Beyond Regulatory Compliance
By Jeff Reichert
Watch for it to become a competitive differentiator.
Should bankers start worrying now about the Basel II
capital guidelines for operational risk? The new rules, after all, won't
take hold until January 2008, when they replace the earlier Basel I guidelines.
There's also a widespread perception in the industry that these rules
are going to impact only the largest banks.
For bankers worried about competitive differentiation,
the answer is yes.
At the most basic level, the guidelines will require
financial institutions to begin focusing on operational risk from a regulatory
perspective. Banks will likely have to put up some capital to reserve
against it, in addition to the reserves already placed against credit,
market, reputational, legal and other risks. It is short-sighted, however,
to relegate operational risk management to the purview of the compliance
group and think "we've got it covered."
The effective management of operational risk is a core
competency; banks must either demonstrate they have it now or will acquire
it soon in order to remain competitive. Regulatory concerns aside, the
ability to exercise control of operational risk spans the entire organization.
It ties directly to a bank's ability to acquire capital in the markets;
to control earnings volatility that impacts stock price; to differentiate
itself competitively; and to protect its reputation for safety and soundness.
So, while Basel II may be the catalyst for banks to
address long-standing operational risk issues, it's certainly not the
only reason banks should care. Heightened market visibility carries with
it huge risks for institutions that don't measure up. Putting the control
mechanisms in place to minimize operational risk has a real financial
payback. And the disparity between the banks that choose to apply resources
to identifying, measuring and controlling their operational risks and
those that don't is soon going to become obvious.
Capital Adequacy
Since the Basel Committee released its preliminary
consultative papers on operational risk less than two years ago, some
U.S. legislators have questioned whether our country would even comply.
After all, the Committee holds no enforcement power over U.S. regulators,
financial institutions — or indeed, over the regulators or banks
of any country. But ultimately, even bankers had to admit that in a global
economy it was in the U.S. banks' best interests to encourage economic
stability among the world's interacting financial institutions and to
have everyone playing by the same rules, at least on paper.
So while there's still some jockeying for position
going on between the Securities and Exchange Commission, the Office of
the Comptroller of the Currency, the Federal Reserve, the Federal Deposit
Insurance Corp. and the Office of Thrift Supervision about their respective
roles, enforcement tactics, punitive measures and ultimate agendas, U.S.
adoption of the Basel II Accord is a reality. Now what does that mean
for operational risk management?
From a definitional perspective, the Committee considers
operational risk to be "the risk of loss resulting from inadequate or
failed internal processes, people and systems or from external events." Examples
of the types of operational risk identified by the Committee include
internal theft and fraud; external theft and fraud; employment practices
and workplace safety; clients, products and business practices; damage
to physical assets; business disruption and systems failures; and execution,
delivery and process management.
The Basel Accord itself contains three "pillars," or
key elements. Pillar 1 relates to the calculation of capital requirements;
Pillar 2 to the supervisory review of capital adequacy; and Pillar 3
to the public disclosure of banks' operational risk management control
process.
Under Pillar 1, there are three prescribed methods
for calculating the amount of capital a bank is required to sustain relative
to its level of operational risk. These are the Basic Indicator approach;
the Standardized Approach; and the Advanced Measurement Approach (AMA).
The Committee has stated that "internationally active
banks and banks with significant operational risk exposure are expected
to adopt over time the more risk-sensitive AMA." Under this method, a
bank can make its own assessment of the amount of capital it needs to
reserve against operational risk, as long as its methodology for doing
so is "sufficiently comprehensive and systematic." In other words, AMA
banks have the potential to reduce their capital allocation for operational
risk. U.S. regulators have indicated that some banks will be required
to adopt the AMA, while others may "opt in" to the AMA based on their
own internal cost/benefit analyses.
The Basic Indicator and Standardized approaches are "targeted
to banks with less significant operational risk exposures" and generally
require banks to hold capital for operational risk equivalent to a fixed
percentage of gross income. Further, banks using these two methods "are
not permitted to recognize the risk-mitigating impact of insurance." Thus,
banks adopting the Basic Indicator and Standardized Approaches have little
flexibility to reduce their required reserves against operational risk.
So by some estimates, the Basel Committee has indeed
set up a "big banks vs. all other banks" dichotomy. It can be argued
that there are no regulatory capital advantages for non-AMA banks to
make the investments necessary to manage operational risk more effectively.
