Basel III: Operational risk in Banking

By Péter Endre Kovács, Regional Director

• Introduction
• Brief history of operational risk regulation
  • Lessons of the crisis
  • Implementation of the SMA in the EU
• The outline of the SMA formula
  • The output floor
• Conclusion and next steps

Operational risk is the second largest contributor to risk-weighted assets (RWA) after credit risk for the typical commercial bank. The highly flexible advanced measurement approach (AMA) to quantify it - as well as the simpler approaches currently available - shall be replaced by a formalised, new standardised measurement approach (SMA) for Pillar 1 capital requirements calculation as from 2022. Even though the calculation of the minimum (Pillar 1) capital requirement becomes simpler and more comparable across institutions, the quantitative and qualitative requirements of the operational risk management framework and the Pillar 2 quantification do not change explicitly. Banks transferring from AMA are expected to maintain a high standard regarding the management framework.

European legislators are completing the implementation of the previous version of the legislation and will continue the codification of the new one after that work is finished. For example, the final regulatory technical standards (RTS) on the detailed requirements of the advanced measurement approach (AMA) were officially published in July 2018. (the text has been available since June 2015). This document will become obsolete when the final provisions of Basel III regarding the SMA under Pillar 1 are transposed into the European legislation and become effective. The quality requirements of the risk management and quantification framework (loss data collection, risk self-assessments, KRI’s and monitoring the environment and peers) are expected to outlive the change under Pillar 2, even if they are no longer required for the Pillar 1 RWA.

The new formula was published by the Basel Commit- tee as part of the final Basel III provisions in December 2017. The SMA is expected to be effective as from Jan- uary 1, 2022 to allow time for legislators to transpose it and for institutions to prepare for its implementation and impact. Based on the ad-hoc study published by the EBA in December 2017, capital requirements under the SMA are expected to increase on average by 21.4% for non-AMA banks, and by 28.5% for AMA banks.

The capital impact of the changes is controlled by the output floor and the transition cap which apply on an aggregate basis for all risk types. The final RWA for the aggregate of all risk types under Pillar 2 will need to gradually reach 72.5% of the aggregate of the Pillar 1 RWA using the standardised approaches - including the SMA for operational risks.

The Basel Committee on Banking Supervision (BCBS) started publishing documents related to operational risk already in 1984, but it was not until 1998 that it published its first sound practice recommendations related to this risk type (BCBS42). In 2003, the document titled Sound Management and Supervision of Operational Risk (BCBS96) was published by the Committee. It highlighted 10 principles for institutions and supervisors to follow related to the organizational environment, the risk management process, the role of supervisors and the role of disclosure. Operational risk appeared as a separate risk type with explicit capital requirement in the Basel II framework in 2006. The term is defined as:

“…Risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk. […] Legal risk includes, but is not limited to, exposure to fines, penalties, or punitive damages resulting from supervisory actions, as well as private settlements.” (bcbs128)

The legislation allowed three (plus one) approaches to quantify the extreme value of these risks: the basic indicator approach (BIA), the (alternative) standardised approach (TSA, ASA) and the advanced measurement approach (AMA). The calculation under the BIA is based on standard financial indicators of the bank and could be calculated regardless of size or complexity. The RWA under the TSA and ASA is similarly simple to calculate, but quantitative and qualitative requirements regarding the risk management framework were attached to the more flexible and thus likely lower capital requirements. Finally, the approval for using internal models (AMA) under Pillar 1, came with still more stringent requirements regarding the models, but also the risk management framework around it.

It was the express intention of the regulators to facilitate the development of modelling best practices in the industry related to the quantification of this “new” risk type. In the years since, large banking organizations have embraced the opportunity to benefit from capital requirement relief versus simpler approaches in exchange for more advanced internal operational risk processes. Entire organizations have been involved in internal and external loss data collection exercises, scenario analyses and self-assessments, as well as the monitoring of the business and control environment, collecting key risk and control indicators (KRI’s and KCI’s), under the guidance of independent operational risk managers, who are also responsible for quantifying the bank’s exposure using advanced predictive models. The implementation is being controlled by the internal auditor and the supervisor. The results of these efforts are overseen by the Operational Risk Committee appointed by the bank’s board of directors. The framework was intended to raise the awareness for and understanding of operational risk throughout the organization and it would continue to have a significant impact on the organizational culture if its implementation was taken seriously. Institutions with a sound operational risk framework were in a better position to develop credible plans for business continuity (BCP) and disaster recovery (DRP). Regardless of the capital charges and the chosen approach to calculate them, the level to which specific institutions internalized the awareness of operational risk is also observable for external stakeholders and, due to the nature of this risk type, is expected to be a major driver in the assessment of the institutions for lenders and investors.

