Chapter 9 Back Up Book for Printing.pdf

Full Transcript

7/29/24, 10:06 AM Chapter 9 Back Up Book for Printing

Chapter 9 Back Up Book for Printing

Chapter 9: The Regulatory Treatment of Operational Risk

Learning outcomes and assessment criteria

9 Understand the role of regulation in the development and management of operational risk.

9.1 Define the key regulatory influences on operational risk.

9.2 Describe evolving approaches to regulation and supervision.

9.3 Describe regulatory interest in specific operational risk categories.

9.4 Explain the capital adequacy implications of operational risk management.

Key themes

The key themes are as follows:

The regulators’ approach to operational risk management in financial firms.
The emergence of a standard definition for operational risk.
The qualitative treatment of operational risk.
The work done on operational risk capital regulation by the Basel Committee and other regulators.
The modelling of operational risk.
Financial crime.
Key operational risks from the point of view of regulators.

https://www.irmvle.org/mod/book/tool/print/index.php?id=4167&chapterid=2326 1/24
7/29/24, 10:06 AM Chapter 9 Back Up Book for Printing

Key themes

Introduction to Chapter 9

This chapter considers the treatment of operational risk by international and national financial regulators. It begins by looking at international
standard-setters and then moves on to national approaches. It considers key types of operational risk from the point of view of regulators.
Finally it considers operational risk capital approaches applicable to banks and insurance companies.

By the end of this chapter you will be able to understand:

The approach to operational risk by key international standard-setters.
How national authorities supervise operational risk.
How regulatory operational risk capital is set for banks.
Key regulatory concerns around different types of operational risk.

https://www.irmvle.org/mod/book/tool/print/index.php?id=4167&chapterid=2326 2/24
7/29/24, 10:06 AM Chapter 9 Back Up Book for Printing

9.1 Define the key regulatory influences on operational risk

9.1.1 The Basel Committee on Banking Supervision (“The Basel Committee”)

The Basel Committee is located at the Bank for International Settlements (“BIS”). The BIS was set up to ensure the payment of German
reparations after World War I. Since its foundation it has acted as a clearing house for payments between central banks. The BIS has now
evolved other functions, one of which is to support the development of global banking regulation.

At the heart of this process is the Basel Committee. Originally, the Committee was made up of the G10 countries (Belgium, Canada, France,
Germany, Italy, Japan, the Netherlands, Sweden, Switzerland, the UK and the USA). Its membership has since widened to include Argentina,
Australia, Brazil, China, Hong Kong, India, Indonesia, Luxembourg, Mexico, Russia, Saudi Arabia, Singapore, South Africa, South Korea, Spain,
Turkey and the EU. It consists of the heads of supervisory bodies, i.e. central banks, independent regulatory agencies or both. The BIS has no
treaty status and the views of the Basel Committee are not binding. Instead the Basel Committee generally sets guidelines, primarily aimed at
internationally active banks. In practice these papers have come to be applied as a global standard, applied to national as well as international
banks. For example, the EU Capital Directives are based on Basel Committee guidelines.

In 1988 the Basel Committee issued the Basel Capital Accord – commonly known as Basel I. Since the 1970s, global financial flows had
increased considerably as a result of the floating of the US dollar, increased global trade, and the liberalisation of national current, and in
some cases, capital accounts. And some larger banks had started running their business on a global basis, while at the same time still
championing their respective home national interests. To prevent regulatory arbitrage and ensure a level playing field, regulators (who at that
time were almost all central banks) decided to put in place a set of international capital standards.

These first rules predominantly related to credit risk. Operational risk, as such, was still quite a new concept for financial firms and still being
developed as a discipline. Having said this, in the years after 1988 the Basel Committee did issue several guidelines on topics other than credit
risk. The most important of these for operational risk was a short paper Operational Risk Management (September 1998), which set down a
number of qualitative guidelines for banks in managing their operational risk.

As banks’ treatment of credit risk evolved in the years after 1988 the Basel Committee decided to revise the Basel I capital rules into a new
Accord that later became known as Basel II. This was first published in 2004 and finally implemented in 2008.

Although the main focus of Basel II was credit risk mitigation, it was also an important milestone for operational risk in that it required banks
for the first time to set regulatory capital for operational risk. This followed a raft of consultation papers and policy papers on operational risk
issued by the Basel Committee after 2001, notably the February 2003 paper 'Sound Practices for the Management and Supervision of
Operational Risk'. Later versions of this paper followed in 2011 and 2014 as the operational risk discipline continued to evolve, and with it the
regulators’ thinking on the topic.

https://www.irmvle.org/mod/book/tool/print/index.php?id=4167&chapterid=2326 3/24
7/29/24, 10:06 AM Chapter 9 Back Up Book for Printing

9.1 Define the key regulatory influences on operational risk
One early task was definition, as there was no commonly accepted definition of operational risk at the time. The eventual solution was the
following definition from the Basel Committee, which has since become the most widely-adopted definition among operational risk
practitioners: “The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events”.