And maybe if Pillar 1 of Basel II were the only reason for managing operational
risk, this assessment might ring true. But it is only the tip of the
iceberg in the broader regulatory context of operational risk.
For openers, what about Basel's Pillar 3, which requires
public disclosure of a bank's operational risk management control process?
Think about the implications of that mandate for a moment. How will the
processes an organization discloses in its annual reports come across
to shareholders and potential investors, who now have the ability to
compare its level of operational control to that of other banks? Or to
the regulators, who already have the mandate to scrutinize those processes
and to impose sanctions or even shut an institution down?
For another example, Section 302 of the Sarbanes-Oxley
legislation requires disclosure of "a list of all deficiencies in the
internal controls and information on any fraud that involves employees
who are involved with internal activities," as well as "any significant
changes in internal controls or related factors that could have a negative
impact on the internal controls." And there is Section 404, which requires
banks "to publish information in their annual reports concerning the
scope and adequacy of the internal control structure and procedures for
financial reporting. This statement shall also assess the effectiveness
of such internal controls and procedures."
The point is that there's a consistent message emerging
here about the management of operational risk. Fear of regulatory action
is by no means, however, the only or even best reason to manage operational
risk.
Access to Capital
Caught up in the issue of how much capital regulators
will expect their organizations to reserve for operational risk, bankers
have tended to focus their efforts on gathering data to document operational
losses, seeking out industry benchmarks and building sophisticated models
to mitigate their capital reserves. But management of operational risk
is not just about capital adequacy; it is also about access to capital.
Basel's Pillar 3 imposes public disclosure requirements
specifically designed to enable market participants (investors, shareholders,
analysts, rating agencies, etc.) to evaluate a bank's level of operational
risk and its internal methodologies for controlling it. The Committee's
express purpose for this provision was to bring market pressures to bear
on banks to manage their operational risks effectively, by benefiting
banks that are good at controlling operational risk and by making it
more difficult for those banks that do not have adequate operational
risk controls in place to be perceived favorably by the market.
While the regulators have not yet opined on their
specific disclosure requirements under Basel's Pillar 3, rating agencies
are already devising their own methodologies for evaluating a bank's
level and management of operational risk and how this operational risk
evaluation fits in and impacts their overall credit ratings. It is fair
to say that the rating agencies absolutely will take operational risk
levels and controls into consideration in rating a bank. And since ratings
provide a gauge to investors on the level of credit risk of companies
and their securities, they have a direct impact on a bank's ability to
raise capital in the markets and on the price a bank will have to pay
for that capital. Thus, if non-AMA banks choose to forgo investments
in operational risk control, the disparity between "big banks" using
the AMA and "smaller banks" using a standardized approach becomes even
more pronounced.
Exacerbating this condition is the fact that larger
banks are already more active in asset securitization, providing an ongoing
capability to free up capital for additional investment that smaller
banks do not have at their disposal due to the limited relative size
of their loan portfolios. So if non-AMA banks elect not to invest in
enhancing their operational controls, the AMA banks will simply continue
to widen their competitive advantage in the acquisition of capital. Non-AMA
banks will continue to have less and less access to capital that is increasingly
pricey until they are squeezed out of the capital markets altogether.
Reducing Earnings Volatility
Much attention has been focused on obtaining historical
data on operational losses to feed into capital models being developed
to calculate reserves for operational risk. The position of some non-AMA
banks seems to be that they will wait for the AMA banks to develop these
models, then hope that these models, or a simplified version thereof,
will be made available to the non-AMA banks without the risk or expense
of participating in their development. Whether through license agreements
that enable non-AMA banks to run these models in-house, or through outsourcers
that provide the capability, the non-AMA banks will have a way to calculate
their capital requirement for operational risk by the time it is mandated
they do so.
That approach may be fine for computing losses on
a historical basis. But it does nothing to help a bank predict its operational
losses and/or mitigate them. The significant industry-wide efforts that
are taking place to develop loss databases and to identify key risk indicators
are not an end in themselves. Rather, the end goal is to eliminate, reduce
or manage operational risks in order to reduce the impact of unanticipated
losses, much as banks do in the credit risk arena today. And risks that
they can't eliminate, they price and/or sell off.