The crisis of 2007 highlighted the shortcomings of the Basel II framework, and regulators have taken action to strengthen the resilience of the sector related to operational risk exposures as well. The major concern was related to simpler approaches (BIA, TSA, ASA) which reflected lower operational risk exposure despite higher observed losses during the crisis, as these are based on the gross income of the bank as a proxy for operational risk exposure. These approaches also assume linearity between the gross income and risk exposure, whereas the complexity of larger organizations also increases with the size, which makes this relationship non-linear. The re-calibration of model parameters was also necessary in light of new and significantly more information about actual losses, and a marginal coefficient was introduced to correct the formula for non-linearity.

Capital requirements based on advanced approaches increased during the crisis and decreased afterwards, but the outputs of these models were difficult to compare across institutions and they often lacked transparency or allowed the modellers more flexibility than could be accepted as robust and reasonable by reviewers and regulators.

In 2011, the Basel Committee revised its principles for the sound management of operational risks (BCBS 195) and issued supervisory guidelines for the AMA approaches (BCBS 196). These documents built on the 2003 document and reiterated the quality criteria required of banks using the standardised or advanced measurement approaches (and recommended for BIA banks) as an extended list of principles and supervisory guidelines. In the European Union, these documents are reflected in the recently published AMA RTS (finished in 2015) and the Pillar 2 (Supervisory Review Process, SREP) guidelines - both prepared and maintained by the European Banking Authority (EBA). This action reflects the regulator’s intention to deepen operational risk awareness in the organization. Over time, the section of the SREP guidelines dedicated to operational risk has identified several new Pillar 2 risk types (e.g. model risk, fraud, ICT risk). The process of identifying specific Pillar 2 risks is expected to continue to increase expectations of operational risk management. 

In 2014, the BCBS published its review of the implementation of these sound practices and they concluded that “banks have made insufficient progress in implementing the Principles” (BCBS 292), which means that too many organizations do not view and treat operational risks seriously enough to identify, monitor and manage them appropriately, despite the losses experienced since 2003.

In the same year, the Basel Committee also reviewed the simpler approaches and proposed a new standardised approach to be structured and calibrated based on recent experience. This OpCaR (operational risk capital at risk) approach provided the basis for the new SMA, but only aimed at replacing the simpler (i.e. non-AMA) approaches. In 2016, the name SMA appeared on a new consultative document (d355, BCBS) and it extended the approach to replace AMA models as well under Pillar 1. The structure of the calculation was retained while the details were refined in the final version published in December 2017 (d424, BCBS).

The SMA is intended to apply globally to all internationally active banks as from January 1, 2022, but until then, national legislators need to transpose it to their local legislative framework. In the European Union, this effort is undertaken by EU institutions and will mostly take effect automatically in all member states in the form of the update of the Capital Requirements Regulation (CRR) and technical standards. The review of the corresponding Directive (CRD) and EBA guidelines need to be implemented by the authorities of each member state. The European Union has already implemented parts of the Basel III package by issuing the RTS on the detailed requirements of the risk management framework required of AMA banks (AMA RTS) in July 2018. The timeline regarding the SMA implementation is uncertain at this point.

The Standardised Measurement Approach (SMA) replaces all four approaches currently available under Pillar 1. The objective is to provide stable, comparable and risk-sensitive estimates for the operational risk exposure.

The formula calculates the minimum capital requirement based on:

• The size and activity of the bank based on financial statement data (business indicator, BI),
• A marginal coefficient (12, 15 or 18%) based on the size of the business indicator (with thresholds at EUR 1bn and 30bn) and
• A multiplier based on the bank’s large losses incurred during the previous 10 years (internal loss multiplier, ILM4

The business indicator component (BIC) is the product of the first two components, the BI and the marginal coefficient. The minimum operational risk capital requirement is the product of the BIC and the ILM. The corresponding RWA is 12.5 times that.

The Business Indicator intends to measure the size of the operation based on income, expense and profitability measures, assuming that the larger the institution, the higher its operational risk exposure. This non-linearity is introduced using the 3-bucket approach based on the BI and the increasing marginal coefficients in them.

The Business Indicator is calculated as the sum of three sub-components:

• The interest, leases and dividend component (ILDC),
• The services component (SC), and
• The financial component (FC).