In December 2017 the Basel Committee on Banking Supervision published Basel III. The Basel III framework is a central element of the Basel
Committee’s response to the global financial crisis. It addresses a number of shortcomings in the pre-crisis regulatory framework and provides
a foundation for a resilient banking system that is designed to help avoid the build-up of systemic vulnerabilities. The Committee streamlined
the operational risk framework. The advanced measurement approaches (AMA) for calculating operational risk capital requirements and the
existing three standardised approaches (BIA, TSA and the alternative standardised approach) will be replaced with a single standardised
approach to be used by all banks when Basel III is implemented on 1 January 2022.

https://www.irmvle.org/mod/book/tool/print/index.php?id=4167&chapterid=2326 4/24
7/29/24, 10:06 AM Chapter 9 Back Up Book for Printing

9.1.2 The International Association of Insurance Supervisors (IAIS)

IAIS is the equivalent to the Basel Committee for the global insurance industry. Its secretariat is also based in Basel. However, unlike the Basel
Committee, the

IAIS is a wider body whose membership is open to all jurisdictions. So most national supervisors around the world are members. IAIS has set
out a number of qualitative guidance papers for the management of operational risk. However, there is no overall ‘sound practices’ paper, as
has been issued by the Basel Committee. Instead, there are a number of papers that cover certain aspects of operational risk. The key
examples of these are the following:

Issue paper on risks to insurers posed by electronic commerce (July 2003).
Issue paper on life insurance securitisation (October 2003).
Issue paper on approaches to group corporate governance (November 2014).
Application paper on approaches to conduct of business supervision (October 2014).

Unlike the banking sector, there is, as yet, no internationally agreed capital standard for insurance, although IAIS is currently working towards
one. In 2011, the Insurance Core Principles were significantly overhauled to include the requirement, in due course, to set capital for
internationally active insurance companies at a particular confidence level, although the latter is not specified within the requirements. For this
reason, both regulators and firms are obliged to consider a capital assessment for operational risk. However, IAIS remains non-prescriptive
about what approach is taken. At present, various possibilities are open to both firms and regulators. These include modelling, an adapted
version of the Standardised Approach for banking, and a version of the three-month winding-up requirement which applies to securities
industry firms. As set out in section 9.4.3 below, European Economic Area (EEA) firms are subject to the Solvency II directive, which sets a
requirement for insurance firms to hold capital based on a 99.5% confidence level over a one year period.

https://www.irmvle.org/mod/book/tool/print/index.php?id=4167&chapterid=2326 5/24
7/29/24, 10:06 AM Chapter 9 Back Up Book for Printing

9.1.3 The International Organisation of Securities Commissions (IOSCO)

IOSCO is the equivalent of the Basel Committee for the securities industry, based in Madrid. However, like IAIS, its membership is global with
most national securities regulatory bodies belonging to the organisation. Perhaps due to the fact that securities firms tend to be service
providers rather than position takers, IOSCO has no overriding approach to setting capital for operational risk.

In 2003, IOSCO issued its general guidelines to supervision, entitled 'Objectives and Principles of Securities Regulation'. These guidelines are
very general and do not specifically relate to operational risk as such. However, IOSCO has issued qualitative guidelines on certain aspects of
operational risk, notably:

Strengthening capital markets against financial fraud (February 2005);
Market intermediary business continuity and recovery planning (April 2015).

9.1.4 Sarbanes-Oxley

While the Basel Committee was gradually developing its approach to operational risk, followed by IAIS and IOSCO, events in the USA were
complementing these developments. Either side of the year 2000, there were a number of sudden failures of firms that, on the basis of their
financial accounts, otherwise seemed secure (including notably Enron and Worldcom).

As a result, the USA implemented the Sarbanes-Oxley Act of 2002 legislation (widely-known as “SOX”) which required large firms to identify
the key controls and processes around the production of financial accounts, ensure that they were clearly laid out, and then signed off by
specific people within the firm and by the external auditors. This assessment and assurance process would be made publicly available and, if
infringed, subject to criminal action. The approach was intended to encompass both on-balance sheet items and – in particular – the kind of
off-balance sheet items that eventually brought down Enron. SOX also aimed to increase disclosure significantly.

At the time there was controversy about SOX in that it was expensive to implement and resulted in a need for extensive documentation. Some
questioned whether external parties would read or, indeed, understand this documentation. Nevertheless, since its implementation in 2002,
SOX compliance has now become a routine part of US corporations' risk and control frameworks. And, with its emphasis on controls and
processes around financial accounts, it is an important complement to the other key global regulatory standards on operational risk.

https://www.irmvle.org/mod/book/tool/print/index.php?id=4167&chapterid=2326 6/24
7/29/24, 10:06 AM Chapter 9 Back Up Book for Printing

9.2 Describe evolving approaches to regulation and supervision

9.2.1 Supervision of standards

The three global standard-setting bodies mentioned in the last section (i.e. Basel Committee, IAIS and IOSCO) are themselves overseen by the
Financial Stability Board (FSB) which was established by the Group of Twenty in 1999 to promote global financial stability by coordinating the
development of regulatory, supervisory and other financial sector policies. It has a key role in promoting the reform of international financial
regulation. The FSB determines broad strategy and ensures that the other three agencies are joined-up at a high level. There was also a Joint
Forum (now disbanded) which published several high-level papers on operational risk, some of which are cited below.

