Simpler operational risk capital calculations under Basel 4

Moving the dial article series

November 2022

Operational risk has become an area of increasing focus for banks in recent years as the environment in which they operate has grown ever more volatile and uncertain. The pandemic, environmental, social and governance (ESG) considerations, cyber risk and other information and communications technology (ICT) issues, and legal risk have all intensified the need for robust, coordinated and detailed non-financial risk management approaches.

It is perhaps surprising that the operational risk capital requirements under Basel 4 appear to represent a simplification rather than a step up in sensitivity and complexity compared to the Basel 2 regime. Looking only at Basel 4’s regulatory capital calculation approaches for Pillar 1, one might prematurely conclude that many banks could significantly slim down their operational risk teams.

In our view, this will not — and should not happen — for a number of reasons. First, operational risk is too important an area to be deprioritized. After all, a single major operational risk event could impact a financial institution very severely, undermining its ability to operate as intended towards clients and markets. Furthermore, it is clear that, under Basel 4, advanced operational risk approaches will still be needed to satisfy the Pillar 2 (supervisory review process) requirements that reflect the Principles for the Sound Management of Operational Risk (PSMOR).

The Pillar 1 (minimum capital requirements) and Pillar 2 ‘disconnect’ is reinforced in the latest standard from the Basel Committee on Banking Supervision (BCBS) and the draft legislation proposed by the European Commission (EC). For most banks, the new requirements effectively remove the direct link between the metric used for capital requirements under Pillar 1 and the output of the processes (e.g. Loss Data Collection and Scenario Analysis) supporting the identification, evaluation and management of Operational Risk, which are important from a Pillar 2 perspective. Under Basel 2, there was greater alignment between the measurement (Pillar 1) and control (Pillar 2) of operational risk — Basel 4 separates them. This greater alignment came at the expense of simplicity and the added complexity in the rules did not deliver commensurately better risk management or risk sensitivity.

In our view it creates an opportunity for banks to drive the transformation of the operational risk function, helping to create stronger links with other functions across the organization and achieve a more holistic view of risks.

The Pillar 1 capital calculation requirements will not be straightforward and there will be a significant degree of variety between banks.

Those banks that adopted the most advanced approach under Basel 2 — the Advanced Measurement Approach (AMA), which is eliminated in Basel 4 — should in most cases be ready to move quite seamlessly to the incoming simpler, non-model-based Standardised Approach (SA). However, they may be troubled by the significant increase in capital requirements under the new blunt calculation mechanism — an uplift of 50% or even more.

Banks which have adopted Basel 2’s Basic Indicator Approach (BIA) — generally small and medium-sized players — will face a greater technical challenge. This is because the new SA model bases a bank’s operational risk capital requirement on both the size of its revenues and, possibly, its historic losses due to operational risk factors. The model assumes that an entity that has incurred higher operational risk losses in the past is more likely to experience them in the future.

Even where losses do not ultimately feed through to the capital calculation (due to the application of national or regional discretion¹), banks will be required to collect and report information for the last 10 years. This may be difficult for smaller banks that have been on the less sophisticated approach, and they may have to invest time and resources to collect the loss data. In fact, some effort could be required even for banks which are on the AMA, because data quality standards under the new rules may be higher than practices adopted by some banks. The calculations will also need to be signed-off by external auditors.

Overall, the principle behind the BCBS’s approach is to increase the simplicity and comparability of operational risk capital requirements. It also wants to increase transparency, with banks required to disclose risk information publicly under the Pillar 3 market discipline requirements.

Operational risk functions may view the new requirements as limiting their scope to bring capital requirements down and manage the bank’s balance sheet through advanced modelling and risk management practices, and the simpler capital requirements as little more than a tax. This perception of reduced regulatory incentive for accurate risk identification may mistakenly drive reviews of budget and resources and get in the way of the operational risk function developing and strengthening its staffing, skills and competences in order to effectively support real risk management.

In fact, the new rules present opportunities for operational risk functions to prove their value even more. As many banks can reduce the time spent on the regulatory calculation and measurement of operational risk, they can spend more time actually managing it.

The scope and importance of non-financial risks are growing all the time. Regulators are increasing their attention on a whole range of non-financial risk areas, for example introducing specialised frameworks for cyber and ICT. In the UK, a new operational resilience framework is in force, and other jurisdictions, including the EU, are close behind with initiatives such as the Digital Operational Resilience Act (DORA).

As entities pursue their digital transformation agendas, grapple with climate risk quantification and reporting, adjust to new hybrid ways of working post-COVID-19 and associated risks, and deal with more complex third-party risks in a challenging supply chain landscape, there is enormous potential for operational risk teams to redefine their mission as the competence centre for non-financial risk and add more value. This could include turning some of the computational excellence used in the AMA to develop new quantitative models for operational risk within the growing use of machine learning and artificial intelligence — exciting territory indeed!

To do this, operational risk functions will need to be supported and empowered through senior sponsorship and backing. In our view, Basel 4 does not ‘downgrade’ operational risk — it creates the room to take it to a new level.