Each component is based on several other components: interest income, interest expense, interest earning assets and dividend income for the ILDC; other operating income or other operating expense, and fee income or fee expense for the SC; and the absolute value of the net P&L of the banking book and trading book for the FC. Each of these is calculated as the average of the latest three years’ data.

The objective of the ILM is to adjust the BIC, with the actual loss experience of the bank relative to the BIC. If the BIC represents the usual operational risk exposure of banks, the ILM adjusts this upwards or downwards based on the actual large loss experience of the specific institution. The large loss experience is consolidated as the sum of all individual losses above EUR 20,000 for each of the previous 10 years. The average of these yearly sums is multiplied by 15 to give the Loss Component (LC), which is then compared to the value of the BIC. If the Loss Component is 1% of the BIC, the value of the ILM is 0.55. If the LC is half, twice or five times the BIC, the ILM will be 0.83, 1.24 and 1.67, respectively.

“Supervisors are provided the flexibility to set the ILM to one for all institutions, or to increase the individual loss floor up to EUR 100,000 for large institutions (BI > EUR 1 BN) in their jurisdiction. The observation period may also be shorter than 10 years for currently non-AMA banks if certain criteria are met and if the supervisor approves.”

With such a standardized approach to Pillar 1 (minimum) capital requirements, the BIC will be an indicator that is comparable across institutions. The ILM provides an opportunity to adjust this to the institution’s own loss experience. As the past 10-year loss experience (sum of individual losses above the floor in each year) will need to be disclosed, external stakeholders may also gain a better understanding of the drivers of the minimum capital requirement.

The Pillar 2 calculations will continue to determine the total risk exposure of the institution as calculated by internal models and subject to supervisory scrutiny. The output floor assures that using internal models may lead to a maximum RWA advantage of 27.5% versus standardised models on an aggregate basis. An output floor is set at 72.5% of the RWA calculated using the standardised methods for credit, market and operational risks. This means that, even if the bank’s own assessment and models accepted by its supervisors indicate a Pillar 2 RWA below 72.5% of the RWA determined by the standardised methods, the final RWA may not fall below this threshold. The difference between the Pillar 2 RWA calculated for operational risks and the RWA calculated using the SMA will contribute to this, but due to the aggregation, it needs to be interpreted in context with the same figures for the other two risk types.

In the transitional period (between the beginning of 2022 and the end of 2026), the output floor will increase in annual increments from 50% to 72.5%. National supervisors have the power to decide whether or not to apply a transitional 25% cap for the annual increase in RWA. This would mean that the overall RWA requirement may not increase from one year to the next by more than 25% of the RWA of the year before the transition to the new standardised approaches.

As the AMA approach was also intended as a very extensive methodology study by the regulators in Basel II, it contributed significantly to the proliferation of varieties of the loss distribution approach (LDA) based as well as other models on a global scale. It also helped raise management attention to operational risks. Accepting a level of operational risk as a cost of doing business, defining operational risk tolerance and appetite levels and building a dedicated internal team to guide an organization-wide network presents a paradigm shift in many institutions. Raising risk awareness across the organization, collecting loss data, assigning responsibility, strengthening internal controls on processes and change management are probably the biggest contributions of this regulation. Process improvements related to business continuity (BCP) and disaster recovery (DRP) are extensions of this framework.

With a simplified Pillar 1 calculation requirement, the test of the AMA models will be if bank management finds them valuable enough to maintain or improve under Pillar 2. Risk management consultancies may contribute valuable insights to the assessment of the current models in the new environment, provide recommendations to improve models by streamlining, simplifying or further elaborating the current calculation framework, building into it the lessons the institution gathered during the many years of using it. The infrastructure used to calculate these figures can also be streamlined in order to optimise output quality and maintenance costs while retaining the IT control environment.

With an appropriate infrastructure increasingly embedded into the management information systems, the bank can further explore the drivers of its operational risks and be better suited to run scenario analyses cost effectively - not only for stress testing purposes - in order to provide valuable insight for decision makers. Such a framework would also be of interest to institutions currently using BIA or TSA/ASA in order to provide their management with better information at affordable cost.

In any event, a major wave of internal model reviews is expected to take place in the coming years, initiated by bank management in order to better serve the information needs of operational risk committees as well as all levels of management throughout the organization. Finalyse is prepared to undertake, lead or support this complex effort. An outsourcing offer is not yet available for this service, but we are committed to serving our clients in a manner that generates the highest added value.