The approach by national authorities to supervision, including the supervision of operational risk, is determined at a high level by the
appropriate international body in each sector. Thus, the Basel Committee has set out 29 core principles for banking supervisors to adhere to
(see 'Core Principles for Effective Banking Supervision', September 2012). In its turn IAIS has set out 26 international core principles for the
insurance industry (see 'Insurance Core Principles, Standards, Guidance and Assessment Methodology', October 2011).

In the case of the Basel Committee, core principle 25 relates specifically to operational risk. It sets out broad requirements for supervisors to
assess banks’ frameworks for the assessment, reporting and control of operational risk. IAIS has no specific insurance core principle relating to
operational risk. Others, however, touch on components of operational risk; such as insurance core principle 7 on corporate governance and
insurance core principle 21 on fraud.

Adherence to these principles by national authorities is assessed periodically. Traditionally, the key assessing body has been the International
Monetary Fund (IMF) through its financial stability assessment programs (FSAPs). This is a resource-intensive approach and, depending on the
country, there can be a gap of anything up to a decade or so between FSAP assessments. In contrast, the IAIS runs periodic self-assessment
exercises whereby national authorities analyse their own adherence to the rules, subject to peer review by the IAIS. In 2012, the Basel
Committee began Regulatory Consistency Assessment Programmes, which involve peer review independent of the IMF. Where gaps are
identified between practice and the various core principles, the national authority is expected to put in place a remedial action plan to address
the problems.

https://www.irmvle.org/mod/book/tool/print/index.php?id=4167&chapterid=2326 7/24
7/29/24, 10:06 AM Chapter 9 Back Up Book for Printing

9.2.2 Supervision of operational risk by national authorities

Supervisors treat operational risk in line with other risk categories such as credit risk and market risk. Supervisors look at the mitigation of
operational risk through an appropriate risk framework, including operational risk controls, key risk indicators and management information
systems.

Supervisory approaches differ across countries, reflecting different local market practices, different legal and institutional set-ups, and the
different pace of evolution towards implementing global standards. Nevertheless there are some common principles of supervisory
approaches in different countries.

Supervisors allocate resources in line with their own risk appetite. This allocation is usually determined via a risk-based approach which
considers the probability and impact of certain events occurring. These events may adversely affect the regulator’s statutory objectives, for
instance preserving market stability or protecting customers.

A key issue in recent years has been how to integrate prudential supervision – which looks at the solvency of a firm – with conduct supervision
– which considers whether firms treat their customers properly. At one extreme, these two aims can be in conflict. A life insurance firm may
seek to bypass its obligation to policyholders in order to sustain its solvency. Some jurisdictions have sought to resolve this tension by placing
prudential and conduct regulation in one institution, though the current trend is to place them in different institutions. Whatever model is
used, supervisors see the failure to deliver fair and transparent services to retail customers, in particular, as a key operational risk. Not least
given the large fines and cost of remedial actions that can be imposed on the firms that fail in this area.

In terms of operational risk, the regulator needs to have the ability to understand the result of failure to manage operational risk at the firm-
specific level as well as any wider systemic implications. For example, if a bank fails to manage its IT risk properly, that could affect the public’s
ability to access cash through ATMs. This could be detrimental to both individual consumers and the economy as a whole, as people find
themselves unable to pay for goods and services.

Supervisory resources are split between desk-based work and on-site examinations. For desk-based work, supervisors look at the operational
risk framework and resources, complaints, the quality of reporting to the board and more specific data relating to specific operational risks
such as outsourcing. On-site examinations include face-to-face meetings with both senior management and the senior staff holding specific
control functions such as the CRO, the head of compliance or the head of outsourcing. Selective file examination, for example around the
treatment of customers, may also take place during an on-site visit.

In addition to firm-specific supervision, most supervisors undertake thematic on-site visits. These might well cover a specific type of
operational risk, such as cyber-crime or financial crime risk. The thematic visit is likely to result in a general paper by which the supervisor will
indicate to the industry as a whole where improvements are required, if necessary. Thematic visits can also, however, result in the supervisor's

https://www.irmvle.org/mod/book/tool/print/index.php?id=4167&chapterid=2326 8/24
7/29/24, 10:06 AM Chapter 9 Back Up Book for Printing

9.2.2 Supervision of operational risk by national authorities
specifying firm-specific supervisory action.

No supervisory body has the knowledge or resources to cover every single aspect of operational risk in detail. The supervisory body, therefore,
is likely to make use of either members of its own staff who have specific skills, say in operational risk modelling, or external consultants hired
for the purpose, e.g. a cyber-crime expert.

While national supervisors try to cover all types of operational risk, their resources are usually channelled according to the requirements of the
time. For example, after 9/11 many supervisors enhanced their supervision of business continuity management. In the wake of the 2007-9
crisis similar attention was paid to documentation risk in businesses such as securitisation.

Supervisors issue policies, procedures and guidance on all aspects of operational risk. These are usually linked to documents issued by the
various standard-setters. Some supervisors issue more detailed guidance – either to their own staff or more widely – while others rely on a
more high-level principles-based approach. The preferred approach often depends on local market factors including the legal framework,
history and culture. For example more litigious cultures often have more prescriptive and detailed rules.

