Segmentation of Project Activities
Without doubt this would have to be the most common project planning misdemeanor facing a bank in the Basel II operational risk camp. Generally all risk frameworks whether they are measuring market, credit or operational, will consist of three parts. These parts are Policy, Methodologies and Infrastructure and while these parts are separate agendas for the framework they have lots of cross over activities. Failure to understand how campaigns from policy can be combined with specific business unit facing discussions for methodologies will result in the business units having to be revisited more often than required and is a major cause for escalating costs on the Basel II program.
Unable to integrate the Methodologies
Whether the institution selects Loss Data Approach, Risk Drivers and Controls Assessment or Scenario Analysis as their spearhead modeling technique, the Basel II project will be very much the same, the only difference lies in how the methodologies are combined in the capital calculation. Some of the key methodologies that are used include: Risk Registration, the capture of Loss Data, Integration of External Data, Scenario Analysis, Controlled Self Assessment and Risk Indicators. Many Basel II programs will address each one of these methodologies in a siloed manner without consideration of how variables are used from one methodology to the next. Indicators alone are powerful tools but when correlated with loss data have a certain level of accuracy and of course scenarios need to make sure they only address the tails. Scenario analysis that is detached from external and internal loss data often results in a list of events that have unjustifiable weights and a poor clarification on where the tail begins, certainly we don’t want scenarios to result in expected loss events being captured twice.
Homogeneous Risk Classifications
The estimation of capital is generally a stochastic exercise which relies on pure definitions for a good and accurate result. We all accept operational risk is a nebulous and heterogeneous risk classification but banks’ inability to classify events transparently exacerbate the confidence of exposure calculations, reduce the ability for the institution to benchmark and encourage capital disputes. Interestingly if every bank has a different definition of what comprises a fraud how useful is external data going to be in the risk calculation. What amazes me most is that while the accord has been quite prescriptive with the risk classifications in its annex VII, some operational risk teams seem to stubbornly go ahead wasting their time creating another incommensurable list of loss categories and their efforts are neither fruitful nor an efficient use of time.
Policy and Treatment of risk
Project teams that assign too much of their budget to the infrastructure (software systems and databases) component will find that additional work will have to be planned during deployment to ensure policy is aligned to the business unit measurement methodologies. Risk is not about software and policy describes when an operational risk has occurred, what a near miss is, how both of these should be treated and how the outcomes should be recorded. Very few banks seem to include a serious piece of work around policy design and its associated education campaigns. The result is inconsistent view of exposure from one year to the next and staff will be able to game that system. Sadly how these institutions back test their risk facilities is a mystery to them as much as it must be to the regulator and I am sure overtime they end up having to revisit this piece of work to be in any kind of position to plan strategic improvements in consideration of operational exposure.
Business Unit Mapping
If the risk register is the central domain for operational risk, then Unit Mapping must be a conduit for capital. It isn’t directly stipulated in the ‘AMA qualification moiety’ of the accord however I suppose it is assumed that if standard approaches require lines of business to be established that theme would apply to Advanced Measurement Approach. What granular level should these capital boundaries be set at seems to confuse many operational risk analysts. If the level is too broad, an inherent issue with top down approaches to operational risk, there is a threat that the maps will not furnish a good understanding of causality and then management improvements won’t be tied to a potential event for capital reduction. If on the other hand the maps are a microcosm, the cost of maintaining those maps against the value they return is totally skewed.
Business Unit Reporting
Basel II and operational risk is not about generating OpVar numbers. In reality some of the assessments that are carried out require business unit input however these very same people won’t be able to see how an OpVar number applies to their exposure unless this is reported to them in fashion that translates to exposures they can monitor and controls they can influence. If the operational risk economic capital calculation uses the more actuarial techniques of extreme value theory, the Basel II program must be able to translate the results into management activities for the business unit otherwise they are going to be unlikely to accept and sign off on the results that are displayed to them.
Central Facilities
I have debated business continuity exposures born from systemic faults inherent in a banks central facilities in an earlier article on this journal however while this seems very obvious to most analysts, measuring such exposures is a minefield of complexities. It requires specific focus in its own right, particularly as the cause for an event and its impacts will inevitability lie across capital boundaries.
Factoring Change into the Capital Equation
As with central facilities, factoring change into the capital equation seems to feature in only a small handful of Basel II frameworks. This is concerning because as institutions change, back testing exercises are going to be very long winded and the ability for an institution to use its operational risk capital in the design of sound strategy will be diminished. Again change management needs specific metrics and a transparent approach to measuring exposure for a close proximity of loss to be accounted for.
Demarcation Exercises
Operational risk may be novel to the Basel accord but it certainly isn’t new to banks and has always featured in some way in the capital tiers. One common trend I have been witnessing is the propensity for the credit risk team to throw their loss events over the fence now that there is formal bias for them to do so. While operational risk should account for such losses, definitions need to be clearly established to treat credit events that contain some operational exposure. Specifically paragraph 673 of the Basel Accord makes mention to this however very few institutions that I have visited are taking steps to resolve capital arbitrage between the core disciplines market – operational, credit – operational and credit – market.
Accounting for Insurance
In paragraph 667 of the Basel Accord the recognition of insurance attracts a further 20% reduction of capital against the operational risk capital charge. But for this value to be ascertained banks need to carry out an exercise of attaching insurance to potential loss estimates and centrally modeling the gaps of under or over insurance, the time line before insurance is paid and specifically what events insurance covers for each asset type in turn. With some of the larger banking groups spanning diverse fields of banking (retail, insurance, wholesale, brokerage etc) and multiple geographic locations, the complexity of this exercise should not be underestimated.
So there we have a top ten hit list, please accept this is as not determinative and that priorities between banks will differ, certainly it shows the extensibility of Basel II should not be taken lightly and I hope that this text stimulates some thought.
