May 4, 2007
« More Economic Letters
U.S. Supervisory Standards for Operational Risk Management
Jose A. Lopez
The U.S. bank supervisory agencies recently issued for public comment revised guidance regarding the implementation of the proposed Basel II-related, risk-based capital requirements. Among the revisions is an important update to guidance regarding operational risk management. Operational risk generally refers to the risk of monetary losses resulting from inadequate or failed internal processes, people, and systems, or from external events, such as natural disasters.
For other dimensions of risk, such as credit and market risk, the Basel II framework includes considerable detail on using economic models for quantifying risk exposures. However, operational risk is a relatively new field, so understandably financial institutions have made less progress in developing formal models for it. Therefore, the supervisory agencies have emphasized standards regarding robust systems for operational risk management among banking organizations. This Economic Letter reviews key components of the U.S. supervisory standards proposed in the recent guidance and of recent survey data regarding how operational risk management systems are being implemented worldwide.
Financial institutions are in the business of managing and reallocating risk. This includes credit risk (the possibility that a counterparty may default by failing to repay its debt obligations in a timely manner) and market risk (the risk of loss due to changes in prices of financial assets). It also includes events that fall under the rubric of operational risk, such as computer failures or employee fraud, that can have financial effects. Cummins et al. (2006), for example, find that public announcements of operational loss events by financial firms cause negative stock price reactions and losses in firm market value that exceed the reported losses, implying concerns about firms’ future cash flows.
The potential for adverse financial effects is the reason the Basel II capital framework folds the treatment of operational risk into risk-based capital requirements. The framework calls for banking organizations to hold capital to absorb possible losses from their exposures to operational risk. While recognizing that, currently, risks of loss from a bank’s operation are not as amenable to statistical modeling as are other risks, Basel II sets new criteria for implementing risk-based capital requirements for operational risk.
The Basel II framework includes three methods for calculating operational risk capital charges, but in the U.S., the supervisory agencies have proposed that only the advanced measurement approaches (AMA) be used. Under these approaches, the regulatory capital requirement for operational risk would be determined primarily by a bank’s own internal risk measurement system, subject to certain qualitative and quantitative supervisory criteria. As currently proposed in the draft rule, all core banks (large or internationally active banks that would be required to adopt the Basel II-based rules) as well as opt-in banks (banks that voluntarily decide to adopt the advanced approaches) would be required to meet certain qualitative requirements before using AMA systems for regulatory capital purposes.
On February 28, the U.S. banking supervisory agencies issued for public comment revised guidance regarding implementation of the Basel II Framework (Federal Register, 2007). With respect to operational risk, the agencies proposed supervisory standards that a bank should follow in implementing and maintaining an AMA system for regulatory capital purposes. The 32 standards can be grouped into three general categories corresponding to internal governance issues, data issues, and quantification issues.
While banks have always engaged in operational risk management, the proposed Basel II-related rules introduce new dimensions to this practice in the form of explicit capital requirements and corresponding changes in supervisory oversight. Internal governance, particularly with respect to corporate responsibilities and risk management documentation, might be expected to adapt accordingly.
The proposed standards include several requirements for a bank’s AMA system. It should encompass operational risk across the entire firm. Its operational risk management and audit functions should be separate and independent of business line management in order to avoid conflicts of interest. The bank should have comprehensive documentation regarding its operational risk management policies and procedures; for example, the documentation should describe clearly how the bank identifies, measures, monitors, and controls its operational risk exposures, and it should describe how internal and external operational risk loss data (as well as the other two elements of the AMA described below) are captured and used for determining the bank’s operational risk exposures.
The roles and responsibilities of the bank’s board of directors, operational risk management function, and senior management should be detailed and communicated clearly. For example, the supervisory standards propose that the board of directors evaluate the effectiveness of the bank’s AMA system at least once a year. Bank directors and senior management should receive quarterly reports on operational risk exposures, losses, and related information. The roles and responsibilities of the bank’s independent verification and validation functions should also be delineated. Specifically, the verification function is responsible for determining whether the components of the AMA system are implemented properly and are working in a manner consistent with approved policies, while the validation function examines the accuracy of models used to quantify operational risk exposures and their risk-based capital requirements.
According to a 2006 survey on actual AMA-related practices by the Basel Committee on Banking Supervision (BCBS), internal governance structures are still evolving in response to the development of operational risk management as a distinct discipline. For example, the involvement of boards of directors and senior management in the oversight of operational risk management was found to vary widely across international banks, ranging from an active use of operational risk management as a means for generating tangible benefits to the bank to simply complying with minimum regulatory requirements. An important caveat to this finding was that many surveyed banks did not as of yet have their AMA systems fully in place. For such banks, operational risk exposures and other outputs from an effective operational risk system were not yet available for internal discussion and supervisory oversight.
The validation of AMA-related models is another area where a wide range of practices was observed in the survey. The reasons for this diversity are a general shortage of operational loss data, the early stage of development of operational risk models, and the limited availability of qualified staff that is also independent of the model development process. In light of these challenges, many banks are currently relying on external parties for model validation or have crafted temporary internal solutions until they acquire the needed resources.
The nature and quality of a bank’s operational risk data are clearly important factors in its operational risk management system. Accordingly, several of the proposed U.S. supervisory standards delineate supervisors’ minimum expectations regarding operational risk data integrity and comprehensiveness. These standards relate principally to the characteristics of the data and how it would be collected and used. For example, banks would need to have in place a systematic process for consistently incorporating internal and external loss event data, as well as other relevant inputs, into their AMA systems and risk-based capital requirements.