An important principle for regulators, both for operational risk and more widely, is the emphasis on corporate governance and holding senior
executives and board members accountable. This continues to be a key theme of supervision. Over the last ten years supervisors have
rebalanced their supervisory visits away from a credit and market risk focus and more towards an operational risk focus. Often supervisory
visits now include detailed questioning of senior executives and board members about their knowledge of operational risk and the
effectiveness of routine reporting on operational risks. Firms are required to be open with their regulators about how they manage
operational risk, and they have a duty to report actual and prospective problems.

In terms of compliance, regulators prefer a co-operative relationship with firms and expect them to respond positively to supervisory signals. If
this does not happen, the regulator has escalating powers to bring about change. And it should always be remembered that a licence to
provide financial services is a privilege rather than a right. In extreme cases, the regulator can also take enforcement action, though specific
powers vary considerably from one regulator to another.

Recently several large regulators have indeed taken strong enforcement action. These have included multi-billion dollar fines relating to
operational risk failures relating to financial crime, IT and conduct risk. The LIBOR and foreign exchange market rigging scandals, and other
scandals such as PPI and interest rate swap mis-selling, have been catastrophic for the banking industry in terms of both financial and
reputational impact. These scandals demonstrate that the consequences – both direct and indirect – of failing to manage operational risk can
be damaging for firms, their management and their shareholders.

Learning activity
https://www.irmvle.org/mod/book/tool/print/index.php?id=4167&chapterid=2326 9/24
7/29/24, 10:06 AM Chapter 9 Back Up Book for Printing

9.2.2 Supervision of operational risk by national authorities
Find the ‘final notice’ enforcement page for a regulator of your choice and look for recent sanctions imposed on firms for breaches of
operational risk related regulations. As an example for the UK regulators, the following pages are a good
start: http://www.bankofengland.co.uk/pra/Pages/supervision/regulatoryaction/enforcementnotices.aspx and http://fca.org.uk/your-fca/list?
ttypes=final+notice&

https://www.irmvle.org/mod/book/tool/print/index.php?id=4167&chapterid=2326 10/24
7/29/24, 10:06 AM Chapter 9 Back Up Book for Printing

9.2.3 Regulation and the mitigation of financial crime

Regulators are also involved in ensuring that financial firms follow global and national requirements on the mitigation of financial crime.
Failures in this area, particularly by banks, have elicited fines from regulatory and judicial bodies, sometimes in the billions of dollars.

The key global standard setter on financial crime is the Financial Action Task Force on money laundering (FATF). This body was established in
1989, originally by the G7 but membership now consists of around 34 member jurisdictions. In addition, the FATF itself has several associate
members divided along regional lines – for example the Asia/Pacific Group on money laundering. In effect, therefore, all jurisdictions must
follow the FATF. Accordingly the FATF has produced 40 recommendations and nine special recommendations on terrorist financing.

Periodically, the FATF and the associate members undertake inspections which include consideration of whether or not the regulator has
played its proper part in the mitigation exercise. Regulators, therefore, pay close attention to the FATF.

Regulators also have to operate within national laws designed to mitigate financial crime. For example, key items of legislation in the UK are
the Proceeds of Crime Act (2002) and the Bribery Act (2010). In Germany the Anti Money Laundering Law (1993/2008), the criminal code and
the revenue code are the main items of legislation to mitigate financial crime. Given the status of the US dollar as a reserve currency, the US
Patriot Act (2001) is also relevant.

In considering whether a financial firm has adequate systems and controls against financial crime, the regulator looks at a number of areas.
These include training, risk framework, customer due diligence, client profiling, transaction monitoring and the treatment of politically
exposed persons. The regulator pays particular attention to the competence and experience of individuals responsible for financial crime risks
(e.g. Money Laundering Reporting Officer or Head of Compliance), but also looks at the extent to which the business as a whole takes its
responsibilities seriously. This starts at board level. The regulator’s aim is to determine whether or not the board ensures that incentives are
appropriate for the mitigation of financial crime. Also, it checks whether adequate resources and training are dedicated to this area
throughout the firm. Regulators look right across the firm, for example at customer facing employees involved in cash related transactions, to
form a judgment on this point. They are especially looking out for evidence of a box-ticking approach by a firm, of firms appearing to go
through the motions, and of any obvious differences between the business line and compliance in their approach to mitigating financial
crime.

Regulators are increasingly using central inspection units as a tool to focus on the mitigation of financial crime. These enable them to
concentrate their expertise and help them make peer-to-peer comparisons. These units conduct oversight through a mixture of desk-based
and inspection visits. But it is the inspection visits, including interviews and file research, which now best characterise this form of regulation.
In conducting their supervision, the regulators themselves are subject to reporting and disclosure requirements if they come across anything
untoward.

https://www.irmvle.org/mod/book/tool/print/index.php?id=4167&chapterid=2326 11/24
7/29/24, 10:06 AM Chapter 9 Back Up Book for Printing

9.2.3 Regulation and the mitigation of financial crime
Regulators are unlikely to be impressed by a financial institution that keeps asking the regulator about how to administer the rules and how to
determine its own risk appetite. The regulator expects each firm to take a proportionate and appropriate response in framing its anti-financial
crime infrastructure and practices.

