March 31, 2016
On March 4, 2016, the Basel Committee on Banking Supervision (BCBS) proposed a new Standardised Measurement Approach (SMA) for operational risk, which replaces the three existing standardized approaches for calculating operational risk capital – the Basic Indicator Approach (BIA) and the Standardized Approach (TSA), including its variant the Alternative Standardized Approach (ASA) – as well as the Advanced Measurement Approach (AMA).
The proposals are not unexpected since the Basel Committee first proposed Revisions to the standardised approaches for calculating operational risk capital in October 2014, which indicated that the Committee was continuing with a review of banks’ operational risk modeling practices and capital outcomes that focused on whether the AMA was fit for the purpose. Following this review, the Basel Committee has determined that the AMA’s “inherent complexity” and “the lack of comparability arising from a wide range of internal modelling practices” have “exacerbated variability in risk-weighted asset calculations, and eroded confidence in risk-weighted capital ratios. The Committee is therefore proposing to remove the AMA from the regulatory framework.”
Stefan Ingves, Chairman of the Basel Committee on Banking Supervision and Governor of Sveriges Riksbank, described the proposals as an “important step towards completing the post-crisis reforms during the current year.” He further stated that although the Basel Committee expects that these proposals “will have a relatively neutral impact on capital” for most banks, he also stressed that “while the objective of these proposals is not to significantly increase overall capital requirements, it is inevitable that minimum capital requirements will increase for some banks.”
The new proposals continue the Basel Committee’s broader goal of simplifying capital requirements frameworks for all risk disciplines, which responds to the call from the Financial Stability Board (FSB) for the Basel Committee to update its capital requirements. Both credit risk and market risk capital requirements have been significantly revised and simplified already,1 which the Basel Committee refers to in its November 2015 report to the G20 that also comments on the proposals to remove the AMA for operational risk.2
The revised operational risk capital framework will be based on a single non-model-based method for the estimation of operational risk capital, termed the Standardized Measurement Approach (SMA). According to the Basel Committee’s consultation paper, the SMA “builds on the simplicity and comparability of a standardized approach, and embodies the risk sensitivity of an advanced approach. The combination, in a standardized way, of financial statement information and banks’ internal loss experience promotes consistency and comparability in operational risk capital measurement.”
The revised methodology combines a financial statement-based measure of operational risk – the so-called “Business Indicator” (BI) – with an individual firm’s past operational losses, thereby retaining a key component of the AMA.
In the October 2014 consultation paper, the BI, comprising three macro-components of a bank’s income statement, was introduced as a replacement measure for gross income (GI).
Although the BI is stable and comparable across banks, business volume is only one factor that influences exposure to operational risk. Significant differences in the risk profile of medium to large banks cannot be fully accounted for by an approach that relies only on financial statement proxies. Since other sources of information are required to increase risk sensitivity, the Basel Committee supports the introduction of historical loss experience as a relevant risk indicator of future operational risk loss exposure.
The Basel Committee has introduced a loss component into the framework that it says will both enhance the SMA’s risk sensitivity and provide incentives for banks to improve operational risk management. “Banks with more effective risk management and low operational risk losses will be required to hold a comparatively lower operational risk regulatory capital charge,” says the paper.
The individual sections of the new SMA are discussed in more detail below.
The Business Indictor
The BI replaces GI as a measure for modeling operational risk. The BI is made up of almost the same profit and loss (P&L) items that are found in the composition of the GI. The main difference relates to how the items are combined. The BI uses positive values of its components to avoid counterintuitive negative contributions from some of the bank’s businesses to the capital charge (e.g., negative P&L on the trading book), which is possible under the GI. In addition, the BI includes income statement items related to activities that produce operational risk that are omitted (e.g., P&L on the banking book) or netted (e.g., fee expenses, other operating expenses) in the GI.
The Basel Committee states that changing the impact of other operating expenses on capital requirements from negative (in GI) to positive (in the BI) is “necessary to improve the coherence of the BI as a proxy indicator for operational loss exposure, as other operating expenses typically include operational losses, and thus an increase in other operating expenses should not result in a decrease in operational risk capital requirements.”
The Basel Committee’s analysis shows that operational loss exposure increases more than proportionally with the BI, and therefore the proposed calibration includes progressively increasing marginal coefficients for the BI.
