushion. The inherent risk in this plan is that, regardless of operational risk performance, all banks would be treated alike, and better performers would be penalized.
There could well be an exception to the percentage plan. Banks that develop models to accurately measure their operational risk can allocate just enough capital to cover their exposure.
As a result, banks that manage their risk effectively, measure it effectively, and allocate capital effectively would be rewarded with a smaller regulatory burden and more capital to support innovation and to expand. At the same time, their customers would be protected not by unnecessary amounts of "insurance" but by solid operational risk management.
More importantly, true competitive advantages arise from developing an organizational culture that proactively manages day-to-day risk, identifies new risk, shares best practices, and systematically tracks exposures.
Building the right culture for that begins with instituting a disciplined approach to operational risk management, starting with the board and filtering down through every level and business unit and across every major process in the organization. Once the infrastructure is in place, banks must learn to assess the quality of their risk risk-management programs and assign dollar values to the risks they confront.
That is the starting point for building a model that banks can use instead of the standard percentage rate that regulators will probably assign across the industry.
Operational risk is more difficult to measure than market or credit risk. The problem lies in a lack of objective data. Behind the operational elements of managing market risk is the factual world of prices, volatility, and other external data, packaged with significant history in large data bases.
Similarly, credit risk relies on the assessment and analysis of historic and factual data. Operational risk, however, is an "inside job," related to the interaction of people, processes, systems, and culture.
An actuarial approach to operational risk struggles with this lack of objective data.
There are few historical data on operational risk occurrence and, despite pleas to develop shared data bases, the likelihood of gathering enough data to support an actuarial method seems remote. Indeed, given the evolving nature of operations, a historical view of operational risk may not be the right approach.
Instead, banks should develop suitable internal measures of operational risk to substitute for historical risk data. This means identifying categories and classes of risk and gathering all readily available evidence, which together can support a reliable measure of operational risk in each area of activity and for each category. The evidence can include known risk experience, inherent risk risk-scoring mechanisms, and subjectively based measurements of risk impact and likelihood.
Better risk management means that banks are less likely to have major losses through error, fraud, or failure to deliver quality service. Having a risk risk-control strategy is much preferable to having to ask, "Why didn't someone prevent this."?"
Along with protecting a company from potential damage, proactive risk management contributes to the bottom line. The benefits include protection of assets by preventing major losses, protection of shareholder value, avoidance of regulatory censure, the ability to render services without interruption, and the maintenance of a good reputation and public confidence. In the long run, these new rules will motivate better control of operational risk, leading to greater efficiencies in pricing and, ultimately, lower costs for lending money. Institutions with enterprisewide operational risk awareness and ownership and clear processes to monitor and manage it will be best equipped to embrace change and profit from it.