Workplace reflection

How is your firm organised to deal with financial crime? Is it obvious who in your firm is responsible for financial crime risk? What issues have
the regulators identified, if any, in relation to your firm’s approach to mitigating financial crime?

https://www.irmvle.org/mod/book/tool/print/index.php?id=4167&chapterid=2326 12/24
7/29/24, 10:06 AM Chapter 9 Back Up Book for Printing

9.3 Describe regulatory interest in specific operational risk categories

As discussed in section 9.2.2 above the detailed treatment of operational risk can vary between regulators in different jurisdictions. However,
generally regulators view overall corporate governance, the risk management infrastructure, and the second and third lines of defence (as set
out in Chapter 2) as part of the firm’s wider risk management framework. They generally view operational risk as a subset of this framework.

The following paragraphs set out some specific operational risks that the regulators have focused on in recent years, and some of the key
things that regulators focus on under these headings.

Outsourcing risk: Outsourcing risk has been on the minds of regulators for some twenty years. The main concern is that by outsourcing
particular functions firms lose control of activities performed by such functions. Regulators emphasise that, though functions might be
outsourced, the firm remains accountable for their management and any associated risks. They cannot blame the provider for errors.
Another concern of regulators has been outsourcing of functions to non-regulated entities, possibly based in a foreign country. The
concern here has been that regulators could lose the ability to inspect these outsourced bodies and have limited control over them. In
some cases, the regulatory authorities have in effect ended up treating the outsourced bodies as licensed financial firms. Differing
treatment of data privacy around the world has also been an issue. In order to mitigate these concerns, regulators now routinely include
outsourcing in their everyday supervision and will sometimes send inspection teams to the outsourced body. In these cases the
regulator will also follow up on whether or not that body has in turn outsourced activities – i.e. chain outsourcing.
Business continuity management: This risk went to the top of the regulators’ list of concerns after 9/11, when the backup arrangements
of several key financial firms in New York were shown to be faulty, resulting in potential systemic risk. Since 9/11, regulators have
insisted that financial firms not only have an effective business continuity management plan but also periodically test it in live
conditions. Other tools used are business-wide scenarios and peer comparison. To address potential systemic issues, regulators have
overseen business continuity tests with certain key firms. For example, a hypothetical terrorist attack in London with a live business
continuity test involving firms and regulators over a weekend. An introduction on regulatory thinking on this subject is 'High-Level
Principles for Business Continuity' (Joint Forum, August, 2006).
Legal and documentation risk: With litigation increasingly prevalent, regulators are becoming more concerned with this type of risk,
partly influenced by the problems in the securitisation market after 2007 and banks’ failure to effectively distance themselves from
securitisation origination. Regulators focus on ensuring that firms’ legal procedures and documentation are up to date and in line with
current legal practice; and that, where appropriate, specific third party legal opinions have been taken. Subject to proportionality, firms
should have appropriate support from general counsel and consider legal risk separately in the ‘first line of defence’.
Change management: Regulators are aware that the rate of business, IT and regulatory change at financial institutions has increased,
and that firms have to be able to deliver change while simultaneously serving their client base. Regulators, therefore, pay attention to
the oversight of change and take comfort when they see evidence of effective project management techniques. This includes expert

https://www.irmvle.org/mod/book/tool/print/index.php?id=4167&chapterid=2326 13/24
7/29/24, 10:06 AM Chapter 9 Back Up Book for Printing

9.3 Describe regulatory interest in specific operational risk categories
project management teams and committees. Regulators will ask questions about change overload, and the impact of change on all
parts of the business.
Systems (IT) risk: This is an inherent and important part of operational risk but one that is especially difficult to manage. It is not easy for
non-IT experts to realistically gauge and understand the extent of IT risk exposures for a financial firm. Traditional regulators have taken
an audit approach to this subject, ensuring that system procedures were in line with standards. But this is now evolving into a closer
understanding through the use of third party IT experts.
Conduct risk: The creation of the Financial Conduct Authority (FCA) in April 2013 helped elevate the topic of “conduct risk” within
financial services firms. The creation of the FCA followed a series of scandals, including mis-selling of payment protection insurance (PPI)
and interest rate swaps, and in the wholesale markets, the rigging of benchmarks including LIBOR, front running in foreign exchange
markets. This followed revelations of egregious misconduct and rank incompetence by senior managers of banks during the financial
crisis. The additional personal accountability introduced by the Senior Managers Regime (SMCR) in 2016 has further heightened the
focus on conduct risk. The increased regulatory focus upon conduct is part of a global trend. In Australia, the conduct regulator
Australia Securities and Investments Commission (ASIC) has started jailing bankers for a year for mis-selling. Conduct risk is also
addressed in various EU Directives, most notably Markets in Financial Instruments Directive (MiFID) and European Market Infrastructure
Regulation (EMIR), and Capital Requirements Directive (CRD3).

Learning activity

Using the materials above, and your own independent research, answer the following questions:

1. Why are regulators worried about outsourcing?
2. What mitigation do regulators expect around business continuity management?
3. What is the primary objective of conduct related regulation?

https://www.irmvle.org/mod/book/tool/print/index.php?id=4167&chapterid=2326 14/24
7/29/24, 10:06 AM Chapter 9 Back Up Book for Printing

9.4 Explain the capital adequacy implications of operational risk management

9.4.1 Regulators’ approach to operational risk capital

It should be clear from the previous section that the Basel Committee believes the management of operational risk in banks goes beyond the
setting of appropriate capital adequacy rules. All the early Basel papers on operational risk focused more on qualitative and management
techniques than on capital adequacy measures, including 'Sound Practices for the Management and Supervision of Operational Risk', updated
in 2011 and reviewed in 2014.