Bankers have been cognizant of the credit risks associated
with their businesses for as long as they have been lending and have
made great strides over the past 15 years with data-driven approaches
to quantify, manage and price credit risk. However, the science of operational
risk management is less advanced — perhaps because of the difficulty
of identifying, quantifying, controlling and pricing the diverse and
wide-ranging types and elements of operational risk. But make no mistake,
the impact of operational losses can be just as devastating to earnings
as any credit that goes south. A case in point is the catastrophic collapse
of Barings PLC in 1995, which was caused by the activities of a single
out-of-control derivatives trader.
Managing operational risk is ultimately about reducing
earnings volatility by mitigating unanticipated losses and by reserving
against losses that can be expected. Again, earnings volatility bears
a direct relationship to shareholder value and to market capitalization.
The better the organization's ability to control and price unanticipated
losses, the less earnings volatility the bank will experience. It's in
an organization's best interests to control operational risk, entirely
aside from Basel's mandates.
Documentation Problem
The core banking principles of "safety and soundness" are
no less applicable to managing operational risk than they are to managing
credit risk. But processes to control operational risk are about to become
a great deal more visible than they have been in the past.
In most banks, operational procedures are developed
on an as-needed, evolutionary basis and handed down from employee to
employee. Whatever semblance they bear to bank policy is relatively coincidental.
Documentation of day-to-day procedures is also non-existent. Moreover,
procedures for dealing with exceptions reside strictly in the mind of
someone who had to make up a way of handling a problem that arose at
one time.
So along comes Basel II. Operating procedures and
controls now have to be disclosed so they can be evaluated and their
quality rated by the regulators and understood by the markets. Back up
a minute. First, these operating procedures have to be documented, which
they are not today. Back up another minute. Before we can document procedures,
we have to know what bank management's policies are for handling every
possible operating scenario that could occur so our operating procedures
can appropriately reflect the bank's policy — on everything from
check collection to opening checking accounts, setting up treasury services,
credit limits, approval processes, credit scores, portfolio concentrations,
documentation, collateral, delinquencies, etc.
Nowhere in any organization will you find such a central
repository of policies.
Not only does the lack of written, explicit policies
make the documentation of operating procedures a daunting task, but banks
will now be evaluated and compared on how good their controls are. Managerial
strength and operational control become competitive differentiators and
an important piece of the fabric of the "safety and soundness" doctrine.
Disclosure is not just a regulatory issue, but a customer
perception issue as well — one that will inevitably affect customers'
selection of a financial institution. Banks are now in the position of
needing to demonstrate to a competitive market that they have the organizational
and procedural controls in place to deal with operational risk in order
to retain and acquire business.
Legal Liability
The Risk Management Association (RMA) has categorized
operational risks into three basic types: external risks, process risks
and conduct risks. External risks, consisting of damage to physical assets
(fire, flood, earthquake, etc.) and external theft and fraud, are, in
many ways, the most manageable because they are insurable events. That
is, the organization can offload some or all of its exposure to these
events by insuring against them.
Process risks, consisting of execution, delivery and
process management risks, as well as business disruption and systems
failure, are largely controllable through managed processes and procedures,
adequate training, automation, workflow management, productivity reporting
and effective business continuity planning. Process risks are expected
to become more stringently managed through the documentation and disclosure
of a bank's operational controls, as discussed above.
The biggest and most unmanageable risk, therefore,
may be employee conduct risk, including employee theft and fraud and
employment and business practices. The organization is legally liable
for the actions of its employees toward clients and the public generally,
so there are very real out-of-pocket costs associated with employee failures.
Intentional or unintentional employee conduct issues can occur at every
salary level, in every department and in every location of every financial
institution.
In addition, employee risks are virtually impossible
to predict and the financial consequences of employees' actions are therefore
the most difficult to prevent. Losses can be substantial — as anyone
who has faced a multi-million dollar class action lawsuit can attest.
Further, employee conduct directly affects an institution's reputation
in the market, the financial damage from which can be incalculable.
Operational risk is nothing to pass over lightly or
relegate to the compliance department. With or without Basel II, financial
institutions need to start taking it seriously.
Mr. Reichert is the director of decision
support and information services at Automated Financial Systems, a
software, information and consulting firm in Exton, Pa.
Copyright © 2004 by Banking Strategies,
published by BAI.