Regulators have always fostered an expectation that capital is what sustains banks in periods of stress and prevents them from failing. Perhaps a more appropriate view of the capital reserves that banks are forced to hold is that they are the ruler by which an organization counts down to failure, not the system that proactively prevents it.
So what offers a bank the greatest protection against failure, if it isn't capital? Quite simply, it is the risk culture embedded in its people and processes.
And at the core of any risk culture are the incentives for individual compensation that balance risk and return with short-term self interest and long-term stakeholder goals along with the early warning systems that highlight growing exposures to risk. Here, the yet to be implemented operational risk framework, the final piece of Basel II, which is intended to foster a risk-adjusted performance culture, offers the greatest hope for preventing future crises.
Basel II defines operational risk as "the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events." And federal regulators have called for a "consistent and comprehensive capture and assessment of data elements needed to identify, measure, monitor, and control the bank's operational risk exposure. This includes identifying the nature, type(s), and underlying cause(s) of the operational loss event(s)."
It is precisely this final piece of Basel II that should be fostering the creation of a risk-adjusted performance culture. Unfortunately for the financial industry, it is building operational risk management systems around self-assessments, indicators, and scenario analyses — the easier path — rather than enterprise systems that create a true risk-adjusted performance culture around its people, their processes, and the data they interact with.
Implementing such systems as intended by the framers of this first-ever truly global regulation, rather than finding fault with Basel II, as many have done in commenting on the current crisis, should be our first priority.
Specifically, Basel II classifies operational loss events as resulting from: internal fraud, external fraud, employment practices and workplace safety, clients/products/business practices, damage to physical assets, business interruption and systems failures, or execution/delivery/process management.
Many recent events can be slotted in to one or more of the above categories. Citibank reported, for example, that its Market Value at Risk (Market VaR) number does not include CDO positions because they are hard to value in an absence of prices or model inputs, a data problem; MF Global said a $141 million trading loss resulted from a systems control problem that let a trader evade contract limits; Merrill Lynch acknowledged $43 billion of OTC Derivative cash flow improperly recorded on both sides of the balance sheet; Credit Suisse took a $2.8 billion writedown for valuation-model pricing errors and use of stale prices; Societe Generale reported a $4.9 billion loss from trader fraud; and Bear Stearns nearly collapsed because it could not price its mortgage portfolios, among other things.
The Societe Generale and Bear Stearns near deaths are egregious examples of operational loss exposures not monitored and risk-adjusted performance gone awry. The former stated, among other things, that no controls existed over cancelled or modified transactions, over activities with a deferred transaction date that let trade confirmations be postponed, over transactions with technical counterparties that remained "blocked in buffer banks and escaped back-office control," or even over positions with a high nominal value.
Even the subprime failure, first brought to light by the collapse of two Bear Stearns-sponsored hedge funds, can be traced back to model errors, an operational risk in the clients/products/business practices category.
But even more egregious were the pay schemes that rewarded those who took big risks with shareholders' capital, made it to bonus day, then took their winnings off the table. When the new bonus year begins, it is another round of shareholder capital, not the employees' capital, at stake. Here, somewhere between internal fraud, employment practices and workplace safety, and clients/products/business practices,' are operational risks yet to be measured or protected against.
Again, rather than find fault with Basel II, we should be commending the framers and asking banks to speed up the adoption of these operational risk frameworks.
Operational risk can also be looked at in a dimension outside the scope of Basel II operational risk, loss-event categories — as losses that are expected and those that are unexpected.
Expected losses are priced into a bank's product costs and profit margins, as in the case of loan losses, which are priced into the yield and appropriately reserved for. Provisions for credit card losses, payments and securities settlement losses, uncollectible commercial loans, trade counterparty defaults, etc. are estimated as the potential cost of doing business.
Though we assume that a business unit's management is already assessing and pricing expected failures into severe but not catastrophic losses, we also note that such assessments are less rigorous than is thought by those who review balance sheets and otherwise try to understand a bank's vulnerabilities. Here, these estimates are part of the budget process, not the risk management process, and thus quite subjective.
The Basel II regime does not explicitly try to remedy this subjectivity in estimating expected losses — its focus is on unexpected losses. However, regulators expect to suggest that a capital charge be assessed should expected losses, on a bank-by-bank basis, be beyond estimating with any degree of rigor.
A key decision in any bank is how to allocate its capital to each business line. The business line is where stakeholders' capital is put "on the line" in the risk vs. reward culture of banks today.
First, in order to manage in this way, the organization must be structured into appropriate business units within a hierarchy of accountability. Implementing transfer-pricing schemes as well as cost accounting and performance attribution systems are prerequisites to fostering a well defined, risk-adjusted performance culture across business lines.
Closely aligned with management's responsibility for risk-adjusted performance are incentive compensation schemes. These too must be in place if performance and incentives on a risk-adjusted basis are to make sense in the organization. Here, closely aligned with the need to get on with measuring operational risk exposure is where the vast majority of banks err.
Second, operational risk exposure measures for the defined Basel II operational risk loss categories have yet to be developed. It is perplexing to do this because, unlike market and credit risk (the more developed categories of Basel II for which capital is set aside), operational risk has no naturally occurring monetary measure.
A robust risk-adjusted performance culture depends not only on being able to properly accumulate historical data on market prices and credit default histories but also on accumulated measures of operational risk, a task yet to be accomplished.
Further, though historical data on market prices and credit defaults is robust, the links between the identities of issuers of debt and equity and their identities as counterparties in trades or as borrowers are not made in a meaningful and consistent way. This is proving difficult to resolve because there is no standard identity for issuers, counterparties, or obligors or any hierarchical structures to link them.
For example, it is quite difficult to link a potential defaulting obligor the market price of whose public debt is declining (a market risk) with its subsidiary that has a loan outstanding whose probability of default is rising (a credit risk). So it is apparent that, though market and credit risk are linked, the diversification benefits between these two financial risks are lost in the added operational risk of faulty and nonstandardized data.
Finally, operational losses can be generalized as failures in either manual or automated processes or their interaction with faulty data. They occur either as one-time events or as the culmination of multiple failures that occur over extended periods. An exposure-to-risk measurement mechanism is lacking to quantify such exposures as they accumulate, thus enabling their continued monitoring. This was, and remains, the ultimate objective of the framers of Basel II.
Creating exposure-to-risk measurement that is responsive to changes in causal factors, typically key risk and performance indicators, is the province of operations people. Equating such measures to loss frequency and severity, the province of risk managers, is still to be developed.
A credible argument can be made that no profit incentive exists to heighten operational risk. This is in stark contrast to credit and market risk which, financial institutions say, they manage for higher returns within their risk culture and at the tolerance of their capital. Therefore regulators, by adding capital reduction incentives for mitigating operational risk exposure above the arbitrary 20% threshold can stimulate financial institutions to build enterprisewide operational risk systems, as has been the case for some time with market and credit risks.
