FRBSF Economic Letter
2007-11; May 4, 2007
U.S. Supervisory Standards for Operational Risk Management
The U.S. bank supervisory agencies recently issued for
public comment revised guidance regarding the implementation
of the proposed Basel II-related, risk-based capital requirements.
Among the revisions is an important update to guidance
regarding operational risk management. Operational risk
generally refers to the risk of monetary losses resulting
from inadequate or failed internal processes, people, and
systems, or from external events, such as natural disasters.
For other dimensions of risk, such as credit and market
risk, the Basel II framework includes considerable detail
on using economic models for quantifying risk exposures.
However, operational risk is a relatively new field,
so understandably financial institutions have made less
progress
in developing formal models for it. Therefore, the supervisory
agencies have emphasized standards regarding robust systems
for operational risk management among banking organizations.
This Economic Letter reviews key components of the U.S.
supervisory standards proposed in the recent guidance
and of recent survey data regarding how operational risk
management
systems are being implemented worldwide.
What is operational risk?
Financial institutions are in the business of managing
and reallocating risk. This includes credit risk (the
possibility that a counterparty may default by failing
to repay its
debt obligations in a timely manner) and market risk
(the risk of loss due to changes in prices of financial
assets).
It also includes events that fall under the rubric of
operational risk, such as computer failures or employee
fraud, that
can have financial effects. Cummins et al. (2006), for
example, find that public announcements of operational
loss events by financial firms cause negative stock price
reactions and losses in firm market value that exceed
the reported losses, implying concerns about firms' future
cash flows.
The potential for adverse financial effects is the reason
the Basel II capital framework folds the treatment of
operational risk into risk-based capital requirements.
The framework
calls for banking organizations to hold capital to absorb
possible losses from their exposures to operational risk.
While recognizing that, currently, risks of loss from
a bank's operation are not as amenable to statistical modeling
as are other risks, Basel II sets new criteria for implementing
risk-based capital requirements for operational risk.
The Basel II framework includes three methods for calculating
operational risk capital charges, but in the U.S., the
supervisory agencies have proposed that only the advanced
measurement approaches (AMA) be used. Under these approaches,
the regulatory capital requirement for operational risk
would be determined primarily by a bank's own internal
risk measurement system, subject to certain qualitative
and quantitative supervisory criteria. As currently proposed
in the draft rule, all core banks (large or internationally
active banks that would be required to adopt the Basel
II-based rules) as well as opt-in banks (banks that voluntarily
decide to adopt the advanced approaches) would be required
to meet certain qualitative requirements before using
AMA systems for regulatory capital purposes.
On February 28, the U.S. banking supervisory agencies
issued for public comment revised guidance regarding implementation
of the Basel II Framework (Federal Register, 2007). With
respect to operational risk, the agencies proposed supervisory
standards that a bank should follow in implementing and
maintaining an AMA system for regulatory capital purposes.
The 32 standards can be grouped into three general categories
corresponding to internal governance issues, data issues,
and quantification issues.
Internal governance issues
While banks have always engaged in operational risk management,
the proposed Basel II-related rules introduce new dimensions
to this practice in the form of explicit capital requirements
and corresponding changes in supervisory oversight. Internal
governance, particularly with respect to corporate responsibilities
and risk management documentation, might be expected
to adapt accordingly.
The proposed standards include several requirements for
a bank's AMA system. It should encompass operational
risk across the entire firm. Its operational risk management
and audit functions should be separate and independent
of business line management in order to avoid conflicts
of interest. The bank should have comprehensive documentation
regarding its operational risk management policies and
procedures; for example, the documentation should describe
clearly how the bank identifies, measures, monitors,
and
controls its operational risk exposures, and it should
describe how internal and external operational risk loss
data (as well as the other two elements of the AMA described
below) are captured and used for determining the bank's
operational risk exposures.