The BI Component
The BI Component is calculated as follows:
BI buckets in the BI Component
€0 to €1bn
€1bn to €3bn
€110m + 0.15(BI - €1bn)
€3bn to €10bn
€410m + 0.19(BI - €3bn)
€10bn to €30bn
€1.74bn + 0.23(BI - €10bn)
€30bn to +∞
€6.34bn + 0.29(BI - €30bn)
The Internal Loss Multiplier and Loss Component
As business volume is only one factor that influences exposure to operational risk, the Basel Committee has also proposed the use of historical loss experience as an indicator of future operational risk exposure.
Following an investigation, the Committee decided that the same proportion of banks required to collect and report operational losses under the current regime should be prepared to calculate the loss component of the SMA. The analysis showed that more than 80% of the banks with BI > €1 billion are non-BIA banks. Also, most banks in buckets 2–5 are medium- to large-sized banks with total assets above €20 billion. With this in mind, the Basel Committee is proposing that internal losses should be used by banks in buckets 2–5, but not by banks in bucket 1. The internal loss experience is introduced to the SMA through the Internal Loss Multiplier formula.
The loss component is designed to reflect the bank’s potential exposure to operational risk losses, which can be inferred from its internal loss experience. The paper states: “The loss component distinguishes between loss events above €10 million and €100 million and smaller loss events to differentiate between banks with different loss distribution tails but similar average loss totals.” There is some debate as to how this will work in practice, however.
Banks are required to “use 10 years of good-quality loss data to calculate the averages used in the Loss Component,” adding that banks may use a minimum of five years of data to calculate the Loss Component if they currently don’t have 10 years of data. Banks that do not have five years of good data are required to calculate the capital requirement based solely on the BI Component.
For banks that will be required to calculate the loss component, the paper provides stringent criteria for the identification, collection and treatment of loss data. As stated above, firms are required to use 10 years of “good quality” data. Good quality data needs to include much more than gross loss amounts. The paper specifically states that firms must collect information that includes: the reference dates of the operational risk event, including the date when the event happened or first began (“date of occurrence”), where available; the date on which the bank became aware of the event (“date of discovery”); and the date when a loss, reserve or provision against a loss was first recognized in the bank’s P&L accounts (“date of accounting”). In addition, the bank must collect information on recoveries of gross loss amounts as well as descriptive information about the drivers or causes of the loss event. The level of detail of any descriptive information should be commensurate with the size of the gross loss amount.
Moreover, the paper stresses that banks using the SMA’s Loss Component must adhere to the minimum loss data standards set out above. If supervisors are not comfortable with the quality of this data, banks’ capital would “at a minimum equal 100% of the BI Component.”
The Basel Committee recognizes that some firms with heavy losses could seek to arbitrage Pillar 1 capital by choosing not to meet the qualitative requirements. In response, the paper stresses that in such cases, “supervisors will ensure that such banks apply a multiplier to the BI Component which is also disclosed.”
Banks are also required to have in place an appropriate de minimis gross loss threshold for internal loss data collection in. The Basel Committee has set the highest threshold limit at €10,000, although when the bank first moves to the SMA, a de minimis gross loss threshold of €20,000 is acceptable.
The paper specifies that operational risk losses related to credit risk that have historically been included in banks’ credit risk databases (e.g., collateral management failures) will continue to be treated as credit risk, while operational risk losses related to market risk are treated as operational risk for the purposes of calculating minimum regulatory capital under this framework and are therefore subject to the SMA for regulatory capital.
The Implications of the Revised Framework
The implications of the introduction of the SMA for operational risk are far reaching for larger financial institutions that have spent more than a decade and millions of dollars on building and refining their AMA programs. The initial reaction to the loss of the AMA currently falls into two distinct camps: One sees this reaction as a disproportionate solution to the problems associated with operational risk internal models and a waste of such a significant investment over the past decade, while the other camp has welcomed the change saying that operational risk is impossible to model to such a high confidence level and that the AMA was severely flawed.
Smaller and medium-sized banks that have followed a BIA or TSA approach will be less affected by the revisions, although they will be subject to greater rigor in their loss data collection efforts. In theory, the SMA should create a level playing field for all sizes of banks while removing some of the questionable outcomes that the modeling element of AMA has provided. The Basel Committee claims that the SMA “embeds greater risk sensitivity in the standardized approach for operational risk and ensures greater comparability,” however many critics of the SMA recognize that the removal of the internal model reduces risk sensitivity.
