Trojan Horse rules
Operational Risk - December 2004
Once upon a time it all seemed so reasonable. The BIS Sound Practices paper was a model of excellent practical guidance. Here in the UK, the draft text of the Prudential Source Book, especially the section on high-level operational risk systems and controls (known mysteriously as SYSC3A), was essentially guidance. It recognised that operational risk was a new risk, not wholly understood, either as to its extent, or as to the essentials which would enable it to be both managed and assessed with any degree of certainty.
It is undoubtedly the softest of the risks which regulators and firms have had to grapple with. And it is very different in its nature from the others. There is no inherent "size" for the operational risk involved in any transaction. Importantly, it deals largely with those difficult things called people who, to the dismay of economists and managers, are not always rational, efficient, honest or competent. And when it is not dealing with people, it is often dealing with events outside our control, whether fire, flood and pestilence; or changes in the risk environment - terrorism, climate change, the compensation culture; or competitors, either directly or, indirectly, through their incompetence or misbehaviour.
So, a very imprecise risk, treated in an imprecise way. That didn't impress risk purists, or even many CEOs, but it was realistic. The challenges of operational risk management reflect a need to distinguish between shades of grey, rather than rely on paradigms which might explain more scientific certainties or truths.
These philosophical musings were prompted by the announcement by the FSA that it would not apply SYSC3A to banks because of the EU's Markets in Financial Instruments Directive (MiFiD) and the Capital Requirements Directive (CRD). They are both due to be implemented in 2006 and would be subject to consultation in 2005, i.e. after SYSC3A, had it come into force as planned at the beginning of next year. The chilling bit is contained in a letter sent by the FSA to CEOs which states, "The MiFiD requirements - which we plan as far as possible simply to 'copy out' - will take a different form, with harder, more rules-based systems and controls requirements."
There are two points here. The first is to ask when will it ever be the right time to publish text on operational risk? The CRD has not exactly sprung from nowhere, even if its timing may possibly have been in doubt, and in any case I'm not sure that it should significantly affect the guidance which was to be brought in in January. But more importantly, MiFiD, like any Directive or regulation relating to financial services will, inevitably, affect operational risk. Which begs the question of whether the people who debate and negotiate these texts are aware of the needs and nuances of operational risk. Or, just as importantly, whether operational risk professionals (whether from industry or the regulators) were involved in looking at MiFiD. I strongly suspect the answer to both questions is no.
They won't thank me for it, but just as they are involved in new product and other risk management discussions, it seems to me essential that operational risk professionals are involved in these new legislative initiatives to make sure that the realities of risk management are reflected in the texts which emerge and to defend the principles of guidance wherever that is needed. If not, risk management will be at the mercy of regulators and compliance experts for whom a rules-based framework is meat and drink.
Which leads me to the second issue - those simple words, "copy out". When they were first used, many months ago, it was in response to concerns that in the past the FSA had been notoriously 'super-equivalent', and the industry didn't want that to continue with Basel II or the CRD. It sounded like a happy solution. However, to misquote Vergil, "Timeo custodes dona ferentes" - I fear regulators bearing gifts. Because to copy out a Directive is to copy out a law. And laws aren't intended to be guidance, but to be rules, as is indicated by the quote from the FSA's letter. Finally, and perhaps of most concern, is the comment, also in the letter to CEOs, that the FSA believes that "guidance should be used sparingly and only where it is both meaningful and clear."
It's perhaps understandable that in a world where the FSA is being dragged through the courts, whether by Legal & General or by individuals, that they would wish for certainty and have effectively said "enough's enough". Understandable, but sad.
Good regulation and supervision is about considering individual firms and considering the issues of management which they face. Responsibilities to the wider world mean that much of this has to be rules-based. But operational risk, that notoriously wide and amorphous mass, is about business and risk management, where as far as possible, flexibility through guidance rather than prescriptive rules must be maintained. Beware, risk managers - the Trojan horse is at the gates.
John Thirlwell - Director, Operational Risk Research Forum. The views expressed in this article are those of the author.