The roles and responsibilities of the bank's board of
directors, operational risk management function, and senior
management
should be detailed and communicated clearly. For example,
the supervisory standards propose that the board of directors
evaluate the effectiveness of the bank's AMA system at
least once a year. Bank directors and senior management
should receive quarterly reports on operational risk
exposures, losses, and related information. The roles and
responsibilities
of the bank's independent verification and validation
functions should also be delineated. Specifically, the
verification
function is responsible for determining whether the components
of the AMA system are implemented properly and are working
in a manner consistent with approved policies, while
the validation function examines the accuracy of models
used
to quantify operational risk exposures and their risk-based
capital requirements.
According to a 2006 survey on actual AMA-related practices
by the Basel Committee on Banking Supervision (BCBS),
internal governance structures are still evolving in response
to
the development of operational risk management as a distinct
discipline. For example, the involvement of boards of
directors and senior management in the oversight of operational
risk
management was found to vary widely across international
banks, ranging from an active use of operational risk
management as a means for generating tangible benefits
to the bank
to simply complying with minimum regulatory requirements.
An important caveat to this finding was that many surveyed
banks did not as of yet have their AMA systems fully
in place. For such banks, operational risk exposures and
other
outputs from an effective operational risk system were
not yet available for internal discussion and supervisory
oversight.
The validation of AMA-related models is another area
where a wide range of practices was observed in the survey.
The
reasons for this diversity are a general shortage of
operational loss data, the early stage of development of
operational
risk models, and the limited availability of qualified
staff that is also independent of the model development
process. In light of these challenges, many banks are
currently relying on external parties for model validation
or have
crafted temporary internal solutions until they acquire
the needed resources.
Data issues
The nature and quality of a bank's operational risk data
are clearly important factors in its operational risk
management system. Accordingly, several of the proposed
U.S. supervisory
standards delineate supervisors' minimum expectations
regarding operational risk data integrity and comprehensiveness.
These standards relate principally to the characteristics
of the data and how it would be collected and used. For
example, banks would need to have in place a systematic
process for consistently incorporating internal and external
loss event data, as well as other relevant inputs, into
their AMA systems and risk-based capital requirements.
Regarding internal data, the proposed standards would
require the consistent capture of loss event data across
all of
the bank's business lines, corporate functions, product
types, and geographic locations. The bank should have
a minimum of five years of historical internal operational
loss data for AMA use, although shorter transitional
periods
may be approved by the bank's primary supervisor. The
bank should have clear policies for identifying when an
operational
loss is to be recognized and added to its loss event
database. For example, a bank should have policies for
consistently
identifying and capturing multiple loss events that occur
within one or across several time periods, but that result
from the same initial operational loss event. The bank
may establish internal thresholds for identifying operational
loss events, but it should be able to justify the appropriateness
of these thresholds to its primary supervisor.
External data refer to operational loss data generated
by other organizations. Banks may acquire external loss
data from such sources as membership in industry consortia,
third-party data vendors, or public outlets, such as
media reports. However, bank management should carefully
evaluate
whether such data are relevant to their banks' risk exposures
and are clearly reported. Sufficient information should
be collected and documented to permit comparisons between
the bank's internal systems and any external data.
In light of the serious challenges posed by operational
risk data shortages, the proposed standards would require
banks to use two other types of analytical inputs to
their AMA systems. The first, known as scenario analysis,
is
a systematic process of obtaining expert opinions from
bank management about the likelihood and potential losses
arising from hypothetical, yet plausible, high-severity
operational risks. The bank's documentation of these
scenario analyses should include such key elements as who
would
be responsible for formulating scenarios, how they would
be generated, how often they would be updated, and what
is the scope and coverage of operational loss events
they are intended to reflect. According to the BCBS survey,
the rigor applied to scenario analysis by banks varied
greatly in practice, especially concerning the quantity
and quality of scenarios as well as how the scenarios
were
incorporated into banks' AMA systems.
