Exchange Ideas

Causal Capital

RMB - Risk, Markets & Banking

 


October 01, 2006

Taking Op Risk out of the cost centre cycle

Recently a close and quite astute customer of mine emailed me this statement.

>>Now I have started some jobs on the project above, I have a new point about operational risk. We all know OR cannot produce any profit. But I notice in the last risk manager meeting in Beijing, ZhouWei, the audit department manager of BOC, said the risk department shall become a profitable unit, not a cost unit.

>>So I now will need to redefine OR through an extended meaning of OR. Any activity that will bring on loss or reduce revenue is operational risk, and in this way the audit department can increase revenue with the help of controlling operational risk and gain the regard of senior management in the bank.

It is an interesting dialectic I have come across before and a good basis for debate, depending on one's point of view, so let's investigate these viewpoints. Before we do so, there have been some startling figures published by institutions in and out of the financial sector over the last couple of years that we need to review as part of the argument.

Statement released by Accenture about 10 months ago from industry research:

Almost half (45 percent) of the executives interviewed said they expect to spend in excess of €50 million through 2007 on Basel II compliance, up significantly from 23 percent in last year’s survey. Banks now have a much better idea of their total cost of compliance than they did last year, with only 10 percent of survey respondents saying they remain unsure of the total cost, compared with 29 percent last year.

This is a massive cost centre number, and while some banks are obviously taking Basel II seriously, the variance or spread of spends against institution sizes gives us all an insight into the fact that many banks are obviously struggling with very inefficient programs.

One of the problems many risk managers express to me is that the measurement of operational risk competes with many alternative compliance initiatives such as Sarbanes-Oxley (SOX), Anti Money Laundering, the Patriot Act, International Accounting Standards and MiFID, just to name a few. With only a limited budget, an efficient group risk, treasury or accounts department will try to balance all risk investments, placing emphasis on the ones with the highest return. In this way the scope is also broadened and operational risk now competes with credit and market initiatives. In Australia many of the large banks were leaning towards gearing their risk practices this way, moving to the internal ratings based approach in credit and slackening the operational risk camp to the basic and standardised structures; however, their moves were quashed by the regulator with this ruling.

Statement released by APRA on ERM May 2005

In Australia’s case, however, it may be possible to tailor a standardised approach that better meets our needs. That is because of APRA’s requirement that all banks adopting one of the sophisticated, or internal ratings based approaches, for credit risk must also adopt the AMA for operational risk.

So Australian banks can’t cherry-pick, as the saying goes: if they want sophisticated credit systems, they will run operational risk in its full capacity as well. To the outsider, gearing credit up against the cost of an operational risk program may seem an immoral activity, but now that operational risk is part of the Risk Weighted Assets under the Tier 1 / 2 capital holding, it becomes another “portfolio” that is balanced in decision.

Before Basel II, of course, the measurement of operational risk was not prescribed; it didn’t have to be parametric and was usually budgeted from one year to the next. The Capital Accord changes this because it takes the market risk concept of VaR, translates that to credit, then to operational risk (OpVaR), and in doing so the whole ethos of compliance is now in question.

Bankers that haven’t seen this evolutionary shift as significant may miss the objective underscore of the accord; we’ll call that the ‘x-factor’ for recurring reference purposes in this article. Let’s assume for the sake of argument there is a more accurate, perhaps more usable, measure of operational risk than OpVaR. Is this believable? Certainly OpVaR has its critics, but hypothetically, even if there was a superior measure to OpVaR, the industry would be unlikely to accept it because it would be on a different plane to that of market and credit. It would also not be transparent with industry data, but from the perspective of our executive board, OpVaR allows us to measure a semblance of Risk-Adjusted Return on Capital in the operational risk conduit. RAROC is traditionally common in the credit camp, but increasingly we are hearing sophisticated risk managers such as Zhouwei from BOC talk about injecting investments into exercises that reduce exposure and measuring the risk reduction effect against the cost of those exercises. There is also the hope that the bank will be able to scale back its regulatory capital in the process as well as improve its measured operating position, but that is an ongoing dispute with many regulators at present.

On the far extreme away from RAROC we'll take a pure compliance exercise such as SOX. I came across this grand avouchment from Bob Garrat, the professor at Cass Business School, some months ago and I have dropped it in here because it sums up what this article drives at in quite an enigmatic manner.

'Sarbanes-Oxley is a greater threat to capitalism than Karl Marx.' He believes that the codes around Sarbanes-Oxley are well intentioned but that regulation might have just gone too far. 'The orgy of box-ticking has developed into a bonanza for the people who got us into this mess in the first place.'

I picked on Sarbanes-Oxley because it is often the responsibility of the operational risk department and it isn’t a parametric exercise. It doesn’t furnish our executive board with a comparable measure of ‘risk adjusted potential loss’, and in this sense it differs from Basel II as it is a pre-control exercise rather than post-control, or to be blunt, it misses our x-factor.

Nice, and one can sympathise with risk managers such as Bob Garrat who realise that ticking off a compliance to-do list or indiscriminately installing controls isn’t a targeted risk exercise. It is expensive, but it may not be the best use of a risk budget as it doesn't put cost, threat and return next to each other in a comparable manner, even though theoretical risk performance improves and hopefully the company reaches the regulation standard.

Compliance and Operational Risk do overlap; however, they are very different management disciplines, not to be confused. It is here, though, that the problem lies. Compliance without Operational Risk is nothing more than a policing agenda, and Operational Risk without compliance doesn’t seem to have a channel for enforcement; its pre-designed strategies seem to have little measure for success or failure and become whimsical political hype for the customers and shareholders. Yet when compliance takes a lead, banks suffer escalating regulatory costs without the same margins of return; that is, there seems to be a shortfall between performance, number of risk events and cost of compliance.

Posted by CausalEvents at October 1, 2006 04:50 AM
