| The operational risk requirements of Basel II | | | | of the process of monitoring and controlling |
| proposes three measurement methodologies for | | | | the bank's operational risk profile. This |
| calculating the operational risk capital | | | | information must play a major role in risk |
| charges. These are the Basic Indicator | | | | reporting, management reporting, internal |
| Approach, the Standardized Approach and the | | | | capital allocation, and risk |
| Advanced Measurement Approach.Under the Basic | | | | analysis.-Operational risk exposures and loss |
| Indicator Approach banks must hold capital | | | | experience must be reported regularly to |
| for operational risk equal to the average | | | | business unit management, senior management, |
| over the previous three years of a fixed | | | | and to the board of directors.-The bank's |
| percentage (15% for this approach) of | | | | operational risk management system must be |
| positive annual gross income (figures in | | | | well documented and the bank must have a |
| respect of any year in which annual gross | | | | routine in place for ensuring compliance with |
| income was negative or zero are | | | | a documented set of internal policies, |
| excluded).Although no specific criteria are | | | | controls and procedures concerning the |
| set out for use of the Basic Indicator | | | | operational risk management system, which |
| Approach, banks using this method are | | | | must include policies for the treatment of |
| encouraged to comply with the Committee's | | | | noncompliance issues.-Internal and/or |
| guidance on "Sound Practices for the | | | | external auditors must perform regular |
| Management and Supervision of Operational | | | | reviews of the operational risk management |
| Risk" (BIS; February 2003). These principles | | | | processes and measurement systems. This |
| require:-A hands on approach in the creation | | | | review must include both the activities of |
| of an appropriate risk management | | | | the business units and of the independent |
| environment,-Positive actions in the | | | | operational risk management function.-The |
| identification, assessment, monitoring and | | | | validation of the operational risk |
| control of operational risk,-Adequate public | | | | measurement system by external auditors and |
| disclosure.Under the Standardized Approach a | | | | or supervisory authorities must include the |
| bank's activities are divided into eight | | | | verification that the internal validation |
| business lines. Within each business line, | | | | processes are operating in a satisfactory |
| gross income is a broad indicator that serves | | | | manner; and making sure that data flows and |
| as a stand-in for the level of business | | | | processes associated with the risk |
| operations and therefore the probable size of | | | | measurement system are transparent and |
| operational risk exposure within each of | | | | accessible. In particular, it is necessary |
| these business lines. The capital charge for | | | | that auditors and supervisory authorities are |
| each business line is calculated by | | | | in a position to have easy access, whenever |
| multiplying gross income by a factor (called | | | | they judge it necessary and under appropriate |
| the "beta") assigned to that business line. | | | | procedures, to the system's specifications |
| The beta serves as a substitute for the | | | | and parameters.Because the analytical |
| industry-wide relationship between the | | | | approaches for operational risk continue to |
| operational risk loss experience for a given | | | | evolve the approach or distributional |
| business line and the aggregate level of | | | | assumptions used to generate the operational |
| gross income for that business line. The | | | | risk measure for regulatory capital purposes |
| business lines and the beta factors range | | | | is not being specified by the Basel |
| from 12% for "retail banking", "asset | | | | Committee. A bank must however be able to |
| management" and "retail brokerage"; 15% for | | | | show that its approach captures potentially |
| "commercial banking" and "agency services" to | | | | severe 'tail' loss events. Irrespective of |
| 18% for "corporate finance", "trading & | | | | the approach is used, a bank must demonstrate |
| sales" and "payment & settlement".The total | | | | that its operational risk measure meets a |
| capital charge is calculated as the | | | | soundness standard comparable to that of the |
| three-year average of the simple summation of | | | | internal ratings-based approach for credit |
| the regulatory capital charges across each of | | | | risk.Based on this, bank supervisors will |
| the business lines in each year. In any given | | | | require the bank to calculate its regulatory |
| year, a negative capital charges (as a result | | | | capital requirement as the sum of expected |
| of negative gross income) in any business | | | | loss (EL) and unexpected loss (UL), unless |
| line may offset positive capital charges in | | | | the bank can demonstrate that it is |
| other business lines without limit.At | | | | adequately capturing EL in its internal |
| national supervisory level, the supervisor | | | | business practices (to base the minimum |
| can choose to allow a bank to use the | | | | regulatory capital requirement on UL alone, |
| Alternative Standardized Approach (ASA) | | | | the bank must be able to demonstrate to the |
| provided the bank is able to satisfy its | | | | satisfaction of its national supervisor that |
| supervisor that this alternative approach | | | | it has measured and accounted for its EL |
| provides an improved basis for measurement of | | | | exposure).A bank needs to have a credible, |
| risks. Under the ASA, the operational risk | | | | transparent, well-documented and verifiable |
| capital charge/methodology is the same as for | | | | approach for weighting these basic elements |
| the Standardized Approach except that two | | | | in its overall operational risk measurement |
| business lines - "retail banking" and | | | | system.Internal loss data is critical to |
| "commercial banking" where a fixed factor 'm' | | | | linking a bank's risk estimates to its actual |
| - replaces gross income as the exposure | | | | loss experience. Such data is most relevant |
| indicator and is related to the extent of | | | | when it is clearly linked to a bank's current |
| loans granted in these areas.Under the | | | | business activities, technological processes |
