Basel II's Three Approaches to Operational Risk Management

The operational risk requirements of Basel II proposes three measurement methodologies for calculating the operational risk capital charges. These are the Basic Indicator Approach, the Standardized Approach and the Advanced Measurement Approach. Under the Basic Indicator Approach banks must hold capital for operational risk equal to the average over the previous three years of a fixed percentage (15% for this approach) of positive annual gross income (figures in respect of any year in which annual gross income was negative or zero are excluded). Although no specific criteria are set out for use of the Basic Indicator Approach, banks using this method are encouraged to comply with the Committee's guidance on "Sound Practices for the Management and Supervision of Operational Risk" (BIS; February 2003). These principles require: * A hands on approach in the creation of an appropriate risk management environment, * Positive actions in the identification, assessment, monitoring and control of operational risk, * Adequate public disclosure. Under the Standardized Approach a bank's activities are divided into eight business lines. Within each business line, gross income is a broad indicator that serves as a stand-in for the level of business operations and therefore the probable size of operational risk exposure within each of these business lines. The capital charge for each business line is calculated by multiplying gross income by a factor (called the "beta") assigned to that business line. The beta serves as a substitute for the industry-wide relationship between the operational risk loss experience for a given business line and the aggregate level of gross income for that business line. The business lines and the beta factors range from 12% for "retail banking", "asset management" and "retail brokerage"; 15% for "commercial banking" and "agency services" to 18% for "corporate finance", "trading & sales" and "payment & settlement". The total capital charge is calculated as the three-year average of the simple summation of the regulatory capital charges across each of the business lines in each year. In any given year, a negative capital charges (as a result of negative gross income) in any business line may offset positive capital charges in other business lines without limit. At national supervisory level, the supervisor can choose to allow a bank to use the Alternative Standardized Approach (ASA) provided the bank is able to satisfy its supervisor that this alternative approach provides an improved basis for measurement of risks. Under the ASA, the operational risk capital charge/methodology is the same as for the Standardized Approach except that two business lines - "retail banking" and "commercial banking" where a fixed factor 'm' - replaces gross income as the exposure indicator and is related to the extent of loans granted in these areas. Under the Advanced Measurement Approaches (AMA) the regulatory capital requirement equals the risk measure generated by the bank's internal operational risk measurement system using specific quantitative and qualitative criteria. Use of the AMA is subject to supervisory approval. Supervisory approval has to be conditional on the bank being able to show to the satisfaction of the supervisory authority that the allocation mechanism for these subsidiaries is appropriate and can be supported empirically. The quantitative standards that apply to internally generated operational risk measures for purposes of calculating the regulatory minimum capital charge are that any internal operational risk measurement system must be consistent with the definition of operational risk and a range of defined loss event types (covering all operational aspects such as fraud, employee practices, workplace safety, business practices, processing practices, business disruption and loss of physical assets). To qualify for use of the Advanced Measurement Approaches (AMA), a bank must satisfy its supervisor that, * The banks board of directors and senior management, are actively involved in the oversight of the operational risk management framework; * The bank has an operational risk management system that is conceptually sound and which includes an independent operational risk management function that is responsible for the design and implementation of the bank's operational risk management framework; * The bank has It has sufficient resources to use this approach in the major business lines as well as the control and audit areas. A bank using the AMA will be subject to a period of initial monitoring by its supervisor before it can be used for regulatory purposes. This period will allow the supervisor to determine if the approach is credible and appropriate. The bank's internal measurement system must be able to reasonably estimate unexpected losses based on the combined use of internal and relevant external loss data, scenario analysis and bank-specific business environment and internal control factors. The bank's measurement system must also be capable of supporting an allocation of economic capital for operational risk across business lines in a manner that creates incentives to improve business line operational risk management. Additionally, * The operational risk management function is responsible for documenting policies and procedures concerning operational risk management and controls, designing and implementing the bank's operational risk measurement methodology, designing and implementing a risk-reporting system for operational risk, and developing strategies to identify, measure, monitor and control/mitigate operational risk, * The bank's internal operational risk