Regarding internal data, the proposed standards would require the consistent capture of loss event data across all of the bank’s business lines, corporate functions, product types, and geographic locations. The bank should have a minimum of five years of historical internal operational loss data for AMA use, although shorter transitional periods may be approved by the bank’s primary supervisor. The bank should have clear policies for identifying when an operational loss is to be recognized and added to its loss event database. For example, a bank should have policies for consistently identifying and capturing multiple loss events that occur within one or across several time periods, but that result from the same initial operational loss event. The bank may establish internal thresholds for identifying operational loss events, but it should be able to justify the appropriateness of these thresholds to its primary supervisor.
External data refer to operational loss data generated by other organizations. Banks may acquire external loss data from such sources as membership in industry consortia, third-party data vendors, or public outlets, such as media reports. However, bank management should carefully evaluate whether such data are relevant to their banks’ risk exposures and are clearly reported. Sufficient information should be collected and documented to permit comparisons between the bank’s internal systems and any external data.
In light of the serious challenges posed by operational risk data shortages, the proposed standards would require banks to use two other types of analytical inputs to their AMA systems. The first, known as scenario analysis, is a systematic process of obtaining expert opinions from bank management about the likelihood and potential losses arising from hypothetical, yet plausible, high-severity operational risks. The bank’s documentation of these scenario analyses should include such key elements as who would be responsible for formulating scenarios, how they would be generated, how often they would be updated, and what is the scope and coverage of operational loss events they are intended to reflect. According to the BCBS survey, the rigor applied to scenario analysis by banks varied greatly in practice, especially concerning the quantity and quality of scenarios as well as how the scenarios were incorporated into banks’ AMA systems.
The fourth source of analytical information regarding operational risk is the bank’s so-called business environment and internal control factors (BEICFs), which indicate a bank’s actual operational risk profile and the effectiveness of its internal control environment. Examples include business line growth rates, new product introductions, findings from internal audit results, employee turnover, and computer system downtime. Incorporating these BEICF indicators into an AMA system should help ensure that key drivers of operational risk are being monitored for potentially important changes. According to the BCBS survey, most banks have methods in place for measuring key BEICFs, but very few banks have determined how to quantify their impact on operational risk exposures and regulatory capital calculations.
Research by DeFontnouvelle et al. (2006) and others has advanced the modeling of operational risk. However, limited data and significant differences in loss experiences across banks make it difficult to determine a commonly accepted set of models or analytical methods. Accordingly, there is and will continue to be significant variation in operational risk analysis across banks, with each bank tailoring its analysis to match its information technology platforms, risk management procedures, and staff resources. The proposed supervisory standards regarding operational risk quantification do not specify which models or methods should be used, but they are intended to provide supervisors with enough flexibility to accommodate the continued evolution of operational risk quantification techniques while still applying consistent supervision and enforcement across banks. For example, the standards would require that modeling assumptions be interpreted conservatively to reflect the degree of uncertainty present in evolving AMA systems. A bank should review and update its operational risk quantification system whenever information that may have a material effect on the bank’s estimate of operational risk exposure is discovered, but no less frequently than annually.
Another challenging component of operational risk quantification is how to account for risk transfers through operational risk mitigation products. The primary mechanism currently used for mitigating operational risk exposure is insurance. Since insurance policies are expected to decrease a bank’s operational risk exposure and regulatory capital requirements, certain conditions should be met before these deductions can be realized. For example, the policy should be provided by a highly rated insurance company and have a minimum length of one year. As before, the proposed standards do not specify how the amount of risk mitigation provided by such policies should be calculated, but they do suggest that conservative assumptions are appropriate. In addition, any such risk reductions are currently limited to permit a maximum 20% reduction in overall operational risk exposures.
The main objective of the proposed Basel II capital framework is to establish regulatory capital requirements that are more closely related to banks’ actual risk exposures, including operational risk. The recently published revisions to the proposed U.S. implementation of this framework provide a clear indication of the supervisory concerns and requirements regarding operational risk issues. The proposed standards and subsequent comments by industry participants should help in the development of robust risk management systems. The comment period ends May 29, 2007.
Jose A. Lopez
[URLs accessed April 2007.]
Basel Committee on Banking Supervision. 2006. “Observed Range of Practice in Key Elements of Advanced Measurement Approaches (AMA)” (October).
Cummins, J.D., C.M. Lewis, and R. Wei. 2006. “The Market Value Impact of Operational Loss Events for U.S. Banks and Insurers.” Journal of Banking and Finance 30(10) (October) pp. 2,605-2,634.
DeFontnouvelle, P., V. DeJesus-Rueff, J.S. Jordan, and E.S. Rosengren. 2006. “Capital and Risk: New Evidence on the Implications of Large Operational Losses.” Journal of Money, Credit, and Banking 38(7) (October) pp. 1,819-1,846.
Federal Register. 2007. “Proposed Supervisory Guidance for Internal Ratings-Based Systems for Credit Risk, Advanced Measurement Approaches for Operational Risk, and the Supervisory Review Process (Pillar 2) Related to Basel II Implementation.” Docket Number OP-1277, 72(39) (February) pp. 9,084-9,182.
More Economic Letters
Opinions expressed in FRBSF Economic Letter do not necessarily reflect the views of the management of the Federal Reserve Bank of San Francisco or of the Board of Governors of the Federal Reserve System. This publication is edited by Sam Zuckerman and Anita Todd. Permission to reprint must be obtained in writing.
Please send editorial comments and requests for reprint permission to