| Advanced Measurement Approaches (AMA) the | | | | and risk management procedures. To do this a |
| regulatory capital requirement equals the | | | | bank must have documented procedures for |
| risk measure generated by the bank's internal | | | | assessing the on-going relevance of |
| operational risk measurement system using | | | | historical loss data, including those |
| specific quantitative and qualitative | | | | situations in which judgment overrides or |
| criteria. Use of the AMA is subject to | | | | other adjustments may be used, to what extent |
| supervisory approval.Supervisory approval has | | | | they may be used and who is authorized to |
| to be conditional on the bank being able to | | | | make such decisions. Internally generated |
| show to the satisfaction of the supervisory | | | | operational risk measures used for regulatory |
| authority that the allocation mechanism for | | | | capital purposes must be based on a minimum |
| these subsidiaries is appropriate and can be | | | | five-year observation period of internal loss |
| supported empirically. The quantitative | | | | data. However, when the bank first moves to |
| standards that apply to internally generated | | | | the AMA, a three-year historical data window |
| operational risk measures for purposes of | | | | is acceptable.To qualify for regulatory |
| calculating the regulatory minimum capital | | | | capital purposes, a bank's internal loss |
| charge are that any internal operational risk | | | | collection processes must be able to map its |
| measurement system must be consistent with | | | | historical internal loss data into the |
| the definition of operational risk and a | | | | relevant supervisory categories as are |
| range of defined loss event types (covering | | | | defined in detail in the Basel II Annexes. |
| all operational aspects such as fraud, | | | | The bank must have documented objective |
| employee practices, workplace safety, | | | | criteria for allocating losses to the |
| business practices, processing practices, | | | | specified business lines and event types. A |
| business disruption and loss of physical | | | | bank's internal loss data must be |
| assets).To qualify for use of the Advanced | | | | comprehensive. It must capture all material |
| Measurement Approaches (AMA), a bank must | | | | activities and exposures from all appropriate |
| satisfy its supervisor that,-The banks board | | | | sub-systems and geographic locations. The |
| of directors and senior management, are | | | | bank must be able to justify that any |
| actively involved in the oversight of the | | | | excluded activities or exposures, both |
| operational risk management framework;-The | | | | individually and in combination would not |
| bank has an operational risk management | | | | significantly impact the overall risk |
| system that is conceptually sound and which | | | | estimates. This should be based on an |
| includes an independent operational risk | | | | appropriate minimum gross loss threshold for |
| management function that is responsible for | | | | internal loss data collection. Additionally, |
| the design and implementation of the bank's | | | | a bank should collect information relating |
| operational risk management framework;-The | | | | the date of the event, any recoveries of loss |
| bank has It has sufficient resources to use | | | | amounts, as well as descriptive information |
| this approach in the major business lines as | | | | about the drivers or causes of the loss |
| well as the control and audit areas.A bank | | | | event. The level of detail in any descriptive |
| using the AMA will be subject to a period of | | | | information should be appropriate to the size |
| initial monitoring by its supervisor before | | | | of the gross loss amount.Operational risk |
| it can be used for regulatory purposes. This | | | | losses that are related to credit risk and |
| period will allow the supervisor to determine | | | | have traditionally been included in banks' |
| if the approach is credible and appropriate. | | | | credit risk databases (e.g. collateral |
| The bank's internal measurement system must | | | | management failures) must continue to be |
| be able to reasonably estimate unexpected | | | | treated as credit risk for the purposes of |
| losses based on the combined use of internal | | | | calculating minimum regulatory capital. It |
| and relevant external loss data, scenario | | | | follows that such losses will not be subject |
| analysis and bank-specific business | | | | to the operational risk capital charge. |
| environment and internal control factors.The | | | | Nevertheless, for the purposes of internal |
| bank's measurement system must also be | | | | operational risk management, banks must |
| capable of supporting an allocation of | | | | identify all material operational risk losses |
| economic capital for operational risk across | | | | consistent with the scope of the definition |
| business lines in a manner that creates | | | | of operational risk and the defined event |
| incentives to improve business line | | | | types, including those related to credit |
| operational risk management.Additionally,-The | | | | risk.A bank's operational risk measurement |
| operational risk management function is | | | | system must use pertinent external data |
| responsible for documenting policies and | | | | (either public data and/or pooled industry |
| procedures concerning operational risk | | | | data), especially when there is any |
| management and controls, designing and | | | | possibility to believe that the bank is |
| implementing the bank's operational risk | | | | potentially exposed to severe losses, however |
| measurement methodology, designing and | | | | infrequent. Additionally a bank must use |
| implementing a risk-reporting system for | | | | scenario analysis of expert opinion in |
| operational risk, and developing strategies | | | | conjunction with external data to evaluate |
| to identify, measure, monitor and control | | | | its exposure to high-severity events.Stanley |
| mitigate operational risk,-The bank's | | | | Epstein is a Principal Associate and Director |
| internal operational risk measurement system | | | | of Citadel Advantage Ltd., a consultancy |
| must be closely integrated into the | | | | dealing in bank operations and specializing |
| day-to-day risk management processes of the | | | | in Operations Risk and Payment Systems. |
| bank and its output must be an integral part | | | | |