In its report to the G20, the Basel Committee states that although “in principle, internal models allow for more accurate risk measurement,” if they are used to set minimum capital requirements, banks have “unintended incentives to underestimate risk” and that “some asset classes are inherently difficult to model,” which “undermines the assumption underlying the current architecture that internal models are always more accurate.”
It is too early to tell whether these changes will be sufficient to appropriately capture changes in operational risk exposure. The foremost benefit of this new framework is that, under the SMA, all banks will be required to capture loss data, which is generally accepted as a positive move. Good quality loss data provides real insight into where operational risk occurs, identifying areas of control weakness as well as areas where firms need to invest in developing remediation programs. Establishing a complete and accurate risk event/loss data source will not be an easy task for some banks but it will go far in improving risk management activities and techniques.
Our preliminary calculations for a number of AMA banks – based upon reasonable assumptions where proprietary data is not available – suggest that the revised methodology produces operational risk capital amounts that are broadly in line with current capital levels. We suggest that operational risk managers at financial institutions affected by the SMA changes should already be working on pre-communicating with their boards and senior management about the proposed amendments to the capital calculations and have a good understanding of the difference those amendments will make to their bank. Firms should be able to add their data into the calculation formulas easily, but gaining further insight as to how they will compare with peers might prove more difficult.
Although some industry experts have expressed concern that the lack of an internal model approach could somehow demote the standing of operational risk management as a risk discipline, others say that such fears will be unrealized. Risk and Control Self-Assessments (RCSAs), for example, are used more today as management tools, while operational risk departments generally own the issue management process and have responsibility for the management of operational risks including technology and cyber risk, model risk, and third-party risk.
One banker said: “Regardless of the new regulatory capital direction, there is a lot more awareness and understanding of the operational risk profile within our organizations, which we can continue to build on and I suspect for some, will mean re-focusing attention to more management-focused work.” Another banker added that although the “SMA is not a great step forward in that many of the lessons and knowledge developed to measure operational risk are not going to be required in the Pillar I calculations, this shouldn’t stop us from using this expertise in other ways to manage operational risk and I suspect some regulators will expect this in the likes of Pillar II and the evolving stress testing requirements.”
In the United States, the Office of the Comptroller of the Currency’s (OCC) Heightened Standards guidance has also served to elevate the standing of the management of operational risk as a discipline.3 Indeed, the hope is that the removal of the internal model requirement should free up resources that have previously been devoted to documenting, challenging and justifying the AMA results, allowing them to be diverted to actually managing operational risks and adding more value to the business.
Nevertheless, there may well be a strong response from the critics of the SMA to the consultation paper. The main criticisms appear to be centered on the simplicity of the formula and the removal of any risk sensitivity. In addition, there will likely be a push from the existing AMA quant community for some degree of internal loss modeling to be restored to the proposals.
There is a feeling from some in the industry that the nature of the proposed changes reflects the inability of the Basel Committee to come to an agreement on amendments to the AMA before it was required to report to the G20. The SMA is therefore being viewed by many as a poor compromise.
That being said, at this late stage, any significant changes appear unlikely. Some commentators have indicated that national regulators will move to ensure some form of internal modeling is kept in Pillar 2 for modeling the Internal Capital Adequacy Assessment Process (ICAAP). Though national regulators have not made any response to these proposals, industry observers have stated that they are receiving a very clear message from their regulators not to abandon their model risk tools just yet.
During the course of 2016, the Basel Committee has stated that it will provide further details on the timeline for the withdrawal of the AMA and the implementation of the SMA.
The Basel Committee is continuing with a quantitative impact study (QIS) to assess its proposed revisions to the regulatory framework. The QIS will help ensure that the framework produces capital requirements that are prudent and stable, while retaining risk sensitivity. The SMA paper reiterates that the objective of these proposals is to not significantly increase overall capital requirements but adds that the “impact of the new operational risk framework will vary from bank to bank and may lead to an increase in minimum capital requirements for some banks.”
Once the Basel Committee has reviewed responses to this second consultative document and the QIS results, it intends to publish the final standard within “an appropriate timeframe and provide sufficient time for implementation.”
Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.
Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
Global Leader, Financial
Risk & Compliance
Risk & Compliance
1Minimum capital requirements for market risk. See also Protiviti’s Flash Report on the changes to market risk capital requirements, and Revisions to the Standardised Approach for credit risk
2Finalising post-crisis reforms: an update - A report to G20 Leaders