Nevertheless the first decade of the century also witnessed significant breakthroughs in the capital adequacy rules relating to banks’
operational risk. Why did banking regulators consider that there should be capital for operational risk? Some of these considerations are
outlined in the previous section. One was the emergence of IT. This made banking faster and more efficient but, in turn, created new IT risk
exposures. Another was the emergence of outsourcing and especially cross-border outsourcing to non-banking firms. Further the
development of securitisation created new legal and documentation risks for banks. Then there were a number of notable cases of operational
risk arising from rogue trading, for example Nick Leeson’s activities resulting in the demise of Barings Bank in 1995. In these cases, banks
could lose large amounts of capital from operational risk.

As with other forms of risk capital, the operational risk capital rules since Basel II distinguish between regulatory minimum capital (known as
Pillar 1) and additional requirements imposed institution-by-institution following supervisory review (known as Pillar 2). Pillar 2 is also
sometimes known as economic capital. Pillar 1 charges are mandatory, although there are different ways of calculating the requirements.
These are set out in the section below.

Pillar 2, on the other hand, is a matter for individual national supervisors: some do not use Pillar 2 at all, or use it only exceptionally. Where
they do, it is often because the national supervisor thinks that the operational risk charge in Pillar 1 is insufficient. Alternatively the regulator
might consider that a bank is particularly vulnerable to operational risk, has a specific operational risk problem, or faces particular issues in its
business environment or its internal control environment. As part of the supervisory review process, the regulator will often require a bank to
undertake its own economic capital risk assessment, and will often use this as the basis of the Pillar 2 charge. The key point is that the
methodology for assessing operational risk capital under Pillar 2 differs from supervisor to supervisor and from firm to firm, and is less
systematic than Pillar 1.

For completeness Pillar 3 relates to external disclosure by firms. Pillar 3 requires banks to be transparent about their operational risks and how
they are managed. However, disclosure about operational risk is also governed by requirements set out by Stock Exchanges, by rating
agencies and also by practical issues around commercial disclosure. So loss data currently collected by banks and insurance companies, for

https://www.irmvle.org/mod/book/tool/print/index.php?id=4167&chapterid=2326 15/24
7/29/24, 10:06 AM Chapter 9 Back Up Book for Printing

9.4 Explain the capital adequacy implications of operational risk management
example, are not generally disclosed or available to the public in spite of Pillar 3 requirements. The rest of this section sets out in more detail
the Pillar 1 operational risk capital requirements applicable to banks, and the equivalent Solvency Ratio requirements applicable to insurance
firms.

https://www.irmvle.org/mod/book/tool/print/index.php?id=4167&chapterid=2326 16/24
7/29/24, 10:06 AM Chapter 9 Back Up Book for Printing

9.4.2 Operational risk capital for banks

Four approaches are currently allowed for the setting of Pillar 1 capital requirements against operational risk:

Basic Indicator Approach.
Standardised Approach.
The Alternative Standardised Approach.
Advanced Measurement Approach.

Escalating qualitative requirements apply as you move up through the three approaches from Basic to Standardised to Advanced. AMA
requires review and pre-approval by the local regulator. Generally, only bigger banks have received AMA approval.

Basic Indicator Approach (BIA): This produces an average percentage of income that can be simply applied by any bank without further
calculation. The presumption being that the greater the income of a bank the greater its exposure to operational risk (more income
indicating a larger and hence riskier operation). For each bank, the BIA is derived simply. Operational risk is derived as a percentage of
the average annual gross income over three years. This is called alpha and is set at 15%.
The Standardised Approach (TSA): The Standardised Approach takes the same approach but is risk weighted according to the business
line in which the income has been generated, using what is termed a beta factor in this case. The Business Line Beta Factors (risk
weightings) are as follows:

Corporate finance (β1) 18%.
Trading and sales (β2) 18%.
Retail banking (β3) 12%.
Commercial banking (β4) 15%.
Payment and settlement (β5) 18%.
Agency services (β6) 15%.
Asset management (β7) 12%.
Retail brokerage (β8) 12%.
The Alternative Standardised Approach (ASA) – At national discretion a supervisor can choose to allow a bank to use the ASA. Under the
little used ASA, the operational risk capital charge change/methodology is the same as for the Standardised Approach except for two
business lines, retail banking and commercial banking. For these business lines, loans and advances (multiplied by 0.035) replaces gross
income as the exposure indicator. The higher the beta, the greater the level of operational risk that is assumed to be related to a specific
business line.

Learning activity
https://www.irmvle.org/mod/book/tool/print/index.php?id=4167&chapterid=2326 17/24
7/29/24, 10:06 AM Chapter 9 Back Up Book for Printing

9.4.2 Operational risk capital for banks
Reflect on the risk weightings applied under the Standardised Approach. Why might retail banking be assumed to have a lower level of
operational risk associated with it than, say, payment and settlement activities?

