Moving the dial article series
November 2022
Operational risk has become an area of increasing focus for banks in recent years as the environment in which they operate has grown ever more volatile and uncertain. The pandemic, environmental, social and governance (ESG) considerations, cyber risk and other information and communications technology (ICT) issues, and legal risk have all intensified the need for robust, coordinated and detailed non-financial risk management approaches.
It is perhaps surprising that the operational risk capital requirements under Basel 4 appear to represent a simplification rather than a step up in sensitivity and complexity compared to the Basel 2 regime. Looking only at Basel 4’s regulatory capital calculation approaches for Pillar 1, one might prematurely conclude that many banks could significantly slim down their operational risk teams.
Pillar 1 and 2 ‘disconnect’
In our view, this will not — and should not happen — for a number of reasons. First, operational risk is too important an area to be deprioritized. After all, a single major operational risk event could impact a financial institution very severely, undermining its ability to operate as intended towards clients and markets. Furthermore, it is clear that, under Basel 4, advanced operational risk approaches will still be needed to satisfy the Pillar 2 (supervisory review process) requirements that reflect the Principles for the Sound Management of Operational Risk (PSMOR).
The Pillar 1 (minimum capital requirements) and Pillar 2 ‘disconnect’ is reinforced in the latest standard from the Basel Committee on Banking Supervision (BCBS) and the draft legislation proposed by the European Commission (EC). For most banks, the new requirements effectively remove the direct link between the metric used for capital requirements under Pillar 1 and the output of the processes (e.g. Loss Data Collection and Scenario Analysis) supporting the identification, evaluation and management of Operational Risk, which are important from a Pillar 2 perspective. Under Basel 2, there was greater alignment between the measurement (Pillar 1) and control (Pillar 2) of operational risk — Basel 4 separates them. This greater alignment came at the expense of simplicity and the added complexity in the rules did not deliver commensurately better risk management or risk sensitivity.
In our view it creates an opportunity for banks to drive the transformation of the operational risk function, helping to create stronger links with other functions across the organization and achieve a more holistic view of risks.
Pillar 1 calculations: Still some challenges
The Pillar 1 capital calculation requirements will not be straightforward and there will be a significant degree of variety between banks.
Those banks that adopted the most advanced approach under Basel 2 — the Advanced Measurement Approach (AMA), which is eliminated in Basel 4 — should in most cases be ready to move quite seamlessly to the incoming simpler, non-model-based Standardised Approach (SA). However, they may be troubled by the significant increase in capital requirements under the new blunt calculation mechanism — an uplift of 50% or even more.
Banks which have adopted Basel 2’s Basic Indicator Approach (BIA) — generally small and medium-sized players — will face a greater technical challenge. This is because the new SA model bases a bank’s operational risk capital requirement on both the size of its revenues and, possibly, its historic losses due to operational risk factors. The model assumes that an entity that has incurred higher operational risk losses in the past is more likely to experience them in the future.
Even where losses do not ultimately feed through to the capital calculation (due to the application of national or regional discretion1), banks will be required to collect and report information for the last 10 years. This may be difficult for smaller banks that have been on the less sophisticated approach, and they may have to invest time and resources to collect the loss data. In fact, some effort could be required even for banks which are on the AMA, because data quality standards under the new rules may be higher than practices adopted by some banks. The calculations will also need to be signed-off by external auditors.
Overall, the principle behind the BCBS’s approach is to increase the simplicity and comparability of operational risk capital requirements. It also wants to increase transparency, with banks required to disclose risk information publicly under the Pillar 3 market discipline requirements.
Opportunity to transform the mission
Unfortunately, from the operational risk function’s point of view, the rules reduce their team’s scope to bring capital requirements down and make a contribution to the bank’s balance sheet through advanced modelling and risk management practices. The capital requirements, being so standardised, have almost become a tax. This highlights the need for the operational risk function to develop and strengthen their staffing, skills and competences in order to effectively support real risk management.
At the same time, though, operational risk functions can prove their value even more. The scope and importance of non-financial risks are growing all the time. Regulators are increasing their attention on a whole range of non-financial risk areas, and specialised frameworks such as for cyber and ICT are being introduced. In the UK, a new operational resilience framework requirement has started coming into force, and other jurisdictions, including the European Union (EU), are closely behind (e.g. DORA regulation).
Because many banks can reduce the time they take making the regulatory calculation and measurement of operational risk, they can spend more time actually managing it. As entities pursue their digital transformation agendas; grapple with climate risk quantification and reporting; adjust to new hybrid ways of working post-COVID-19 and the risks that may generate; and deal with more complex third-party risks in a challenging supply chain landscape, there is enormous potential for operational risk teams to redefine their mission as the central competence centre for non-financial risk and increase the value they bring. This could include turning some of their computational excellence used in the AMA to develop new quantitative models for operational risk within the growing use of machine learning and artificial intelligence — exciting territory indeed.
To do this, operational risk functions will need to be supported and empowered through senior sponsorship and backing. In our view, Basel 4 doesn’t ‘downgrade’ operational risk — it creates the room to take it to a new level.