measurement system must be closely integrated into the day-to-day risk management processes of the bank and its output must be an integral part of the process of monitoring and controlling the bank's operational risk profile. This information must play a major role in risk reporting, management reporting, internal capital allocation, and risk analysis. * Operational risk exposures and loss experience must be reported regularly to business unit management, senior management, and to the board of directors. * The bank's operational risk management system must be well documented and the bank must have a routine in place for ensuring compliance with a documented set of internal policies, controls and procedures concerning the operational risk management system, which must include policies for the treatment of noncompliance issues. * Internal and/or external auditors must perform regular reviews of the operational risk management processes and measurement systems. This review must include both the activities of the business units and of the independent operational risk management function. * The validation of the operational risk measurement system by external auditors and/or supervisory authorities must include the verification that the internal validation processes are operating in a satisfactory manner; and making sure that data flows and processes associated with the risk measurement system are transparent and accessible. In particular, it is necessary that auditors and supervisory authorities are in a position to have easy access, whenever they judge it necessary and under appropriate procedures, to the system's specifications and parameters. Because the analytical approaches for operational risk continue to evolve the approach or distributional assumptions used to generate the operational risk measure for regulatory capital purposes is not being specified by the Basel Committee. A bank must however be able to show that its approach captures potentially severe 'tail' loss events. Irrespective of the approach is used, a bank must demonstrate that its operational risk measure meets a soundness standard comparable to that of the internal ratings-based approach for credit risk. Based on this, bank supervisors will require the bank to calculate its regulatory capital requirement as the sum of expected loss (EL) and unexpected loss (UL), unless the bank can demonstrate that it is adequately capturing EL in its internal business practices (to base the minimum regulatory capital requirement on UL alone, the bank must be able to demonstrate to the satisfaction of its national supervisor that it has measured and accounted for its EL exposure). A bank needs to have a credible, transparent, well-documented and verifiable approach for weighting these basic elements in its overall operational risk measurement system. Internal loss data is critical to linking a bank's risk estimates to its actual loss experience. Such data is most relevant when it is clearly linked to a bank's current business activities, technological processes and risk management procedures. To do this a bank must have documented procedures for assessing the on-going relevance of historical loss data, including those situations in which judgment overrides or other adjustments may be used, to what extent they may be used and who is authorized to make such decisions. Internally generated operational risk measures used for regulatory capital purposes must be based on a minimum five-year observation period of internal loss data. However, when the bank first moves to the AMA, a three-year historical data window is acceptable. To qualify for regulatory capital purposes, a bank's internal loss collection processes must be able to map its historical internal loss data into the relevant supervisory categories as are defined in detail in the Basel II Annexes. The bank must have documented objective criteria for allocating losses to the specified business lines and event types. A bank's internal loss data must be comprehensive. It must capture all material activities and exposures from all appropriate sub-systems and geographic locations. The bank must be able to justify that any excluded activities or exposures, both individually and in combination would not significantly impact the overall risk estimates. This should be based on an appropriate minimum gross loss threshold for internal loss data collection. Additionally, a bank should collect information relating the date of the event, any recoveries of loss amounts, as well as descriptive information about the drivers or causes of the loss event. The level of detail in any descriptive information should be appropriate to the size of the gross loss amount. Operational risk losses that are related to credit risk and have traditionally been included in banks' credit risk databases (e.g. collateral management failures) must continue to be treated as credit risk for the purposes of calculating minimum regulatory capital. It follows that such losses will not be subject to the operational risk capital charge. Nevertheless, for the purposes of internal operational risk management, banks must identify all material operational risk losses consistent with the scope of the definition of operational risk and the defined event types, including those related to credit risk. A bank's operational risk measurement system must use pertinent external data (either public data and/or pooled industry data), especially when there is any possibility to believe that the bank is potentially exposed to severe losses, however infrequent. Additionally a bank must use scenario analysis of expert opinion in conjunction with external data to evaluate its exposure to high-severity events.