Advanced Measurement Approach (AMA): The AMA approach requires banks to consider four elements in developing their own
estimate of their operational risk capital at the 99.9% confidence interval. The elements being:
Industry loss data (also called external loss data);
Internal loss data;
Scenario analysis, with a particular aim of populating the ‘tail’ of the operational risk loss distribution; and
An adjustment factor for internal controls.

The core of the AMA is a graph showing frequency and probability. A normal distribution is demonstrated by a bell-shaped curve – where
losses occur with equal probability to the average. An operational risk model is shaped very differently. There are typically many small losses
with a high frequency, some of which reflect the cost of undertaking business. At the other extreme, there are a sometimes a few very large
losses, that can impact on a firm’s annual profitability and even perhaps on its solvency. Modellers use various statistical approaches –
including extreme value theory – to model big, infrequent losses to populate the tail of the loss distribution curve.

https://www.irmvle.org/mod/book/tool/print/index.php?id=4167&chapterid=2326 18/24
7/29/24, 10:06 AM Chapter 9 Back Up Book for Printing

9.4.2 Operational risk capital for banks

https://www.irmvle.org/mod/book/tool/print/index.php?id=4167&chapterid=2326 19/24
7/29/24, 10:06 AM Chapter 9 Back Up Book for Printing

9.4.2 Operational risk capital for banks

Figure 9.4.2: Operational risk model showing probability (i.e. frequency) vs. severity (i.e. losses)

Industry views on the three approaches:

All three approaches outlined above have received criticism from commentators and practitioners. This reflects the difficulty of setting
appropriately calibrated capital standards to such a broad-ranging set of risks. One commonly held view was that there was little point in
setting capital for operational risk in the first place, as most operational losses were absorbed in annual profit and loss. On the other hand,
were a catastrophic operational risk event to take place, then the kind of capital levels envisaged by the Basel Committee would be
inadequate to protect the bank. This resulted in some discussion about the overlap and correlation between operational, credit and market
risk. If no correlation existed then the bank would in effect be supported by its credit and market risk capital in the event of a major
operational risk failure. Others argued that the setting of capital would distract the bank from its main function, which was to manage
operational risk through effective systems and controls.

In the case of TSA, ASA and BIA there was a sense that alphas and betas were set arbitrarily and did not reflect the true level of operational
risk that banks face. There was also criticism that an operational risk loss of significant size would reduce income (via associated business
interruption issues) and, therefore, lead to a lower capital charge for operational risk. This was even if the bank had just suffered such a loss
and might even be prone to operational risk failures. For example a significant IT systems disruption could lead to a loss of customers and,
hence, income. There was also criticism that the banks would arbitrage across the various business lines in order to reduce the capital charge,
and requests for a more reliable indicator of operational risk than net income. Nevertheless, these approaches had the benefit of simplicity
and presented a formal and workable solution to a difficult problem at the time.

The AMA has drawn various responses from commentators. In summary, there has been a mixture of praise and criticism. Some saw the AMA
as an innovative approach to operational risk that balanced specific approaches with wider industry practices. They felt that, irrespective of the
credibility of the model, the AMA led to banks spending significant resources on operational risk infrastructure and mitigation. However it is
also perceived that the lack of prescription enables banks to manipulate the operational risk capital number down to the lowest they could
convince regulators to be appropriate.

Whatever their views, as a result of the AMA many banks began cleaning and collecting loss data as a useful way of calibrating and even
controlling operational losses. The AMA process has thus helped the industry to become more focused on operational risk data. As set out in
Chapter 4 and section 7.2, this includes a standard data taxonomy for operational risk loss events which is now used across the industry, and
includes the following data categories:

Internal Fraud - misappropriation of assets, tax evasion, intentional mismarking of positions, bribery.
https://www.irmvle.org/mod/book/tool/print/index.php?id=4167&chapterid=2326 20/24
7/29/24, 10:06 AM Chapter 9 Back Up Book for Printing

9.4.2 Operational risk capital for banks
External Fraud - theft of information, hacking damage, third-party theft and forgery.
Employment Practices and Workplace Safety - discrimination, workers’ compensation, employee health and safety.
Clients, Products, and Business Practice - market manipulation, antitrust, improper trade, product defects, fiduciary breaches, account
churning.
Damage to Physical Assets - natural disasters, terrorism, vandalism.
Business Disruption and Systems Failures - utility disruptions, software failures, hardware failures.
Execution, Delivery, and Process Management - data entry errors, accounting errors, failed mandatory reporting, negligent loss of client
assets.

AMA banks are also required to develop an effective operational risk framework. This includes the production of scenarios embedded in
everyday business, strong internal control systems, and accurate and effective risk reporting to bank boards.

By 2007, many internationally active banks had achieved AMA status and yet over the ensuing years it was many of these banks that also
suffered catastrophic operational risk losses. Rogue trading, internal fraud, financial crime, securitisation and retail mis-selling have been the
most high-profile and prominent losses. Events after 2007 have also, rightly or wrongly, dealt a major blow to the faith of regulators in models
of any kind, be they credit, market or operational. Banks have been accused of trying to ‘game’ the AMA, with the aim of simply achieving a
lower Pillar 1 operational risk charge than they would otherwise have received through the Standardised Approach.

