Response to the Basel Committee on Banking Supervision Consultation Paper (CP3) April 2003
1. Until March 2003 I was the Director at the British Bankers' Association responsible for operational risk issues. I was prime mover and Founding Chairman of the BBA's Global Operational Database, which has been collecting loss event data for over 3 years from some 30 international banks, and chaired the BBA's Operational Risk Advisory Panel for a number of years. I am now Executive Director of the Operational Risk Research Forum (see www.orrf.org). I am also a non-executive director of SVB Syndicates Limited, a principal underwriter of financial institutions in the Lloyd's of London insurance market.
2. Given this experience, I hope the Committee will accept my qualification to comment on the Operational Risk (paragraphs 607 - 641) section of the latest Consultative Document, an opportunity for which I am grateful. There are still unresolved issues, both of policy and of implementation, and it is important that the Committee maintains the dialogue with the industry which has been a welcome characteristic of the development of the new Accord.
3. Basic Approach. The Basic Approach continues to reflect an alpha of 15%. Whilst this, in itself, may produce a level of capital for operational risk which is in line with the Committee's wishes, it is illogical that banks operating the Standardised Approach, with its higher entry standards and more sophisticated approach, should benefit in terms of the level of the minimum regulatory capital charge only in the areas of retail banking, asset management and retail brokerage. I can see no reason - and I cannot recall the Committee's giving a reason - why the highest beta under the Standardised Approach should not be at least equal to the alpha of the Basic Approach. If the range of betas must be 12% - 18%, the alpha should rise to 18%. Alternatively, if the Committee believes that the alpha should remain at 15%, the Standardised beta range should reduce to 10% - 15%. To do otherwise undermines the Committee's wish to encourage banks "to move along the spectrum of available approaches", a wish which I and many in the industry wholeheartedly support.
4. Alternative Standardised Approach (ASA). The concept of the ASA, in that it recognises that in many portfolios 'expected' operational and credit risk losses are covered by annuity income, is to be welcomed.
5. The application of the highest relevant beta, either to retail and commercial banking (i.e. 15%) where these are combined or to the remaining six business lines (i.e. 18%) where these have to be aggregated, is not. Once again, this reduces the incentive for banks to move to the Standardised Approach. Indeed, it is arguable that a bank which cannot split its gross income on the lines proposed by the Committee (difficult though this will be for many) should not be eligible for the Standardised Approach.
6. The Standardised Approach (STA) - qualifying criteria. Any incentive to move to the STA is finally removed by the considerable increase in the "hurdle" represented by the qualifying criteria outlined in CP3, as compared with previous consultations. Criteria (a) to (e) replicate almost exactly the parallel criteria in the Advanced Measurement Approach (AMA) (give or take some changes in sentence order). It seems perverse that having achieved a standard of risk management equal to the AMA, a bank electing to move to the STA may find itself penalised as regards its regulatory capital requirement, as compared with the requirement under the Basic Approach.
7. This change in criteria is especially unnecessary, given that the USA will not be applying the STA and the qualifying criteria currently proposed by the EU in its parallel consultation of 1 July 2003 represent a lower, realistic standard, which will encourage banks to "move along the spectrum of available approaches". I strongly urge the Committee to revert to the standards, which it had published in previous consultations.
8. The one noticeable and welcome difference between the STA and AMA criteria is that the STA, in my view correctly, uses the word "assess" in place of the word "measure", thus echoing the Committee's 'Sound Practices' paper.
9. Advanced Measurement Approach - qualitative standards. To continue the above point, it is disappointing that, by using the word "measurement" there is an implied assumption that operational risk can be measured with a similar high degree of accuracy as has been applied to market risk and credit risk. Whilst there are elements of attritional losses, generally related to transactions, which lend themselves to this kind of estimation, the critical events and underlying causes of operational risk do not. Yet these are the events and causes against which capital is primarily intended to be held. The issue is not one of semantics, but one of reality and common sense. At this late stage, I would still hope that the Committee could adopt the language of its Sound Practices paper and use the word "assess".
10. Advanced Measurement Approach - quantitative standards. The point is brought home most forcefully in the paragraphs covering the AMA soundness standard. Paragraph 627 reasonably refers to "potentially severe 'tail' loss events". The use of inverted commas around "tail" indicates an acceptance that the word is being used in its layman's as opposed to its statistical sense. The following sentence then gives the lie to this interpretation with its reference to comparability to a "99.9 percent confidence interval".
11. It is simply not possible to estimate operational risk to this level, equivalent to a 1 in 1,000 year event. The nature of operational risk, which, unlike credit and market risk, is fundamentally rooted in human rather than transactional behaviour, works against the comparability being sought by the Committee. The differing natures of the information available - loss events, risk indicators, causal factors, scenario analysis, exposure to natural or unnatural external events - also point to the difficulties of attempting estimations to this level of exactness. In the opinion of the numerous academics and actuaries with whom I have discussed this over the last 4 years, no distribution exists to fit the nature, let alone volume and pattern, of the data being considered, even if the data are restricted to loss events, which is but a sub-set of the information required to do the job properly.
12. Operational risk management involves the whole bank. Estimates of risk exposure will require the involvement of many layers of management, most of whom have not been involved in the lengthy discussions which have involved the industry and regulators over the last few years. It is important that line management, who will have to assess risk exposure and work with the various reporting systems which will be required, understand and accept the confidence levels being proposed. Being asked to estimate to a 1 in a 1,000 year possibility will appear completely unrealistic when applied to operational risk. The standard must be realistic, so that hearts and minds are engaged and won. This probably implies something nearer to 1 in 20 years (equivalent to 95%) or 1 in 50 years (equivalent to 98%). I would hope that the Committee would recognise the importance of recommending realistic, rather than unattainable, standards and use the language of those who will have to understand and implement them on the ground. The Committee's confidence level for operational risk should also be expressed primarily in relation to "1 in x year events" (as happens in the insurance industry in relation to Realistic Disaster Scenarios) and revert to percentages only as a subsidiary explanation. This will better reflect the nature of operational risk and greatly assist those who have to implement the Committee's requirements.
