Moving the dial article series
November 2022
Operational risk has become an area of increasing focus for banks in recent years as the environment in which they operate has become ever more volatile and uncertain. The pandemic, climate risk and environmental, social and governance (ESG), cyber risk and other information and communications technology (ICT) issues, and legal risk — all of these have intensified the need for robust, coordinated and detailed non-financial risk management approaches.
On the face of it, it is perhaps surprising therefore that the operational risk capital requirements under Basel 4 represent a simplification rather than a step-up in sensitivity and complexity compared to the Basel 2 regime. Looking only at the capital calculation approaches for Pillar 1 under Basel 4, one might conclude that many banks could significantly slim down their operational risk teams.
Pillar 1 and 2 ‘disconnect’
In our view, this won’t happen — and shouldn’t happen — for a number of reasons. Operational risk is too important an area to be deprioritised; after all, one major operational risk event could potentially finish a financial institution. What’s more, when looking at the Basel 4 regulations, it’s clear that in fact advanced operational risk approaches are still needed as a result of the Pillar 2 requirements that include the Principles for the Sound Management of Operational Risk (PSMOR). This has been reinforced in the latest proposed standards from both the Basel Committee on Banking Supervision (BCBS) and the European Commission (EC). What has effectively happened is that the new regulations put a gap in between Pillar 1 and Pillar 2. Under Basel 2, there was alignment between the measurement (Pillar 1) and management (Pillar 2) of operational risk, Basel 4 separates them and almost severs that link.
While this may seem unexpected, in our view it in fact creates an opportunity for banks to drive the transformation of the operational risk function’s mission, helping to create stronger links with other functions across the organisation and achieve a more holistic view of risks.
Pillar 1 calculations: Still some challenges
The Pillar 1 capital calculation requirements will not be straightforward and there will be a significant degree of variety between banks.
Those banks that have adopted the most advanced approach under Basel 2 — the Advanced Measurement Approach (AMA) — should in most cases be ready to adopt the simpler, non-model-based Standardised Approach (SA) of Basel 4 almost directly. What will trouble them more is that many are likely to see a significant increase in capital requirements under the new blunt calculation mechanism — a 50% uplift, or even more. However, as operational risk capital is generally only a fraction of the amount required for credit risk, this increase is expected to be more of an irritation than a major issue.
There will be more of a technical challenge for the banks — generally, small and medium-sized players — who have adopted the Basic Indicator Approach (BIA) of Basel 2. This is because the new SA model bases a bank’s operational risk capital requirement on both the size of its revenues and, possibly, of its historic losses to operational risk factors. But even if losses do not, in the end, input through to the capital calculation, banks are still required to collect that information for the last 10 years: the model assumes that an entity that has incurred higher operational risk losses in the past is more likely to experience them in the future.
This collection may be difficult to make for smaller banks that have been on the less sophisticated approaches, and they may have to invest time and resources to collect the loss data needed. In fact, it could also require some effort even for banks who are on the AMA, because the data quality standards are much higher under the new rules. The calculations will also need to be signed-off by external auditors.
Overall, the principle behind the Basel Committee’s approach is to increase the simplicity and comparability of operational risk capital requirements. It also wants to increase transparency, with banks required to publicly disclose risk information under the Pillar 3 market discipline requirements.
Opportunity to transform the mission
Unfortunately, from the operational risk function’s point of view, the rules reduce their team’s scope to bring capital requirements down and make a contribution to the bank’s balance sheet through advanced modelling and risk management practices. The capital requirements, being so standardised, have almost become a tax. This highlights the need for the operational risk function to develop and strengthen their staffing, skills and competences in order to effectively support real risk management.
At the same time, though, operational risk functions can prove their value even more. The scope and importance of non-financial risks are growing all the time. Regulators are increasing their attention on a whole range of non-financial risk areas, and specialised frameworks such as for cyber and ICT are being introduced. In the UK, a new operational resilience framework requirement has started coming into force, and other jurisdictions, including the European Union (EU), are closely behind (e.g. DORA regulation).
Because many banks can reduce the time they take making the regulatory calculation and measurement of operational risk, they can spend more time actually managing it. As entities pursue their digital transformation agendas; grapple with climate risk quantification and reporting; adjust to new hybrid ways of working post-COVID-19 and the risks that may generate; and deal with more complex third-party risks in a challenging supply chain landscape, there is enormous potential for operational risk teams to redefine their mission as the central competence centre for non-financial risk and increase the value they bring. This could include turning some of their computational excellence used in the AMA to develop new quantitative models for operational risk within the growing use of machine learning and artificial intelligence — exciting territory indeed.
To do this, operational risk functions will need to be supported and empowered through senior sponsorship and backing. In our view, Basel 4 doesn’t ‘downgrade’ operational risk — it creates the room to take it to a new level.