The operational risk requirements of Basel II propose three measurement methodologies for calculating the operational risk capital charges. These are the Basic Indicator Approach, the Standardized Approach and the Advanced Measurement Approach.

Under the Basic Indicator Approach banks must hold capital for operational risk equal to the average over the previous three years of a fixed percentage (15% for this approach) of positive annual gross income (figures in respect of any year in which annual gross income was negative or zero are excluded).

Although no specific criteria are set out for use of the Basic Indicator Approach, banks using this method are encouraged to comply with the Committee's guidance on "Sound Practices for the Management and Supervision of Operational Risk" (BIS; February 2003). These principles require:

- A hands-on approach in the creation of an appropriate risk management environment,
- Positive actions in the identification, assessment, monitoring and control of operational risk,
- Adequate public disclosure.

Under the Standardized Approach a bank's activities are divided into eight business lines. Within each business line, gross income is a broad indicator that serves as a stand-in for the level of business operations and therefore the probable size of operational risk exposure within each of these business lines. The capital charge for each business line is calculated by multiplying gross income by a factor (called the "beta") assigned to that business line. The beta serves as a substitute for the industry-wide relationship between the operational risk loss experience for a given business line and the aggregate level of gross income for that business line. The beta factors for the business lines range from 12% for "retail banking", "asset management" and "retail brokerage"; 15% for "commercial banking" and "agency services"; to 18% for "corporate finance", "trading & sales" and "payment & settlement".

The total capital charge is calculated as the three-year average of the simple summation of the regulatory capital charges across each of the business lines in each year. In any given year, negative capital charges (as a result of negative gross income) in any business line may offset positive capital charges in other business lines without limit.

At national supervisory level, the supervisor can choose to allow a bank to use the Alternative Standardized Approach (ASA) provided the bank is able to satisfy its supervisor that this alternative approach provides an improved basis for measurement of risks. Under the ASA, the operational risk capital charge/methodology is the same as for the Standardized Approach except for two business lines, "retail banking" and "commercial banking", where a fixed factor 'm' replaces gross income as the exposure indicator and is related to the extent of loans granted in these areas.

Under the Advanced Measurement Approaches (AMA) the regulatory capital requirement equals the risk measure generated by the bank's internal operational risk measurement system using specific quantitative and qualitative criteria. Use of the AMA is subject to supervisory approval.

Supervisory approval has to be conditional on the bank being able to show to the satisfaction of the supervisory authority that the allocation mechanism for these subsidiaries is appropriate and can be supported empirically. The quantitative standards that apply to internally generated operational risk measures for purposes of calculating the regulatory minimum capital charge are that any internal operational risk measurement system must be consistent with the definition of operational risk and a range of defined loss event types (covering all operational aspects such as fraud, employee practices, workplace safety, business practices, processing practices, business disruption and loss of physical assets).

To qualify for use of the Advanced Measurement Approaches (AMA), a bank must satisfy its supervisor that:

- The bank's board of directors and senior management are actively involved in the oversight of the operational risk management framework;
- The bank has an operational risk management system that is conceptually sound and which includes an independent operational risk management function that is responsible for the design and implementation of the bank's operational risk management framework;
- The bank has sufficient resources to use this approach in the major business lines as well as the control and audit areas.

A bank using the AMA will be subject to a period of initial monitoring by its supervisor before it can be used for regulatory purposes. This period will allow the supervisor to determine if the approach is credible and appropriate. The bank's internal measurement system must be able to reasonably estimate unexpected losses based on the combined use of internal and relevant external loss data, scenario analysis and bank-specific business environment and internal control factors.

The bank's measurement system must also be capable of supporting an allocation of economic capital for operational risk across business lines in a manner that creates incentives to improve business line operational risk management.