13. The need for buy-in is demonstrated by the Committee's wish that the measurement system should play "a prominent role in . . . internal capital allocation". I recognise that this requirement could act as something of a 'use test' but, in my view, it is not appropriate for supervisors to prescribe a bank's internal capital allocation model. Leaving that aside, however, it is essential that all managers affected by economic capital allocation accept the basis on which the allocation is made.
14. AMA - detailed criteria. (b) The Committee wishes the regulatory capital requirement to cover both expected loss and unexpected loss, subject to a bank's demonstrating that it has accounted for expected (or budgeted?) loss in some other way. Given that it is not possible for current distributions to estimate satisfactorily the extreme events which characterise operational risk and highlight the difficulty in its measurement, it would be helpful if the Committee explained that the terms EL and UL are being used in their lay, rather than their statistical sense.
15. AMA - detailed criteria. (c) It is highly unlikely that any measurement system will capture the major 'drivers' of operational risk, which may affect the 'tail' of estimates. These are causal and not readily amenable to being exposed via systems which rely heavily on the evidence of past events.
16. Internal data. It is true that internal data are most relevant when linked to a bank's current business activities. It is disappointing, therefore, that supervisors insist that banks, in addition to building a model in accordance with their own structure, possibly using data obtained from cost centres in addition to business units, and possibly using event data other than direct losses (such as profits and/or near misses), should nevertheless be obliged to map historical internal loss data to the event types and business lines identified in Annexes 6 and 7. It is unlikely that industry-wide data (as evidenced by the QIS3 results) will offer the level of validation which regulators seek and so justify the additional costs involved for AMA banks. It is interesting, also, that the US regulators' ANPR requires mapping only to the loss-event types and not to business lines. These costs are an additional regulatory burden for banks which, by definition, have satisfied regulators that they are sophisticated enough to be on the AMA.
17. The credit/operational risk boundary. The requirement to disaggregate operational from credit risk losses for the purposes of internal measurement is a costly and unnecessary requirement which senior management in many banks will find difficult to understand. The previous suggestions that banks should "track" these losses, perhaps by way of a flag, was one thing. The current proposal goes too far beyond this. It also goes beyond the US regulators' proposed requirements which "permit and encourage" banks to treat these losses as operational risk rather than credit risk losses, but does not impose this as a mandatory obligation.
18. This is a fundamental proposal, which represents a step change in regulatory requirements and should have been the subject of much more detailed consultation, if it is to remain in its current form. I hope it is not too late for the Committee, in dialogue with the industry, to refine its requirements.
19. External data. As the Chairman of the first (and until very recently, only) international pooled industry database, which has now been running for over 3 years, I have consistently pointed out to the Committee, both collectively through the BBA's responses to earlier consultations, and in conversations with individual members of the Risk Management Group, the serious health warnings with which external data should be treated. There are changes to the present text from previous versions, which I support. Examples are the references to using external data to in making qualitative adjustments or informing scenario and other analyses. These are proper uses of what is, by its nature, data which is even more incomplete, inconsistent and imprecise than internally generated data. They are the uses to which members of the BBA's Global Operational Loss Database (GOLD) have put the information provided by that database.
20. I continue to take issue, however, with the belief that external data can be adequately "scaled" to enable accurate comparisons to be made between an event in one bank and a similar event in another bank. The different cultures and practices of risk tolerance and risk management in individual banks are good reasons why this is simply not possible, even if an appropriate scaling factor could be identified. It is noticeable that the Advance Notice of Proposed Rulemaking recently published by the US regulators makes no reference to scaling in the section on external data. It does require that firms should collect "sufficient information about the reporting institution to facilitate comparison to its own organization". This seems to me to be an absolutely acceptable and realistic requirement and I recommend that the Committee uses similar language in its own statements on the use of external data.
21. Insurance. As a non-executive Director of one of the lead underwriters of financial institutions in the Lloyd's of London insurance market, I naturally have a considerable interest in the proposals for the acceptance of insurance as a 'mitigant' of the regulatory capital charge. Members of the RMG may recall my supporting the principle of insurance recognition as part of a presentation made by the European Banking Federation some 2/3 years ago.
22. I continue to support the principle, although I believe that insurance should be ranked with other 'mitigants' such as a good control and risk management environment for these purposes. Whilst it may be difficult to evaluate an insurance policy, it should be possible to apply appropriate haircuts to risk exposure within the framework of the AMA.
23. The criteria outlined by the Committee are a step in the right direction as is their continuing willingness to make insurance available for this purpose. There are obviously a number of issues to resolve. The Committee has specifically raised the minimum notice period for cancellation and non-renewal. There are also the issues of: duration and nature of coverage; claims-paying rating; exclusions relating to regulatory action or for receivers and liquidators; captives. All of these - and speed of payment - require further dialogue and discussion.
24. Clarification is also required about the 20% cap in the case of partial use. Will the 20% only apply to the AMA element of the capital charge or to the whole of the charge as is indicated in the consultation paper.
25. I should be very willing to assist the Committee in any dialogue it undertakes on this issue. Through the Operational Risk Research Forum, and with the knowledge of the FSA, I am currently gathering the views of selected principal members of the London insurance market - underwriters, brokers, re-insurers and actuaries - to see if common ground can be achieved both within that market and with the banking industry. I hope that that research will enable the Committee to formulate criteria which are acceptable to both industries.
John Thirlwell, 31 July 2003