The fourth source of analytical information regarding
operational risk is the bank's so-called business environment
and internal
control factors (BEICFs), which indicate a bank's actual
operational risk profile and the effectiveness of its
internal control environment. Examples include business
line growth
rates, new product introductions, findings from internal
audit results, employee turnover, and computer system
downtime. Incorporating these BEICF indicators into an
AMA system
should help ensure that key drivers of operational risk
are being monitored for potentially important changes.
According to the BCBS survey, most banks have methods
in place for measuring key BEICFs, but very few banks have
determined how to quantify their impact on operational
risk exposures and regulatory capital calculations.
Quantification issues
Research by DeFontnouvelle et al. (2006) and others has
advanced the modeling of operational risk. However, limited
data and significant differences in loss experiences
across banks make it difficult to determine a commonly
accepted
set of models or analytical methods. Accordingly, there
is and will continue to be significant variation in operational
risk analysis across banks, with each bank tailoring
its analysis to match its information technology platforms,
risk management procedures, and staff resources. The
proposed
supervisory standards regarding operational risk quantification
do not specify which models or methods should be used,
but they are intended to provide supervisors with enough
flexibility to accommodate the continued evolution of
operational risk quantification techniques while still
applying consistent
supervision and enforcement across banks. For example,
the standards would require that modeling assumptions
be interpreted conservatively to reflect the degree of
uncertainty
present in evolving AMA systems. A bank should review
and update its operational risk quantification system whenever
information that may have a material effect on the bank's
estimate of operational risk exposure is discovered,
but
no less frequently than annually.
Another challenging component of operational risk quantification
is how to account for risk transfers through operational
risk mitigation products. The primary mechanism currently
used for mitigating operational risk exposure is insurance.
Since insurance policies are expected to decrease a bank's
operational risk exposure and regulatory capital requirements,
certain conditions should be met before these deductions
can be realized. For example, the policy should be provided
by a highly rated insurance company and have a minimum
length of one year. As before, the proposed standards
do not specify how the amount of risk mitigation provided
by such policies should be calculated, but they do suggest
that conservative assumptions are appropriate. In addition,
any such risk reductions are currently limited to permit
a maximum 20% reduction in overall operational risk exposures.
Conclusion
The main objective of the proposed Basel II capital framework
is to establish regulatory capital requirements that
are more closely related to banks' actual risk exposures,
including
operational risk. The recently published revisions to
the proposed U.S. implementation of this framework provide
a clear indication of the supervisory concerns and requirements
regarding operational risk issues. The proposed standards
and subsequent comments by industry participants should
help in the development of robust risk management systems.
The comment period ends May 29, 2007.
Jose A. Lopez
Senior Economist
References
[URLs accessed April 2007.]
Basel Committee on Banking Supervision. 2006. "Observed
Range of Practice in Key Elements of Advanced Measurement
Approaches (AMA)" (October).
Cummins,
J.D., C.M. Lewis, and R. Wei. 2006. "The
Market Value Impact of Operational Loss Events for U.S.
Banks and Insurers." Journal of Banking and
Finance 30(10) (October) pp. 2,605-2,634. DeFontnouvelle, P., V. DeJesus-Rueff, J.S. Jordan, and
E.S. Rosengren. 2006. "Capital and Risk: New Evidence
on the Implications of Large Operational Losses." Journal
of Money, Credit, and Banking 38(7) (October) pp. 1,819-1,846.
Federal Register. 2007. "Proposed
Supervisory Guidance for Internal Ratings-Based Systems
for Credit Risk, Advanced
Measurement Approaches for Operational Risk, and the
Supervisory Review Process (Pillar 2) Related to Basel
II Implementation." Docket
Number OP-1277, 72(39) (February) pp. 9,084-9,182.
Opinions expressed in this newsletter
do not necessarily reflect the views of the management
of the Federal Reserve Bank of San Francisco or of the
Board of Governors of the Federal Reserve System. Comments?
Questions? Contact
us via e-mail or write us at:
Research Department
Federal Reserve Bank of San Francisco
P.O. Box 7702
San Francisco, CA 94120
|