Additionally:

- The operational risk management function is responsible for documenting policies and procedures concerning operational risk management and controls, designing and implementing the bank's operational risk measurement methodology, designing and implementing a risk-reporting system for operational risk, and developing strategies to identify, measure, monitor and control/mitigate operational risk,
- The bank's internal operational risk measurement system must be closely integrated into the day-to-day risk management processes of the bank and its output must be an integral part of the process of monitoring and controlling the bank's operational risk profile. This information must play a major role in risk reporting, management reporting, internal capital allocation, and risk analysis.
- Operational risk exposures and loss experience must be reported regularly to business unit management, senior management, and to the board of directors.
- The bank's operational risk management system must be well documented and the bank must have a routine in place for ensuring compliance with a documented set of internal policies, controls and procedures concerning the operational risk management system, which must include policies for the treatment of noncompliance issues.
- Internal and/or external auditors must perform regular reviews of the operational risk management processes and measurement systems. This review must include both the activities of the business units and of the independent operational risk management function.
- The validation of the operational risk measurement system by external auditors and/or supervisory authorities must include the verification that the internal validation processes are operating in a satisfactory manner, and making sure that data flows and processes associated with the risk measurement system are transparent and accessible. In particular, it is necessary that auditors and supervisory authorities are in a position to have easy access, whenever they judge it necessary and under appropriate procedures, to the system's specifications and parameters.

Because the analytical approaches for operational risk continue to evolve, the approach or distributional assumptions used to generate the operational risk measure for regulatory capital purposes are not being specified by the Basel Committee. A bank must however be able to show that its approach captures potentially severe 'tail' loss events. Irrespective of the approach used, a bank must demonstrate that its operational risk measure meets a soundness standard comparable to that of the internal ratings-based approach for credit risk.

Based on this, bank supervisors will require the bank to calculate its regulatory capital requirement as the sum of expected loss (EL) and unexpected loss (UL), unless the bank can demonstrate that it is adequately capturing EL in its internal business practices (to base the minimum regulatory capital requirement on UL alone, the bank must be able to demonstrate to the satisfaction of its national supervisor that it has measured and accounted for its EL exposure).

A bank needs to have a credible, transparent, well-documented and verifiable approach for weighting these basic elements in its overall operational risk measurement system.

Internal loss data is critical to linking a bank's risk estimates to its actual loss experience. Such data is most relevant when it is clearly linked to a bank's current business activities, technological processes and risk management procedures. To do this a bank must have documented procedures for assessing the on-going relevance of historical loss data, including those situations in which judgment overrides or other adjustments may be used, to what extent they may be used and who is authorized to make such decisions. Internally generated operational risk measures used for regulatory capital purposes must be based on a minimum five-year observation period of internal loss data. However, when the bank first moves to the AMA, a three-year historical data window is acceptable.

To qualify for regulatory capital purposes, a bank's internal loss collection processes must be able to map its historical internal loss data into the relevant supervisory categories as defined in detail in the Basel II Annexes. The bank must have documented objective criteria for allocating losses to the specified business lines and event types. A bank's internal loss data must be comprehensive. It must capture all material activities and exposures from all appropriate sub-systems and geographic locations. The bank must be able to justify that any excluded activities or exposures, both individually and in combination, would not significantly impact the overall risk estimates. This should be based on an appropriate minimum gross loss threshold for internal loss data collection. Additionally, a bank should collect information relating to the date of the event, any recoveries of loss amounts, as well as descriptive information about the drivers or causes of the loss event. The level of detail in any descriptive information should be appropriate to the size of the gross loss amount.

Operational risk losses that are related to credit risk and have traditionally been included in banks' credit risk databases (e.g. collateral management failures) must continue to be treated as credit risk for the purposes of calculating minimum regulatory capital. It follows that such losses will not be subject to the operational risk capital charge. Nevertheless, for the purposes of internal operational risk management, banks must identify all material operational risk losses consistent with the scope of the definition of operational risk and the defined event types, including those related to credit risk.

A bank's operational risk measurement system must use pertinent external data (either public data and/or pooled industry data), especially when there is any reason to believe that the bank is potentially exposed to severe losses, however infrequent. Additionally a bank must use scenario analysis of expert opinion in conjunction with external data to evaluate its exposure to high-severity events.

Stanley Epstein is a Principal Associate and Director of Citadel Advantage Ltd., a consultancy dealing in bank operations and specializing in Operations Risk and Payment Systems.