In December 2017 the Basel Committee on Banking Supervision published Basel III: Finalising postcrisis reforms. The reforms replace all the
existing approaches (AMA, TSA, ASA and BIA) with a new standardised approach to operational risk. Many commentators incorrectly refer to
this new approached as the standardised measurement approach (SMA). While the term SMA was used during the consultation process, it has
not been used in Basel III. The term standardised approach will therefore be used in this work book.

The standardised approach comes into effect on 1 January 2022. For many banks the new standardised approach for operational risk uses a
measure of a bank’s income and a measure of a banks historical losses to determine operational risk capital. The operational risk capital
requirement can be summarised as follows:

Operational risk capital = BIC x ILM

Where:

Business Indicator Component (BIC) =

https://www.irmvle.org/mod/book/tool/print/index.php?id=4167&chapterid=2326 21/24
7/29/24, 10:06 AM Chapter 9 Back Up Book for Printing

9.4.2 Operational risk capital for banks
BI (Business Indicator) is the sum of three components: the interest, leases and dividends component; the services component; and the
financial component.
is a set of marginal coefficients that are multiplied by the BI based on three buckets (i = 1, 2, 3 denotes the bucket), as given below:

ILM (the Internal Loss Multiplier) is a function of the BIC and the Loss Component (LC), where the latter is equal to 15 times a bank’s
average historical losses over the preceding10 years. The ILM increases as the ratio of (LC/BIC) increases, although at a decreasing rate.

At national discretion, supervisors can elect to set ILM equal to one for all banks in their jurisdiction. This means that capital requirements in
such cases would be determined solely by the BIC. That is, capital requirements would not be related to a bank’s historical operational risk
losses. However, to aid comparability, all banks would be required to disclose their historical operational risk losses, even in jurisdictions where
the ILM is set to one.

Workplace reflection

If you work for a bank, find out which approach your firm has chosen to use. Why did it choose this option, what are the advantages and
disadvantages? If different approaches are used for economic and regulatory capital, find out why.

https://www.irmvle.org/mod/book/tool/print/index.php?id=4167&chapterid=2326 22/24
7/29/24, 10:06 AM Chapter 9 Back Up Book for Printing

9.4.3 Operational risk capital for insurance firms

In the European Economic Area, insurance firms are obliged to abide by the Solvency I directive, dating from 1973. This directive says very
little about operational risk. However, the regulatory position for insurance firms changed dramatically when the Solvency II directive came
into effect on 1 st January 2016. Solvency II was a watershed in insurance regulation. For the first time, it set a requirement for insurance firms
to hold capital based on a 99.5% confidence level over a one year period.

In many respects Solvency II imitates Basel II: by, for example, structuring the regulatory approach along three pillars, in requiring firms to
evolve an operational risk framework and highlighting the importance of the effective management of operational risk. And apart from the
qualitative side, there is, as in Basel II, a quantitative capital requirement for operational risk. This is set out in the Solvency.

Capital Requirement (SCR) and is simply a standardised calculation, based on the type of insurance business covered, premiums, expenses,
income and/or technical provisions. Also the capital requirement for operational risk is not allowed any offset (reduction) based on
diversification with other risk types.

Insurance firms, as with the Basel AMA for banks, can opt to substitute their own measurement of operational risk through their own internal
models for the standardised approach, albeit as part of a wider internal model covering general risks.

Workplace reflection

If you work for an insurer covered by Solvency II (see above) identify whether it has chosen to use internal models or the standard formula for
its operational risk exposures. Again, what are the advantages and disadvantages?

Learning activity

1. Why does the Basel Committee require regulatory capital for operational risk (see above, but also consider your own view)?
2. Using the materials above and your own independent reading and research, what is Pillar I (see above but also check out the website of
the regulatory authority for your own jurisdiction)?
3. What are the advantages and disadvantages of the Advanced Measurement Approach for operational risk versus the Standardised
Approach? To find more information, insert the following into an internet search engine: ‘advantages of AMA for operational risk’ and
‘standardised approach to operational risk’.

https://www.irmvle.org/mod/book/tool/print/index.php?id=4167&chapterid=2326 23/24
7/29/24, 10:06 AM Chapter 9 Back Up Book for Printing

Summary

The past twenty years or so has seen a significant increase in the level of regulatory focus on operational risk management. Operational risk
has been defined, industry loss data consortiums have emerged, regulatory capital is required for operational risk, modelling is commonplace,
there are many regulatory qualitative guidelines and the regulatory oversight of operational risk has become much more intensive.

Nevertheless, operational risks have become more and more prevalent amongst financial firms and major operational risk loss events more
common. Recent years have seen major cases of rogue trading, IT failures, conduct abuse, financial crime and so on. Both regulators and firms
will, therefore, continue to look at new ways to mitigate operational risk.

Key learning

You will have understood the key topics in this chapter if you can confidently answer the following questions:

1. What are some of the key aspects considered by regulators in prioritising their supervision activities for management of operational risk
across firms within their jurisdictions?
2. Why do the regulatory guidelines for operational risk management emphasize that firms need to consider management of operational
risk beyond just defining appropriate level of regulatory capital?
3. What key regulatory guidelines mentioned in this chapter apply to your firm?

https://www.irmvle.org/mod/book/tool/print/index.php?id=4167&chapterid=2326 24/24